I am integrating code signing into our builds and have created a custom keychain which is held within the source code tree and used to sign the code (it's copied to ~/Library/Keychains before being used, so it's in a well known location).
However when attempting to sign I get an error:
$ /usr/bin/codesign --sign='Mac Developer: John Doe (AA1AAA1AAA)' \
--keychain=~/Library/Keychains/xxx.keychain \
dist/64/gmake/release/bin/libmylib.dylib
Mac Developer: John Doe (AA1AAA1AAA): no identity found
However:
$ security find-identity -p codesigning ~/Library/Keychains/xxx.keychain
Policy: Code Signing
Matching identities
1) 49F2FBE79899DF18A9638AC6B1302E2EB6E079AD "Mac Developer: John Doe (AA1AAA1AAA)"
1 identities found
Valid identities only
1) 49F2FBE79899DF18A9638AC6B1302E2EB6E079AD "Mac Developer: John Doe (AA1AAA1AAA)"
So I don't understand why codesign is unable to find the identity.
Can anyone suggest a solution?
Note that I have also tried with the identity's SHA-1, with the same result.
Some of codesign's error messages are less than clear. The problem here is that codesign couldn't find the keychain, and that is caused by the use of --keychain=~/path. This is interpreted as a single argument and no tilde expansion is performed. If you modify your command to use separate arguments it should work as expected:
codesign --sign 'Mac Developer: John Doe (AA1AAA1AAA)' \
--keychain ~/Library/Keychains/xxx.keychain \
dist/64/gmake/release/bin/libmylib.dylib
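As an added illustration that is not part of the question or the answer: a small POSIX shell script showing the argument codesign actually receives in each form, plus a pre-check a build script can run before signing so a missing keychain is reported as such. The function names, the temporary HOME and the empty placeholder keychain file are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the question or the answer. Function names, the
# temporary HOME and the empty placeholder "keychain" file are assumptions.

# Print the single argument exactly as the called program receives it. The
# shell expands a leading "~" only at the start of a word, so the tilde in
# "--keychain=~/..." reaches codesign untouched and names a file that does
# not exist, which codesign then reports as "no identity found".
received_arg() {
    printf '%s\n' "$1"
}

# Expand a leading "~" or "~/" ourselves, for a path that arrives inside a
# single "--keychain=VALUE" argument or from a build configuration file.
expand_tilde() {
    case "$1" in
        "~")   printf '%s\n' "$HOME" ;;
        "~/"*) printf '%s/%s\n' "$HOME" "${1#??}" ;;   # drop the leading "~/"
        *)     printf '%s\n' "$1" ;;
    esac
}

# Resolve and verify the keychain before invoking codesign, so the build fails
# with a clear message instead of a misleading identity error. Prints the
# resolved path and returns 0; returns 1 if no such file exists.
check_keychain() {
    kc=$(expand_tilde "$1")
    if [ ! -f "$kc" ]; then
        printf 'keychain not found: %s (given: %s)\n' "$kc" "$1" >&2
        return 1
    fi
    printf '%s\n' "$kc"
}

# Demonstration in a subshell with a constructed HOME and an empty placeholder
# file standing in for the keychain, so it runs anywhere without codesign.
demo() (
    HOME=$(mktemp -d) && export HOME
    mkdir -p "$HOME/Library/Keychains"
    : > "$HOME/Library/Keychains/xxx.keychain"   # placeholder, not a real keychain
    echo "received with '=':"; received_arg --keychain=~/Library/Keychains/xxx.keychain
    echo "received as a separate word:"; received_arg ~/Library/Keychains/xxx.keychain
    kc=$(check_keychain "~/Library/Keychains/xxx.keychain") || return 1
    echo "pre-check passed; would run:"
    echo "codesign --sign 'Mac Developer: John Doe (AA1AAA1AAA)' --keychain \"$kc\" dist/64/gmake/release/bin/libmylib.dylib"
)

demo
```

The first line printed by the demo still contains the literal tilde, which is the path codesign was handed in the question.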