Creating a temporary keychain for your build system

Rasmus Styrk
2 min readAug 8, 2021

--

I use fastlane and matcha lot. But sometimes it is just not cutting it when setting up build systems like GitHub Actions, Bitbucket or Gitlab Pipelines. In that case it can be helpful to create and manage your own keychain.

For example we experienced that productsignwas giving us a lot of trouble when using Github Actions. This is because for whatever reason productsignwanted to prompt the user to input a password for the private key. And this is not possible on a CI-system. Fastlane match should have set the keychain correctly but we was unable to get it to work.

This was driving me crazy, I tried everything — I even posted on StackOverflow but no one seemed to have been having this issue before.

https://stackoverflow.com/questions/68541016/github-actions-productsign-hangs

The solution was to create our own keychain and import our certificates directly to that one. When that is done, codesignand productsigncan read the certificates without any problems.

Variables

Before running any of the scripts you need to setup up a few environment variables.

MY_KEYCHAIN = "tmp-keychain"
MY_KEYCHAIN_PASSWORD = "temp1234"
CERT = "installer-id.p12"
CERT_PASSWORD = "test1234"
IDENTITY_CERTIFICATE = "Common name from $CERT"

Setup New Keychain

The following can simply be put into two shell scripts that you can execute before signing and when signing is complete.

# default again user login keychain
security list-keychains -d user -s login.keychain

# Create temp keychain
security create-keychain -p "$MY_KEYCHAIN_PASSWORD" "$MY_KEYCHAIN"

# Append temp keychain to the user domain
security list-keychains -d user -s "$MY_KEYCHAIN" $(security list-keychains -d user | sed s/\"//g)

# Remove relock timeout
security set-keychain-settings "$MY_KEYCHAIN"

# Unlock keychain
security unlock-keychain -p "$MY_KEYCHAIN_PASSWORD" "$MY_KEYCHAIN"

# Add certificate to keychain
security import $CERT -k "$MY_KEYCHAIN" -P "$CERT_PASSWORD" -A -T "/usr/bin/codesign" -T "/usr/bin/productsign"

# Enable codesigning from a non user interactive shell
security set-key-partition-list -S apple-tool:,apple:, -s -k $MY_KEYCHAIN_PASSWORD -D "${IDENTITY_CERTIFICATE}" -t private $MY_KEYCHAIN

Clean up

# Delete temporary keychain
security delete-keychain "$MY_KEYCHAIN"

# default again user login keychain
security list-keychains -d user -s login.keychain

Thats about it.

--

--

Rasmus Styrk
Rasmus Styrk

Written by Rasmus Styrk

I work as a software developer with years of experience within the field of web, apps and server architecture.