Scenario:
I have a .pkg file that needs to be signed using TeamCity after our TeamCity build has completed.
Ideally this could be a build step or script that runs at the end. After research, I tried the following:
Script INPUT:
security import applicationkey.p12 -k login.keychain -P "password"
security import installerkey.p12 -k login.keychain -P "password"
security -v unlock-keychain -p "password" /Users/administrator/Library/Keychains/login.keychain
security -v unlock-keychain -u /Library/Keychains/System.keychain
productsign --keychain /Users/administrator/Library/Keychains/login.keychain --sign 'Developer ID Installer: Company LLC' CompanyInstaller.pkg CompanyInstallerSigned.pkg
pkgutil --check-signature CompanyInstallerSigned.pkg
OUTPUT:
unlock-keychain "-p" "mypassword" "/Users/administrator/Library/Keychains/login.keychain"
unlock-keychain "-u" "/Library/Keychains/System.keychain"
productsign: using timestamp authority for signature
productsign: signing product with identity "Developer ID Installer: Company LLC" from keychain /Users/administrator/Library/Keychains/login.keychain
productsign: adding certificate "Developer ID Certification Authority"
productsign: adding certificate "Apple Root CA"
2016-10-05 14:57:11.484 productsign[9385:29611120] SignData failed: CSSMERR_CSP_NO_USER_INTERACTION (-2147415840)
Error signing data.
productsign: error: Failed to sign the product.
QUESTION:
I've noticed many solutions to this mentioning to click the "Always Allow" from the dialog prompt the first time it appears in reference to the Keychain's Access Control, however my only known interaction with this build agent is through SSH. Is there a means to sign a .pkg using productsign on a TeamCity Mac build agent without GUI interaction with this "Always Allow" prompt? Or, is there a way to log in to the build agent and view a GUI so I could click on this "Always Allow" to enable this?
Note: I've also tried saving the (local signing machine) private key's Access Control to "Allow all applications to access this item", exported it, imported it to the build agent's login.keychain, then tried the above again, only to have the same output. When I do the same process on my MacBook Pro, everything works, however I do not recall if I did click "Always Allow" from long ago.
Any thoughts? Much appreciated.
We ran into this problem as well - we are using TeamCity to sign packages on a Mac build agent.
The first time we set up the build agent, we imported the certificate into the keychain and granted the 'always allow' permission; this seemed to work. At some point the build agent was rebooted and then signing packages no longer worked, whatever we tried with permission & trust settings. We kept getting the "SignData failed: CSSMERR_CSP_NO_USER_INTERACTION" error.
We fixed this (hopefully for good!) by moving the certificate into the 'System' keychain (it was previously in the 'login' keychain). We didn't need to change our call to productsign at all - it picked up the system keychain correctly. I imagine that if you had the certificate in both keychains then you would need to tell productsign which keychain to use (--keychain ...).
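As an added example (not code from the question or the answer above), here is a small build-step script that follows the answer's approach: the Developer ID Installer identity lives in the System keychain, is imported with `security import -T /usr/bin/productsign` so that tool may use the private key without a dialog, and `productsign` is told explicitly which keychain to use. It then verifies the result by parsing `pkgutil --check-signature` output. The file name `installerkey.p12`, the identity string and the sample `pkgutil` output are assumed or constructed for illustration; setting `DRY_RUN=1` prints the commands instead of running them, which lets the script be reviewed on a non-macOS host.

```shell
#!/bin/sh
# Added example for headless (SSH-only) package signing on a macOS build agent.
# Assumptions: the identity below is the one from the question, the .p12 file
# name is illustrative, and the one-time import is run with sudo.
# DRY_RUN=1 prints each command instead of executing it.

SYSTEM_KEYCHAIN="/Library/Keychains/System.keychain"
IDENTITY="Developer ID Installer: Company LLC"   # assumed, from the question

# Execute a command, or print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# One-time setup (run with sudo): import the identity into the System
# keychain and grant /usr/bin/productsign access to the private key (-T),
# so no "Always Allow" prompt is needed when signing over SSH.
# $1 = .p12 file, $2 = .p12 password (prefer passing it via an environment
# variable or a secure parameter so it does not appear in build logs).
import_identity() {
    run security import "$1" -k "$SYSTEM_KEYCHAIN" -P "$2" -T /usr/bin/productsign
}

# Sign $1 into $2, naming the keychain explicitly so productsign never has
# to search (the answer notes this matters if the cert is in both keychains).
sign_pkg() {
    run productsign --keychain "$SYSTEM_KEYCHAIN" --sign "$IDENTITY" "$1" "$2"
}

# Check pkgutil --check-signature output (passed as $1): the package must be
# reported as signed and the expected identity must appear in the chain.
signature_ok() {
    printf '%s\n' "$1" | grep -q 'Status: signed' || return 1
    printf '%s\n' "$1" | grep -Fq "$IDENTITY" || return 1
    return 0
}

# Verify a signed package on the agent after signing.
verify_pkg() {
    signature_ok "$(pkgutil --check-signature "$1")"
}

# Constructed sample outputs (not captured from a real run) used to exercise
# signature_ok without a macOS host.
SAMPLE_GOOD='Package "CompanyInstallerSigned.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Certificate Chain:
    1. Developer ID Installer: Company LLC (TEAMID0000)
    2. Developer ID Certification Authority
    3. Apple Root CA'
SAMPLE_BAD='Package "CompanyInstaller.pkg":
   Status: no signature'

# Usage as a TeamCity build step:
#   sh sign_pkg.sh CompanyInstaller.pkg CompanyInstallerSigned.pkg
if [ $# -eq 2 ]; then
    sign_pkg "$1" "$2" && verify_pkg "$2"
fi
```

Running `import_identity installerkey.p12 "$P12_PASSWORD"` once under sudo, then `sign_pkg` on every build, keeps the private key out of the agent's login keychain (which the answer found unreliable across reboots) and makes a failed verification fail the build step rather than shipping an unsigned package.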