
productsign error: SignData failed: CSSMERR_CSP_NO_USER_INTERACTION

When signing an app from an ssh terminal session, I am getting the following error:

productsign[29321:707] SignData failed: CSSMERR_CSP_NO_USER_INTERACTION (-2147415840)

productsign was working until recently.

How do I get around this error?

Danny Schoemann asked Apr 29 '13 12:04


3 Answers

I solved it by accident - after combing the web for hours - while reproducing the steps when filing an incident report with Apple Support.

From the Mac (as opposed to from an ssh session) the same command generated a popup asking for permission to access the Keychain.

After choosing "Always Allow" the problem went away. Forever.

Danny Schoemann answered Sep 28 '22 06:09


Try to unlock the keychain from this terminal:

    security -v unlock-keychain -p "<Password>" "/Users/<UserName>/Library/Keychains/login.keychain"

lexa-b answered Sep 28 '22 06:09


Based on Danny Schoemann's answer and my own research, I found a complete solution for me:

  1. You really need to log in to your Mac using the GUI the first time and sign anything with the certificate that you need. Then you will get a request window with an available option "Always allow" to use this certificate (or something like that).

    • Important: if you need to use productsign with ssh or another console session (like Jenkins), your certificate must be installed into system scope, not into user scope.
  2. If you need to keep your certificate in user scope, you need to unlock your keychain every time in a console session when you need to sign something (as Alex wrote):

    security -v unlock-keychain -p "Password" "/Users/<UserName>/Library/Keychains/login.keychain"
    

    You may put it into your build script.

    The obvious downside of this solution: you need to store your password in some unencrypted script, which is insecure, so I prefer the first solution.

Youw answered Sep 28 '22 05:09
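
The unlock-then-sign step from the answers above, written as a build-script function that reads the keychain password from an environment variable (for example one injected by the CI server's secret store) instead of a literal in the script. This is an added example, not code from any of the answers; `KEYCHAIN_PASSWORD`, `KEYCHAIN_PATH`, `sign_pkg` and `diagnose_sign_output` are assumed names, and passing `--keychain` and re-locking the keychain afterwards are choices made here.

```shell
#!/bin/sh
# Added example: unlock the keychain, run productsign, lock it again.
# Assumed names: KEYCHAIN_PASSWORD, KEYCHAIN_PATH, sign_pkg, diagnose_sign_output.

KEYCHAIN_PATH="${KEYCHAIN_PATH:-$HOME/Library/Keychains/login.keychain}"

# Classify productsign output so the build log names the failure from this thread.
diagnose_sign_output() {
    case "$1" in
        *CSSMERR_CSP_NO_USER_INTERACTION*) echo "keychain-needs-interaction" ;;
        *) echo "other" ;;
    esac
}

# sign_pkg IDENTITY INPUT_PKG OUTPUT_PKG
# Returns 0 on success, 1 if signing failed, 2 if no password was supplied,
# 3 if the keychain could not be unlocked.
sign_pkg() {
    identity=$1 input=$2 output=$3
    if [ -z "${KEYCHAIN_PASSWORD:-}" ]; then
        echo "KEYCHAIN_PASSWORD is not set; supply it from the CI secret store" >&2
        return 2
    fi
    # Note: -p puts the password on the command line, so it is visible in the
    # process list while this command runs. Keep the build host single-purpose.
    security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" || return 3

    rc=0
    out=$(productsign --sign "$identity" --keychain "$KEYCHAIN_PATH" \
            "$input" "$output" 2>&1) || rc=$?

    # Lock again so the key is not left usable after the build step.
    security lock-keychain "$KEYCHAIN_PATH" || true

    if [ "$rc" -ne 0 ]; then
        printf '%s\n' "$out" >&2
        if [ "$(diagnose_sign_output "$out")" = "keychain-needs-interaction" ]; then
            echo "hint: the key still wants a GUI prompt; sign once from the" \
                 "desktop and choose Always Allow, or check the keychain scope" >&2
        fi
        return 1
    fi
    return 0
}

# Usage (identity string is a constructed placeholder):
# sign_pkg "Developer ID Installer: Example (TEAMID)" app.pkg app-signed.pkg
```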