security / codesign in Sierra: Keychain ignores access control settings and UI-prompts for permission

Problem description

Starting with macOS Sierra, I can't import a codesign-identity into a keychain with /usr/bin/security any more without /usr/bin/codesign UI-prompting for access when using this identity. This breaks the packaging scripts of the build server. There seems to be no workaround. This affects custom created keychains, but also the login.keychain.

Steps to Reproduce: Execute the following commands in Terminal (requires a signing identity to be available to import):

security create-keychain -p test buildagent.keychain
security unlock-keychain -p test buildagent.keychain

security list-keychains -d user -s buildagent.keychain
security default-keychain -s buildagent.keychain

security import identity.p12 -k buildagent.keychain -P password -T /usr/bin/codesign

codesign -vfs "$IDENTITY" "${PRODUCT}" --keychain 'buildagent.keychain'

Result: macOS shows a UI-prompt asking for permission to access the previously imported private key.

I have tried many workarounds, but nothing seems to work:

  • Using the new .keychain-db extension when specifying the keychain name
  • Using login.keychain instead of a custom one
  • Importing the p12 with -A ('Allow any application to access the imported key')
  • Importing the certificate and the key separately (extracted beforehand from the p12 using openssl pkcs12)

Importing the identity definitely works, I can see the cert and key when displaying the contents of the keychain in the Keychain Access application. The access control setting for the private key is also correctly configured (with the desired codesign exception rule).

How can I avoid the UI prompt from Sierra?

Recommended answer

The command you need is the following:

security set-key-partition-list -S apple-tool:,apple: -s -k keychainPass keychainName

Please keep in mind that this command line tool works the same way list-keychains does when modifying its list. If you execute set-key-partition-list with a single value it will overwrite all partitionIDs in the certificates. It won't validate the values passed.

What this command does is set the PartitionIDs (the items after -S, separated by commas) for keys that can sign (-s) in a specific keychain. The actual partitionID that allows codesigning is apple:.

I am not aware of what apple-tool: is doing as it is not documented, but it was there after importing the key with security import, so I'm keeping it in order to avoid breaking people who copy-paste the command.

This change was introduced with Mac OS Sierra and is not documented (or at least I could not find documentation). As of Oct 16 the man page for security still doesn't list this command.

For more information you can refer to this bug report - http://www.openradar.me/28524119
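As an added example (not code from the question or the answer), the whole build-agent keychain setup as one non-interactive script, with the set-key-partition-list step from the answer placed after the import and -T used instead of -A so only codesign may use the key. The IDENTITY_P12, P12_PASSWORD and KEYCHAIN_PASSWORD environment variables and the DRY_RUN switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original question or answer: non-interactive
# code-signing keychain setup for a build agent on macOS Sierra or later.
# Assumed environment: IDENTITY_P12 (path), P12_PASSWORD, KEYCHAIN_PASSWORD.
# DRY_RUN=1 prints each command instead of running it (for review off-macOS).
set -eu

run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

setup_signing_keychain() {
  kc="$1"
  # Passwords come from the environment, not from the script body.
  run security create-keychain -p "$KEYCHAIN_PASSWORD" "$kc"
  # Auto-lock after an hour rather than leaving the keychain open indefinitely.
  run security set-keychain-settings -t 3600 -u "$kc"
  run security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$kc"
  # list-keychains -s replaces the whole search list, so keep what is there.
  existing=""
  [ "${DRY_RUN:-0}" = "1" ] || existing=$(security list-keychains -d user | tr -d '"' | tr '\n' ' ')
  # Word splitting on $existing is intended: one argument per keychain path.
  run security list-keychains -d user -s "$kc" $existing
  # Restrict the private key to codesign (-T); -A would allow any application.
  run security import "$IDENTITY_P12" -k "$kc" -P "$P12_PASSWORD" -T /usr/bin/codesign
  # Sierra and later: without this, codesign triggers the UI prompt despite -T.
  # Note: -k puts the keychain password on the command line (visible in ps).
  run security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$kc"
  # Fail the job early if no valid signing identity is visible in the keychain.
  run security find-identity -v -p codesigning "$kc"
}

# Run only when a keychain name is given, e.g. ./setup.sh buildagent.keychain
[ "$#" -eq 0 ] || setup_signing_keychain "$1"
```

Run it once per build with the three variables injected by the CI secret store; with DRY_RUN=1 it only prints the command sequence for review.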
