OSX: security: cert import failed: write permissions error

[michaelspecht]

When I run the build agent interactively (by just calling ./run.sh), I have no issues with any builds. When I install the agent as a service (./agent/svc.sh install agent) and use that for builds, however, I get a permissions error. It looks like it has problems dealing with the provisioning file/keychain. If I modify the agent plist and add the following key/value (as outlined here http://serverfault.com/questions/328785/how-do-i-launch-a-process-as-a-specific-user-at-startup-on-os-x), it will run no problem (but then I can no longer launch the iOS simulator for tests):

<key>SessionCreate</key>
<true/>

Has anyone run into a similar problem? Our VSO build is set to create the app package using the signing and provisioning profile we set in VSO.

Log:

Provisioning profile file found.
/usr/bin/security delete-keychain /Users/username/Downloads/myagent/_work/3/s/appname/_tasktmp.keychain
Command failed: /bin/sh -c /usr/libexec/PlistBuddy -c "Print UUID" /dev/stdin <<< $(/usr/bin/security cms -D -i "/Users/username/Downloads/myagent/_work/3/s/Certificates/appname.mobileprovision")
security: cert import failed: write permissions error
security: problem decoding
Print: Entry, "UUID", Does Not Exist
taskRunner fail
task result: Failed
Return code: 1

[bryanmacfarlane]

This is fixed in 0.6.5. Thanks for reporting!

[CKGrafico]

Where is fixed @bryanmacfarlane ? I can still reproduce after 'curl -skSL http://aka.ms/xplatagent | bash'

[zulalay]

Any updates? same issue

[zulalay]

maybe that can give any clue https://www.visualstudio.com/docs/build/apps/mobile/secure-certs

[bryanmacfarlane]

It's fixed in the agent service configuration code. So, if you just do curl to 'update' an existing agent, the plist is still not going SessionCreate key in the plist

You also have to configure as a launch agent (as opposed to launch daemon) for tests to work.

Finally, the new agent has these changes and only does launch agent.

https://github.com/Microsoft/vsts-agent

That's replacing this agent.

BUT! wait for new preview that's coming out tomorrow. Should be build 2.101.0

[zulalay]

thank you for your reply. I am still running into different issues (very confused)...

but let me ask you if i understood you correctly: I read it as follows: one of my options is to completely get rid of my old vso-agent and use vsts-agent (which was released today) instead. correct or am i missing something? :)

[bryanmacfarlane]

Yes, the new agent is deprecating this one. We combined our closed source windows agent and this open source node agent into one open source agent using .net core xplat (vsts-agent link above)

I'm interested in whether you work with the path forward.

[bryanmacfarlane]

It also installs SxS in another directory so you can simply stop/disable your node one and setup the new one in a different dir

[zulalay]

Still no success. Tried to install vsts-agent on 2 different machines. and both places getting:

Workspace 'ws_2_32' created. ERROR: An argument error occurred: Unable to determine the workspace. You may be able to correct this by running 'tf workspaces -collection:TeamProjectCollectionUrl'

Looks like it doesnt do the 'mapping' step

[bryanmacfarlane]

Log an issue in the vsts-agent repo.