Keychain won't unlock from Jenkins script unless user logged in

I'm running a Jenkins CI server on an OS X machine. The server is running as a standard user 'john', and is started by running launchctl. One of the things this server does is build XCode projects using keys and certificates stored in a keychain 'xcode.keychain':

Jenkins (which is running under the user 'john' according to activity monitor) calls these commands from a script when the user presses a button on the web interface.

security default-keychain -s /Users/john/Library/Keychains/xcode.keychain
security unlock-keychain -p password /Users/john/Library/Keychains/xcode.keychain
xcodebuild ...

If I happen to be logged开发者_开发知识库 into the server as 'john' via the UI, the keychain gets unlocked properly when Jenkins calls those commands. But, if I'm not logged in, xcode.keychain doesn't get unlocked and the build fails. Any ideas?

I had to:

1. Right-click on the private key in my keychain that my build process was trying to use
2. Click "Get Info"
3. Then the "Access Control" tab.
4. You can add specific apps (like "codesign") to the list of apps that are allowed access to that key, or just allow access from all applications.

This cleared it up for me.

More info in these comments: https://stackoverflow.com/a/12235462/544130 https://stackoverflow.com/a/14761060/544130

Running Jenkins without launchd works. I used the following command:

sudo su jenkins -c "JENKINS_HOME=/Users/Shared/Jenkins/Home /Library/Application\ Support/Jenkins/jenkins-runner.sh"

I stumbled upon the exact same issue recently.

security list-keychains -s /Users/john/Library/Keychains/xcode.keychain probably will fix your problem. Let me know if it works.

Recently I found a solution to this over there: Missing certificates and keys in the keychain while using Jenkins/Hudson as Continuous Integration for iOS and Mac development

You could try Jenkins.app, an alternative way to run Jenkins. It runs Jenkins in a user session, so Keychain should not be a problem.