tauri-apps / tauri

Build smaller, faster, and more secure desktop and mobile applications with a web frontend.
https://tauri.app
Apache License 2.0

[bug] macos `codesign` error "The specified item could not be found in the keychain" #4051

Closed JonasKruckenberg closed 2 years ago

JonasKruckenberg commented 2 years ago

Describe the bug

Related to #4008.

As of eaf9e5a9a6c0959be46d2969a423ef7689ea9225 the tauri bundler runs the following command during code signing on macOS: `security default-keychain -s $KEYCHAIN_ID`. This command is fine when code signing in a CI runner that gets discarded afterwards anyway, but seriously not fine if you try to code sign locally. As many apps use the default keychain to store access tokens, this will make it impossible to access any apps and log into new ones until the user restarts the app.

I resolved this issue with PR #4053, but ran into another issue:

The `codesign` command (the one that does the actual signing) can't find the certificate in the keychain unless the keychain is primed with `security default-keychain` or `security list-keychain -d user -s $KEYCHAIN_ID` first. This bug is absolutely unexplainable to me and I haven't found any reasonable explanation other than that this is some sort of syncing issue in macOS.

This issue is intended to be a tracking issue for this problem and is referenced in the code for future reference.

Reproduction

  1. Build the cli at commit eaf9e5a9a6c0959be46d2969a423ef7689ea9225
  2. See it correctly signing a build on macOS
  3. Comment out lines 79-87
  4. See it break with the error `error: The specified item could not be found in the keychain.`

Expected behavior

To not require priming a command with a completely unrelated command?

Platform and versions

cargo tauri info

Environment
  › OS: Mac OS 12.4.0 X64
  › Node.js: 18.0.0
  › npm: 8.6.0
  › pnpm: 7.0.0-rc.7
  › yarn: 3.1.0
  › rustup: 1.24.3
  › rustc: 1.59.0
  › cargo: 1.59.0
  › Rust toolchain: stable-aarch64-apple-darwin 

Packages
WARNING: no lock files found, defaulting to npm
  › @tauri-apps/cli [NPM]: 1.0.0-rc.9
  › @tauri-apps/api [NPM]: 1.0.0-rc.3(outdated, latest: 1.0.0-rc.4)
  › tauri [RUST]: 1.0.0-rc.6 (no lockfile),
  › tauri-build [RUST]: no manifest (no lockfile),
  › tao [RUST]: no manifest (no lockfile),
  › wry [RUST]: no manifest (no lockfile),

App
  › build-type: bundle
  › CSP: default-src 'self' style-src 'self' 'unsafe-inline' connect-src http://localhost:55001
  › distDir: ../../plz-out/gen/frontend/dist/client
  › devPath: http://localhost:3000/
package.json not found

App directory structure
  ├─ app
  ├─ extension-host
  ├─ common
  ├─ ext-youtube
  └─ ext-twitter

Stack trace

No response

Additional context

No response

lucasfernog commented 2 years ago

This has been resolved: we kept the `security list-keychains -d user -s $keychains` usage as it is responsible for setting the keychains to the search list (the confusion happens because a command named list actually sets something). Here's the command help output:

$ security list-keychains help
Usage: list-keychains [-d user|system|common|dynamic] [-s [keychain...]]
    -d  Use the specified preference domain
    -s  Set the search list to the specified keychains
With no parameters, display the search list.
        Display or manipulate the keychain search list
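
An added example (not Tauri's bundler code and not posted by anyone in this thread): because `-s` sets the whole search list, as the help output above shows, this POSIX shell script merges a signing keychain into the existing user search list instead of passing it alone, and never touches the default keychain. The function names, the `--apply` flag and the sample output are constructed; the script assumes `security list-keychains -d user` prints one indented, double-quoted path per line.

```shell
#!/bin/sh
# Added example, not Tauri's bundler code. Function names are hypothetical.
# `security list-keychains -d user -s` REPLACES the search list, so merge
# the signing keychain into the existing entries instead of passing it alone.
# The default keychain is never changed.

# Constructed sample of what `security list-keychains -d user` prints.
SAMPLE_OUTPUT='    "/Users/dev/Library/Keychains/login.keychain-db"
    "/Library/Keychains/System.keychain"'

# Strip the indentation and double quotes around each path (stdin -> stdout).
parse_search_list() {
  sed -e 's/^[[:space:]]*"//' -e 's/"[[:space:]]*$//' -e '/^$/d'
}

# Echo the parsed list from stdin, appending $1 only if it is not present.
merged_search_list() {
  new_kc=$1
  found=0
  while IFS= read -r line; do
    if [ "$line" = "$new_kc" ]; then found=1; fi
    printf '%s\n' "$line"
  done
  if [ "$found" -eq 0 ]; then printf '%s\n' "$new_kc"; fi
}

# macOS only. $1 = full path of the signing keychain.
add_keychain_to_search_list() {
  # Abort if the current list cannot be read; otherwise -s would drop it.
  current=$(security list-keychains -d user) || return 1
  merged=$(printf '%s\n' "$current" | parse_search_list | merged_search_list "$1")
  set --
  while IFS= read -r line; do
    set -- "$@" "$line"
  done <<EOF
$merged
EOF
  security list-keychains -d user -s "$@"
}

# Usage: sh add-keychain.sh --apply /path/to/signing.keychain-db
if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
  add_keychain_to_search_list "$2"
fi
```

Pass the keychain as a full path so the duplicate check matches the paths that `security` prints; running it twice with the same path leaves the search list unchanged.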