Dear Apple folks,
We are trying to establish command-line-based codesigning for a second user account on a machine where it already works for another user account.
User A is able to run the codesign tool like this:
/usr/bin/codesign --verbose \
--timestamp \
-o runtime \
--entitlements $BASEDIR/entitlements.plist \
--sign "Developer ID Application: OUR COMPANY" \
OUR_APP.app
With keychain, user A sees the following objects within the system area:
- A private key of OUR COMPANY
- The Developer ID Application certificate for OUR COMPANY
User A can run security find-identity -p codesigning and gets an output with 1 matching and 1 valid identity.
This is fine so far. Not so user B.
With keychain, user B sees the same objects within the system area as user A on this same machine.
But security find-identity lists 0 identities and codesign tells user B
"The specified item could not be found in the keychain".
So: although the items are visible in keychain, somehow, the identity is not accessible for user B.
At this point we lack an understanding of how this is supposed to work. Can 2 users on one machine share one digital identity for codesigning? Or does user B need a second identity?
We have then executed the steps in thread https://developer.apple.com/forums/thread/660871, meaning:
- we exported the digital identity, consisting of
  - the private key and
  - the Developer ID Application certificate,
  with user A to a p12 file using Keychain Access.
- we imported this p12 file with user B via the command
  security import IDENTITY_FILE.p12
After this, still the same behaviour: no identities listed from security find-identity -p codesigning, and codesign still throws "The specified item could not be found in the keychain".
Any ideas?
Got it.
This has been a keychain misconfiguration issue.
User A's digital identity was spread over different keychains:
- The certificate was located in the system keychain.
- The related private key was located in the login keychain.
That's why Keychain Access did not show any digital identity under 'My Certificates'. codesign, however, was able to use these scattered items.
Additionally, other unrelated private keys were located in the system keychain. This led me to export a digital ID with an invalid combination of key and certificate. This digital ID did not work for codesigning with user B.
Exporting the digital ID of user A with a valid combination of private key and certificate and importing this for user B has solved the problem.
By the way, the following article has been very enlightening: Certificate Signing Requests Explained: https://developer.apple.com/forums/thread/699268
Thanks!
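The root cause in the answer above was a private key paired with the wrong certificate. The following script is an added example (not code from this thread) that checks whether a private key and a certificate actually belong together by comparing the SHA-256 fingerprint of their SubjectPublicKeyInfo; it assumes openssl is on PATH, and the key pairs, the certificate and the subject name are constructed here for the demonstration. The same two functions can be pointed at the PEM files extracted from an exported p12 (openssl pkcs12 -nocerts / -nokeys) before importing it for the second user.

```shell
#!/bin/sh
# Added example: verify that a private key and a certificate form a valid pair.
# Assumes openssl on PATH. All key material below is constructed for the demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed material: key A with a self-signed certificate, plus an unrelated
# key B (the "other unrelated private keys" situation from the answer above).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$WORK/keyA.pem" 2>/dev/null
openssl req -new -x509 -key "$WORK/keyA.pem" -days 1 \
  -subj "/CN=Developer ID Application: EXAMPLE CO (constructed)" \
  -out "$WORK/certA.pem" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$WORK/keyB.pem" 2>/dev/null

# SHA-256 over the DER SubjectPublicKeyInfo embedded in a certificate
cert_spki() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 over the DER SubjectPublicKeyInfo derived from a private key
key_spki() {
  openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit status 0 when key ($1) and certificate ($2) belong together, 1 otherwise
key_matches_cert() {
  [ "$(key_spki "$1")" = "$(cert_spki "$2")" ]
}

if key_matches_cert "$WORK/keyA.pem" "$WORK/certA.pem"; then
  echo "keyA + certA: matching pair, usable as one codesigning identity"
fi
if ! key_matches_cert "$WORK/keyB.pem" "$WORK/certA.pem"; then
  echo "keyB + certA: mismatch, exporting these together yields an unusable identity"
fi
```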