Oh the errors you’ll see (setting up a CI server)

This post contains solutions that may save you hours of debugging weird code signing errors.

codesign failed with exit code 1

Huh?

If you see this, you’re probably scripting your iOS build process for a Continuous Integration (CI) Server like Jenkins, TravisCI, Bitrise, Nevercode, BuddyBuild or Circle CI. (Unnecessarily long list for that sweet SEO). You’ve probably already tried Google-fu and ended up digging through pages of Stack Overflow posts that are outdated or otherwise unhelpful. You’re not alone.

codesign failed with exit code 1 is the PC Load Letter for the mobile generation

PCLoad Letter? What does that mean (NSFW Language)

So why isn’t it working?

From the codesign docs:

“If a signing or verification operation fails, the exit code is 1”

Well, isn’t that helpful! But what could the error be? Here are some options.

You didn’t unlock the keychain

For most of our builds, Xcode handles unlocking the keychain. But when you’re ssh’ing into the box, you’ll need to do it yourself.

How do I fix it?


$ security unlock-keychain /Users/Jenkins/Library/Keychains/login.keychain

security documentation here.

Your keychain unlock timed out

Long build cycles can cause your keychain to lock before your build is complete. You can use the security command we mentioned earlier to give it a longer timeout.

$ security set-keychain-settings -l -u -t 1200 /Users/Shared/Jenkins/Library/Keychains/login.keychain

User interaction is not allowed

Codesign needs permission to do its thing. macOS would normally pop up a dialog and prompt for your admin password. This won’t work when you’re connected via ssh. If you’re running in command line mode, it just exits with an error.

How do I fix it?

First, make sure your certificate is installed and codesign has permission to use it. The -d flag writes to the admin trust settings, which is why the command runs under sudo.

$ sudo security add-trusted-cert -d -r trustRoot -k "/Users/Shared/Jenkins/Library/Keychains/login.keychain" "/path/to/your-certificate.cer"

Next you have to give the codesign tool permission to access your private key. You can do this through the MacOS Keychain Access app.
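
The unlock and timeout steps above can run as one pre-flight function that also checks for a usable signing identity, so the CI log names the step that failed instead of ending in "exit code 1". This is an added example, not code from the original post; the function name, the return codes and the KEYCHAIN_PASSWORD variable are assumptions.

```shell
#!/bin/bash
# Added example: pre-flight for a headless signing job (function name is hypothetical).
# Assumes the CI system injects the keychain password as KEYCHAIN_PASSWORD.

E_UNLOCK=10       # keychain could not be unlocked
E_SETTINGS=11     # auto-lock timeout could not be changed
E_NO_IDENTITY=12  # no valid code signing identity in the keychain

# prepare_keychain <keychain-path> [timeout-seconds]
prepare_keychain() {
    local keychain="$1"
    local timeout="${2:-1200}"
    local valid

    if [ -z "${KEYCHAIN_PASSWORD:-}" ]; then
        echo "preflight: KEYCHAIN_PASSWORD is not set" >&2
        return "$E_UNLOCK"
    fi

    # -p places the password in argv, where other local users can see it
    # with ps; keep `set -x` off around this call so it stays out of the log.
    if ! security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$keychain"; then
        echo "preflight: cannot unlock $keychain" >&2
        return "$E_UNLOCK"
    fi

    # Flags as in the post: lock on sleep (-l) and after -t seconds idle (-u).
    if ! security set-keychain-settings -l -u -t "$timeout" "$keychain"; then
        echo "preflight: cannot set timeout on $keychain" >&2
        return "$E_SETTINGS"
    fi

    # find-identity -v ends its listing with "N valid identities found".
    valid=$(security find-identity -v -p codesigning "$keychain" 2>/dev/null |
        sed -n 's/^ *\([0-9][0-9]*\) valid identities found.*/\1/p')
    if [ "${valid:-0}" -lt 1 ]; then
        echo "preflight: no valid signing identity in $keychain" >&2
        return "$E_NO_IDENTITY"
    fi

    echo "preflight: $keychain unlocked for ${timeout}s, $valid valid identities"
}

# Typical CI step (shown as a comment so sourcing this file has no side effects):
#   prepare_keychain "$HOME/Library/Keychains/login.keychain" 1200 || exit $?
```

The identity check confirms that a certificate and its private key are present, but it does not test whether codesign has been granted access to that key.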

Codesign returned unknown error -1=ffffffffffffffff

¯\_(ツ)_/¯

This can be related to the above private key permissions. Some people have had luck fixing this with the set-key-partition-list option of the security tool. I’ve never been able to resolve anything with this using macOS Sierra. Other users have reported success with previous versions.

Did you notice set-key-partition-list in the documentation for the security tool? I didn’t either! It’s undocumented.

Anyway, here’s some info on set-key-partition-list.

CSSMERR_TP_NOT_TRUSTED

You may be using an older build machine that doesn’t have a current certificate from Apple. Mac Minis haven’t been updated that much in years, so this is possible.

Instructions here.

The Fine Print

Code signing has been known to break between different macOS releases. These techniques were useful to me as of macOS Sierra (10.2). Future versions may not behave as described.

Didn’t help? Want to learn more?

If all these terms are confusing, the team at obj.io have put together some excellent resources.
Fastlane has provided a list of tips that can help even if you’re not using Fastlane:
If you’re working through Xcode, you’re better off looking here: https://developer.apple.com/library/content/technotes/tn2407/_index.html
If you’re digging into this stuff on a regular basis, you’re better off learning the fundamentals rather than hunting down errors with google-fu. The above links provide a good base.


Also published on Medium.