Mac Build Agent unable to sign .pkg file. SignData failed: CSSMERR_CSP_NO_USER_INTERACTION (-2147415840)

Hello.

We have a .pkg file that needs to be signed using TeamCity after our TeamCity build has completed.

Ideally this could be a build step that runs a script at the end. After much researching, I tried the following:

Script INPUT:

security import applicationkey.p12 -k login.keychain -P "password"

security import installerkey.p12 -k login.keychain -P "password"

security -v unlock-keychain -p "password" /Users/administrator/Library/Keychains/login.keychain

security -v unlock-keychain -u /Library/Keychains/System.keychain

productsign --keychain /Users/administrator/Library/Keychains/login.keychain --sign 'Developer ID Installer: Company LLC' CompanyInstaller.pkg CompanyInstallerSigned.pkg

pkgutil --check-signature CompanyInstallerSigned.pkg

OUTPUT:

unlock-keychain "-p" "mypassword" "/Users/administrator/Library/Keychains/login.keychain"

unlock-keychain "-u" "/Library/Keychains/System.keychain"

productsign: using timestamp authority for signature

productsign: signing product with identity "Developer ID Installer: Company LLC" from keychain /Users/administrator/Library/Keychains/login.keychain

productsign: adding certificate "Developer ID Certification Authority"

productsign: adding certificate "Apple Root CA"

2016-10-05 14:57:11.484 productsign[9385:29611120] SignData failed: CSSMERR_CSP_NO_USER_INTERACTION (-2147415840)

Error signing data.

productsign: error: Failed to sign the product.

QUESTION:

I've noticed many solutions to this mentioning to click the "Always Allow" from the dialog prompt the first time it appears in reference to the Keychain's Access Control, however my only interaction with this build agent is through SSH. Is there a means to sign a .pkg using productsign on Teamcity mac build agent without gui interaction with this "Always Allow" prompt? Or, is there a way to login to the build agent and view a gui so I could click on this "Always Allow" to bypass this?

Note: I've also tried saving the (local signing machine) private key's Access Control to "Allow all application to access this item", exported it, imported it to the build agent's login.keychain, then tried the above again, to only have the same output. When I do the same process on my macbookpro, everything works, however I do not recall if I did click "Alway Allow" from long ago.

Thank you,

K

 

Please sign in to leave a comment.