Notarytool can't find keychain entry on macOS 15.1

We've recently updated our build server to macOS 15.1.1 and ever since, notarization sporadically fails. Notarytool says "No Keychain password item found for profile: foo", even though that item is present.

I found out it works when I either log in using Remote Desktop (don't need to do anything else, just login and wait) or when running security unlock-keychain via SSH (but that one's not persistent, either).

We're using GitLab (via gitlab-runner on the build server) and so far notarization hasn't had many problems with the keychain. That started with macOS 15.1.

Are there any changes in 15.1 that we need to be aware of to make this stable?

Answered by DTS Engineer in 816236022

This is probably the data protection keychain locking itself at an inopportune time. I’ve seen reports like this previously. I’m not aware of any change in macOS 15.1 that would make it happen more often, but macOS is a complex system and there are lots of moving parts here, including third-party moving parts.

How you fix this kinda depends on the capabilities and policies of your CI system. Most CI systems have a way to provision secrets to the jobs that they run. If your org is OK with using that mechanism, you can skip the keychain entirely:

  1. Have your CI system provision your build job with either an app-specific password or an App Store Connect API key.

  2. Pass that directly to notarytool.

To pass in an app-specific password, use --apple-id, --password, and --team-id.

To pass in an ASC API key, use --key, --key-id, and --issuer. I have examples of these in TN3147 Migrating to the latest notarization tool.


There are other ways to slice this problem, so if the above isn’t compatible with your policies let me know and I’ll outline the alternatives.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
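The second option above (an App Store Connect API key provisioned by the CI system and handed straight to notarytool) as a complete job script. This is an added example, not code from the thread or from Apple; the variable names ASC_KEY_FILE, ASC_KEY_ID and ASC_ISSUER_ID are this example's own assumptions for how the secrets reach the job, and the JSON sample used for testing is constructed. It adds the checks a practitioner wants on a shared runner: the key file must exist, be owner-only readable and look like a PEM .p8 key, and a submission is only stapled when the notary service reports Accepted, otherwise the notary log is dumped into the CI output.

```shell
#!/bin/bash
# Added example, not code from the thread: drive notarytool from a GitLab CI
# job with an App Store Connect API key delivered as CI secrets, so the job
# never touches the login keychain. Variable names are this example's own
# assumptions: ASC_KEY_FILE (path to the .p8 key, e.g. a GitLab "File" type
# variable), ASC_KEY_ID and ASC_ISSUER_ID (masked variables).
set -eu

# Refuse to run if the secret material is missing or readable by other
# users on a shared runner. Prints the path, never the key. Returns 1 on
# any problem.
check_asc_secrets() {
    key_file="$1"; key_id="$2"; issuer="$3"
    [ -n "$key_id" ] && [ -n "$issuer" ] ||
        { echo "ASC_KEY_ID or ASC_ISSUER_ID is unset" >&2; return 1; }
    [ -s "$key_file" ] ||
        { echo "ASC key file missing or empty: $key_file" >&2; return 1; }
    # The first ten columns of ls -l read the same on macOS and Linux.
    case "$(ls -ld "$key_file" | cut -c1-10)" in
        -r??------) ;;   # owner-only, e.g. mode 600 or 400
        *) echo "ASC key file must not be group/world readable" >&2; return 1 ;;
    esac
    grep -q 'BEGIN PRIVATE KEY' "$key_file" ||
        { echo "ASC key file is not a PEM .p8 key" >&2; return 1; }
}

# Pull one string field out of notarytool's --output-format json result
# without depending on jq. Usage: json_field <name> "$json"
json_field() {
    printf '%s\n' "$2" | sed -n "s/.*\"$1\" *: *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Submit, wait for the verdict, and staple the ticket. Fails unless the
# status is Accepted, dumping the notary log so a rejection is debuggable
# from the CI output alone. The key is passed by path, never by value, so
# it does not show up in the process list or the job log.
notarize_and_staple() {
    artifact="$1"; key_file="$2"; key_id="$3"; issuer="$4"
    out=$(xcrun notarytool submit "$artifact" \
            --key "$key_file" --key-id "$key_id" --issuer "$issuer" \
            --wait --output-format json) || true
    id=$(json_field id "$out")
    status=$(json_field status "$out")
    if [ "$status" != "Accepted" ]; then
        echo "notarization ${id:-?} finished with status ${status:-unknown}" >&2
        [ -z "$id" ] || xcrun notarytool log "$id" \
            --key "$key_file" --key-id "$key_id" --issuer "$issuer" >&2 || true
        return 1
    fi
    # A .dmg or .pkg can be both submitted and stapled directly.
    xcrun stapler staple "$artifact"
}

main() {
    check_asc_secrets "${ASC_KEY_FILE:-}" "${ASC_KEY_ID:-}" "${ASC_ISSUER_ID:-}"
    notarize_and_staple "$1" "$ASC_KEY_FILE" "$ASC_KEY_ID" "$ASC_ISSUER_ID"
}

# Invoked from the CI job as: notarize.sh build/MyApp.dmg
if [ "$#" -gt 0 ]; then main "$@"; fi
```

If your runner materialises the File variable with wider permissions than 600, chmod it in a before_script step; the check is deliberately strict because a readable .p8 on a shared build host is equivalent to leaking the key. The `|| true` after the submit call is intentional: the script parses the returned status itself rather than relying on notarytool's exit code, so an Invalid verdict is reported with its log instead of an opaque failure.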

