security / codesign in Sierra: Keychain ignores access control settings and UI-prompts for permission
Disclaimer: this page is a Chinese-English parallel translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it you must do so under the same CC BY-SA license, cite the original address and author information, and attribute it to the original author (not me): StackOverflow
Original address: http://stackoverflow.com/questions/39868578/
Asked by Sven Driemecker
Starting with macOS Sierra, I can't import a codesign identity into a keychain with /usr/bin/security any more without /usr/bin/codesign UI-prompting for access when using this identity. This breaks the packaging scripts of the build server. There seems to be no workaround. This affects custom created keychains, but also the login.keychain.
Steps to Reproduce: Execute the following commands in Terminal (requires a signing identity to be available to import):
security create-keychain -p test buildagent.keychain
security unlock-keychain -p test buildagent.keychain
security list-keychains -d user -s buildagent.keychain
security default-keychain -s buildagent.keychain
security import identity.p12 -k buildagent.keychain -P password -T /usr/bin/codesign
codesign -vfs "$IDENTITY" "${PRODUCT}" --keychain buildagent.keychain
Result: macOS shows a UI-prompt asking for permission to access the previously imported private key.
I have tried many workarounds, but nothing seems to work:
- Using the new .keychain-db extension when specifying the keychain-name
- Using the login.keychain instead of the custom one
- Importing the p12 with -A ('Allow any application to access the imported key')
- Importing the cert and key separately (extracted from the p12 beforehand with openssl pkcs12)
Importing the identity definitely works, I can see the cert and key when displaying the contents of the keychain in the Keychain Access application. The access control setting for the private key is also correctly configured (with the desired codesign exception rule).
How can I avoid the UI prompt from Sierra?
Answered by Ilian Iliev
The command you need to use is as follows:
security set-key-partition-list -S apple-tool:,apple: -s -k keychainPass keychainName
Please keep in mind that this command line tool works like list-keychains' way of modification. If you execute set-key-partition-list with a single value it will overwrite all partitionIDs in the certificates. It won't validate the values passed.
What this command does is set the PartitionIDs (the items after -S, separated by commas) for keys that can sign (-s) in a specific keychain. The actual partitionID that allows codesigning is apple:.
I am not aware what apple-tool: is doing as it is not documented, but it was there after importing the key with security import, so I'm keeping it in order to avoid breaking people who copy-paste the command.
This change was introduced with Mac OS Sierra and is not documented (or at least I could not find documentation). As of Oct 16 the man page for security still doesn't list this command.
For more information you can refer to this bug report - http://www.openradar.me/28524119
Answered by Rafael Machado
For those who are having this issue with Travis or other CI, you have to add codesign to the application id list.
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k keychainPass keychainName
P.S.: I'm using keychainName.keychain (adding .keychain).
Answered by Wouter
The command from this answer only unlocked the keychain for me, but I still had the UI prompt asking whether the current application could use the key.
I prevented the prompt like this:
Go to the keychain in Keychain Access, double click on all the keys there, and in the tab Access Control, check 'Allow all applications to access this item'.
I was able to upload the new keychain file then to my Jenkins build server, where it is unlocked by the Keychains and Provisioning Profiles Plugin. The build now succeeds signing.
Answered by Ika
For some reason security set-key-partition-list did not work for me.
I solved it by using the -A option when importing the certificate in the keychain:
security import ${P12_FILE} -k ${KEYCHAIN_PATH} -P ${P12_PASSWORD} -A
There is no need to use security set-key-partition-list afterwards.
This option allows any application to access the imported key without warning. Hence, it prevents the prompt from showing up. Note that it is insecure as the key is not protected but depending on your build context it might help.
On top of that the keychain must be added to the search list:
security list-keychains -s ${KEYCHAIN_PATH}
Then the keychain should be unlocked. Otherwise a prompt asking for the keychain password will be displayed:
security unlock-keychain -p ${KEYCHAIN_PASSWORD} ${KEYCHAIN_PATH}
Eventually the auto-lock timeout should be disabled. This is in case the build is quite long and the keychain re-locks itself:
security set-keychain-settings ${KEYCHAIN_PATH}
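The commands from the question and the answers by Ilian Iliev, Rafael Machado and Ika, combined into one throwaway CI signing keychain, as an added example that is not code from the question or any of the answers. It keeps the key restricted to codesign/productsign with -T instead of opening it to every application with -A, sets the partition list that Sierra and later consult, disables the auto-lock timeout, and deletes the keychain afterwards; the keychain name ci-signing, the DRY_RUN toggle, the login.keychain-db name and the random-password scheme are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the question or any answer. Assumes macOS with
# /usr/bin/security; the keychain name, DRY_RUN toggle and login.keychain-db
# name are assumptions of this example.
set -eu

# With DRY_RUN=1 the commands are printed instead of executed, so the
# sequence can be reviewed (and tested) on a machine without /usr/bin/security.
run() {
  if [ "${DRY_RUN:-}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Usage: setup_signing_keychain <p12-file> <p12-password>
# Creates a keychain whose password is random and lives only in this process,
# restricts the imported key to codesign/productsign (-T) rather than every
# application (-A), and sets the partition list checked since Sierra.
# Prints the keychain path on its last output line.
setup_signing_keychain() {
  p12="$1"; p12_pass="$2"
  kc="$HOME/Library/Keychains/ci-signing.keychain-db"
  kc_pass=$(head -c 24 /dev/urandom | base64)
  run security create-keychain -p "$kc_pass" "$kc"
  run security set-keychain-settings "$kc"          # no auto-lock timeout
  run security unlock-keychain -p "$kc_pass" "$kc"
  run security import "$p12" -k "$kc" -P "$p12_pass" \
      -T /usr/bin/codesign -T /usr/bin/productsign
  run security set-key-partition-list -S apple-tool:,apple:,codesign: \
      -s -k "$kc_pass" "$kc"
  # Put the new keychain in front of the user search list (assumes the
  # default login keychain file name) so codesign can find the identity.
  run security list-keychains -d user -s "$kc" login.keychain-db
  printf '%s\n' "$kc"
}

# Usage: teardown_signing_keychain <keychain-path>
# delete-keychain removes the file (and with it the agent's copy of the
# private key) and drops the keychain from the search list.
teardown_signing_keychain() {
  run security delete-keychain "$1"
}
```

Run setup before the codesign step of the build and teardown in a trap or always-run stage, so a failed build does not leave the signing key on the agent.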
Answered by arnoldbird
After trying many different solutions, what worked for me was simply changing the password of my keychain.
- Finder > Go > Utilities
- Open the Keychain Access utility.
- Not sure if I needed to do this step: In the left sidebar of the Keychain Access utility, click on My Certificates. Look at the Keychain column to confirm which Keychain your apple developer certificate is in. In my case it was in the "login" keychain.
- Change the password for the keychain from the previous step. You might want to try locking it and then unlocking it, if it's locked. You change the password by clicking on the relevant keychain ("login", in my case) and then selecting "Change Password..." from the Edit menu of the Keychain Access utility.
- The next time I ran the archive step in Xcode (in the Product menu) I was eventually prompted for a keychain password and I entered the password for my "login" keychain. Then it worked. When it finished I saw an Archives screen with my app listed in it.
Answered by Ivan Krylov
I spent a couple of days looking for a solution. This didn't help:
security import ${P12_FILE} -k ${KEYCHAIN_PATH} -P ${P12_PASSWORD} -A
but when I listed the apps explicitly, it worked (on Catalina at least)!
security import ${P12_FILE} -k ${KEYCHAIN_PATH} -P ${P12_PASSWORD} -T /usr/bin/codesign -T /usr/bin/productsign
Answered by Norbert
Next to using
security set-key-partition-list -S apple-tool:,apple: -s -k keychainPass keychainName
I also had to change the settings for my keychain to "no timeout" using
security set-keychain-settings keychainName
(Documentation available at https://ss64.com/osx/security-keychain-settings.html)
Answered by sacred
Also, if your app build takes more than 5 minutes, you can run out of the custom keychain lock timer and receive a -1=ffffffff error. So disable the keychain lock as a temporary solution.