Importing Signing Identities via Command Line
A while ago I needed to re-sign an iOS application from the command line. This is a pretty straightforward process, but I hit a small snag along the way. As anyone familiar with codesigning can attest, the first time a signing identity is used to generate a signature you are prompted with a modal dialog saying that codesign wants to use your private key. You can either deny access to the key, allow it once, or grant codesign access every time it attempts to use the key. Usually it’s not a big deal to select the ‘always allow’ option and move on, but I needed to find a way to grant this permission without user interaction.
After some research I discovered that you can manually import signing identities via the security import command, and what’s more, there are two options that allow you to grant an application access to the identity at the time of import. The options are:
-A Allow any application to access the imported key without warning (insecure, not recommended!)
-T Specify an application which may access the imported key (multiple -T options are allowed)
Now, seeing that the -A option is ‘not recommended!’ I decided to try -T instead. Since I was importing the key into the login keychain, my import statement ended up looking something like:
security import signing_id.p12 -k login.keychain -T /usr/bin/codesign
This seemed like the correct approach, but I was still being prompted to grant access manually when codesign attempted to use the key. It turned out that, since I had already imported this particular signing identity without granting codesign access, further attempts to import the key did not update its access control settings: the import leaves an existing private key untouched. As far as I can tell there is no way to alter the access control list of an existing private key via the security tool. The settings can be changed manually in the Keychain Access app by inspecting the private key and editing the list of programs under its ‘Access Control’ tab. After I deleted the existing private key and re-imported the signing identity with -T, codesign was able to use the key from the command line without any further prompts.
Two caveats for anyone repeating this. First, if the .p12 is password-protected, pass the passphrase with -P, otherwise security import itself pops up a dialog asking for it. Second, on macOS Sierra (10.12) and later -T alone is no longer enough: after the import you also have to set the key’s partition list (security set-key-partition-list -S apple-tool:,apple: -s -k <keychain-password> <keychain>), or codesign will keep prompting even though it is listed as an allowed application.
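The whole procedure as one script, added here as an example and not code from the original post. It avoids the snag above by importing into a freshly created keychain (so there is no pre-existing key whose access control would be left alone), grants codesign access with -T, applies the partition-list step that newer macOS versions need, and resolves the identity’s SHA-1 hash from the find-identity output so codesign can be given an unambiguous identifier. The environment variable names, the keychain path and the sample find-identity output are assumptions of mine, not anything taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): import a .p12 signing identity
# into a dedicated, freshly created keychain so that codesign can use the
# private key non-interactively.
#
# Assumptions (hypothetical names, not from the post): P12_PATH, P12_PASSWORD,
# KEYCHAIN_PASSWORD, IDENTITY_NAME and APP_PATH are supplied via the
# environment; KEYCHAIN_PATH defaults to a dedicated keychain file.
set -eu

KEYCHAIN_PATH="${KEYCHAIN_PATH:-$HOME/Library/Keychains/signing.keychain-db}"

# Create an empty keychain, unlock it and stop it from auto-locking
# mid-build (-t 21600 = 6 hours; -l also locks on sleep).
create_keychain() {   # $1 keychain path, $2 keychain password
    security create-keychain -p "$2" "$1"
    security set-keychain-settings -lut 21600 "$1"
    security unlock-keychain -p "$2" "$1"
}

# Put the new keychain at the front of the user search list so codesign
# finds the identity without an explicit --keychain argument.
add_to_search_list() {   # $1 keychain path
    existing=$(security list-keychains -d user | tr -d '"')
    # shellcheck disable=SC2086  (word-splitting of $existing is intended)
    security list-keychains -d user -s "$1" $existing
}

# Import the identity and grant /usr/bin/codesign access to the key at
# import time (-T). -P supplies the .p12 passphrase so 'security import'
# itself does not show a dialog.
import_identity() {   # $1 keychain path, $2 keychain password, $3 p12 path, $4 p12 password
    security import "$3" -k "$1" -P "$4" -T /usr/bin/codesign
    # macOS 10.12 and later additionally require the key's partition list to
    # contain apple-tool: and apple:, otherwise codesign still prompts despite -T.
    security set-key-partition-list -S apple-tool:,apple: -s -k "$2" "$1"
}

# Extract the SHA-1 hash of a named identity from 'security find-identity'
# output, for use with 'codesign -s <hash>'. Names can be ambiguous when
# several certificates share a common name; the hash is not. Only an exact
# match on the quoted label is accepted.
identity_hash_for() {   # $1 find-identity output, $2 exact identity name
    printf '%s\n' "$1" | awk -v name="$2" '
        /^ *[0-9]+\) [0-9A-F]+ "/ {
            label = $0
            sub(/^ *[0-9]+\) [0-9A-F]+ "/, "", label)
            sub(/"$/, "", label)
            if (label == name) { print $2; exit }
        }'
}

# Constructed sample of 'security find-identity -p codesigning' output
# (hashes and names are made up) used to exercise identity_hash_for.
SAMPLE_FIND_IDENTITY='Policy: Code Signing
  Matching identities
  1) 1A2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D7E8F9A0B "iPhone Developer: Jane Doe (ABCDE12345)"
  2) 0B9A8F7E6D5C4B3A2F1E0D1C9B8A7F6E5D4C3B2A "iPhone Distribution: Example Corp (ABCDE12345)"
     2 identities found'

main() {
    : "${KEYCHAIN_PASSWORD:?set KEYCHAIN_PASSWORD}"
    : "${P12_PASSWORD:?set P12_PASSWORD}"
    : "${IDENTITY_NAME:?set IDENTITY_NAME (e.g. the quoted label find-identity prints)}"
    : "${APP_PATH:?set APP_PATH to the bundle to re-sign}"
    create_keychain "$KEYCHAIN_PATH" "$KEYCHAIN_PASSWORD"
    add_to_search_list "$KEYCHAIN_PATH"
    import_identity "$KEYCHAIN_PATH" "$KEYCHAIN_PASSWORD" "$P12_PATH" "$P12_PASSWORD"
    # Verify: list the identities the code-signing policy accepts (-v), then
    # resolve the one we want to its hash.
    out=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH")
    printf '%s\n' "$out"
    hash=$(identity_hash_for "$out" "$IDENTITY_NAME")
    [ -n "$hash" ] || { echo "identity '$IDENTITY_NAME' not valid in $KEYCHAIN_PATH" >&2; exit 1; }
    # This codesign call should now run without the access dialog.
    codesign --force --sign "$hash" --keychain "$KEYCHAIN_PATH" "$APP_PATH"
}

# Only run the import when the inputs are present, so the helpers can be
# sourced or exercised on their own.
if [ -n "${P12_PATH:-}" ]; then
    main
fi
```

Run it as P12_PATH=signing_id.p12 P12_PASSWORD=… KEYCHAIN_PASSWORD=… IDENTITY_NAME='iPhone Developer: …' APP_PATH=MyApp.app sh import_identity.sh. When the build is finished, security delete-keychain on the dedicated keychain removes the key again; because the keychain is created fresh each time, a stale key with the wrong access control can never survive into the next run.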