Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Add codesign to private key ACL without Keychain

I'm trying to set up continuous builds/integration for a stable of iPhone apps.

I have:

  • A dedicated Mac Mini.
  • A user account named "build"
  • Hudson set up as a LaunchAgent for build, by dropping a plist in /Users/build/Library/LaunchAgents
    • Tried as a system-wide LaunchDaemon running as hudson, but then had no access to the build user's login keychain. Long story, full of heartache.
  • The system set to automatically login "build" on startup, so that Hudson starts running.

The big problem is codesigning and the Keychain.

We create code on behalf of our clients' developer identities, so we have several developer identities and we will be adding more.

I want to put the Mini in a deep dark room and never look at it, but the first time you build with a developer identity, a GUI dialog pops up asking if you want to always allow codesign to access the developer identity.

Assuming you do, that dialog box modifies the keychain access control list (ACL) so that codesign is allowed.

You can view this by opening Keychain Access, expanding the certificate, selecting the private key, right-clicking, selecting Get Info, and then switching to the Access Control tab. A "virgin" key will only have Keychain Access in its "always allow" application list. One you have used and confirmed in the dialog box will have codesign as well.

This box provides a way to add an application, except you get the standard Finder file picker, which hides Unix folders. There's no way to navigate to /usr/bin/codesign. So it's impossible to add manually!

Does anyone know of a way around this?

I'm aware of one method using the -T switch of "security import" but then you must specify the ACL when you import the key in the first place, so any keys added in the Keychain GUI would have to be tossed and reimported. Not exactly very nice.

like image 811
David Boike Avatar asked Jan 21 '11 22:01

David Boike


2 Answers

Normally the "cleansed" version of the file system that the Keychain's Get Info dialog presents to you won't allow you to access the hidden /usr/bin directory, but I found a way around this.

  1. Get normal Finder windows to show all files. If you aren't aware of how to do this, check out this article.
  2. In a normal Finder window, navigate to /usr/bin
  3. Drag bin over to the Places area in the sidebar. Now bin is a shortcut you can access from anywhere.
  4. From within the Keychain's Get Info -> Access Control pane, click the "+" button to open the find application dialog.
  5. Click the bin that is now under the Places on this sidebar.
  6. Navigate to and select codesign.
  7. Click the Save Changes button.
like image 189
David Boike Avatar answered Nov 05 '22 18:11

David Boike


Just registred to say THANK you very much, David Boike. Great workaround that helped me a lot. But there is a better way to do this.

Open File Dialog press 'Cmd' + 'Shift' + '.'

That combination should toggle visibility of hidden items on file system. If combination was not effective, try to change presentation mode to 'list' or 'grid' and try it again.

Thanks and good luck!

like image 6
Paul Bar. Avatar answered Nov 05 '22 19:11

Paul Bar.