Stored credentials reset after a few hours when using "notarytool store-credentials"

I'm using the "notarytool store-credentials" command to store my access credentials for notarizing our apps from a build server through Jenkins. The machine is a Mac Mini M1 running Ventura.

This works per se but for a reason I don't understand, I need to do this repeatedly. When I store the credentials, it will work for the next hours but at some point the machine will "forget" the access credentials resulting in this error output:

Conducting pre-submission checks for <app name> and initiating connection to the Apple notary service...
Error: No Keychain password item found for profile: notarization

Run 'notarytool store-credentials' to create another credential profile.

I then have to run the store-credentials command again so I can use it again for the next few hours. This is obviously quite annoying especially since it's absolutely not obvious why it behaves that way. The machine is on 24/7 and I don't see why the keychain item gets removed.

I'd appreciate any insight and would like to know what I have to do to store the credentials permanently.

I don’t think the credentials are being removed. Rather, you’re unable to access them because the keychain is locked.

By default notarytool works with the data protection keychain, which can make things a bit tricky. If you use screen sharing to log into the machine (or log in using the GUI) and run Keychain Access, do you see your stored credential there?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

The one and only eskimo! ;-) Thanks for your help!

I have created new credentials this morning. I notarized an app directly after and it worked fine as expected.

I just tried notarizing again (about 6 hours later) and it failed with the error message:

"Error: No Keychain password item found for profile: notarization"

You are correct though that the keychain item itself is still present so it's probably a keychain access problem. Do you know how to get around that?

Thanks!

> You are correct though that the keychain item itself is still present so it's probably a keychain access problem.

A good test would be to log in with the GUI again. That should unlock your data protection keychain and thus allow this to work again.

> Do you know how to get around that?

IIRC the security unlock-keychain command with no fancy arguments will unlock both the file-based and data protection keychains. That’s what I’d try first.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks!

I have tried that but unfortunately it didn't work. The command per se finished and didn't print any error message but when triggering a build with notarization directly after, it still prints the error message about the keychain item not being found.

I checked and found that the keychain item was added to the iCloud keychain so I also tried unlocking the iCloud keychain specifically using security unlock-keychain iCloud but that unfortunately didn't work.

I also tried logging in through remote desktop and that also didn't change things.

Can you think of another solution? Things were working fine with altool and stapler.

Bummer.

> Things were working fine with altool

altool always uses the file-based keychain. You can force notarytool to do the same by passing a keychain to it using the --keychain option. I think that might be the easiest path forward for you.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
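
The --keychain approach suggested in the last reply, sketched as a build-server script. This is an added example, not code from the thread or from Apple; the keychain path and the environment variable names (KEYCHAIN_PASSWORD, APPLE_ID, TEAM_ID, APP_PASSWORD) are assumptions.

```shell
#!/bin/sh
# Added example: notarize from CI against a dedicated file-based keychain.
# Assumed (not from the thread): the keychain path and the environment
# variables KEYCHAIN_PASSWORD, APPLE_ID, TEAM_ID, APP_PASSWORD.
set -e

KEYCHAIN="${KEYCHAIN:-$HOME/Library/Keychains/ci-notary.keychain-db}"
PROFILE="${PROFILE:-notarization}"   # profile name from the thread's error output

# One-time setup: create the keychain and store the notary profile in it.
setup_keychain() {
  : "${KEYCHAIN_PASSWORD:?}" "${APPLE_ID:?}" "${TEAM_ID:?}" "${APP_PASSWORD:?}"
  [ -f "$KEYCHAIN" ] || security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
  security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
  # No -l, -u or -t: do not lock on sleep or after an idle timeout.
  security set-keychain-settings "$KEYCHAIN"
  xcrun notarytool store-credentials "$PROFILE" \
    --apple-id "$APPLE_ID" --team-id "$TEAM_ID" --password "$APP_PASSWORD" \
    --keychain "$KEYCHAIN"
}

# Every build: unlock explicitly (a reboot relocks the keychain), then submit
# with the same --keychain so notarytool reads the profile from that file.
notarize() {
  : "${KEYCHAIN_PASSWORD:?}" "${1:?path to the .zip, .dmg or .pkg}"
  security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
  xcrun notarytool submit "$1" \
    --keychain-profile "$PROFILE" --keychain "$KEYCHAIN" --wait
}

case "${1:-}" in
  setup)  setup_keychain ;;
  submit) notarize "${2:-}" ;;
  "")     ;;   # no arguments: only define the functions
  *)      echo "usage: $0 {setup|submit <file>}" >&2; exit 2 ;;
esac
```

Run it once with `setup`, then call `submit <file>` from the Jenkins job with KEYCHAIN_PASSWORD supplied from the CI secret store rather than written into the job definition.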
