security/Keychain Access does not honor Access Control

Originator: michael.thomas
Number: rdar://28397396    Date Originated: 09/20/2016
Status: Open    Resolved:
Product: macOS    Product Version: 10.12/16A322
Classification:    Reproducible:

Summary:
The `security` command line tool does not honor the `-T /usr/bin/codesign` or `-A` (insecure but had to try) parameters when adding a certificate/private key .p12 to a keychain via the command line. When `codesign` attempts to use that certificate the GUI prompt for password appears, which will then allow `codesign` to continue. When I attempt to set the ACL in Keychain Access for a private key, the same behavior occurs. While a nuisance at best on a local development machine, this has become a nightmare scenario for CI setups when new keys are added/updated.

Steps to Reproduce:
Requirements:
* a .p12 containing an iOS Development certificate & the private key used to generate that certificate.
* an example project to build (can be any of the sample Apple projects, as long as you use the previously mentioned certificate above).

1. In terminal run this command: `security import test.p12 -k ~/Library/Keychains/login.keychain-db -T /usr/bin/codesign -T /usr/bin/security`
2. Now run xcodebuild from the terminal - once it reaches the codesign command it will prompt you for your password.
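Added example, not part of the radar or of Apple's tooling: a CI-style keychain setup script that performs the import from step 1 and then runs `security set-key-partition-list`, which on 10.12 and later is the step that lets codesign use the key without a prompt; it goes beyond the report by including that partition step. The `SECURITY_BIN` hook and the `CI_*` variable names are assumptions.

```shell
#!/bin/sh
# Added example (not from the radar): CI-style signing keychain setup.
# It performs the import from step 1 and then grants the key partitions
# that codesign checks on 10.12+, so no GUI prompt is needed.
# Assumptions: SECURITY_BIN lets a test swap in a stand-in for
# /usr/bin/security; the CI_* environment variable names are made up.

SECURITY_BIN="${SECURITY_BIN:-security}"

# Partition IDs of Apple's own tools (codesign, security, Xcode).
PARTITIONS="apple-tool:,apple:"

# Usage: setup_signing_keychain <keychain> <keychain password> <p12> <p12 password>
setup_signing_keychain() {
    keychain="$1"; keychain_pw="$2"; p12="$3"; p12_pw="$4"

    "$SECURITY_BIN" create-keychain -p "$keychain_pw" "$keychain" || return 1
    # Keep the keychain unlocked for six hours so a long build cannot re-lock it.
    "$SECURITY_BIN" set-keychain-settings -lut 21600 "$keychain" || return 1
    "$SECURITY_BIN" unlock-keychain -p "$keychain_pw" "$keychain" || return 1
    # Step 1 of the report: -T whitelists codesign and security on the key's ACL.
    "$SECURITY_BIN" import "$p12" -k "$keychain" -P "$p12_pw" \
        -T /usr/bin/codesign -T /usr/bin/security || return 1
    # What -T alone does not do on 10.12: put the key in the partitions
    # that codesign consults, using the keychain password to authorize.
    "$SECURITY_BIN" set-key-partition-list -S "$PARTITIONS" -s \
        -k "$keychain_pw" "$keychain" >/dev/null || return 1
    # Add the new keychain to the user search list so codesign can find it.
    "$SECURITY_BIN" list-keychains -d user -s "$keychain" \
        "$HOME/Library/Keychains/login.keychain-db" || return 1
}

# Run directly when the CI job supplies the inputs; do nothing otherwise.
if [ -n "${CI_P12_PATH:-}" ]; then
    setup_signing_keychain "${CI_KEYCHAIN:-$HOME/Library/Keychains/ci.keychain-db}" \
        "$CI_KEYCHAIN_PASSWORD" "$CI_P12_PATH" "$CI_P12_PASSWORD"
fi
```

Afterwards `security find-identity -v -p codesigning <keychain>` should list the imported identity as valid, and xcodebuild's codesign step should complete without the dialog.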

Expected Results:
The password prompt should not appear as we're making Access Control exceptions for the private key.

Actual Results:
The password prompt appears when an "allowed" command attempts to use the private key.

Version:
10.12/16A322

Configuration:
Any hardware, macOS GM or greater
