Keychain prompts for permission to use private key regardless of access control settings
| Field | Value | Field | Value |
|---|---|---|---|
| Originator: | tim | | |
| Number: | rdar://29251121 | Date Originated: | 14-Nov-2016 02:35 PM |
| Status: | Open | Resolved: | |
| Product: | macOS | Product Version: | 10.12 |
| Classification: | Serious Bug | Reproducible: | Always |
This is a duplicate of rdar://28524119

Summary:

Our build server uses the `security` command line tools to create a new keychain for each build. On Mac OS 10.11.x (and older), it could create a keychain, import the signing identity (specifying /usr/bin/codesign as an allowed application), and then use that identity to codesign an application without any UI interaction required. The same approach on macOS 10.12 results in a UI prompt: "codesign wants to access key "key name" in your keychain. Do you want to allow access to this item?" This prompt occurs even if the private key has its access control set to "Allow all applications to access this item".

Steps to Reproduce:

1. Execute the following commands in Terminal (requires a signing identity to be available to import):

```
security create-keychain -p test test
security unlock-keychain -p test test
security import identity.p12 -k test -P password -T /usr/bin/codesign
security list-keychains -s test
```

2. Use /usr/bin/codesign to sign an application.

Expected Results:

The system should not prompt for access to the key because codesign is already specified as an allowed application.

Actual Results:

The system will prompt you to allow codesign to access the key despite codesign already having access (see screenshot).

Version: macOS 10.12

Notes:

Configuration: