Switching default keychain

[jl-gogovapps]

Describe the bug

Ultimately, I'm trying to use match/gym to build apps through a self-hosted runner.

I've tried many combinations of the following:

bundle exec fastlane run create_keychain
bundle exec fastlane run unlock_keychain

However, the result of security default-keychain is always /Library/Keychain/System. I can only change the system default with sudo

Has anyone been able to work though a similar issue? I've found a lot of similar or outdated issues, but they all point to things like "use setup_ci" or unlock the keychain, but I think the crux of the problem here is the inability to change the default keychain.

Alternatively, I'm able to see valid certs with

security find-identity -v -p codesigning mykeychain

but unable to see them with

security find-identity -v -p codesigning

Is there a way for me to get xcodebuild to use the specific keychain?

To Reproduce
See above

Expected behavior

$ security default-keychain mykeychain
$ security default-keychain
/path/to/mykeychain

Runner Version and Platform

OSX - tar xzf ./actions-runner-linux-x64-2.165.2.tar.gz

[TingluoHuang]

@jl-gogovapps can you share a YAML file with what you are trying to run? can you make your script work in a bash shell without the runner involved?

[raphaelcruzeiro]

I'm experiencing this issue as well @TingluoHuang. What is interesting here is that this works the first time I install the the runner but stops working after the machine is rebooted (reinstalling the runner makes it work again).

When the problem starts occurring, security default-keychain returns only the system keychain if it's being ran by the runner. If I ssh to the machine under the same user, security default-keychain returns the correct keychain. The only workaround I found so far is to reinstall the runner.

[sebalopez]

Hi, I am facing this exact issue but for me it only started after the recent MacOS upgrade to 10.15.7 - this was actually working fine for me with the runner running as a service up until a couple weeks ago.
Are there any news on merging this PR?

[jl-gogovapps]

i ran into issues with keychains recently, they are really hard to debug, and there are many similar stackoverflows - the issue was one of the two WWDR certs missing.

Make sure you have:

WWDR Certificate (Expiring 02/07/2023 21:48:47 UTC)
WWDR Certificate (Expiring 02/20/2030 12:00:00 UTC)

from https://www.apple.com/certificateauthority/

[sebalopez]

I read elsewhere on SO having only the latest should be enough, though it in any case its emission last month seems to be related to this issue. Devilishly hard to debug indeed.