I have a private key and certificate in the system keychain and I want to access it using codesign, so it needs to be unlocked.
If I try to unlock the login keychain using the script below, there is no problem:
security unlock-keychain -p password login.keychain
But if I use the same syntax for System.keychain then I get this error: security: SecKeychainUnlock The user name or passphrase you entered is not correct.
security unlock-keychain -p password /Library/Keychains/System.keychain
From this, what I can see is that there is no way to enter a username in the syntax.
My intention is to unlock the keychain while code-signing the build, so that I won't get a prompt like the one below. In the case of a code-signing event in Jenkins I'd get an error like "User Interaction is not allowed".
I know this problem can be solved by giving access to all apps in the keychain, but I intend to do it via the script itself.

Any help is appreciated !
Gathering data from various sources (1, 2 and 3), it seems that when unlocking the system keychain using the security unlock-keychain command, keychain typically doesn't require a passphrase or username. It relies on the system password instead.
That’s the reason why when you try to unlock the system keychain with a password using security unlock-keychain -p password /Library/Keychains/System.keychain, it fails because it's expecting a username-password combination, which isn't applicable in this context.
Therefore, to avoid this "User Interaction is not allowed" error message during code-signing events in Jenkins, you can grant the Jenkins user access to the private key and certificate in the system keychain, without requiring “manual intervention”.
Here is a step by step to achieve this through the UI, according to the references shared above:
1. Open the item's Get Info window.
2. In the Access Control tab, click on the + sign to add a new entry.
3. Pick jenkins and add it to the list.
4. Make sure the jenkins entry has the appropriate permissions (e.g.: "Allow all applications to access this item").
By granting Jenkins user access to the private key and certificate, you will ensure that Jenkins can access them without requiring manual intervention during code-signing events.
If you still prefer using a script to unlock the system keychain (as you commented), you can consider using the sudo command (cf references) in your script, to execute the security unlock-keychain command with elevated privileges.
Note: Always keep in mind the security implications of storing passwords / passphrases in scripts...
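The answer above leaves two options: running security unlock-keychain on System.keychain under sudo, or widening the key's ACL by hand. A lower-privilege pattern that CI jobs commonly use instead is a throwaway build keychain: the job creates it, imports the signing identity into it with codesign pre-authorised, unlocks it for the duration of the build, and deletes it afterwards, so neither System.keychain nor the login keychain is ever unlocked by the script. The script below is an added example and is not code from the question or the answer; the variable names KEYCHAIN_PASSWORD, P12_PASSWORD and SIGNING_P12 (the .p12 holding the identity) are assumptions, chosen so the secrets can be supplied by Jenkins credentials binding rather than written into the script.

```shell
#!/bin/bash
# Added example: a per-build keychain for codesign in a headless Jenkins job.
# Assumed inputs (not from the original post), all exported into the environment:
#   KEYCHAIN_PASSWORD  password for the temporary build keychain
#   P12_PASSWORD       passphrase of the .p12 that holds the signing identity
#   SIGNING_P12        path to that .p12 file
set -eu
set +x   # Jenkins shell steps default to -x; never trace lines that carry secrets.

# The build keychain lives in the job user's keychain directory (assumed path).
BUILD_KEYCHAIN="${BUILD_KEYCHAIN:-$HOME/Library/Keychains/build.keychain-db}"
LOGIN_KEYCHAIN="$HOME/Library/Keychains/login.keychain-db"

# Fail fast when a required secret is absent from the exported environment,
# reporting only the variable name, never its value.
require_secret() {
    name="$1"
    if [ -z "$(printenv "$name" 2>/dev/null)" ]; then
        echo "missing required environment variable: $name" >&2
        return 1
    fi
}

# Auto-lock timeout in seconds: long enough for one build, not indefinite.
keychain_timeout() {
    minutes="${1:-30}"
    echo $(( minutes * 60 ))
}

setup_build_keychain() {
    require_secret KEYCHAIN_PASSWORD
    require_secret P12_PASSWORD
    require_secret SIGNING_P12

    # A fresh keychain for this build; nothing from System.keychain is touched.
    security create-keychain -p "$KEYCHAIN_PASSWORD" "$BUILD_KEYCHAIN"
    # -l: lock on sleep, -u: lock after -t seconds of inactivity.
    security set-keychain-settings -lut "$(keychain_timeout 30)" "$BUILD_KEYCHAIN"
    security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$BUILD_KEYCHAIN"

    # Import the identity; -T restricts the private key's ACL to codesign only.
    security import "$SIGNING_P12" -k "$BUILD_KEYCHAIN" -P "$P12_PASSWORD" \
        -T /usr/bin/codesign
    # Pre-authorise Apple's signing tools so codesign does not raise the UI
    # prompt that surfaces as "User Interaction is not allowed" in Jenkins.
    security set-key-partition-list -S apple-tool:,apple: -s \
        -k "$KEYCHAIN_PASSWORD" "$BUILD_KEYCHAIN" >/dev/null

    # Put the build keychain first in the user search list so codesign finds it.
    security list-keychains -d user -s "$BUILD_KEYCHAIN" "$LOGIN_KEYCHAIN"
}

# Remove the keychain and the imported key once the build has finished.
teardown_build_keychain() {
    security delete-keychain "$BUILD_KEYCHAIN"
}

# Usage inside the job: "$0 setup", then codesign ..., then "$0 teardown".
case "${1:-}" in
    setup)    setup_build_keychain ;;
    teardown) teardown_build_keychain ;;
esac
```

The identity ends up in a keychain that only the build user can read, unlocked only for the lifetime of the build, and the private key's ACL names codesign alone instead of "all applications". Wire the three variables through the Jenkins credentials plugin (or the equivalent on another CI) so the password never sits in the job script or the console log; the set +x line matters for the same reason.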
#!/bin/bash
echo "Starting the ACS Transaction Data Generation Process..."

# Define function to check path existence
check_path() {
    if [ ! -e "$1" ]; then
        echo "Path does not exist: $1"
        exit 1
    fi
}

# Environment setup
if [ "${1:-}" = "local" ]; then
    JAVA_CMD="C:/Program Files/Java/jdk1.8.0_111/bin/java" # Adjust this path based on your local Java installation
    CONFIG_PATH="C:/apps_data_01/ppapi/regressionSuite/config" # Example path, change it to your actual path
    MCGETPW_JAR="C:/usr/local/share/jni/MCGetPW.jar" # Example path, change it to your actual path
    LIB_JARS=$(echo C:/apps_data_01/ppapi/regressionSuite/lib/*.jar | tr ' ' ':') # Example path, change it to your actual path
elif [ "${1:-}" = "perf" ]; then
    JAVA_CMD="/sys_apps_01/java/java-1.8.0-openjdk-1.8.0.111.x86_64/bin/java"
    CONFIG_PATH="/apps_data_01/ppapi/regressionSuite/config"
    MCGETPW_JAR="/usr/local/share/jni/MCGetPW.jar"
    LIB_JARS=$(echo /apps_data_01/ppapi/regressionSuite/lib/*.jar | tr ' ' ':')
else
    echo "Unknown environment. Usage: $0 <local|perf> <number_of_transactions>"
    exit 1
fi

# Check paths (JAVA_CMD may contain spaces, so it is always quoted)
check_path "$JAVA_CMD"
check_path "$CONFIG_PATH"
check_path "$MCGETPW_JAR"
for jar in $(echo "$LIB_JARS" | tr ':' ' '); do
    check_path "$jar"
done

# Read arguments: the transaction count must be present and a whole number
if [ -z "${2:-}" ]; then
    echo "Number of transactions not provided. Usage: $0 <local|perf> <number_of_transactions>"
    exit 1
fi
case "$2" in
    *[!0-9]*)
        echo "Number of transactions must be a positive integer, got: $2"
        exit 1
        ;;
esac
NUM_TRANSACTIONS=$2
ENVIRONMENT=$1

# Ensure classpath is correctly formed
CLASSPATH="$CONFIG_PATH:$MCGETPW_JAR:$LIB_JARS"
echo "Classpath set to: $CLASSPATH"

# Execute AcsTransactionDataGenerator
echo "Executing AcsTransactionDataGenerator with $NUM_TRANSACTIONS transactions in $ENVIRONMENT environment..."
"$JAVA_CMD" -cp "$CLASSPATH" com.mastercard.perftest.data.generator.AcsTransactionDataGenerator "$NUM_TRANSACTIONS" "$ENVIRONMENT"
STATUS=$?
if [ "$STATUS" -ne 0 ]; then
    echo "AcsTransactionDataGenerator failed with status $STATUS"
    exit "$STATUS"
else
    echo "AcsTransactionDataGenerator succeeded"
fi

# Execute AnotherGenerator (or any other second generator class you have)
echo "Executing AnotherGenerator with $NUM_TRANSACTIONS transactions in $ENVIRONMENT environment..."
"$JAVA_CMD" -cp "$CLASSPATH" com.mastercard.perftest.data.generator.AnotherGenerator "$NUM_TRANSACTIONS" "$ENVIRONMENT"
STATUS=$?
if [ "$STATUS" -ne 0 ]; then
    echo "AnotherGenerator failed with status $STATUS"
    exit "$STATUS"
else
    echo "AnotherGenerator succeeded"
fi

echo "Data generation process completed"