Keys & cryptography

Keychain (macOS)

macOS's built-in encrypted store for passwords, certificates, and private keys. Xcode and codesign read signing identities from it.

macOS keychainKeychain AccessLogin keychainSystem keychain

The keychain is macOS's encrypted store for secrets. Every Apple Developer certificate you import on a Mac lands in a keychain, paired with the private key that signs builds for it. Xcode and the codesign command both look up signing identities in keychains, so a misconfigured keychain is the most common cause of mystery signing failures on CI.

Keychains you will see

Login keychain: Unlocked automatically when a user logs in. Most developer Macs store signing identities here.
System keychain: Available to every user on the machine. Often used on CI runners so the signing process does not depend on a particular user being logged in.
Custom keychain: A keychain file you create explicitly (`security create-keychain`). CI scripts often build a throwaway keychain per job and delete it at the end.

Why CI builds fail with 'no signing certificate' errors

The certificate was imported into a keychain that is not in the user's keychain search list.
The keychain is locked, so codesign cannot read the private key. `security unlock-keychain` is the fix.
The 'codesign' partition list on the imported key forbids non-interactive access. Run `security set-key-partition-list` to grant it.
A different keychain on the runner has an expired certificate of the same type and codesign picks that one first.

Keep reading

Related terms

Private key

The secret half of a key pair. Whoever holds the private key for a code signing certificate can sign builds as that developer. Lose it and you cannot rotate; leak it and someone else can sign as you.

Read definition

PKCS#12 / .p12 file

A password-protected file format that bundles a certificate and its matching private key together. The standard way to move an Apple signing identity between machines.

Read definition

Code signing certificate

Umbrella term for any Apple-issued certificate used to sign a binary, installer, or push token. Covers Apple Development, Apple Distribution, Developer ID, APNs, Pass Type ID, and Mac Installer certificates.

Read definition

Code signing

The process of attaching a cryptographic signature to a binary so the operating system can verify who built it and that nothing has changed since. Required for every app shipped on Apple platforms.

Read definition

Next step

Help articles on this topic

Run the CLI in CI with machine credentials

Provision a service credential, drop the client ID and secret into your pipeline, and let the CLI swap to machine mode automatically.

5 min readRead article

Fetch signing material before xcodebuild

A simple, repeatable CI pattern: download the right certificate and provisioning profile by ID, import them, run xcodebuild.

5 min readRead article

Fix a failed App Store Connect sync

Diagnose why a sync failed, read the error in the sync history, and know when to rotate the API key vs. retry.

5 min readRead article

Notice a definition that has drifted? Email support@hexsign.io and we'll update it. Browse the full glossary or jump to the help center.

Keys & cryptography

Keychain (macOS)

macOS's built-in encrypted store for passwords, certificates, and private keys. Xcode and codesign read signing identities from it.

macOS keychainKeychain AccessLogin keychainSystem keychain

Keychains you will see

Login keychain: Unlocked automatically when a user logs in. Most developer Macs store signing identities here.
System keychain: Available to every user on the machine. Often used on CI runners so the signing process does not depend on a particular user being logged in.
Custom keychain: A keychain file you create explicitly (`security create-keychain`). CI scripts often build a throwaway keychain per job and delete it at the end.

Why CI builds fail with 'no signing certificate' errors

The certificate was imported into a keychain that is not in the user's keychain search list.
The keychain is locked, so codesign cannot read the private key. `security unlock-keychain` is the fix.
The 'codesign' partition list on the imported key forbids non-interactive access. Run `security set-key-partition-list` to grant it.
A different keychain on the runner has an expired certificate of the same type and codesign picks that one first.

Keep reading

Related terms

Private key

The secret half of a key pair. Whoever holds the private key for a code signing certificate can sign builds as that developer. Lose it and you cannot rotate; leak it and someone else can sign as you.

Read definition

PKCS#12 / .p12 file

A password-protected file format that bundles a certificate and its matching private key together. The standard way to move an Apple signing identity between machines.

Read definition

Code signing certificate

Read definition

Code signing

The process of attaching a cryptographic signature to a binary so the operating system can verify who built it and that nothing has changed since. Required for every app shipped on Apple platforms.

Read definition

Next step

Help articles on this topic

Run the CLI in CI with machine credentials

Provision a service credential, drop the client ID and secret into your pipeline, and let the CLI swap to machine mode automatically.

5 min readRead article

Fetch signing material before xcodebuild

A simple, repeatable CI pattern: download the right certificate and provisioning profile by ID, import them, run xcodebuild.

5 min readRead article

Fix a failed App Store Connect sync

Diagnose why a sync failed, read the error in the sync history, and know when to rotate the API key vs. retry.

5 min readRead article

Notice a definition that has drifted? Email support@hexsign.io and we'll update it. Browse the full glossary or jump to the help center.