Creating a temporary keychain for your build system

I use fastlane and match a lot. But sometimes it is just not cutting it when setting up build systems like GitHub Actions, Bitbucket or Gitlab Pipelines. In that case it can be helpful to create and manage your own keychain.

For example we experienced that productsign was giving us a lot of trouble when using GitHub Actions. This is because for whatever reason productsign wanted to prompt the user to input a password for the private key. And this is not possible on a CI system. Fastlane match should have set the keychain correctly but we were unable to get it to work.

This was driving me crazy, I tried everything — I even posted on StackOverflow but no one seemed to have been having this issue before.

https://stackoverflow.com/questions/68541016/github-actions-productsign-hangs

The solution was to create our own keychain and import our certificates directly into that one. When that is done, codesign and productsign can read the certificates without any problems.

Variables

Before running any of the scripts you need to set up a few environment variables.

# Export them so separate setup and clean-up scripts see the same values
export MY_KEYCHAIN="tmp-keychain"
export MY_KEYCHAIN_PASSWORD="temp1234"
export CERT="installer-id.p12"
export CERT_PASSWORD="test1234"
# The common name of the certificate inside $CERT
export IDENTITY_CERTIFICATE="Common name from $CERT"

Setup New Keychain

The following can simply be put into two shell scripts that you can execute before signing and when signing is complete.

# Reset the search list to the user login keychain first, so a stale
# keychain left over from an earlier failed run is not in the list
security list-keychains -d user -s login.keychain

# Create temp keychain
security create-keychain -p "$MY_KEYCHAIN_PASSWORD" "$MY_KEYCHAIN"

# Prepend the temp keychain to the user search list, keeping the existing entries
security list-keychains -d user -s "$MY_KEYCHAIN" $(security list-keychains -d user | sed 's/"//g')

# Remove the relock timeout (and lock-on-sleep) so the keychain stays unlocked for the whole job
security set-keychain-settings "$MY_KEYCHAIN"

# Unlock keychain
security unlock-keychain -p "$MY_KEYCHAIN_PASSWORD" "$MY_KEYCHAIN"

# Import the certificate and private key; -T lets codesign and productsign use the key.
# -A additionally allows every application to use it; drop it if -T is enough for your tools
security import "$CERT" -k "$MY_KEYCHAIN" -P "$CERT_PASSWORD" -A -T "/usr/bin/codesign" -T "/usr/bin/productsign"

# Allow Apple's tools to use the private key from a non-interactive shell without a password prompt
security set-key-partition-list -S apple-tool:,apple:, -s -k "$MY_KEYCHAIN_PASSWORD" -D "${IDENTITY_CERTIFICATE}" -t private "$MY_KEYCHAIN"

Clean up

# Delete temporary keychain
security delete-keychain "$MY_KEYCHAIN"

# default again user login keychain
security list-keychains -d user -s login.keychain
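The two scripts above combined into one reusable wrapper that tears the temporary keychain down and restores the login keychain even when setup or signing fails (an added example, not the post's own scripts; it assumes the same variables as above, and the function names are my own):

```sh
# Added example, not the post's own scripts; same variables as above.

# Fail early if a variable is unset or the .p12 is missing, instead of
# letting `security` stall part-way through the job.
check_signing_env() {
  for v in MY_KEYCHAIN MY_KEYCHAIN_PASSWORD CERT CERT_PASSWORD IDENTITY_CERTIFICATE; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || { echo "missing variable: $v" >&2; return 1; }
  done
  [ -f "$CERT" ] || { echo "certificate not found: $CERT" >&2; return 1; }
}

# Mirrors the post's setup script; the search list is reset first, so
# listing "$MY_KEYCHAIN" login.keychain gives the same result as the sed trick.
setup_temp_keychain() {
  security list-keychains -d user -s login.keychain &&
  security create-keychain -p "$MY_KEYCHAIN_PASSWORD" "$MY_KEYCHAIN" &&
  security list-keychains -d user -s "$MY_KEYCHAIN" login.keychain &&
  security set-keychain-settings "$MY_KEYCHAIN" &&
  security unlock-keychain -p "$MY_KEYCHAIN_PASSWORD" "$MY_KEYCHAIN" &&
  security import "$CERT" -k "$MY_KEYCHAIN" -P "$CERT_PASSWORD" \
    -T /usr/bin/codesign -T /usr/bin/productsign &&
  security set-key-partition-list -S apple-tool:,apple: -s \
    -k "$MY_KEYCHAIN_PASSWORD" -D "$IDENTITY_CERTIFICATE" -t private "$MY_KEYCHAIN"
}

# Delete the temp keychain and restore the login keychain. Errors are
# ignored so cleanup never hides the signing failure that caused it.
teardown_temp_keychain() {
  security delete-keychain "$MY_KEYCHAIN" 2>/dev/null || true
  security list-keychains -d user -s login.keychain || true
}

# Run a signing command (e.g. productsign ...) inside the temp keychain and
# tear it down whether or not the command succeeds, so a failed job does
# not leave an unlocked keychain holding the private key on the runner.
# Returns the command's exit status.
sign_with_temp_keychain() {
  check_signing_env || return 1
  if ! setup_temp_keychain; then
    teardown_temp_keychain
    return 1
  fi
  if "$@"; then rc=0; else rc=$?; fi
  teardown_temp_keychain
  return "$rc"
}

# Usage from a CI step, with the variables exported beforehand:
#   sign_with_temp_keychain productsign --sign "$IDENTITY_CERTIFICATE" in.pkg out.pkg
```

In a standalone script, `trap teardown_temp_keychain EXIT` right after the setup call gives the same guarantee without the wrapper.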

That's about it.

I work as a software developer with years of experience within the field of web, apps and server architecture.

Rasmus Styrk