gon

Avoiding password prompts

Open neilpa opened this issue 5 years ago • 5 comments

First off, thanks for this tool. Much better than the signing/notarizing scripts I've been hacking on.

In that work, I may have stumbled on an approach that solves the prompt issue with some clues from this SO post. Specifically, creating a temp keychain, importing the signing identities into that, and then referencing the temp keychain when invoking codesign, productbuild, etc. Something like:

security create-keychain -p insecure ci-keys
security set-keychain-settings ci-keys # no -l/-t options: remove the auto-lock timeout
security unlock-keychain -p insecure ci-keys
# -P "$PASSWORD" if the identity files are password protected
# -A lets any application use the key without a prompt; -T limits that to the listed tools
security import dev-id-app.p12 -k ci-keys -P "" -A # or -T /usr/bin/codesign
security import dev-id-pkg.p12 -k ci-keys -P "" -A # or -T /usr/bin/productbuild -T /usr/bin/productsign
# DEV_ID_APP_SHA1 / DEV_ID_PKG_SHA1 hold the SHA-1 hashes of the two identities
codesign -s "$DEV_ID_APP_SHA1" --keychain ci-keys ...
productbuild --sign "$DEV_ID_PKG_SHA1" --keychain ci-keys ...

One thing to note: I had to import the original .cer file (from the web download) into the keychain via Finder and re-export it as a .p12. When I tried security import dev-id-app.cer, it didn't import as an "identity", which the .p12 version does.

I also haven't verified on a fresh OS yet and have previously clicked "Always Allow" for the default keychain. There are notes in the man pages about embedding intermediate certs when signing that could be looked up in the standard keychain which may be problematic still. Although, I suspect those could be added to the temp keychain if needed as well.

neilpa, Mar 05 '20 16:03

This is interesting. It'd definitely be worth investigating for sure. I don't have time right now to look into this but I'd be down to have this built-in. I think we should clean up the keychain of course too (especially in cases of errors).

mitchellh, Mar 06 '20 18:03

I finally got around to experimenting with this again. Unfortunately, I've yet to make it work without at least one password prompt. The codesign calls work fine with the one-off keychain. However, both productbuild --sign ... and productsign result in a prompt, and I've tried a lot of various ways to ensure everything is "unlocked". Same for the login keychain: whenever you re-import a new identity there's at least one prompt.

I do have an alternative approach to signing distribution .pkg files based on xar and openssl. It's definitely more CI friendly, but I'm not sure how you feel about new dependencies vs. the stock macOS tools. It may also be feasible to implement directly in Go using the stdlib crypto primitives, but I haven't looked into that yet.

neilpa, Apr 23 '20 19:04

Actually, I don't think the alternatives to productbuild work any longer due to the need for the "secure timestamp".

neilpa, Apr 23 '20 20:04

After even more trial and error, I've figured out something that works with productbuild: use an explicit file path for all keychain references instead of a shorthand name, e.g. s/ci-keys/~\/ci.keychain-db.

neilpa, Apr 23 '20 20:04

This is related to #39. Have a look there for a possible solution.

davidnewhall, Jul 20 '22 04:07