"User interaction is not allowed" trying to sign an OSX app using codesign

Trejkaz · Nov 25, 2013 · Viewed 83.7k times

Our automated build is running on Jenkins. The build itself is running on slaves, with the slaves being executed via SSH.

I get an error:

00:03:25.113 [codesign-app] build/App.app: User interaction is not allowed.

I have tried every suggestion I have seen so far in other posts here:

  • Using security unlock-keychain immediately before signing to unlock the keychain.
  • Moving the signing key out into its own keychain.
  • Moving the signing key into the login keychain.
  • Moving the signing key into the system keychain.
  • Manually setting list-keychains to only the keychain which contains the key.

In all cases, I get the same error.

In an attempt to diagnose the issue, I tried running the "security unlock-keychain" command on my local terminal and found that it doesn't actually unlock the keychain - if I look in Keychain Access, the lock symbol is still there. This is the case whether I pass the password on the command line or whether I let it prompt me for it. Unlocking the same keychain using the GUI will prompt me for the password and then unlock it. Additionally, if I run "security lock-keychain", I do see the key lock immediately after running the command. This makes me think that unlock-keychain doesn't actually work. I experience the same behaviour on Lion (which we're using for the build slaves) and Mavericks (which I'm developing on).

Next, I tried adding -v to all the security commands:

list-keychains "-d" "system" "-s" "/Users/tester/.secret/App.keychain"
Listing keychains to see if it was added: ((
        "/Library/Keychains/System.keychain"
))
unlock-keychain "-p" "**PASSWORD**" "/Users/tester/.secret/App.keychain"
build/App.app: User interaction is not allowed.

From this, it would seem that list-keychains is what isn't working. Maybe neither work. :/

There is a similar question here. The solution is interesting - set "SessionCreate" to true in launchctl. But I'm not building on the master - my build process is started from SSH on a slave build machine. Maybe there is a command-line way to do what launchctl is doing when you run "SessionCreate"?

Answer

bmauter · Mar 25, 2014

I too have been fighting this. Nothing helped until I tried the suggestion on http://devnet.jetbrains.com/thread/311971. Thanks ashish agrawal!

Log in as your build user via the GUI and open Keychain Access. Select your signing private key, right-click, choose Get Info, change to the Access Control tab and select "Allow all applications to access this item".

[Image: the Access Control tab]
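A command-line version of the answer's Access Control step, as an added example that is not code from the question or the answer: it builds a dedicated keychain for an SSH-driven build, unlocks it, and grants /usr/bin/codesign access to the imported key at import time with `security import -T`, so no GUI session is needed. The environment variable names and the DRY_RUN switch are assumptions made for this example, and `set-key-partition-list` only exists on macOS 10.12 and later, so it was not available on the Lion and Mavericks machines in the question.

```shell
#!/bin/sh
# Added example, not code from the question or answer. Builds a dedicated
# keychain for an SSH-driven codesign run and grants codesign access to the
# imported key from the command line, which is what the Access Control tab
# does in the GUI. Inputs are assumed environment variables (constructed):
#   KEYCHAIN       build keychain to create        (default: build.keychain)
#   KEYCHAIN_PASS  password used to create/unlock it
#   CERT_P12       PKCS#12 file with the signing identity
#   CERT_PASS      password protecting the .p12
# DRY_RUN=1 prints each security command instead of executing it.
set -eu

KEYCHAIN="${KEYCHAIN:-$HOME/Library/Keychains/build.keychain}"
KEYCHAIN_PASS="${KEYCHAIN_PASS:-changeme}"
CERT_P12="${CERT_P12:-signing.p12}"
CERT_PASS="${CERT_PASS:-changeme}"
DRY_RUN="${DRY_RUN:-0}"

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_build_keychain() {
  # A fresh keychain keeps the build independent of the login keychain's lock state.
  run security create-keychain -p "$KEYCHAIN_PASS" "$KEYCHAIN"
  # No -l/-u/-t flags: the keychain never auto-locks during the build.
  run security set-keychain-settings "$KEYCHAIN"
  # Put the build keychain first in the user search list, keeping the login keychain.
  run security list-keychains -d user -s "$KEYCHAIN" login.keychain
  run security unlock-keychain -p "$KEYCHAIN_PASS" "$KEYCHAIN"
  # -T adds /usr/bin/codesign to the key's ACL (the GUI's Access Control tab).
  run security import "$CERT_P12" -k "$KEYCHAIN" -P "$CERT_PASS" -T /usr/bin/codesign
  # macOS 10.12+: the ACL alone is not enough; the key's partition list must
  # also admit Apple's tools, otherwise codesign still prompts.
  run security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASS" "$KEYCHAIN"
}

# Lists the codesigning identities valid in this keychain; the signing identity should appear.
check_identity() {
  run security find-identity -v -p codesigning "$KEYCHAIN"
}

# Run for real only when invoked as "script.sh setup"; otherwise just define functions.
case "${1:-}" in
  setup) setup_build_keychain && check_identity ;;
esac
```

Run it once per build agent with the real values exported; the password should come from the CI credential store rather than the script file.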