      Latest reply on Nov 22, 2018 2:15 PM by Bidli
      egormerkushev Level 1 (0 points)

        In our company we have a big Xcode project with a workspace that contains 7 subprojects. Yesterday I installed 10.14 18A347e and today I am having trouble with codesign. Building for devices in Xcode fails with this error every time:

        error: The specified item could not be found in the keychain.

        It is remarkable that every build finishes with a different result: codesign fails to sign different frameworks and libs from build to build.

        CodeSign /Users/egor.merkushev/Library/Developer/Xcode/DerivedData/MyApp-daluhbxrpqwoyrcpcfqzexbfzsud/Build/Products/Debug-iphoneos/MyApp.app/Frameworks/somename.framework
            cd /Users/egor.merkushev/Development/myapp
            export CODESIGN_ALLOCATE=/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate
            export PATH="/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin:/Applications/Xcode.app/Contents/Developer/usr/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin"
           
        Signing Identity:     "iPhone Developer: Egor Merkushev (XXXXXXXXX)"
        
        
        /usr/bin/codesign --force --sign XXXXXXXXXXXXXXX --preserve-metadata=identifier,entitlements,flags --timestamp=none /Users/egor.merkushev/Library/Developer/Xcode/DerivedData/MyApp-daluhbxrpqwoyrcpcfqzexbfzsud/Build/Products/Debug-iphoneos/MyApp.app/Frameworks/somename.framework

        I tried running the codesign command manually and it finished successfully. So I found that Xcode runs 5-6 codesign processes for one build. And I think that it is a bug in Keychain: it does not allow access to my certificate for that many processes simultaneously. I tried turning off parallel builds and changing the build system in Xcode, but had no success. Can somebody help me?

        • Re: Simultaneous access to Keychain
          egormerkushev Level 1 (0 points)

          I updated to 10.14 (18A353d) - no effect, same problem. 1 or 2 of the 6 items to be signed cannot be signed and fail with

          error: The specified item could not be found in the keychain.
          • Re: Simultaneous access to Keychain
            cstar Level 1 (10 points)

            We are seeing the same issue with 10.14 final. Have you found a solution meanwhile? Do you keep your code signature keys on a smartcard? It's not an option for us to go back to 10.13 because Xcode 10 does not build asset catalogs correctly when run on 10.13.

             

            (And yes, we had the same issue from time to time on 10.13, it's not completely reproducible on 10.14, but so frequent that we can't make a complete build.)

              • Re: Simultaneous access to Keychain
                cstar Level 1 (10 points)

                Just in case anybody experiences the same problem and Google leads to this thread: I've been able to fix it by making a wrapper around codesign which prevents parallel execution.

                 

                Background: We use a smartcard to store the code signing key and use OpenSC to make it available in the keychain. The build process requires multiple codesign operations. The first sign-operation takes a while to complete. It completes successfully. But before it completes, several other sign-operations are started. These operations exit immediately with an error, before the first sign-operation completes.

                 

                As a workaround, I have deactivated System Integrity Protection so that I can edit /usr/bin/. Then I have renamed /usr/bin/codesign to /usr/bin/codesign.orig and added the following script as /usr/bin/codesign:

                 

                #!/bin/bash
                # This wrapper around codesign ensures that only one codesign operation is
                # running at the same time. When the signing is performed on a smart card
                # (via OpenSC), it fails when concurrent processes request a signature.
                
                lockfile="/var/tmp/codesign-od-fix.lock"
                pid=$$
                while ! ln -s "$pid" "$lockfile" 2>/dev/null; do
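                    # lock exists: read the holder's PID from the symlink target
                    otherPID=$(readlink "$lockfile")
                    if [ -z "$otherPID" ]; then
                        # lock was released between ln and readlink: retry
                        # instead of removing what may now be a new holder's lock
                        continue
                    elif kill -0 "$otherPID" 2>/dev/null; then
                        # PID still exists, wait...
                        sleep 0.1
                    else
                        # lock is stale, PID does not exist any more
                        rm -f "$lockfile" 2>/dev/null
                    fi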
                done
                # We now hold the lock
                
                /usr/bin/codesign.orig "$@"
                rval=$?
                
                # remove lock
                rm -f "$lockfile" 2>/dev/null
                
                exit "$rval"
                

                 

                /usr/bin/codesign must be executable, of course. After this change, SIP can be activated again.

                 

                Note, however, that this workaround must probably be applied for every system update, at least if it contains /usr/bin/codesign.
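
Added example, not part of the post above and not the poster's or Apple's code: the same one-at-a-time wrapper written in Python, swapping the symlink-and-PID lock for fcntl.flock, which the kernel drops when the last process holding it exits, so there is no stale lock to detect or break. LOCK_PATH and run_serialized are names assumed for this sketch; REAL_TOOL is the renamed binary from the post.

```python
import fcntl
import os
import subprocess
import sys
import tempfile

# Assumed lock location for this sketch; it does not come from the thread.
LOCK_PATH = os.path.join(tempfile.gettempdir(), "codesign-serial.lock")
# The renamed original binary described in the post.
REAL_TOOL = "/usr/bin/codesign.orig"


def run_serialized(argv, lock_path=LOCK_PATH):
    """Run argv while holding an exclusive lock; return its exit status."""
    # O_NOFOLLOW refuses a symlink planted at the lock path in a shared
    # temp directory; 0o600 keeps the lock file private to the build user.
    fd = os.open(lock_path, os.O_RDWR | os.O_CREAT | os.O_NOFOLLOW, 0o600)
    try:
        # Blocks until every other holder has released the lock or exited.
        fcntl.flock(fd, fcntl.LOCK_EX)
        # The child inherits the descriptor, so the lock stays held until
        # the signing process itself ends, even if this wrapper is killed.
        return subprocess.call(argv, pass_fds=(fd,))
    finally:
        # Closing our descriptor releases our hold, also on exceptions.
        os.close(fd)


if __name__ == "__main__":
    # Forward all arguments unchanged and propagate the tool's exit code.
    sys.exit(run_serialized([REAL_TOOL] + sys.argv[1:]))
```

Because waiters block inside flock instead of polling, a crashed signing process cannot leave the build waiting on a leftover lock file.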

                  • Re: Simultaneous access to Keychain
                    egormerkushev Level 1 (0 points)

                    Thank you for this solution! It works.

                    PS
                    No thanks to macOS team. Bad work, guys.


                    • Re: Simultaneous access to Keychain
                      sh-a-n Level 1 (0 points)

                      Thank you! It helps.

                      Apple, please release a patch for macOS Mojave!

                      • Re: Simultaneous access to Keychain
                        Bidli Level 1 (0 points)

                        Your answer led me to the solution for my case: For many years, I have had a smartcard attached to my computer which contains a certified private key to sign emails and PDFs. This never was a problem when building apps with Xcode. Since I installed 10.14, I get the "The specified item could not be found in the keychain." error when the smartcard is attached. The solution in my case is to simply remove it, but it took two frustrating days to figure this out.

                         

                        More generally: When the smartcard is inserted, I see an additional keychain in the Keychain Access app. It's the first one in the list and it is locked. My guess is that Xcode / codesign only tries to find the code signing certificate / private key in this additional keychain instead of in the login keychain. I will create a bug report for this.