codesign in Sierra: security set-key-partition-list not working


I followed this thread's instructions and managed to solve the codesigning issues we had on Sierra. The thing is that after a while we installed Sierra on a new machine and now it doesn't work anymore.

Our application is a node application that forks a process where the signing happens. The strange thing is that if you launch the forked script from Terminal (in an SSH session) it works fine, but if you launch the application that forks the process, it doesn't work and the codesigning fails with "code object is not signed at all".

This same application also works fine from SSH on another machine with Sierra that was updated from El Capitan. I really don't know what the difference between both machines might be for this to happen, as both have the same versions of Sierra, Xcode, codesign, etc., but there must be something that's affecting it.

Any idea of anything that could be affecting this strange behaviour? Anything I could try?

Thank you.

Note:

Executing:

security set-key-partition-list -S apple-tool:,apple: -s -k 'password' 'keychain'

from console and then:

codesign -vfs "$IDENTITY" "${PRODUCT}" --keychain 'keychain'

works fine but when launched from inside the node app, it always fails.


There is 1 answer

Answer by keianhzo

For everyone out there in the same situation: I've finally found, after much debugging and research, that the issue had to do with the fact that we were using PM2 for the node service management. By default the PM2 Launch Daemon plist is:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>io.keymetrics.PM2</string>
    <key>UserName</key>
    <string>myusername</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>-c</string>
        <string>/usr/local/lib/node_modules/pm2/bin/pm2 resurrect</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>OnDemand</key>
    <false/>
    <key>LaunchOnlyOnce</key>
    <true/>
    <key>EnvironmentVariables</key>
  <dict>
    <key>PATH</key>
    <string>/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/Cellar/node@5/5.12.0/bin</string>
    <key>PM2_HOME</key>
    <string>/Users/myusername/.pm2</string>
  </dict>
    <key>StandardErrorPath</key>
    <string>/tmp/io.keymetrics.PM2.err</string>
    <key>StandardOutPath</key>
    <string>/tmp/io.keymetrics.PM2.out</string>
</dict>
</plist>

But for the process to be able to access the keychains we need to add a SessionCreate key:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>io.keymetrics.PM2</string>
    <key>UserName</key>
    <string>myusername</string>
    <key>SessionCreate</key>
    <true/>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>-c</string>
        <string>/usr/local/lib/node_modules/pm2/bin/pm2 resurrect</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>OnDemand</key>
    <false/>
    <key>LaunchOnlyOnce</key>
    <true/>
    <key>EnvironmentVariables</key>
  <dict>
    <key>PATH</key>
    <string>/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/Cellar/node@5/5.12.0/bin</string>
    <key>PM2_HOME</key>
    <string>/Users/myusername/.pm2</string>
  </dict>
    <key>StandardErrorPath</key>
    <string>/tmp/io.keymetrics.PM2.err</string>
    <key>StandardOutPath</key>
    <string>/tmp/io.keymetrics.PM2.out</string>
</dict>
</plist>

Just restart the PM2 service and now it works. For some reason that parameter was already added on the old machine.

Thanks to this answer and its author joensson for leading me to the solution.
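As an added example (not code from the original post or from PM2), this Python script uses the standard plistlib module to audit a launchd job plist for the SessionCreate key the answer adds, and to set it when it is absent. The embedded plist text is a constructed, trimmed stand-in for the PM2 job above; the second sample reproduces a SessionCreate key with no value after it, which plistlib rejects as malformed.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Constructed sample (hypothetical, trimmed): a PM2 launchd job without SessionCreate.
JOB_WITHOUT_SESSION = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>io.keymetrics.PM2</string>
    <key>UserName</key><string>myusername</string>
    <key>ProgramArguments</key>
    <array><string>/bin/sh</string><string>-c</string><string>pm2 resurrect</string></array>
    <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Constructed sample: a SessionCreate key with no value following it (invalid plist).
JOB_WITH_DANGLING_KEY = JOB_WITHOUT_SESSION.replace(
    b"<key>ProgramArguments</key>",
    b"<key>SessionCreate</key>\n    <key>ProgramArguments</key>")


def audit_keychain_session(plist_bytes):
    """Return findings for a launchd job that must unlock and use a keychain.

    An empty list means the job gets its own security session when launchd
    starts it, which is what keychain access from a daemon needs.
    """
    try:
        job = plistlib.loads(plist_bytes)
    except (ValueError, ExpatError) as exc:  # plistlib raises ValueError for a key without a value
        return ["malformed plist: %s" % exc]
    if not isinstance(job, dict):
        return ["malformed plist: top-level object is not a dict"]
    findings = []
    if job.get("SessionCreate") is not True:
        findings.append("SessionCreate is missing or false: no security session, "
                        "so 'security'/'codesign' cannot reach the keychain")
    if not job.get("UserName"):
        findings.append("UserName is missing: as a LaunchDaemon the job runs as root, "
                        "not as the keychain owner")
    return findings


def add_session_create(plist_bytes):
    """Return a copy of the job plist with <key>SessionCreate</key><true/> set."""
    job = plistlib.loads(plist_bytes)
    job["SessionCreate"] = True
    return plistlib.dumps(job)


if __name__ == "__main__":
    for name, data in [("original", JOB_WITHOUT_SESSION),
                       ("fixed", add_session_create(JOB_WITHOUT_SESSION))]:
        print(name, audit_keychain_session(data) or ["ok"])
```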