Creating a temporary keychain for your build system

I use fastlane and match a lot. But sometimes they are just not cutting it when setting up build systems like GitHub Actions, Bitbucket or GitLab Pipelines. In that case it can be helpful to create and manage your own keychain.

For example, we experienced that productsign was giving us a lot of trouble when using GitHub Actions. This is because, for whatever reason, productsign wanted to prompt the user for the password of the private key, which is not possible on a CI system. Fastlane match should have set up the keychain correctly, but we were unable to get it to work.

This was driving me crazy, I tried everything — I even posted on StackOverflow but no one seemed to have been having this issue before.

https://stackoverflow.com/questions/68541016/github-actions-productsign-hangs

The solution was to create our own keychain and import our certificates directly into it. Once that is done, codesign and productsign can read the certificates without any problems.

Before running any of the scripts you need to set up a few environment variables.

export MY_KEYCHAIN="tmp-keychain"
export MY_KEYCHAIN_PASSWORD="temp1234"
export CERT="installer-id.p12"
export CERT_PASSWORD="test1234"
export IDENTITY_CERTIFICATE="Common name from $CERT"   # the certificate's common name, as shown in Keychain Access

The following can simply be put into two shell scripts: one that you execute before signing and one that runs when signing is complete.

# --- Script 1: run before signing ---

# Reset the user search list to the login keychain, in case an earlier run left a stale entry
security list-keychains -d user -s login.keychain

# Create the temporary keychain
security create-keychain -p "$MY_KEYCHAIN_PASSWORD" "$MY_KEYCHAIN"

# Prepend the temporary keychain to the user search list
# (the unquoted substitution is intentional: one argument per keychain path already in the list)
security list-keychains -d user -s "$MY_KEYCHAIN" $(security list-keychains -d user | sed 's/"//g')

# Remove the relock timeout and lock-on-sleep so the keychain stays unlocked for the whole job
security set-keychain-settings "$MY_KEYCHAIN"

# Unlock the keychain
security unlock-keychain -p "$MY_KEYCHAIN_PASSWORD" "$MY_KEYCHAIN"

# Import the certificate and private key. -T lists the tools that may use the key without a prompt;
# -A grants every application access and makes the -T entries redundant, so drop -A for the narrower grant
security import "$CERT" -k "$MY_KEYCHAIN" -P "$CERT_PASSWORD" -A -T "/usr/bin/codesign" -T "/usr/bin/productsign"

# Allow Apple's signing tools to use the private key from a non-interactive shell
security set-key-partition-list -S apple-tool:,apple: -s -k "$MY_KEYCHAIN_PASSWORD" -D "$IDENTITY_CERTIFICATE" -t private "$MY_KEYCHAIN"

# --- Script 2: run when signing is complete ---

# Delete the temporary keychain (this also removes it from the search list)
security delete-keychain "$MY_KEYCHAIN"

# Restore the login keychain as the only user keychain
security list-keychains -d user -s login.keychain
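The two scripts above folded into one wrapper, as an added example that is not the post's own code: it checks the required variables before touching the keychain, generates the keychain password per run instead of reading MY_KEYCHAIN_PASSWORD from the environment, imports the key with only the -T grants (no -A), confirms with `security find-identity` that the imported identity is actually usable, and registers the cleanup as an EXIT trap so a failed step cannot leave the temporary keychain behind. The variable names CERT, CERT_PASSWORD, IDENTITY_CERTIFICATE and MY_KEYCHAIN follow the post; the function names and the RUN_SIGNING switch are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): the post's setup and cleanup
# scripts as one wrapper that fails fast, uses a per-run keychain password,
# verifies the identity before signing and always deletes the keychain.
# CERT, CERT_PASSWORD, IDENTITY_CERTIFICATE, MY_KEYCHAIN follow the post;
# RUN_SIGNING and the function names are assumptions of this example.
set -eu

MY_KEYCHAIN="${MY_KEYCHAIN:-tmp-keychain}"

# Fail early with a readable message instead of letting `security` hang or
# print a cryptic error halfway through the job.
require_env() {
  for name in "$@"; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "missing required variable: $name" >&2
      return 1
    fi
  done
}

# The password only protects a keychain that lives for one job, so a fresh
# random value each run is simpler and safer than a fixed string in the config.
new_keychain_password() {
  head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Put the user search list back to just the login keychain.
reset_search_list() {
  security list-keychains -d user -s login.keychain
}

setup_keychain() {
  password="$1"
  reset_search_list
  security create-keychain -p "$password" "$MY_KEYCHAIN"
  # Unquoted on purpose: one argument per keychain path already in the list.
  security list-keychains -d user -s "$MY_KEYCHAIN" $(security list-keychains -d user | sed 's/"//g')
  security set-keychain-settings "$MY_KEYCHAIN"   # no relock timeout, no lock on sleep
  security unlock-keychain -p "$password" "$MY_KEYCHAIN"
  # Grant only codesign and productsign access to the key; -A (every
  # application) is deliberately left out.
  security import "$CERT" -k "$MY_KEYCHAIN" -P "$CERT_PASSWORD" \
    -T /usr/bin/codesign -T /usr/bin/productsign
  security set-key-partition-list -S apple-tool:,apple: -s -k "$password" \
    -D "$IDENTITY_CERTIFICATE" -t private "$MY_KEYCHAIN"
}

# Returns 0 only if a valid identity with the expected name is in the keychain,
# so the job stops here instead of hanging inside codesign/productsign later.
verify_identity() {
  security find-identity -v "$MY_KEYCHAIN" | grep -Fq "$IDENTITY_CERTIFICATE"
}

cleanup_keychain() {
  security delete-keychain "$MY_KEYCHAIN" || true
  reset_search_list || true
}

# Run the given command with the temporary keychain in place; cleanup always runs.
with_temp_keychain() {
  require_env CERT CERT_PASSWORD IDENTITY_CERTIFICATE
  password="$(new_keychain_password)"
  trap cleanup_keychain EXIT
  setup_keychain "$password"
  verify_identity || { echo "identity '$IDENTITY_CERTIFICATE' not found in $MY_KEYCHAIN" >&2; return 1; }
  "$@"
}

# Only run the signing step when the CI job asks for it explicitly.
if [ "${RUN_SIGNING:-0}" = "1" ]; then
  with_temp_keychain productsign --sign "$IDENTITY_CERTIFICATE" unsigned.pkg signed.pkg
fi
```

In a CI job you would source this file or run it with RUN_SIGNING=1 and the post's variables set as secrets; because the cleanup is an EXIT trap, a failing import or a missing identity still leaves the runner with only its login keychain.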

That's about it.

I work as a software developer with years of experience within the field of web, apps and server architecture.

Rasmus Styrk