errSecInternalComponent for a specific target

I am looking for any help regarding an errSecInternalComponent error I am seeing when trying to archive my iOS app via my CI process. Specifically, this CI process is a GitHub Action running on a self-hosted M2 Pro Mini machine to which we have Screen Share access. I have followed the very helpful seminal post and have confirmed that I can run the necessary command in the local terminal via Screen Share, and I don't get any Keychain Access dialogs to pop up. When I try to run the same command via an SSH terminal from my local machine on that same machine, I get the following error:

/Users/{username}/Library/Developer/Xcode/DerivedData/{projectID}/Build/Intermediates.noindex/ArchiveIntermediates/{projectname}/IntermediateBuildFilesPath/UninstalledProducts/iphoneos/{some name}NotificationServiceExtension.appex: errSecInternalComponent

I only get the error for that one service extension target. The project is only a couple years old, created with Xcode 14 or maybe 13. The signing has always been managed automatically with the provisioning profiles for all our targets being managed by Xcode.

Thanks in advance for any advice or suggestions as to what I may be missing or how to address this problem. I am more than happy to provide any more information I can to diagnose and solve the issue.

When things fail, copy the failed command from the output (much as you pasted in above, just unredact the user name, project ID, and so on) and try running it in two contexts:

  • In the SSH session that saw the problem

  • In a Terminal window via screen sharing

I suspect that the first test will fail in the same way, but I want you to run it anyway, just to be sure.

And I’m genuinely curious as to what the second test will reveal (-:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Sorry for the delayed response, I didn't see your feedback until today. I can run the xcodebuild archive command (wrapped in a Makefile) from the terminal window in a screen share session with no problem, but no prompts for password. If I run the same command via SSH, I get the same error I posted before. If I run security unlock-keychain in the SSH session and then re-run the archive command, it works. What I can't figure out now is how to effectively have CI run the same keychain unlocking when the job is run as a GitHub Action workflow given that the security unlock-keychain is interactive on the command line. Is there any way to do the unlock programmatically without having to hard code the password for the account to unlock the keychain?

Is there any way to do the unlock programmatically without having to hard code the password for the account to unlock the keychain?

Programmatically? Or from a script?

Programmatically you can unlock the keychain with SecKeychainUnlock.

From a script, security uses getpass under the covers (getpass man page). There are standard tricks for puppetstringing getpass.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
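
For the script route, one alternative to driving the getpass prompt is to hand `security unlock-keychain` a password that the CI system injects as a secret environment variable, using its `-p` option. This is an added example, not code from the thread or from Apple; the names KEYCHAIN_PASSWORD and KEYCHAIN_PATH, the two function names, and the make target are assumptions.

```shell
#!/bin/sh
# Added example. Assumption (not from the thread): the CI system injects the
# keychain password as the secret environment variable KEYCHAIN_PASSWORD.

# Unlock the keychain at $1 without prompting. Returns 2 or 3, without
# calling `security`, if the path or the secret is missing.
unlock_ci_keychain() {
    kc_path="${1:-}"
    if [ -z "$kc_path" ]; then
        echo "unlock_ci_keychain: no keychain path given" >&2
        return 2
    fi
    if [ -z "${KEYCHAIN_PASSWORD:-}" ]; then
        echo "unlock_ci_keychain: KEYCHAIN_PASSWORD is not set" >&2
        return 3
    fi
    # Turn off command tracing so `set -x` cannot echo the secret into the log.
    case $- in *x*) trace_was_on=1; set +x ;; *) trace_was_on=0 ;; esac
    unlock_status=0
    # -p puts the password in the argument list, where it is visible in the
    # process list while the command runs.
    security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$kc_path" || unlock_status=$?
    if [ "$trace_was_on" -eq 1 ]; then set -x; fi
    return "$unlock_status"
}

# Unlock the keychain at $1, run the remaining arguments as the build command,
# then lock the keychain again whether or not the build succeeded.
with_unlocked_keychain() {
    [ "$#" -ge 1 ] || return 2
    wk_path="$1"; shift
    unlock_ci_keychain "$wk_path" || return $?
    build_status=0
    "$@" || build_status=$?
    security lock-keychain "$wk_path" || echo "warning: could not re-lock $wk_path" >&2
    return "$build_status"
}

# Usage in a workflow step (KEYCHAIN_PATH and the make target are hypothetical):
#   with_unlocked_keychain "$KEYCHAIN_PATH" make archive
```
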

Ah, I wasn't aware of the getpass option! This is a script, so I will give that a shot and see if I can script it up from there.
