errSecInternalComponent when using codesign from within a daemon

I have my own running daemon application that listens on a network port and executes different commands based on the incoming request. All is working fine except when trying to execute the following codesign command.

sudo codesign --force --timestamp --options=runtime --entitlements <Entitlements File Path> --sign <Application Certificate Id> <file to sign>

This fails with an error saying errSecInternalComponent. However, when I take the same command and paste it into the terminal, it works.

I have my application certificate installed under both login and System keychains and set to be Always Trust in settings.

I tried adding the --keychain option to specify the keychain path for the codesign command. I also made sure that both the login and System keychains are unlocked during command execution. In addition, I tried adding the following key/value pair to my daemon plist file and restarting it.

<key>SessionCreate</key>
<true/>

All of the above trials failed to fix the issue, I'm out of ideas and any help would be highly appreciated.

Have you tried adding your daemon to the Access Control list for the private key on the Signing Identity in the Keychain?

Are you running your daemon in a global security context (root user) or a per-user security context such as a launchd agent? See more on this here.

The reason I ask is because the Keychain assets that you codesign with are associated with a user on the system, and these assets are made available when the user session is established. Are you logged into the machine through the standard login window or something like an SSH session?

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
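One way to act on the ACL suggestion in the reply above, as an added example that is not code from this thread or from Apple: give the signing daemon its own keychain, import the identity with the private key's access control list explicitly listing /usr/bin/codesign and the daemon binary, and name that keychain on the codesign command line so the signing does not depend on whatever session the daemon happens to run in. The identity path /etc/signing/identity.p12, the daemon path /usr/local/libexec/signingd, the keychain name and all passwords are hypothetical placeholders; DRY_RUN=1 prints the commands instead of running them so the script can be reviewed on a machine without the security and codesign tools.

```shell
#!/bin/sh
# Added example, not from the original thread. Hypothetical values: the signing
# identity exported as /etc/signing/identity.p12, the daemon binary at
# /usr/local/libexec/signingd, a dedicated keychain under the daemon user's home.
set -eu

KEYCHAIN="${KEYCHAIN:-${HOME:-/var/root}/Library/Keychains/signing.keychain-db}"
DAEMON_BIN="${DAEMON_BIN:-/usr/local/libexec/signingd}"

# run: execute a command, or print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# prepare_keychain P12 P12_PASSWORD KEYCHAIN_PASSWORD
# One-time setup, run as the user the daemon runs as. Creates the keychain,
# imports the identity and records which programs may use the private key
# without a UI prompt (the private-key ACL mentioned in the reply).
prepare_keychain() {
    p12="$1"; p12_pw="$2"; kc_pw="$3"
    run security create-keychain -p "$kc_pw" "$KEYCHAIN"
    # No timeout and no lock-on-sleep: a daemon has nobody around to re-unlock it.
    run security set-keychain-settings "$KEYCHAIN"
    # Each -T adds a program to the imported key's access control list.
    run security import "$p12" -k "$KEYCHAIN" -P "$p12_pw" \
        -T /usr/bin/codesign -T "$DAEMON_BIN"
    # macOS 10.12 and later also keep a partition list on the key; without the
    # apple-tool:/apple: entries codesign is still refused outside a UI session.
    run security set-key-partition-list -S apple-tool:,apple: -s -k "$kc_pw" "$KEYCHAIN"
}

# sign_file KEYCHAIN_PASSWORD IDENTITY ENTITLEMENTS TARGET
# Per-request signing. Unlocks the dedicated keychain and names it explicitly
# so codesign does not rely on the calling session's keychain search list.
sign_file() {
    kc_pw="$1"; identity="$2"; entitlements="$3"; target="$4"
    run security unlock-keychain -p "$kc_pw" "$KEYCHAIN"
    run codesign --force --timestamp --options=runtime \
        --entitlements "$entitlements" \
        --keychain "$KEYCHAIN" \
        --sign "$identity" "$target"
    # Verify what was just produced before reporting success to the client.
    run codesign --verify --strict --verbose=2 "$target"
}

# Usage:
#   sign-helper.sh setup /etc/signing/identity.p12 <p12 password> <keychain password>
#   sign-helper.sh sign <keychain password> "<identity>" <entitlements.plist> <file>
case "${1:-}" in
    setup) prepare_keychain "$2" "$3" "$4" ;;
    sign)  sign_file "$2" "$3" "$4" "$5" ;;
esac
```

Because the keychain password has to be available to the daemon, keep it readable only by the daemon's own (non-root) user and out of the plist's EnvironmentVariables; the keychain itself still holds the private key, so the daemon never needs the .p12 after setup.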