Keychains | keychain wrapper that is so easy to use that your cat | Identity Management library

Short answer: use pkgutil --check-signature instead of codesign -dvv.

Long answer: flat packages use a somewhat different signing format than other things, and you need to use different tools to sign them & check the signatures. Specifically, use productsign instead of codesign to sign them, and pkgutil instead of codesign to check the signature.

When you use codesign -dvv on a package, it's looking for its format of signature, and indeed there isn't one there.

so I figured it out. If anyone has the same issue, the fix for this current problem is that you have to run a gradle task in the root directory of the project, before building the iOS part.

./gradlew generateDummyFramework

In my case with Jenkins I added sh './gradlew generateDummyFramework before the sh 'pod install' shell command in the Build stage. This fixed the issue in question.

The problem was caused from Cocoapods not being able to access the framework file, hence pod install can't configure the framework correctly. The reason for the build to fail on the first build but not on the second is because the framework file is generated when you run a build in XCode. After that Cocoapods can configure the file correctly.

If anyone has a different answer I'm eager to know about it!

After 3-weeks of messing around with keychains, rewriting our codesign scripts to directly call the Security.framework CoreFoundtion APIs, validating keychain dumps for correct trusted app and partition list settings and testing countless other theories, it is this simple, you can no longer have the WWDR Intermediates in any keychain other than the System.keychain. Once installed there, it magically works.

https://www.apple.com/certificateauthority/

This is a change made by Apple in newer versions of the keychain search mechanism and maybe related to the deprecation of the custom keychain APIs in the Security.framework.

Just look at all of the deprecated APIs. This effectively kills off custom keychains.

https://developer.apple.com/documentation/security/keychain_services/keychains?language=objc

As an aside to the solution, the next bit of pain is getting these certificates into the System.keychain. Apple has gone out of its way to make remote administration of dozens of machines as painful as possible.

I see that is_ci also ran. Does your match command look like this: match(.., readonly: is_ci, ...) and are you running the command on a CI service like Jenkins or some other one? If so, run it locally first, that will generate all the relevant certs and provisioning profiles needed. Then run it on your CI service again.

If you want to use a single developer and/or distribution certificate for multiple apps belonging to the same development team, you may use the same signing identities repository and branch to store the signing identities for your apps:

Matchfile example for both App #1 and #2:

It said, it lacks git_url, and username.

I've solved the issue by two things :

1- Should enable two factor authentication In github

2- In token setting it should to Select scopes to manage access In general So I checked ( repo, workflow and gist ).

Try using the option: -u

A user with "admin" privileges is still only a normal, non-root user, but one which is allowed to perform certain operations as root, for example under 'sudo' or the MacOS authorization prompts (which would enable certificate additions, but would require a user prompt and registration with the database at /var/db/auth.db). Authorizations can be popped up using AuthorizationExecuteWithPrivileges, with a good example being "security execute-with-privileges", which pops up the authentication and uses /usr/libexec/security_authtrampoline - a Setuid root binary.

You're right about writing to System being reserved for root only, and the situation becomes even more complication with System Integrity Protection (SIP), and with MacOS's move (in 10.15) to a read-only mounted root filesystem. The former (SIP) adds protections such that, without the proper com.apple.rootless.* entitlement you won't be able to modify files, even as root, and the latter (r/o mount) means that nothing (short of remounting, and/or holding system installer entitlement) won't enable you to write anything.

The "direct" approach you specify, of modifying the files in /Library/keychains will fail because note that the keychain file ownership is root's.

Adding certificates programmatically will require either root, or the com.apple.private.system-keychain entitlement (or one of its siblings - I forget which - see http://newosxbook.com/ent.jl?ent=com.apple.private.system-keychain&osVer=MacOS13 for a full list of entitlements).

Also note, that messing with the keychain could have some serious impact. This is where everything that is secret and holy to macOS - root certs, passwords, Apple ID, etc - is held. Beware. Once a root CA is installed, it can be trusted for all sorts of applications (including, to some extents, code signing, website proxying, and even more sinister uses). So there's a pretty good reason it's not given too just any user - since a batch operation without a prompt could surreptitiously inject such a CA, and open up avenues for malware.

References: "*OS Internals, Volume III", which deals with this in Chapter 11 and the authorizations in chapter 6. Website: newosxbook.com