Unable to unlock login keychain on sierra in ssh

I have a script which SSHes remotely into a Mac. The original script, which worked on El Capitan, would unlock the keychain with this:

security unlock-keychain -p mypassword

The above command gives an error on Sierra, so I updated it to this:

security unlock-keychain -p mypassword ~/Library/Keychains/login.keychain

The command above appears to work but then when I list keychains, the login keychain still isn't there and my script fails trying to sign my code because it can't get to the certificates.

(~)$ security list-keychains
"/Library/Keychains/System.keychain"
"/Library/Keychains/System.keychain"

This all works perfectly in a terminal window on the host but I need it to work remotely in SSH.

Thank you for any help or suggestions.

Update October 10, 2016: I changed the SSH authentication from password to RSA key and it started working. After I could access the login keychain, I started getting an error in the SSH shell: SecKey API returned: -25308 from codesign. This turned out to be a permissions error. When I tried it on the host in a terminal, a dialog from the keychain popped up asking me to allow access.


Solution 1:

Your login keychain doesn't appear to be in the search list, i.e. when you checked it, it just shows the System keychain twice. No login keychain:

(~)$ security list-keychains
"/Library/Keychains/System.keychain"
"/Library/Keychains/System.keychain"
(~)$ security list-keychains -d user -s login.keychain
(~)$ security list-keychains
"/Users/USERNAME/Library/Keychains/login.keychain-db"
"/Library/Keychains/System.keychain"

You can use the security command to look up the -25308 error code. In this case, it says "User interaction not allowed". This is typical if you're trying to sign your app via SSH (or via Jenkins).

security error -25308
Error: 0xFFFF9D24 -25308 User interaction is not allowed.

You need to run a security command to enable codesigning of your application through a non-interactive shell:

security set-key-partition-list -S apple: -k <Password> -D <Identity> -t private <your.keychain>

Here is a "complete" Jenkins / SSH friendly script for signing your app:

#!/bin/bash
set -e # Stop at the first failing security command instead of signing with a half-configured keychain

MY_KEYCHAIN="temp.keychain"
MY_KEYCHAIN_PASSWORD="secret"
CERT="certificate.p12"
CERT_PASSWORD="certificate secret"

security create-keychain -p "$MY_KEYCHAIN_PASSWORD" "$MY_KEYCHAIN" # Create temp keychain
trap 'security delete-keychain "$MY_KEYCHAIN"' EXIT # Delete temporary keychain on exit, even when the build fails
security list-keychains -d user -s "$MY_KEYCHAIN" $(security list-keychains -d user | sed 's/"//g') # Append temp keychain to the user domain search list
security set-keychain-settings "$MY_KEYCHAIN" # No -l/-u/-t flags: remove the relock timeout so the keychain stays unlocked
security unlock-keychain -p "$MY_KEYCHAIN_PASSWORD" "$MY_KEYCHAIN" # Unlock keychain
security import "$CERT" -k "$MY_KEYCHAIN" -P "$CERT_PASSWORD" -T "/usr/bin/codesign" # Add certificate and private key to keychain; allow codesign to use the key
CERT_IDENTITY=$(security find-identity -v -p codesigning "$MY_KEYCHAIN" | head -1 | grep '"' | sed -e 's/[^"]*"//' -e 's/".*//') # Programmatically derive the identity name (the text between the quotes)
CERT_UUID=$(security find-identity -v -p codesigning "$MY_KEYCHAIN" | head -1 | grep '"' | awk '{print $2}') # Handy to have the identity's SHA-1 hash, which codesign -s also accepts (just in case)
security set-key-partition-list -S apple-tool:,apple: -s -k "$MY_KEYCHAIN_PASSWORD" -D "$CERT_IDENTITY" -t private "$MY_KEYCHAIN" # Enable codesigning from a non-interactive shell
### INSERT BUILD COMMANDS HERE ###

Shout out to Bochun Bai for spending 3 weeks with Apple support to find the solution to the -25308 issue and posting it to https://sinofool.net/blog/archives/322
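As an added example that is not part of the question or the answer above, the following script walks the same two repairs for the existing login keychain rather than a throwaway one: it checks whether a login keychain is in the `security list-keychains` output, puts it back and unlocks it if not, then grants codesign non-interactive access to the first valid identity so -25308 does not come back. The sample command outputs, paths, team IDs and certificate hashes embedded in it are constructed for illustration and were not captured from a real machine; the parsing helpers run on any POSIX shell, while the part that calls `security` only does anything on macOS.

```shell
#!/bin/sh
# Added example: diagnose and repair the two failures from this thread
# (login keychain missing from the search list, then codesign error -25308).
# The parsing helpers run anywhere; the `security` calls only run on macOS.
set -u

# --- Constructed sample outputs (not captured from a real machine) ---------
# Shape of `security list-keychains` when the login keychain has dropped out:
SAMPLE_LIST_MISSING='    "/Library/Keychains/System.keychain"
    "/Library/Keychains/System.keychain"'
# Shape of the same command after the search list has been repaired:
SAMPLE_LIST_OK='    "/Users/USERNAME/Library/Keychains/login.keychain-db"
    "/Library/Keychains/System.keychain"'
# Shape of `security find-identity -v -p codesigning`; hashes and names are made up:
SAMPLE_IDENTITIES='  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Developer ID Application: Example Corp (ABCDE12345)"
  2) 89ABCDEF0123456789ABCDEF0123456789ABCDEF "Mac Developer: Jane Doe (FGHIJ67890)"
     2 valid identities found'
SAMPLE_NO_IDENTITIES='     0 valid identities found'

# --- Parsers (read the command output on stdin) ----------------------------

# Exit 0 when some search-list entry is a login keychain; accepts both the
# pre-Sierra login.keychain and the Sierra login.keychain-db file name.
login_keychain_in_list() {
    tr -d '"' | grep -q -E '/login\.keychain(-db)?$'
}

# Print the count from the "N valid identities found" trailer (0 when none).
identity_count() {
    sed -n 's/^ *\([0-9][0-9]*\) valid identit.*$/\1/p'
}

# Print the common name of identity 1), or nothing if there is no such line.
# Anchoring on the 40-hex-digit SHA-1 avoids the fragile `head -1 | grep '"'`.
first_identity_name() {
    sed -n 's/^ *1) [0-9A-Fa-f]\{40\} "\(.*\)"$/\1/p'
}

# Print the SHA-1 hash of identity 1); codesign -s accepts this hash as well.
first_identity_hash() {
    sed -n 's/^ *1) \([0-9A-Fa-f]\{40\}\) ".*"$/\1/p'
}

# --- Live repair (macOS only) -----------------------------------------------

# $1: login keychain password. Puts the login keychain back in the user-domain
# search list, unlocks it, and grants codesign non-interactive key access.
prepare_login_keychain() {
    kc_password=$1
    login_kc="$HOME/Library/Keychains/login.keychain-db"
    [ -f "$login_kc" ] || login_kc="$HOME/Library/Keychains/login.keychain"

    if ! security list-keychains -d user | login_keychain_in_list; then
        # Prepend the login keychain to whatever is currently in the user list.
        # (Word splitting here assumes keychain paths without spaces.)
        # shellcheck disable=SC2046
        security list-keychains -d user -s "$login_kc" \
            $(security list-keychains -d user | tr -d '"')
    fi
    security unlock-keychain -p "$kc_password" "$login_kc" || return 1

    ids=$(security find-identity -v -p codesigning "$login_kc")
    if [ "$(printf '%s\n' "$ids" | identity_count)" = 0 ]; then
        echo "no valid codesigning identity in $login_kc" >&2
        return 1
    fi
    name=$(printf '%s\n' "$ids" | first_identity_name)

    # Let codesign (apple:) and the security tool (apple-tool:) use the private
    # key without the GUI consent dialog, which is what -25308 reports over SSH.
    security set-key-partition-list -S apple-tool:,apple: -s \
        -k "$kc_password" -D "$name" -t private "$login_kc"
}

# Usage: ./fix-login-keychain.sh --fix 'login keychain password'
if [ "${1:-}" = "--fix" ]; then
    if command -v security >/dev/null 2>&1; then
        prepare_login_keychain "${2:?keychain password required}"
    else
        echo "the security tool is only available on macOS" >&2
        exit 1
    fi
fi
```

Without `--fix` the script only defines the helpers, so it can be sourced from a Jenkins job and the parsers exercised against saved output before anything touches a keychain. The `identity_count` check matters in practice: when no identity is valid, `find-identity` prints only the "0 valid identities found" trailer, and the `head -1 | grep '"'` pipeline in the answer's script then yields an empty name that `set-key-partition-list -D` silently applies to nothing.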