
macos-latest keychain is locked #4519

Closed
1 of 7 tasks
potatoqualitee opened this issue Nov 15, 2021 · 7 comments

@potatoqualitee

Description

The macOS 11 keychain does not appear to behave like macOS 10.15.

An Action that last ran 3 months ago is no longer running successfully and it seems the culprit is that macOS 11 is now default and macOS 11 has a locked keychain.

When I attempt to unlock it, I'm prompted for a password.

You can see this behavior with the mkcert lines at https://github.com/potatoqualitee/azuright/runs/4214111475?check_suite_focus=true#step:6:153

This is the issue that leads me to believe this issue is with the keychain: FiloSottile/mkcert#94

Virtual environments affected

  • Ubuntu 18.04
  • Ubuntu 20.04
  • macOS 10.15
  • macOS 11
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022

Image version and build link

I was unable to find this setting, please provide further details. I looked in Settings and within the Actions page itself.

Is it regression?

No response

Expected behavior

mkcert works without issue, as it does with 10.15

https://github.com/potatoqualitee/azuright/runs/4215069732?check_suite_focus=true

Actual behavior

    VERBOSE: Running mkcert
    Created a new local CA 💥
    ERROR: failed to execute "security add-trusted-cert": exit status 1

    SecTrustSettingsSetTrustSettings: errSecInternalComponent

    Note: the local CA is not installed in the system trust store.
    Note: the local CA is not installed in the Firefox trust store.
    Note: the local CA is not installed in the Java trust store.
    Run "mkcert -install" for certificates to be trusted automatically

Repro steps

Try to use mkcert -install on macos-latest

@miketimofeev
Contributor

Hi @potatoqualitee!
Could you take a look at this PR that we created to bypass the problem with the certificates? Is it the same issue as yours?
#3311

@potatoqualitee
Author

Thanks for the response, @miketimofeev! MMM, maybe? Can I initiate this from my runner? Do I need to run the following code manually or is it already running?

    swiftc $HOME/image-generation/add-certificate.swift
    sudo ./add-certificate $HOME/AppleWWDRCAG3.cer
    rm add-certificate

I don't know enough to say for sure, my apologies.

@miketimofeev
Contributor

@potatoqualitee yes, you need to compile the code using swiftc:

    swiftc add-certificate.swift

and then use the binary to add a certificate

    sudo ./add-certificate YourCertName.cer

@potatoqualitee
Author

Ahh, that looks like something mkcert should take care of. I'll let them know, thank you.

@potatoqualitee
Author

I had an issue with implementing the swift script -- it would just say that my mkcert generated root cert couldn't be read.

So I ended up smashing sudo security authorizationdb write com.apple.trust-settings.admin allow into the script (as suggested here) and it worked 😆 According to the post, this allows all users to access keychain and bypasses the GUI prompt. While I wouldn't run that on my macbook, it seems reasonable in the context of a CI/CD process.
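An added example (not code from this issue thread or from the runner-images project) that applies the authorizationdb workaround above only for the duration of the mkcert step and restores the saved rule afterwards, so the right is not left prompt-free for the rest of the job. It assumes macOS with `security` and `mkcert` on PATH, passwordless sudo on the runner, and that `security authorizationdb write` accepts a saved plist on stdin; the plist parsing runs anywhere, against a constructed sample.

```shell
#!/bin/sh
# Added example, not code from this issue or from the runner-images project.
# Opens the com.apple.trust-settings.admin right only for the mkcert -install
# step and puts the saved rule back afterwards (even if mkcert fails).
# Assumes macOS with `security` and `mkcert` on PATH, sudo without a password,
# and that `security authorizationdb write` accepts a saved plist on stdin.
set -eu

RIGHT="com.apple.trust-settings.admin"

# Print the <string> value that follows a top-level <key>NAME</key> in the
# plist that `security authorizationdb read` prints (plist on stdin).
# Prints nothing if the key is absent or its value is not a <string>.
plist_value() {
  awk -v key="$1" '
    found { if (match($0, /<string>[^<]*<\/string>/)) print substr($0, RSTART + 8, RLENGTH - 17); exit }
    $0 ~ ("<key>" key "</key>") { found = 1 }
  '
}

# Class of a right definition ($1 = plist text); "allow" means no prompt.
right_class() { printf '%s\n' "$1" | plist_value class; }
right_is_open() { [ "$(right_class "$1")" = "allow" ]; }

# Run mkcert -install with the right opened only for that step.
mkcert_install_scoped() {
  saved=$(mktemp)
  sudo security authorizationdb read "$RIGHT" > "$saved"
  # Restore the original definition on any exit path, then drop the temp file.
  trap 'sudo security authorizationdb write "$RIGHT" < "$saved"; rm -f "$saved"' EXIT
  if ! right_is_open "$(cat "$saved")"; then
    sudo security authorizationdb write "$RIGHT" allow
  fi
  mkcert -install
}

# Constructed sample of what `security authorizationdb read` prints after the
# workaround from the comment above; used when this runs off a macOS runner.
SAMPLE_ALLOW='<plist version="1.0"><dict>
<key>class</key>
<string>allow</string>
</dict></plist>'

if command -v security >/dev/null 2>&1; then
  mkcert_install_scoped
else
  echo "class of constructed sample: $(right_class "$SAMPLE_ALLOW")"  # allow
fi
```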

@potatoqualitee
Author

Hello @miketimofeev -- did you all have to do anything to the runner to get your script to work? @FiloSottile is having a hard time reproducing the non-interactiveness for mkcert.

@miketimofeev
Contributor

@potatoqualitee well, we have some permissions enabled in TCC.db, but I can't remember anything that is related to this script. Maybe something has changed in macOS 12.3.1 and we are just not aware of it?
