We have a persistent CodeSign issue with the following error shown in the log when running an iOS build on a Jenkins node with macOS Catalina 10.15.7:
errSecInternalComponent
Command CodeSign failed with a nonzero exit code
We have a troubleshooting page and we tried all of the following, to no avail. The CodeSign issue is still there:
__________________________________________________
Check that all the required certificates are present in Keychain Access
Check that the access control of all certificates is correct
Check that the certificate for the corresponding territory has the right access control (either code sign or all apps)
If not, expand the certificate for the territory (arrow), select both the public and the private key underneath it and delete: you will be prompted to enter the password
Quit Keychain Access
Run the following command to import again the certificate with the right access controls:
sudo security import <certname>.p12 -P <password> -k /Library/Keychains/System.keychain -T /usr/bin/codesign
NB: It is not recommended to import a p12 with multiple certificate. Better have an approach where you import the certificates one by one, territory by territory.
NB: Sometimes, you need to repeat the process several times before you get the right access controls.
Now, check that the access control is correct in Keychain Access. Right click the private key and select Get Info. Select the Access Control tab in the info window.
Access control should be either Allow all applications to access this item or Confirm before allowing access selected with codesign listed in the applications allowed to access:
Make sure the certificates are trusted
If the certificates are NOT trusted, please install the certificate from Apple WorldWide Developer Certificate Authority:
https://developer.apple.com/certificationauthority/AppleWWDRCA.cer
If code signing still doesn't work, in Keychain Access, select File > Unlock All Keychains then File > Lock All Keychains.
Then type the following in a Terminal window to reboot the system:
sudo reboot
Check that all the required provisioning profiles are present for all territories for release-enterprise and release-appstore and that they match the certificates installed in Keychain Access
Cd into the ~ /Library/MobileDevice/Provisioning\ Profiles and check if the required provisioning profiles are present.
If not, either use scp to copy the missing profiles to this folder or use drag and drop from your local Finder to the remote Finder in Screen Sharing (drag and drop of files is a little fiddly, but it works).
Troubleshooting further: Check that all the required provisioning profiles are present for all territories for release-enterprise and release-appstore.
When running this command in the Terminal , it returns a list of valid entities:
security find-identity -vp codesigning
For example, a list of 18 entities: 9 public key and the 9 corresponding private keys
If there are e.g 36 entities, there could be doubled. Check both the login and system keychains for duplicates. There should be 9 certificates listed in the system keychain.
Even if you have the right number of certificates in the system keychain and they access control is codesign or allow all applications, there could still be codesign issues. In that case, check the login keychain. Delete certificates that don’t need to be there. If it still doesn’t work, e.g the login keychain is empty and you have a code sign error, create a self signed certificate for Code Signing in the login keychain.
If code signing still doesn't work, in Keychain Access, select File > Unlock All Keychains then File > Lock All Keychains.
Then type the following in a Terminal window to reboot the system:
sudo reboot
__________________________________________________
What we haven’t tried yet is this:
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${PASSWORD}" "${KEYCHAIN}"
But we don’t know how to run it nor if this is the right thing to do.
errSecInternalComponent
Command CodeSign failed with a nonzero exit code
We have a troubleshooting page and we tried all of the following, to no avail. The CodeSign issue is still there:
__________________________________________________
Check that all the required certificates are present in Keychain Access
Check that the access control of all certificates is correct
Check that the certificate for the corresponding territory has the right access control (either code sign or all apps)
If not, expand the certificate for the territory (arrow), select both the public and the private key underneath it and delete: you will be prompted to enter the password
Quit Keychain Access
Run the following command to import again the certificate with the right access controls:
sudo security import <certname>.p12 -P <password> -k /Library/Keychains/System.keychain -T /usr/bin/codesign
NB: It is not recommended to import a p12 with multiple certificate. Better have an approach where you import the certificates one by one, territory by territory.
NB: Sometimes, you need to repeat the process several times before you get the right access controls.
Now, check that the access control is correct in Keychain Access. Right click the private key and select Get Info. Select the Access Control tab in the info window.
Access control should be either Allow all applications to access this item or Confirm before allowing access selected with codesign listed in the applications allowed to access:
Make sure the certificates are trusted
If the certificates are NOT trusted, please install the certificate from Apple WorldWide Developer Certificate Authority:
https://developer.apple.com/certificationauthority/AppleWWDRCA.cer
If code signing still doesn't work, in Keychain Access, select File > Unlock All Keychains then File > Lock All Keychains.
Then type the following in a Terminal window to reboot the system:
sudo reboot
Check that all the required provisioning profiles are present for all territories for release-enterprise and release-appstore and that they match the certificates installed in Keychain Access
Cd into the ~ /Library/MobileDevice/Provisioning\ Profiles and check if the required provisioning profiles are present.
If not, either use scp to copy the missing profiles to this folder or use drag and drop from your local Finder to the remote Finder in Screen Sharing (drag and drop of files is a little fiddly, but it works).
Troubleshooting further: Check that all the required provisioning profiles are present for all territories for release-enterprise and release-appstore.
When running this command in the Terminal , it returns a list of valid entities:
security find-identity -vp codesigning
For example, a list of 18 entities: 9 public key and the 9 corresponding private keys
If there are e.g 36 entities, there could be doubled. Check both the login and system keychains for duplicates. There should be 9 certificates listed in the system keychain.
Even if you have the right number of certificates in the system keychain and they access control is codesign or allow all applications, there could still be codesign issues. In that case, check the login keychain. Delete certificates that don’t need to be there. If it still doesn’t work, e.g the login keychain is empty and you have a code sign error, create a self signed certificate for Code Signing in the login keychain.
If code signing still doesn't work, in Keychain Access, select File > Unlock All Keychains then File > Lock All Keychains.
Then type the following in a Terminal window to reboot the system:
sudo reboot
__________________________________________________
What we haven’t tried yet is this:
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${PASSWORD}" "${KEYCHAIN}"
But we don’t know how to run it nor if this is the right thing to do.
