errSecInternalComponent when trying to codesign an app through SSH

Hi,

I'm trying to ssh into another machine, copy an app into that machine and codesign it using my "Dev ID Application" certificate, then copy it back to my original machine.

I'm getting the "errSecInternalComponent" error when running codesign. This is the bash script I'm running:

ssh ${REMOTE_SERVER} "security -v unlock-keychain -p <REDACTED> /Users/<REDACTED>/Library/keychains/login.keychain-db"

ssh ${REMOTE_SERVER} "codesign -vvv --deep --force --verify --verbose --timestamp --options runtime --sign \"Developer ID Application: <REDACTED>\" \"/tmp/$BUILD_ID/ui-app/<APP_NAME>.app\""

ssh ${REMOTE_SERVER} "codesign -dv --verbose=4 /tmp/$BUILD_ID/ui-app/<APP_NAME>.app"

I've tried to follow all the available info found online, managed to sign it successfully through the machine's UI, set the ACL of the private key to ALLOW ALL, restarted the keychain service, tried with the system keychain, approved all pop ups through the UI. Still with no luck through the SSH session.

Any help would be greatly appreciated.

Thanks!

Answered by roy-bei in 813469022

Ok, found a solution after 10 hours. When running multiple standalone SSH commands, the unlock-keychain doesn't stick between commands; running:

ssh ${REMOTE_SERVER}  "security unlock-keychain -p <REDACT> /Users/<REDACT>/Library/Keychains/login.keychain-db && 
codesign -vvv --deep --force --verify --verbose --timestamp --options runtime --sign \"Developer ID Application: <REDACT>\" \"/tmp/$BUILD_ID/ui-app/<REDACT>.app\""

Fixed it. Good luck :)


Thanks for sharing.

For those reading along at home, I discuss this topic in some detail in Resolving errSecInternalComponent errors during code signing.

Oh, and one last thing. You wrote:

codesign -vvv --deep …

Be careful when using --deep. It’s fine to use when verifying, as you’re doing here, but don’t use it when signing. See --deep Considered Harmful for more on that.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
