Duplicate Keychain Entries in macOS Sierra
I recently upgraded one of our Mac Mini build servers to macOS Sierra. After doing so, I noticed something very strange happening when trying to sign our app builds. The signing process was failing for some reason. I went to check the keychain using the security command to see if I could see what was going on, and if it couldn’t find the relevant certificates and private keys.
Ghyston:~ iosbuilds$ security find-identity -v -p codesigning
1) 7A0DB9A50051B6DDCCB00409D9A82B118C67B301 "iPhone Developer: Build Master (FBC3BVZSH8)"
2) 8FB1A0E186254DAFA3D5ED116F77E78964278F08 "iPhone Distribution: Legacy Parts Corporation (9Q5433VBYW)"
3) 8FB1A0E186254DAFA3D5ED116F77E78964278F08 "iPhone Distribution: Legacy Parts Corporation (9Q5433VBYW)"
4) 7337E32BCB5C6E68099707B93107D55B1AD888EB "iPhone Developer: Build Master (FBC3BVZSH8)"
5) 8FB1A0E186254DAFA3D5ED116F77E78964278F08 "iPhone Distribution: Legacy Parts Corporation (9Q5433VBYW)"
5 valid identities found
What?! Where were the duplicates coming from? I tried the same command on the other build node we have, which has already been running Sierra for the past few months:
Goram:~ iosbuilds$ security find-identity -v -p codesigning
1) 7A0DB9A50051B6DDCCB00409D9A82B118C67B301 "iPhone Developer: Build Master (FBC3BVZSH8)"
2) 8FB1A0E186254DAFA3D5ED116F77E78964278F08 "iPhone Distribution: Legacy Parts Corporation (9Q5433VBYW)"
2 valid identities found
That is what I’d expect.
The very odd thing is that if I look in each of the keychains in my keychain path manually I can’t see any duplicates:
Ghyston:~ iosbuilds$ security list-keychains
"/Users/iosbuilds/Library/Keychains/iosbuilds.keychain-db"
"/Users/iosbuilds/Library/Keychains/login.keychain-db"
"/Library/Keychains/System.keychain"
Ghyston:~ iosbuilds$ security find-identity -v -p codesigning /Users/iosbuilds/Library/Keychains/iosbuilds.keychain-db
1) 7A0DB9A50051B6DDCCB00409D9A82B118C67B301 "iPhone Developer: Build Master (FBC3BVZSH8)"
2) 8FB1A0E186254DAFA3D5ED116F77E78964278F08 "iPhone Distribution: Legacy Parts Corporation (9Q5433VBYW)"
2 valid identities found
Ghyston:~ iosbuilds$ security find-identity -v -p codesigning /Library/Keychains/System.keychain
0 valid identities found
Ghyston:~ iosbuilds$ security find-identity -v -p codesigning /Users/iosbuilds/Library/Keychains/login.keychain-db
0 valid identities found
I tried exporting, deleting, re-importing the entries in my keychains. I tried creating new login keychain. Rebooting, etc. Still couldn’t work out why it was displaying the duplicate keychain entries.
After a lot of looking about, I found the issue. There was a copy of the private key for ‘Legacy Parts Corporation’ in my system keychain. Not the certificate… hence why it didn’t show up above. But for some very unknown reason, having a duplicate key in another keychain without the corresponding certificate causes macOS to get a bit confused and show the cert multiple times.
Deleting the private key from the system keychain and suddenly things look much better again:
Ghyston:~ iosbuilds$ security find-identity -v -p codesigning
1) 7A0DB9A50051B6DDCCB00409D9A82B118C67B301 "iPhone Developer: Build Master (FBC3BVZSH8)"
2) 8FB1A0E186254DAFA3D5ED116F77E78964278F08 "iPhone Distribution: Legacy Parts Corporation (9Q5433VBYW)"
2 valid identities found
And our code signing and builds now work again.