Creating a temporary keychain for your build system

I use fastlane and match a lot. But sometimes they are just not cutting it when setting up build systems like GitHub Actions, Bitbucket Pipelines or GitLab CI. In that case it can be helpful to create and manage your own keychain.

For example, we found that productsign was giving us a lot of trouble on GitHub Actions. For whatever reason, productsign wanted to prompt the user for the password of the private key, and that is not possible on a CI system. fastlane match should have set up the keychain correctly, but we were unable to get it to work.

This was driving me crazy. I tried everything, and even posted on Stack Overflow, but no one seemed to have run into this issue before.

https://stackoverflow.com/questions/68541016/github-actions-productsign-hangs

The solution was to create our own keychain and import our certificates directly into it. Once that is done, codesign and productsign can read the certificates without any problems.

Variables

Before running either script, set a few environment variables. In a CI system the .p12 file and both passwords belong in the pipeline's secret store, not in the repository; the values below are placeholders.

MY_KEYCHAIN="tmp-keychain"
MY_KEYCHAIN_PASSWORD="temp1234"   # throwaway: the keychain is deleted once signing is done
CERT="installer-id.p12"
CERT_PASSWORD="test1234"          # the password the .p12 was exported with
IDENTITY_CERTIFICATE="Common name from $CERT"   # the certificate's common name, as printed by security find-identity -v

Set up a new keychain

The following can simply be put into two shell scripts: one that you run before signing, and one that you run when signing is complete.

#!/bin/bash
set -euo pipefail

# Reset the user search list to the login keychain, so a keychain left
# behind by an earlier failed run cannot interfere
security list-keychains -d user -s login.keychain

# Create the temporary keychain
security create-keychain -p "$MY_KEYCHAIN_PASSWORD" "$MY_KEYCHAIN"

# Prepend the temporary keychain to the user domain search list, keeping
# the existing entries (list-keychains -s replaces the whole list)
security list-keychains -d user -s "$MY_KEYCHAIN" $(security list-keychains -d user | sed 's/"//g')

# Remove the auto-lock timeout so the keychain stays unlocked for the
# whole build (no -t/-l/-u option means "no timeout")
security set-keychain-settings "$MY_KEYCHAIN"

# Unlock the keychain
security unlock-keychain -p "$MY_KEYCHAIN_PASSWORD" "$MY_KEYCHAIN"

# Import the certificate and private key. -T lets codesign and productsign
# use the key; -A additionally lets ANY application use it (the security
# man page calls this insecure), so on a shared or self-hosted runner drop
# -A and rely on the -T entries plus the partition list below
security import "$CERT" -k "$MY_KEYCHAIN" -P "$CERT_PASSWORD" -A -T /usr/bin/codesign -T /usr/bin/productsign

# Let Apple's signing tools use the private key without a password prompt.
# This is the step that stops productsign from hanging in a non-interactive shell
security set-key-partition-list -S apple-tool:,apple: -s -k "$MY_KEYCHAIN_PASSWORD" -D "$IDENTITY_CERTIFICATE" -t private "$MY_KEYCHAIN"

Clean up

Run this even when the build fails (on GitHub Actions, in a step with if: always()); otherwise an unlocked keychain holding your signing key is left behind, which matters on self-hosted runners that are reused between jobs.

# Delete the temporary keychain (this also drops it from the search list)
security delete-keychain "$MY_KEYCHAIN"

# Reset the search list to the login keychain
security list-keychains -d user -s login.keychain
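The two scripts above, folded into one CI-ready script as an added example (this is not code from the original post). It goes beyond the post in four ways: the keychain gets a random per-run password instead of a fixed one, the .p12 arrives as a base64-encoded secret rather than a file checked in next to the build, the import grants the key only to codesign and productsign (no -A), and the setup step verifies the identity is actually usable before any signing runs. The input names P12_BASE64, P12_PASSWORD, SIGNING_IDENTITY and KEYCHAIN_PATH are assumptions chosen for the example; RUNNER_TEMP is the GitHub Actions temp directory variable. The security commands exist only on macOS; the two helper functions are portable.

```shell
#!/bin/sh
# Added example, not from the original post: one script with "setup" and
# "cleanup" subcommands, meant to run as two CI steps. Assumed inputs
# (hypothetical names, provide them from your CI secret store):
#   P12_BASE64        the .p12 file, base64-encoded
#   P12_PASSWORD      the password the .p12 was exported with
#   SIGNING_IDENTITY  the certificate's common name
# KEYCHAIN_PATH and RUNNER_TEMP (a GitHub Actions variable) are optional.
set -eu

KEYCHAIN_PATH="${KEYCHAIN_PATH:-${RUNNER_TEMP:-$HOME}/ci-signing.keychain-db}"

# 64 hex characters from the kernel CSPRNG. The keychain is deleted after
# the build, so its password is never stored or committed anywhere.
make_keychain_password() {
  head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Decode the base64 secret into a private temp file (mktemp creates it
# 0600) and print its path. An unset secret or an empty decode is an
# error here, instead of a puzzling failure later at the import step.
# (--decode is accepted by both the macOS and the GNU base64.)
materialize_p12() {
  if [ -z "${P12_BASE64:-}" ]; then
    echo "P12_BASE64 is not set" >&2
    return 1
  fi
  p12_file="$(mktemp)"
  printf '%s' "$P12_BASE64" | tr -d '\n' | base64 --decode > "$p12_file"
  if [ ! -s "$p12_file" ]; then
    rm -f "$p12_file"
    echo "decoded .p12 is empty" >&2
    return 1
  fi
  printf '%s\n' "$p12_file"
}

setup_keychain() {
  p12="$(materialize_p12)"
  password="$(make_keychain_password)"

  # Start from the bare login keychain so a leftover from a failed run
  # cannot shadow the one created below.
  security list-keychains -d user -s login.keychain
  security create-keychain -p "$password" "$KEYCHAIN_PATH"
  security set-keychain-settings "$KEYCHAIN_PATH"   # no auto-lock timeout
  security unlock-keychain -p "$password" "$KEYCHAIN_PATH"
  # Word splitting of the existing search list is intended here.
  security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | tr -d '"')

  # Only codesign and productsign may use the key: -T entries, no -A.
  security import "$p12" -k "$KEYCHAIN_PATH" -P "${P12_PASSWORD:?}" \
    -T /usr/bin/codesign -T /usr/bin/productsign
  rm -f "$p12"
  security set-key-partition-list -S apple-tool:,apple: -s \
    -k "$password" -D "${SIGNING_IDENTITY:?}" -t private "$KEYCHAIN_PATH"

  # Fail fast if the identity is not usable from this keychain.
  if ! security find-identity -v "$KEYCHAIN_PATH" | grep -F -- "$SIGNING_IDENTITY" >/dev/null; then
    echo "identity '$SIGNING_IDENTITY' not found in $KEYCHAIN_PATH" >&2
    return 1
  fi
}

cleanup_keychain() {
  # delete-keychain removes the file and drops it from the search list;
  # resetting the list afterwards also covers the case where creation failed.
  if [ -f "$KEYCHAIN_PATH" ]; then
    security delete-keychain "$KEYCHAIN_PATH"
  fi
  security list-keychains -d user -s login.keychain
}

case "${1:-}" in
  setup)   setup_keychain ;;
  cleanup) cleanup_keychain ;;
  "")      ;;  # no subcommand: only define the functions (file can be sourced)
  *)       echo "usage: $0 setup|cleanup" >&2; exit 2 ;;
esac
```

Use it as two pipeline steps: `./keychain.sh setup` before the signing commands, and `./keychain.sh cleanup` in a step that runs unconditionally. Because the keychain password is generated inside the setup step and never written anywhere, the only secrets the pipeline has to hold are the .p12 and its export password.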

That's about it.

Rasmus Styrk

I work as a software developer with years of experience within the field of web, apps and server architecture.