Saturday, November 27, 2021

#1 2021-06-18 02:41:53 pm

t.spoon
Member
From:: BFE, Massachusetts
Registered: 2013-01-13
Posts: 518

Code Signing from Script Debugger without entering my password?

I have my Apple Developer Certificate in keychain and code signing turned on for exports from Script Debugger.

But every time I do an export, it asks me to enter my username and password to access the system keychain - not once, but 4 times per export.

That's annoying enough... but we have batch export scripts that deploy an entire git repository branch of our AppleScripts to a test environment. It's 185 scripts. When run, now that code signing is turned on, it asks me to enter my username and password 740 consecutive times when that script is run. It's also constantly stealing focus as it goes.

I tried deleting my Apple Developer Certificates from the System keychain and installing them in my user keychain - I figured this would solve the login problem. I removed the system copies and quit and restarted Script Debugger. No dice... signing still works, but it still asks for the username and password 4 times per script.

Any suggestions?

Thanks,

t.spoon.


Ditched the Hackintosh.
Intel Mac Mini i7 and M1 Mac Mini on a KVM.

Offline

 

#2 2021-06-18 06:07:32 pm

Shane Stanley
Member
From:: Australia
Registered: 2002-12-07
Posts: 6729

Re: Code Signing from Script Debugger without entering my password?

People have had success solving other privacy-related issues by deleting SD from the various Security & Privacy panes in System Preferences, deleting any previous versions of SD, rebooting, and trying again.

Can you try a test and see if it happens using SD Notary too? Just export without signing, and either Sign Only or Notarize.


Shane Stanley <sstanley@myriad-com.com.au>
www.macosxautomation.com/applescript/apps/
latenightsw.com

Offline

 

#3 2021-11-16 12:56:49 pm

t.spoon
Member
From:: BFE, Massachusetts
Registered: 2013-01-13
Posts: 518

Re: Code Signing from Script Debugger without entering my password?

Well, after needing to go off to work on other things, I've gotten back to this.

I tried deleting Script Debugger from every section where it occurred in System Preferences -> Security and Privacy, then re-adding it, but that didn't change things; it still wants the password 4 times per signing.

I got SD Notary set up... it's better, it only wants the password twice per signing.

Any other ideas what I can try? I've been googling and found some things to try, but no luck yet.

There are posts about problems like this from having various certificates in the wrong level of keychain. I see three possible related certificates in this chain:

Developer ID Application: [company name](number)
Apple Worldwide Developer Relations Certification Authority
Developer ID Certification Authority



And then there are three relevant keychains:

login
System
System Roots



but it's unclear to me what certificates are supposed to be where... I've got

Developer ID Application: [company name](number)
Apple Worldwide Developer Relations Certification Authority


In "login" and then

Developer ID Certification Authority



is in both:

login
System Roots



The two copies of that may be the issue, but it's unclear to me where it's supposed to go...


Ditched the Hackintosh.
Intel Mac Mini i7 and M1 Mac Mini on a KVM.

Offline

 

#4 2021-11-16 01:14:57 pm

t.spoon
Member
From:: BFE, Massachusetts
Registered: 2013-01-13
Posts: 518

Re: Code Signing from Script Debugger without entering my password?

After more searching, it appeared to me that "Developer ID Certification Authority" is supposed to be in "System Roots," so I deleted the other copy out of "Login," and I still get the same problem.


Ditched the Hackintosh.
Intel Mac Mini i7 and M1 Mac Mini on a KVM.

Offline

 

#5 2021-11-16 02:47:49 pm

t.spoon
Member
From:: BFE, Massachusetts
Registered: 2013-01-13
Posts: 518

Re: Code Signing from Script Debugger without entering my password?

I found it!

My developer certificates were missing an associated private key in the keychain.

FYI, keychain's UI here is terrible... the "Category" column on the left side-pane, one would expect to simply refine the list of items on the right based on category... in fact, for certificates, it changes the UI to give a caret to drop down and view keys associated with certificates only when you click on "Certificates" on the left... otherwise you can view the same certificate and it will NOT show a caret and associated keys.

Anyway, I was missing my associated keys. I had another developer click "Certificates," caret down, shift-click to select both the cert and the key, then right-click and export as a p12 file, then I imported those to my keychain, deleted my original copy of the cert without the key. I also clicked on each associated key, switched to the "Access Control" tab, and chose "Allow all applications to access this item."

Problem solved.

Here's the Stack Overflow post I finally found that led me to this solution:

https://stackoverflow.com/questions/128 … n-keychain


Ditched the Hackintosh.
Intel Mac Mini i7 and M1 Mac Mini on a KVM.

Offline
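
The missing-private-key condition found in post #5 can be checked from Terminal, because `security find-identity` lists only certificates whose private key is also in a keychain. This is an added example, not part of the thread: the sample outputs, company name and hash are constructed, the login keychain path is the default on recent macOS, and the `-T /usr/bin/codesign` import (narrower than "Allow all applications") assumes the signing tool calls `codesign`, which the thread does not confirm.

```shell
#!/bin/sh
# Added example, not from the thread. Sample outputs below are constructed.

# Numbered lines of `security find-identity -v -p codesigning` look like:
#   1) <40 hex SHA-1> "Developer ID Application: Name (TEAMID)"
IDENTITY_LINE='^ *[0-9]+\) [0-9A-F]{40} "'

# Reads find-identity output on stdin; succeeds if an identity (certificate
# plus private key) whose name contains $1 is listed.
has_signing_identity() {
    grep -E "$IDENTITY_LINE" | grep -F -q -- "$1"
}

# Reads find-identity output on stdin; prints the number of identities listed.
count_identities() {
    grep -E -c "$IDENTITY_LINE" || true
}

# Imports a .p12 (certificate + key) into the login keychain and lets only
# codesign use the key, instead of "Allow all applications".
# Assumption: the signing tool invokes /usr/bin/codesign.
import_identity() {
    security import "$1" -k "$HOME/Library/Keychains/login.keychain-db" \
        -T /usr/bin/codesign
}

# Constructed sample: certificate and private key both present.
SAMPLE_WITH_KEY='  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Developer ID Application: Example Corp (ABCDE12345)"
     1 valid identities found'
# Constructed sample: certificate installed without its private key.
SAMPLE_CERT_ONLY='     0 valid identities found'

# On a Mac, run the check against the real keychains.
if command -v security >/dev/null 2>&1; then
    if security find-identity -v -p codesigning |
        has_signing_identity "Developer ID Application"; then
        echo "Developer ID identity found (certificate and private key)"
    else
        echo "No usable identity: certificate missing or has no private key" >&2
    fi
fi
```
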

 
