Starting with macOS Sierra, I can't import a codesigning identity into a keychain with /usr/bin/security any more without /usr/bin/codesign UI-prompting for access when using this identity. This breaks the packaging scripts of the build server. There seems to be no workaround. This affects custom-created keychains, but also the login.keychain.
Steps to Reproduce: Execute the following commands in Terminal (requires a signing identity to be available to import):
security create-keychain -p test buildagent.keychain
security unlock-keychain -p test buildagent.keychain
security list-keychains -d user -s buildagent.keychain
security default-keychain -s buildagent.keychain
security import identity.p12 -k buildagent.keychain -P password -T /usr/bin/codesign
codesign -vfs "$IDENTITY" "${PRODUCT}" --keychain buildagent.keychain
Result: macOS shows a UI-prompt asking for permission to access the previously imported private key.
I have tried many workarounds, but nothing seems to work:
Importing the identity definitely works, I can see the cert and key when displaying the contents of the keychain in the Keychain Access application. The access control setting for the private key is also correctly configured (with the desired codesign exception rule).
How can I avoid the UI prompt from Sierra?
The command you need to use is as follows:
security set-key-partition-list -S apple-tool:,apple: -s -k keychainPass keychainName
Please keep in mind that this command-line tool works like list-keychains' way of modification: if you execute set-key-partition-list with a single value, it will overwrite all partition IDs in the certificates. It won't validate the values passed.
What this command does is set the partition IDs (the items after -S, separated by commas) for keys that can sign (-s) in a specific keychain.
The actual partition ID that allows the codesigning is apple:. I am not aware what apple-tool: is doing, as it is not documented, but it was there after importing the key with security import, so I'm keeping it in order to avoid breaking people who copy-paste the command.
This change was introduced with macOS Sierra and is not documented (or at least I could not find documentation). As of Oct 16 the man page for security still doesn't list this command.
For more information you can refer to this bug report: http://www.openradar.me/28524119