Keychain won't unlock from Jenkins script unless user logged in

user756365 picture user756365 · Jun 20, 2011 · Viewed 45.8k times · Source

I'm running a Jenkins CI server on an OS X machine. The server is running as a standard user 'john', and is started by running launchctl. One of the things this server does is build XCode projects using keys and certificates stored in a keychain 'xcode.keychain':

Jenkins (which is running under the user 'john' according to activity monitor) calls these commands from a script when the user presses a button on the web interface.

security default-keychain -s /Users/john/Library/Keychains/xcode.keychain
security unlock-keychain -p password /Users/john/Library/Keychains/xcode.keychain
xcodebuild ...

If I happen to be logged into the server as 'john' via the UI, the keychain gets unlocked properly when Jenkins calls those commands. But, if I'm not logged in, xcode.keychain doesn't get unlocked and the build fails. Any ideas?

Answer

Taytay picture Taytay · Mar 13, 2013

I had to:

  1. Right-click on the private key in my keychain that my build process was trying to use
  2. Click "Get Info"
  3. Then the "Access Control" tab.
  4. You can add specific apps (like "codesign") to the list of apps that are allowed access to that key, or just allow access from all applications.

This cleared it up for me.

More info in these comments: https://stackoverflow.com/a/12235462/544130 https://stackoverflow.com/a/14761060/544130