Keychain prompts for permission to use private key regardless of access control settings

Originator:dpfeiffer%gowithfloat.com
Number:rdar://28524119 Date Originated:9/28
Status:Open Resolved:
Product:macOS Product Version:10.12
Classification:Bug Reproducible:Always
 
Summary:
Our build server uses the security command-line tool to create a new keychain for each build. On Mac OS 10.11.x (and older), it could create a keychain, import the signing identity (specifying /usr/bin/codesign as an allowed application), and then use that identity to codesign an application without any UI interaction required.

The same approach on macOS 10.12 results in a UI prompt:
codesign wants to access key "key name" in your keychain. Do you want to allow access to this item?

This prompt occurs even if the private key has its access control set to "Allow all applications to access this item".

Steps to Reproduce:
1. Execute the following commands in Terminal (requires a signing identity to be available to import)
security create-keychain -p test test
security unlock-keychain -p test test
security import identity.p12 -k test -P password -T /usr/bin/codesign
security list-keychains -s test

2. Use /usr/bin/codesign to sign an application.

Expected Results:
The system should not prompt for access to the key because codesign is already specified as an allowed application.

Actual Results:
The system will prompt you to allow codesign to access the key despite codesign already having access (see screenshot).

Version:
macOS 10.12

Notes:


Configuration:

Comments

Please bear in mind that this command line tool works like list-keychains's way of modification. If you execute set-key-partition-list with apple it will overwrite all partitionIDs in the certificates. It won't validate the values passed. What I saw was that the keychain imported by "security import" had another partition named "apple-tool:". I don't know what this is for, but I'd personally keep it there.

In order to make the stated command work you have to append ":" to the "apple" partitionID. By knowing those little caveats you will get to the following command "security set-key-partition-list -S apple-tool:,apple: -k keychainPass keychainName" and it will make things work correctly for you.

Thanks for the detailed follow-up, Ilian. Confirmed this is working. I'm following up with ADR asking for documentation for the change.

By dpfeiffer%gowithfloat.com at Oct. 18, 2016, 7:18 p.m. (reply...)
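The repro steps from the report combined with the set-key-partition-list workaround from the comments, as an added example script (not code from the radar or from Apple); the keychain name, the openssl-generated password, the function names and the one-hour auto-lock timeout are assumptions for the example:

```shell
#!/bin/sh
# Added example (not code from the radar): a throw-away build keychain whose
# imported identity /usr/bin/codesign can use without a UI prompt on 10.12+.
# Assumed inputs: a PKCS#12 file, its password, the identity name, a bundle.

KEYCHAIN="build.keychain"   # assumed name; deleted again on exit, see cleanup()

# Fail with status 2 when the macOS tools are missing, so a CI job errors
# out instead of hanging on a dialog nobody can click.
require_tools() {
    command -v security >/dev/null 2>&1 || return 2
    command -v codesign >/dev/null 2>&1 || return 2
}

# Step 1: fresh keychain, unlocked, auto-lock pushed out to an hour, prepended
# to the user search list instead of replacing it (list-keychains -s overwrites).
create_build_keychain() {   # $1 = keychain password
    security create-keychain -p "$1" "$KEYCHAIN"
    security unlock-keychain -p "$1" "$KEYCHAIN"
    security set-keychain-settings -u -t 3600 "$KEYCHAIN"
    security list-keychains -d user -s "$KEYCHAIN" \
        $(security list-keychains -d user | tr -d '"')
}

# Step 2: import the identity granting access only to codesign (-T), never to
# every application (-A). Sierra also needs the partition list; -S replaces the
# whole list, so both partitions from the comments are named, and -s limits it
# to signing keys.
import_identity() {   # $1 = keychain password, $2 = p12 file, $3 = p12 password
    security import "$2" -k "$KEYCHAIN" -P "$3" -T /usr/bin/codesign
    security set-key-partition-list -S apple-tool:,apple: -s -k "$1" "$KEYCHAIN"
}

# Step 3: sign against this keychain explicitly and verify the result.
sign_bundle() {   # $1 = identity name, $2 = bundle path
    codesign --force --sign "$1" --keychain "$KEYCHAIN" "$2"
    codesign --verify --verbose "$2"
}

cleanup() { security delete-keychain "$KEYCHAIN" 2>/dev/null; }

main() {   # $1 = p12 file, $2 = p12 password, $3 = identity name, $4 = bundle
    require_tools || return $?
    pass=$(openssl rand -hex 16)   # random, kept in memory only
    trap cleanup EXIT
    create_build_keychain "$pass"
    import_identity "$pass" "$1" "$2"
    sign_bundle "$3" "$4"
}
if [ $# -eq 4 ]; then main "$@"; fi
```

If the prompt still appears, dump the key's ACL with the security tool and check that the partition list was not replaced by a later command, since -S does not merge with the existing entries.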

Apple Developer Relations

This is new behavior in Sierra. You need to use "security set-key-partition-list -S apple -k " after importing the item and before attempting to use it via codesign.

(Haven't had a chance to verify yet.)

By dpfeiffer%gowithfloat.com at Oct. 12, 2016, 4:05 a.m. (reply...)
