security / codesign in Sierra: Keychain ignores access control settings and UI-prompts for permission

Problem description

Starting with macOS Sierra, I can't import a codesign-identity into a keychain with /usr/bin/security any more without usr/bin/codesign UI-prompting for access when using this identity. This breaks the packaging scripts of build server. There seems to be no workaround. This affects custom created keychains, but also the login.keychain.

Steps to Reproduce: Execute the following commands in Terminal (requires a signing identity to be available to import):

# create a dedicated keychain for the build agent and unlock it
security create-keychain -p test buildagent.keychain
security unlock-keychain -p test buildagent.keychain

# make it the only keychain in the user search list and the default keychain
security list-keychains -d user -s buildagent.keychain
security default-keychain -s buildagent.keychain

# import the identity, allowing codesign to use the private key
security import identity.p12 -k buildagent.keychain -P password -T /usr/bin/codesign

# sign the product (double quotes so $IDENTITY and ${PRODUCT} are expanded)
codesign -vfs "$IDENTITY" "${PRODUCT}" --keychain buildagent.keychain

Result: macOS shows a UI-prompt asking for permission to access the previously imported private key.

I have tried many workarounds, but nothing seems to work:

  • Using the new .keychain-db extension when specifying the keychain-name
  • Using the login.keychain instead of the custom one
  • Importing the p12 with -A ('Allow any application to access the imported key')
  • Importing the Cert and Key separately (being extracted from the p12 before with openssl pkcs12)

Importing the identity definitely works, I can see the cert and key when displaying the contents of the keychain in the Keychain Access application. The access control setting for the private key is also correctly configured (with the desired codesign exception rule).

How can I avoid the UI prompt from Sierra?

Recommended answer

The command you need to use is as follows:

security set-key-partition-list -S apple-tool:,apple: -s -k keychainPass keychainName

Please have in mind that this command line tool works the same way list-keychains does when modifying. If you execute set-key-partition-list with a single value it will overwrite all partitionIDs in the certificates. It won't validate the values passed.

What this command does is set the PartitionIDs (items after -S, separated by comma) for keys that can sign (-s) for a specific keychain. The actual partitionID that allows the codesigning is apple:.

I am not aware what apple-tool: is doing as it is not documented, but it was there after importing the key with security import so I'm keeping it in order to avoid breaking people who copy-paste the command.

This change was introduced with Mac OS Sierra and is not documented (or at least I could not find documentation). As of Oct 16 the man page for security still doesn't list this command.

For more information you can refer to this bug report - http://www.openradar.me/28524119
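A complete non-interactive build-agent script that combines the question's steps with the answer's set-key-partition-list fix, added here as an example (it is not code from the question or the answer). The variable names, the guard that refuses a partition list missing apple:, the set-keychain-settings timeout and the find-identity check are my additions; the identity file and passwords are placeholders.

```shell
#!/bin/sh
# Added example, not the question's or answer's own code. Assumed placeholder
# values: KEYCHAIN, KEYCHAIN_PASS, IDENTITY_P12, P12_PASS (override via env).
set -eu

KEYCHAIN="${KEYCHAIN:-buildagent.keychain}"
KEYCHAIN_PASS="${KEYCHAIN_PASS:-test}"
IDENTITY_P12="${IDENTITY_P12:-identity.p12}"
P12_PASS="${P12_PASS:-password}"

# set-key-partition-list overwrites every partition ID with exactly the
# comma-separated list you pass and validates nothing, so refuse a list
# that would drop the "apple:" entry codesign needs (a typo there silently
# brings the UI prompt back).
partition_list_allows_codesign() {
    case ",$1," in
        *,apple:,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Full non-interactive setup for a build agent: create, unlock and select the
# keychain, import the identity, then grant codesign's partition ID.
setup_signing_keychain() {
    partitions="$1"
    if ! partition_list_allows_codesign "$partitions"; then
        echo "refusing partition list without apple: -> $partitions" >&2
        return 1
    fi
    security create-keychain -p "$KEYCHAIN_PASS" "$KEYCHAIN"
    security unlock-keychain -p "$KEYCHAIN_PASS" "$KEYCHAIN"
    # Lock only after 1h of inactivity so a long build is not interrupted
    # by a relock (flag usage assumed from the security man page).
    security set-keychain-settings -t 3600 -u "$KEYCHAIN"
    security list-keychains -d user -s "$KEYCHAIN"   # replaces the user search list, as in the question
    security default-keychain -s "$KEYCHAIN"
    security import "$IDENTITY_P12" -k "$KEYCHAIN" -P "$P12_PASS" -T /usr/bin/codesign
    # The Sierra fix from the answer; quoting keeps the list a single argument.
    security set-key-partition-list -S "$partitions" -s -k "$KEYCHAIN_PASS" "$KEYCHAIN"
    # Confirm at least one valid signing identity is now visible.
    security find-identity -v -p codesigning "$KEYCHAIN" \
        | grep -q '[1-9][0-9]* valid identit'
}

# Only run the macOS-specific part on a Mac where the identity file exists.
if [ "$(uname)" = Darwin ] && [ -f "$IDENTITY_P12" ]; then
    setup_signing_keychain "apple-tool:,apple:"
fi
```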
