Add codesign to private key ACL without Keychain

I'm trying to set up continuous builds/integration for a stable of iPhone apps.

I have:

• A开发者_JS百科 dedicated Mac Mini.
• A user account named "build"
• Hudson set up as a LaunchAgent for build, by dropping a plist in /Users/build/Library/LaunchAgents
  • Tried as a system-wide LaunchDaemon running as hudson, but then had no access to the build user's login keychain. Long story, full of heartache.
• The system set to automatically login "build" on startup, so that Hudson starts running.

The big problem is codesigning and the Keychain.

We create code on behalf of our clients' developer identities, so we have several developer identities and we will be adding more.

I want to put the Mini in a deep dark room and never look at it, but the first time you build with a developer identity, a GUI dialog pops up asking if you want to always allow codesign to access the developer identity.

Assuming you do, that dialog box modifies the keychain access control list (ACL) so that codesign is allowed.

You can view this by opening Keychain Access, expanding the certificate, selecting the private key, right-clicking, selecting Get Info, and then switching to the Access Control tab. A "virgin" key will only have Keychain Access in its "always allow" application list. One you have used and confirmed in the dialog box will have codesign as well.

This box provides a way to add an application, except you get the standard Finder file picker, which hides Unix folders. There's no way to navigate to /usr/bin/codesign. So it's impossible to add manually!

Does anyone know of a way around this?

I'm aware of one method using the -T switch of "security import" but then you must specify the ACL when you import the key in the first place, so any keys added in the Keychain GUI would have to be tossed and reimported. Not exactly very nice.

Normally the "cleansed" version of the file system that the Keychain's Get Info dialog presents to you won't allow you to access the hidden /usr/bin directory, but I found a way around this.

1. Get normal Finder windows to show all files. If you aren't aware of how to do this, check out this article.
2. In a normal Finder window, navigate to /usr/bin
3. Drag bin over to the Places area in the sidebar. Now bin is a shortcut you can access from anywhere.
4. From within the Keychain's Get Info -> Access Control pane, click the "+" button to open the find application dialog.
5. Click the bin that is now under the Places on this sidebar.
6. Navigate to and select codesign.
7. Click the Save Changes button.

Just registred to say THANK you very much, David Boike. Great workaround that helped me a lot. But there is a better way to do this.

Open File Dialog press 'Cmd' + 'Shift' + '.'

That combination should toggle visibility of hidden items on file system. If combination was not effective, try to change presentation mode to 'list' or 'grid' and try it again.

Thanks and good luck!

I found a solution by doing an applescript that "Clicks" the "Always Allow" button after having no luck with security or certtool for adding the ACL privileges.

#!/usr/bin/osascript
tell application "System Events"
  tell window 1 of process "SecurityAgent"
    click button "Always Allow" of group 1
  end tell
end tell

Ok this took me almost half a day to figure out but I now have it working. I was following this article.

The article shows adding the cert like this with the -A option but this didn't work for me.

security import "ADistribution.p12" -k appledev -f pkcs12 -A -P ""

This question mentioned the -T option which did work for me.

security import "Distribution.p12" -k appledev -f pkcs12 -P "" -T /usr/bin/codesign