Simultaneous access to Keychain

App & System Services Core OS
egormerkushev
egormerkushev OP
Created Aug ’18
Replies 11
Boosts 0
Views 7.4k
Participants 4

In our company we have big Xcode project with workspace that contains 7 subprojects. Yesterday I installed 10.14 18A347e and today I get troubles with codesign. Xcode building for devices is failed with error every time:



error: The specified item could not be found in the keychain.



It is remarkable that every build finished with different result: codesign cannot sign different frameworks and libs build to build.



CodeSign /Users/egor.merkushev/Library/Developer/Xcode/DerivedData/MyApp-daluhbxrpqwoyrcpcfqzexbfzsud/Build/Products/Debug-iphoneos/MyApp.app/Frameworks/somename.framework
    cd /Users/egor.merkushev/Development/myapp
    export CODESIGN_ALLOCATE=/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate
    export PATH="/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin:/Applications/Xcode.app/Contents/Developer/usr/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin"
   
Signing Identity:     "iPhone Developer: Egor Merkushev (XXXXXXXXX)"
 
 
/usr/bin/codesign --force --sign XXXXXXXXXXXXXXX --preserve-metadata=identifier,entitlements,flags --timestamp=none /Users/egor.merkushev/Library/Developer/Xcode/DerivedData/MyApp-daluhbxrpqwoyrcpcfqzexbfzsud/Build/Products/Debug-iphoneos/MyApp.app/Frameworks/somename.framework

I tried to run codesign command manually and it successfully finished. So I found that Xcode run 5-6 processes of codesign for one build. And I think what it is a bug of Keychain - it does not allow access to my certificate for such number of processes simultaneously. I tried to turn off parallel build and change build system in Xcode, but got no success. Can somebody help me?

Answered by cstar in 333777022

Just in case anybody experiences the same problem and google leads to this thread: I've been able to fix it by making a wrapper around codesign which prevents parallel execution.


Background: We use a smartcard to store the code signing key and use OpenSC to make it available in the keychain. The build process requires multiple codesign operations. The first sign-operation takes a while to complete. It completes successfully. But before it completes, several other sign-operations are started. These operations exit immediately with an error, before the first sign-operation completes.


As a workaround, I have deactivated System Integrity Protection so that I can edit /usr/bin/. Then I have renamed /usr/bin/codesign to /usr/bin/codesign.orig and added the following script as /usr/bin/codesign:


#!/bin/bash
# This wrapper around codesign ensures that only one codesign operation is
# running at the same time. When the signing is performed on a smart card
# (via OpenSC), it fails when concurrent processes request a signature.
 
lockfile="/var/tmp/codesign-od-fix.lock"
pid=$$
while ! ln -s "$pid" "$lockfile" 2>/dev/null; do
    # first check whether lock-link is stale
    otherPID=$(readlink "$lockfile")
    if kill -0 "$otherPID" 2>/dev/null; then
        # PID still exists, wait...
        sleep 0.1
    else
        # lock is stale, PID does not exist any more
        rm -f "$lockfile" 2>/dev/null
    fi
done
# We now hold the lock
 
/usr/bin/codesign.orig "$@"
rval=$?
 
# remove lock
rm -f "$lockfile" 2>/dev/null
 
exit "$rval"


/usr/bin/codesign must be executable, of course. After this change, SIP can be activated again.


Note, however, that this workaround must probably be applied for every system update, at least if it contains /usr/bin/codesign.

Replies  11
Boosts  0
Views  7.4k
Participants  4
egormerkushev
egormerkushev OP
Aug ’18

I updated to 10.14 (18A353d) - no effect, same problem. 1 or 2 items for siging from total 6 can not be signed and failed with

error: The specified item could not be found in the keychain.
0
egormerkushev
egormerkushev OP
Aug ’18

I try create a new user account and build app with same settings as on 11.13 - I have same errors.
I tried Xcode 9.4 and new Xcode 10 beta, new build system and old build system, new tools and old tools - no success.

0
egormerkushev
egormerkushev OP
Aug ’18

Help topics also are unhelpful https://help.apple.com/xcode/mac/current/#/devd1432da9a

0
egormerkushev
egormerkushev OP
Aug ’18

Clean install of Mojave beta again with clean Keychain also had no effect.

0
egormerkushev
egormerkushev OP
Aug ’18

I totally reinstalled High Sierra and problem was partially resolved. Sometimes I get the same error time to time.

0
cstar
cstar OP
Sep ’18

We are seeing the same issue with 10.14 final. Have you found a solution meanwhile? Do you keep your code signature keys on a smartcard? It's not an option for us to go back to 10.13 because Xcode 10 does not build asset catalogs correctly when run on 10.13.


(And yes, we had the same issue from time to time on 10.13, it's not completely reproducible on 10.14, but so frequent that we can't make a complete build.)

0
cstar
cstar OP
Oct ’18
Accepted Answer

Just in case anybody experiences the same problem and google leads to this thread: I've been able to fix it by making a wrapper around codesign which prevents parallel execution.


Background: We use a smartcard to store the code signing key and use OpenSC to make it available in the keychain. The build process requires multiple codesign operations. The first sign-operation takes a while to complete. It completes successfully. But before it completes, several other sign-operations are started. These operations exit immediately with an error, before the first sign-operation completes.


As a workaround, I have deactivated System Integrity Protection so that I can edit /usr/bin/. Then I have renamed /usr/bin/codesign to /usr/bin/codesign.orig and added the following script as /usr/bin/codesign:


#!/bin/bash
# This wrapper around codesign ensures that only one codesign operation is
# running at the same time. When the signing is performed on a smart card
# (via OpenSC), it fails when concurrent processes request a signature.
 
lockfile="/var/tmp/codesign-od-fix.lock"
pid=$$
while ! ln -s "$pid" "$lockfile" 2>/dev/null; do
    # first check whether lock-link is stale
    otherPID=$(readlink "$lockfile")
    if kill -0 "$otherPID" 2>/dev/null; then
        # PID still exists, wait...
        sleep 0.1
    else
        # lock is stale, PID does not exist any more
        rm -f "$lockfile" 2>/dev/null
    fi
done
# We now hold the lock
 
/usr/bin/codesign.orig "$@"
rval=$?
 
# remove lock
rm -f "$lockfile" 2>/dev/null
 
exit "$rval"


/usr/bin/codesign must be executable, of course. After this change, SIP can be activated again.


Note, however, that this workaround must probably be applied for every system update, at least if it contains /usr/bin/codesign.

1
egormerkushev
egormerkushev OP
Oct ’18

Thank you for this solution! It works.
PS
No thanks to macOS team. Bad work, guys.

0
sh-a-n
sh-a-n OP
Oct ’18

Thank you!. It helps.


Apple, pls, release patch for mac OS Mojave!

0
egormerkushev
egormerkushev OP
Oct ’18

Also I found that permanently disabled SIP can help. But it is unsafe solution.

0
Bidli
Bidli OP
Nov ’18

Your answer led me to the solution for my case: Since many years, I have attached a smartcard to my computer which contains a certified private key to sign emails and PDFs. This never was a problem when building apps with Xcode. Since I have installed 10.14, I get the "The specified item could not be found in the keychain." error when I have attached the smartcard. The solution in my case is to simply remove it but it took two frustrating days to figure this out.


More generally: When the smartcard is inserted, I see an additional keychain in the Keychain Access app. It's the first one in the list and it is locked. My guess is that Xcode / codesign only tries to find the code signing certificate / private key in this additional keychain instead of in the login keychain. I will create a bug report for this.

0
Simultaneous access to Keychain
First post date Last post date
 
 
Q