Getting rid of duplicate system keychain in keychain list using jenkins launched as a mac osx slave through a StartupItem

Question

I'm building my iOS projects from a jenkins slave and getting some weird results. If I try to build my project from the command-line as jenkins does it, there are no problems. But jenkins keeps telling me the identity appears more than once in the keychain. The identity is not duplicated, I checked it a lot of times.

I'm launching the jenkins slave as my user (using sudo -u, ps shows the correct user) from a StartupItem. The signing cert, its private key and the WWDR intermediate certificate are deployed into the System keychain because I cannot access the login keychain launching jenkins from the StartupItem.

After digging a little bit through SO and Google I've found that it could be related to something pointed in this question:

Missing certificates and keys in the keychain while using Jenkins/Hudson as Continuous Integration for iOS and Mac development

I have set a command-line step in order to print the list-keychains output and I'm getting the same:

+ security list-keychains
    "/Library/Keychains/System.keychain"
    "/Library/Keychains/applepushserviced.keychain"
    "/Library/Keychains/System.keychain"

But it is not working for me, xcodebuild keeps saying "Certificate identity 'XXXXXX' appears more than once in the keychain" and seems to be related as I have the System.keychain duplicated in the keychain list.

I cannot find a way to leave just one System.keychain into the list, I tried:

• Executing a first script using security list-keychains -s in order to change the list w/o luck
• Cleaning all the certs and keys and start over again
• Resetting the keychains
• Creating a dedicated user for the jenkins service trying to avoid any mess from the previous user, but seems to be something more system-wide related
• Resetting LS database

Any clues from anyone?

I tried to leave a comment on the previous mentioned question but I'm a newbie, I can't do it and answering doesn't seems polite as I need to ask something, I'm not giving an answer. So any answer through this question would be appreciated. Thanks in advance!

---

Environment:

• OSX Lion 10.7.3
• Xcode 4.3
• Xcode command-line tools updated
• Jenkins ver. 1.456 and up to date plugins.

Answer 1

This can also be fixed by opening Keychain Access, Edit, Keychain List and removing the System keychain from the User list. It's still available from System.

Answer 2

Currently, it cannot be done using a StartupItem... I've finally managed the problem using a LaunchDaemon based on an answer from the linked SO. This is the LaunchDaemon I'm using:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
        "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>GroupName</key>
        <string>wheel</string>
        <key>KeepAlive</key>
        <true/>
        <key>Label</key>
        <string>org.jenkins-ci</string>
        <key>ProgramArguments</key>
        <array>
                <string>/usr/bin/java</string>
                <string>-jar</string>
                <string>/Users/jenkins/work/slave.jar</string>
                <string>-noCertificateCheck</string>
                <string>-jnlpUrl</string>
                <string>https://MySERVER/jenkins/computer/MacOSX/slave-agent.jnlp</string>
        </array>
        <key>RunAtLoad</key>
        <true/>
        <key>UserName</key>
        <string>jenkins</string>
        <key>SessionCreate</key>
        <true/>
</dict>
</plist>

Answer 3

So I see that keychain list when I run Jenkins from launchctl as a LaunchDaemon. No matter which user I tell launchctl to use when it launches I always only see only those keychains.

To change this behavior I started Jenkins from a launchd plist as a LaunchAgent. Using Jenkins to list the keychains in this instance shows the users Login keychain and System keychain rather than the slightly odd "System,applepushserviced,System" list.