
How do I add authorizations to code sign an app from new keychain without any human interaction

I'm trying to automate the process of building iphone apps with a particular certificate. So imagine if different users uploaded their cert into the system and it was immediately available to code sign against. I want to do this without any interaction. I also don't want to clutter up the system or logon keychain with different user certificates. To this end I have:

  • turned off the requirement in Xcode to require code signing for a build.
  • developed a ruby script to build an application via the xcodebuild command line tool
  • created a script to automatically create a new keychain for a user of my system
  • written a script to code sign a built iphone app.

Everything works, but I need to manually hit enter when the codesign program tries to exercise the sign permission. My keychains are all unlocked. Oddly enough, it works if I make the keychain the default keychain, but that isn't scalable, i.e. I could only have one build process going at any given time.

When I manually click always allow for that process, I get an entry in my keychain dump that looks like this:

entry 1:
    authorizations (6): decrypt derive export_clear export_wrapped mac sign
    don't-require-password
    description: privateKey
    applications (2):
        0: /usr/bin/codesign (OK)

So I'm thinking that I need to use the authorize command in security to pre-authorize codesign for those permissions. The security man page is pretty poor. I can't seem to get it to work using commands like this:

security -v authorize -uew sign | /usr/bin/codesign [code sign vars pointing to app and a specific keychain]

Does anyone have any ideas?

cmos asked Oct 05 '10 14:10


1 Answer

If you import your certificate into your keychain with a -A it will allow access to all programs trying to request that cert. This isn't very secure but works. You can also use -T to limit it to a particular app. Look up the import param found in man security.

cmos answered Sep 21 '22 12:09
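
The `-T` variant from the answer, as an added example that is not part of the original posts: one throwaway keychain per build, with the imported key's access list limited to codesign, deleted again after signing. The function name, the keychain path, and the `KEYCHAIN_PW` / `P12_PW` environment variables are assumptions made for illustration.

```shell
#!/bin/bash
# Added example (not from the original thread). Names, paths and the
# KEYCHAIN_PW / P12_PW environment variables are assumptions.
SECURITY=${SECURITY:-/usr/bin/security}
CODESIGN=${CODESIGN:-/usr/bin/codesign}

# Usage: sign_with_private_keychain <user> <p12 file> <identity> <app path>
sign_with_private_keychain() {
    local user="$1" p12="$2" identity="$3" app="$4"
    local kc="$HOME/Library/Keychains/build-$user.keychain"
    local rc=0

    # Passwords passed with -p/-P are visible in the process list while
    # security runs, so the keychain is kept short-lived and per build.
    "$SECURITY" create-keychain -p "$KEYCHAIN_PW" "$kc" || return 1
    {
        "$SECURITY" unlock-keychain -p "$KEYCHAIN_PW" "$kc" &&
        # -T puts only codesign on the key's access list (the "applications"
        # entry in the keychain dump); -A would allow every program instead.
        "$SECURITY" import "$p12" -k "$kc" -P "$P12_PW" -T "$CODESIGN" &&
        # --keychain restricts the identity lookup to this keychain, so the
        # default keychain is never changed and builds can run in parallel.
        "$CODESIGN" -f -s "$identity" --keychain "$kc" "$app"
    } || rc=1

    # Delete the keychain even when a step failed, so no key is left behind.
    "$SECURITY" delete-keychain "$kc" || rc=1
    return $rc
}
```

On macOS 10.12 and later, `-T` alone no longer suppresses the prompt; running `security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PW" "$kc"` after the import is also needed.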