
During the codesigning phase I'm getting a popup to enter a keychain password for the generated keychain #139

Open
7sharp9 opened this issue Feb 16, 2025 · 6 comments


7sharp9 commented Feb 16, 2025

I have my machine setup as a local runner and when it gets to the code signing phase this pops up:

[Image: screenshot of the keychain password prompt]

I moved to a local machine runner because I burned through my 2000 minutes quite quick and I think this was happening on the Github host too as it was running for 40 minutes just on the code signing job.

It does look like the importing of the keys works as I see the keychain file. I can also look through the job commands and find the password to enter but this should not happen.

Did I miss something I have to do or did Apple change something?

7sharp9 (Author) commented Feb 16, 2025


      {
        "type": "action",
        "reference": {
          "type": "script"
        },
        "contextName": "setup-keychain",
        "inputs": {
          "type": 2,
          "map": [
            {
              "key": "script",
              "value": {
                "type": 3,
                "file": 8,
                "line": 51,
                "col": 12,
                "expr": "format('# Set up keychain path\nKEYCHAIN_PATH=\"$HOME/Library/Keychains/{0}.keychain-db\"\nKEYCHAIN_PASSWORD=\"$(openssl rand -base64 12)\"\necho \"::add-mask::$KEYCHAIN_PASSWORD\"\n\n# Create new keychain (without making it default)\nsecurity create-keychain -p \"$KEYCHAIN_PASSWORD\" \"$KEYCHAIN_PATH\"\n\n# Unlock it for use\nsecurity unlock-keychain -p \"$KEYCHAIN_PASSWORD\" \"$KEYCHAIN_PATH\"\n\n# Set output for cleanup\necho \"keychain-path=$KEYCHAIN_PATH\" >> $GITHUB_OUTPUT\necho \"keychain-***" >> $GITHUB_OUTPUT\n', inputs.keychain-name)"
              }
            },
            {
              "key": "shell",
              "value": {
                "type": 0,
                "file": 8,
                "line": 50,
                "col": 14,
                "lit": "bash"
              }
            }
          ]
        },
        "condition": "success()"
      },

Log doesn't show anything untoward unless you notice something?

7sharp9 (Author) commented Feb 16, 2025

# Ensures codesign will not need a password prompt for this particular keychain
security set-key-partition-list -S apple-tool:,apple: -s -k "***" "/Users/davethomas/Library/Keychains/github-action-build_and_test-13350523276-84-1.keychain-db"

# Add keychain to keychain list (without changing default)
security list-keychains -d user -s "/Users/davethomas/Library/Keychains/github-action-build_and_test-13350523276-84-1.keychain-db" $(security list-keychains -d user | xargs)

This is the next job I ran. I grabbed the command output. I masked my own password, not that it matters :-)

Not sure if this is helpful or not? I can't see anything wrong with it.

sudara (Owner) commented Feb 16, 2025

For pamplejuce, sounds like we should put a timeout on the codesign step (see the pkgbuild step).

For the keychain action, are you using your main macos user or a new user? There's docs on the latter here, but it's not an easy/supported path: https://melatonin.dev/manuals/pamplejuce/github-actions-workflows-101/using-self-hosted-runners-as-another-user/

Have you tried passing the temporary keychain name to the codesign commands? Assuming your keychain step is still named keychain:

--keychain ${{ steps.keychain.outputs.keychain-path }}

7sharp9 (Author) commented Feb 16, 2025

I'm using it as my user account. I think what's happening is the keychain is auto-locking itself. By the time my build is finished the keychain is locked. If I move the keychain step to just before signing it seems to flow without asking for a password.

7sharp9 (Author) commented Feb 16, 2025

I think it was getting confused as I had the certs installed in my login keychain as well so it may be worth passing:

--keychain "${{ steps.keychain.outputs.keychain-path }}"

as an argument to codesign

I've not tried this yet as I just removed my certs for now.

sudara (Owner) commented Feb 16, 2025

Ah yeah, on my own projects I also have my keychain unlocking right before signing. Maybe that's another change worth making to pamplejuce.
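One way to combine the three fixes discussed in this thread (a keychain lock timeout that outlives the build, an unlock immediately before signing, and codesign pinned to the temporary keychain with --keychain so the login keychain is never consulted), as an added example that is not pamplejuce's or the keychain action's own code. The keychain name, the .p12 inputs, the signing identity and the 6-hour timeout are assumptions; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example (not pamplejuce's or the keychain action's code). Keychain name,
# .p12 inputs, signing identity and the 6-hour timeout are assumed values.
set -eu

# A new keychain auto-locks after 300 s idle by default, which a 40-minute build overruns.
KEYCHAIN_LOCK_TIMEOUT="${KEYCHAIN_LOCK_TIMEOUT:-21600}"

# Execute a command, or print it when DRY_RUN=1 (lets the flow be inspected off-macOS).
run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Same path convention as the action's log: $HOME/Library/Keychains/<name>.keychain-db
keychain_path() { printf '%s/Library/Keychains/%s.keychain-db\n' "$HOME" "$1"; }

# Create, configure and unlock the keychain, then import the .p12 so only codesign may use it.
setup_keychain() {
  local name="$1" password="$2" p12="$3" p12_password="$4"
  local path; path="$(keychain_path "$name")"
  run security create-keychain -p "$password" "$path"
  # -l: lock on sleep; -u -t N: lock after N idle seconds instead of the 300 s default.
  run security set-keychain-settings -lut "$KEYCHAIN_LOCK_TIMEOUT" "$path"
  run security unlock-keychain -p "$password" "$path"
  # -T pre-authorises codesign for the key; the partition list suppresses the per-use prompt.
  run security import "$p12" -k "$path" -P "$p12_password" -T /usr/bin/codesign
  run security set-key-partition-list -S apple-tool:,apple: -s -k "$password" "$path"
}

# Unlock again right before signing (this step may run long after setup) and pin
# identity lookup to the temporary keychain so the login keychain is never searched.
sign_with_keychain() {
  local name="$1" password="$2" identity="$3" target="$4"
  local path; path="$(keychain_path "$name")"
  run security unlock-keychain -p "$password" "$path"
  run codesign --force --timestamp --options runtime \
    --sign "$identity" --keychain "$path" "$target"
  run codesign --verify --verbose=2 "$target"
}

# Delete the temporary keychain so the signing key does not linger on the runner.
cleanup_keychain() { run security delete-keychain "$(keychain_path "$1")"; }

# Workflow usage, e.g.: P12_PATH=cert.p12 P12_PASSWORD=... SIGNING_IDENTITY="Developer ID Application: ..." ./sign.sh build/MyPlugin.vst3
if [ $# -gt 0 ]; then
  KC_PASSWORD="$(openssl rand -base64 12)"
  setup_keychain ci-signing "$KC_PASSWORD" "$P12_PATH" "$P12_PASSWORD"
  sign_with_keychain ci-signing "$KC_PASSWORD" "$SIGNING_IDENTITY" "$1"
  cleanup_keychain ci-signing
fi
```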
