Keychain won't unlock from Jenkins script unless user logged in
I'm running a Jenkins CI server on an OS X machine. The server is running as a standard user 'john', and is started by running launchctl. One of the things this server does is build XCode projects using keys and certificates stored in a keychain 'xcode.keychain':
Jenkins (which is running under the user 'john' according to activity monitor) calls these commands from a script when the user presses a button on the web interface.
security default-keychain -s /Users/john/Library/Keychains/xcode.keychain
security unlock-keychain -p password /Users/john/Library/Keychains/xcode.keychain
xcodebuild ...
If I happen to be logged into the server as 'john' via the UI, the keychain gets unlocked properly when Jenkins calls those commands. But, if I'm not logged in, xcode.keychain doesn't get unlocked and the build fails. Any ideas?
Answer
I had to:
- Right-click on the private key in my keychain that my build process was trying to use
- Click "Get Info"
- Then the "Access Control" tab.
- You can add specific apps (like "codesign") to the list of apps that are allowed access to that key, or just allow access from all applications.
This cleared it up for me.
More info in these comments: https://stackoverflow.com/a/12235462/544130 https://stackoverflow.com/a/14761060/544130