Scenario:

I have a .pkg file that needs to be signed using TeamCity after our TeamCity build has completed.

Ideally this could be a build step or script that runs at the end. After research, I tried the following:

Script INPUT:

security import applicationkey.p12 -k login.keychain -P "password"

security import installerkey.p12 -k login.keychain -P "password"

security -v unlock-keychain -p "password" /Users/administrator/Library/Keychains/login.keychain

security -v unlock-keychain -u /Library/Keychains/System.keychain

productsign --keychain /Users/administrator/Library/Keychains/login.keychain --sign 'Developer ID Installer: Company LLC' CompanyInstaller.pkg CompanyInstallerSigned.pkg

pkgutil --check-signature CompanyInstallerSigned.pkg

OUTPUT:

unlock-keychain "-p" "mypassword" "/Users/administrator/Library/Keychains/login.keychain"

unlock-keychain "-u" "/Library/Keychains/System.keychain"

productsign: using timestamp authority for signature

productsign: signing product with identity "Developer ID Installer: Company LLC" from keychain /Users/administrator/Library/Keychains/login.keychain

productsign: adding certificate "Developer ID Certification Authority"

productsign: adding certificate "Apple Root CA"

2016-10-05 14:57:11.484 productsign[9385:29611120] SignData failed: CSSMERR_CSP_NO_USER_INTERACTION (-2147415840)

Error signing data.

productsign: error: Failed to sign the product.

QUESTION:

I've noticed many solutions to this mentioning to click "Always Allow" from the dialog prompt the first time it appears in reference to the Keychain's Access Control, however my only known interaction with this build agent is through SSH. Is there a means to sign a .pkg using productsign on a TeamCity Mac build agent without GUI interaction with this "Always Allow" prompt? Or, is there a way to log in to the build agent and view a GUI so I could click on this "Always Allow" to enable this?

Note: I've also tried saving the (local signing machine) private key's Access Control to "Allow all applications to access this item", exported it, imported it to the build agent's login.keychain, then tried the above again, only to have the same output. When I do the same process on my MacBook Pro, everything works, however I do not recall if I did click "Always Allow" long ago.

Any thoughts? Much appreciated.

Answer 1:

We ran into this problem as well - we are using TeamCity to sign packages on a Mac build agent.

The first time we set up the build agent, we imported the certificate into the keychain and granted the 'always allow' permission; this seemed to work. At some point the build agent was rebooted and then signing packages no longer worked, whatever we tried with permission & trust settings. We kept getting the SignData failed: CSSMERR_CSP_NO_USER_INTERACTION error.

We fixed this (hopefully for good!) by moving the certificate into the 'System' keychain (it was previously in the 'login' keychain). We didn't need to change our call to productsign at all - it picked up the system keychain correctly. I imagine that if you had the certificate in both keychains then you would need to tell productsign which keychain to use (--keychain ...).

Answer 2:

When you run productsign you are using the Developer ID Installer certificate, and this error generally suggests that it doesn't have access to the private key for signing.

To fix this, go to Keychain Access and:

Click on the little triangle arrow (>) in front of the "Developer ID Installer" certificate under the login keychain (or your appropriate keychain).
Double-click on the private key.
Click on the "Access Control" tab.
Select "Allow all applications to access this item".
Now try productsign from the command line again; it should work.
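The question is specifically about an agent reachable only over SSH, and both answers describe the GUI route (the "Always Allow" click, or moving the identity to the System keychain). The script below is an added example, not code from the question or either answer: it does over SSH what that click does, using the `security` tool's `-T` option on import (which records productsign in the key's access control list) and, on macOS 10.12 and later, `set-key-partition-list` (without which the prompt is still raised and fails non-interactively with exactly the CSSMERR_CSP_NO_USER_INTERACTION error shown in the question's output). The keychain name, the placeholder password, the environment-variable names and the `sign_pkg.sh` filename are assumptions; the identity string is the one from the question.

```bash
#!/bin/sh
# Added example, not code from the original question or answers.
# Headless counterpart of the "Always Allow" click for a Mac build agent that is
# reachable only over SSH.  Assumptions (not from the page): macOS 10.12 or
# later, the .p12 and keychain passwords are injected as environment variables
# (e.g. from TeamCity parameters), and the identity name matches the question's.
set -u

KEYCHAIN="${KEYCHAIN:-login.keychain}"        # 'security' resolves this under ~/Library/Keychains
KEYCHAIN_PASS="${KEYCHAIN_PASS:-changeme}"    # placeholder; supply the real one from the build
P12_PASS="${P12_PASS:-changeme}"              # placeholder; password of the .p12 being imported
IDENTITY="${IDENTITY:-Developer ID Installer: Company LLC}"

# Constructed sample: the failing productsign output quoted in the question,
# used by diagnose() to self-check without needing macOS.
SAMPLE_FAILURE='productsign: signing product with identity "Developer ID Installer: Company LLC" from keychain /Users/administrator/Library/Keychains/login.keychain
2016-10-05 14:57:11.484 productsign[9385:29611120] SignData failed: CSSMERR_CSP_NO_USER_INTERACTION (-2147415840)
Error signing data.
productsign: error: Failed to sign the product.'

# Import a .p12 and, with -T, record productsign (and codesign) in the key's
# access control list.  That ACL entry is what the GUI writes on "Always Allow".
import_identity() {
    security import "$1" -k "$KEYCHAIN" -P "$P12_PASS" \
        -T /usr/bin/productsign -T /usr/bin/codesign
}

# Since macOS 10.12 the ACL alone is not enough: keys also carry a partition
# list, and the apple-tool:/apple: partitions must be granted or the dialog is
# still raised, which over SSH surfaces as CSSMERR_CSP_NO_USER_INTERACTION.
grant_partition_access() {
    security set-key-partition-list -S apple-tool:,apple: -s \
        -k "$KEYCHAIN_PASS" "$KEYCHAIN" >/dev/null
}

# Unlock for this session and stop the keychain auto-locking mid-build
# (set-keychain-settings with no -l/-t removes both lock triggers).
unlock_keychain() {
    security unlock-keychain -p "$KEYCHAIN_PASS" "$KEYCHAIN"
    security set-keychain-settings "$KEYCHAIN"
}

# Classify productsign output so the build log says what to fix instead of just
# failing.  Pure string matching; the error-code check comes first because the
# failing output also contains the ordinary "signing product" progress line.
diagnose() {
    case "$1" in
        *CSSMERR_CSP_NO_USER_INTERACTION*) echo "acl-blocked" ;;  # key needs a GUI prompt
        *"error:"*)                        echo "failed" ;;       # some other productsign error
        *)                                 echo "signed" ;;
    esac
    return 0
}

sign_pkg() {
    in_pkg="$1"; out_pkg="$2"
    out="$(productsign --keychain "$KEYCHAIN" --sign "$IDENTITY" "$in_pkg" "$out_pkg" 2>&1)" || true
    printf '%s\n' "$out"
    case "$(diagnose "$out")" in
        signed)      pkgutil --check-signature "$out_pkg" ;;
        acl-blocked) echo "key ACL blocks non-interactive use: run grant_partition_access" \
                          "or re-import with -T, then retry" >&2; return 1 ;;
        *)           return 1 ;;
    esac
}

# Usage on the agent (assumed filename):
#   KEYCHAIN_PASS=... P12_PASS=... sh sign_pkg.sh installerkey.p12 CompanyInstaller.pkg CompanyInstallerSigned.pkg
if [ "$#" -eq 3 ]; then
    import_identity "$1"
    grant_partition_access
    unlock_keychain
    sign_pkg "$2" "$3"
fi
```

`import_identity` and `grant_partition_access` only need to run once per key; the per-build step is `unlock_keychain` followed by `sign_pkg`. If the identity lives in the System keychain instead (Answer 1), set `KEYCHAIN=/Library/Keychains/System.keychain` and the same `-T` and partition-list handling applies.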