Unable to unlock login keychain on sierra in ssh

I have a script which remotes ssh into a Mac. The original script, which worked on El Capitan, would unlock the keychain with this:

security unlock-keychain -p mypassword

The above command gives on error on Sierra so I updated it to this:

security unlock-keychain -p mypassword ~/Library/Keychains/login.keychain

The command above appears to work but then when I list keychains, the login keychain still isn’t there and my script fails trying to sign my code because it can’t get to the certificates.

(~)$ security list-keychains
"/Library/Keychains/System.keychain"
"/Library/Keychains/System.keychain"

This all works perfectly in a terminal window on the host but I need it to work remotely in SSH.

Thank you for any help or suggestions.

Update October 10, 2016: I changed the ssh authentication from password to rsa key and it started working. After I could access the login keychain, I started getting an error in the ssh shell: SecKey API returned: -25308 from codesign. This turned out to be a permissions error. When I tried it on the host in a terminal, a dialog from the keychain popped up asking me to allow access.

Answer

Your login keychain doesn’t appear to be in the search list, i.e. when you checked it, it just shows the System keychain twice. No login keychain:

(~)$ security list-keychains
"/Library/Keychains/System.keychain"
"/Library/Keychains/System.keychain"
(~)$ security list-keychains -d user -s login.keychain
(~)$ security list-keychains
"/Users/USERNAME/Library/Keychains/login.keychain-db"
"/Library/Keychains/System.keychain"

You can use the security command to lookup the -25308 error code.
In this case, it says “User interaction not allowed”.
This is typical if you’re trying to sign your app via SSH (or via Jenkins).

security error -25308
Error: 0xFFFF9D24 -25308 User interaction is not allowed.

You need to do a security command to enable codesigning of your application through a non interactive shell:

security set-key-partition-list -S apple: -k <Password> -D <Identity> -t private <your.keychain>

Here is a “complete” Jenkins / SSH friendly script to signing your app:

MY_KEYCHAIN="temp.keychain"
MY_KEYCHAIN_PASSWORD="secret"
CERT="certificate.p12"
CERT_PASSWORD="certificate secret"

security create-keychain -p "$MY_KEYCHAIN_PASSWORD" "$MY_KEYCHAIN" # Create temp keychain
security list-keychains -d user -s "$MY_KEYCHAIN" $(security list-keychains -d user | sed s/\"//g) # Append temp keychain to the user domain
security set-keychain-settings "$MY_KEYCHAIN" # Remove relock timeout
security unlock-keychain -p "$MY_KEYCHAIN_PASSWORD" "$MY_KEYCHAIN" # Unlock keychain
security import $CERT -k "$MY_KEYCHAIN" -P "$CERT_PASSWORD" -T "/usr/bin/codesign" # Add certificate to keychain
CERT_IDENTITY=$(security find-identity -v -p codesigning "$MY_KEYCHAIN" | head -1 | grep '"' | sed -e 's/[^"]*"//' -e 's/".*//') # Programmatically derive the identity
CERT_UUID=$(security find-identity -v -p codesigning "$MY_KEYCHAIN" | head -1 | grep '"' | awk '{print $2}') # Handy to have UUID (just in case)
security set-key-partition-list -S apple-tool:,apple: -s -k $MY_KEYCHAIN_PASSWORD -D "$CERT_IDENTITY" -t private $MY_KEYCHAIN # Enable codesigning from a non user interactive shell
### INSERT BUILD COMMANDS HERE ###
security delete-keychain "$MY_KEYCHAIN" # Delete temporary keychain

Shout out to Bochun Bai for spending 3 weeks with Apple support to finding the solution to the -25308 issue and posting it to https://sinofool.net/blog/archives/322

Attribution
Source : Link , Question Author : mw2785 , Answer Author : Stephen Quan

Leave a Comment