jph

Reputation: 2233

modify per-application access control for private key via command line?

I have a cert in a key chain that contains a private key. I'd like to add an application to the access control "white list" for that key. I know how to do this using the graphical key chain tool, but I'd like to do it via the command line as part of an Xcode build script.

From what I can tell the "security" command is the way to manipulate key chains at the command line, but I can't figure out from the man page how I'd go about accomplishing this task.

For completeness, here's exactly what I do in the key chain tool that I'd like to do via the command line:

  1. Click the cert to show its private key.
  2. Right-click the private key and select the "Get Info" menu item.
  3. Click the "Access Control" tab.
  4. Click the "+" button to add an application to the white list.
  5. Select the application (in my case Xcode) and click "Add".

I might also be interested in how to allow access to all applications.

Upvotes: 10

Views: 5632

Answers (2)

Sleepless Annoyed Nerd

Reputation: 117

Disclaimer

I'll be honest, this is probably not the best place to post this... but I stumbled onto this (and several other) entries with more or less the same problem. See also https://stackoverflow.com/a/34388302/359100. But since I found a solution which could help other people who try to change access control for a private key in Keychain via a remote session, my solution could help...

Because for me importing via the CLI did not work (using -T or -A). I always got that pop-up regarding access from Keychain.

BTW: If you know a better SO answer where this belongs... please let me know or move it there...

Solution

Create a Keychain on your local machine, e.g. name it apple-development[.keychain]. Add your private keys there and assign the necessary access control (best: "Allow all ..."). Now copy that keychain to your remote Mac and add it there via the Keychain application (File / Add Keychain...). For CI you might do something like this:

    security unlock-keychain -p YOUR-KEYCHAIN-PASSWORD "${HOME}/apple-development.keychain"

Upvotes: 2

Mitchell

Reputation: 33039

I don't think there is any way from security to do this after the key has been imported. However, if you're importing the key for the first time, you can use the -T flag:

    -T  Specify an application which may access the imported key
        (multiple -T options are allowed)

So in my case I was able to do this:

    security import my.key -P mypassword -T /usr/bin/pkgbuild

And everything worked!

Upvotes: 5
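Putting the two answers together as a build-script step, as an added example that is not code from the question or either answer: a throw-away keychain is created, unlocked, and the key is imported with one -T per tool that actually needs it (codesign and pkgbuild here), which is the least-privilege alternative to -A. The keychain path, the PKCS#12 file name, and the environment variables KEY_PASS and KEYCHAIN_PASS are this example's own assumptions; the set-key-partition-list step is not on this page but is required on macOS 10.12 and later for Apple's tools to use the key without prompting.

```shell
#!/bin/sh
# Added example, not code from the question or either answer. A CI build step
# that imports a signing key into a throw-away keychain and authorises ONLY
# the tools named on the command line (one -T per tool), the least-privilege
# alternative to -A (allow every application). Assumed inputs: a PKCS#12
# file, and the passphrases KEY_PASS and KEYCHAIN_PASS supplied through the
# environment by the CI secret store (the variable names are this example's).
set -eu

# import_key_for_tools KEYCHAIN P12_FILE TOOL...
import_key_for_tools() {
  keychain=$1; p12=$2; shift 2
  # Rewrite the remaining positional parameters "tool1 tool2 ..." into
  # "-T tool1 -T tool2 ..." without eval, so paths with spaces stay intact.
  n=$#
  while [ "$n" -gt 0 ]; do
    tool=$1; shift
    set -- "$@" -T "$tool"
    n=$((n - 1))
  done
  security create-keychain -p "$KEYCHAIN_PASS" "$keychain"
  # Auto-lock after an hour so a forgotten keychain does not stay open.
  security set-keychain-settings -lut 3600 "$keychain"
  security unlock-keychain -p "$KEYCHAIN_PASS" "$keychain"
  # Caveat: -P and -p put secrets in argv, visible in `ps` to other local
  # users, so run this only on a dedicated build agent.
  security import "$p12" -k "$keychain" -f pkcs12 -P "$KEY_PASS" "$@"
  # On macOS 10.12+ Apple's own tools (codesign, pkgbuild) additionally need
  # the key's partition list to include apple-tool:, or they still prompt.
  security set-key-partition-list -S apple-tool:,apple: -s \
    -k "$KEYCHAIN_PASS" "$keychain"
}

# Remove the throw-away keychain (and the imported key) when the job ends.
discard_keychain() {
  security delete-keychain "$1"
}

# Example run; the keychain path, key file and app path are placeholders.
main() {
  kc="$HOME/Library/Keychains/ci-build.keychain-db"
  trap 'discard_keychain "$kc"' EXIT
  import_key_for_tools "$kc" "$HOME/secrets/dev.p12" /usr/bin/codesign /usr/bin/pkgbuild
  codesign --keychain "$kc" --sign "Developer ID Application" "$HOME/build/MyApp.app"
}
case "${0##*/}" in ci-import-key.sh) main "$@" ;; esac
```

Any application not listed with -T still gets the Keychain access prompt, which is the behaviour the first answer ran into over a remote session.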
