I have found a solution giving me access to the regular keychains for my Jenkins user.
Find this plist: /Library/LaunchDaemons/org.jenkins-ci.plist
then:
- Add the
UserName
element with a value ofjenkins
. - Add a
SessionCreate
element with a valuetrue
to the plist file. This gives access to the normal keychains for the user you specified inUserName
Example:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>EnvironmentVariables</key>
<dict>
<key>JENKINS_HOME</key>
<string>/Users/Shared/Jenkins/Home</string>
</dict>
<key>GroupName</key>
<string>wheel</string>
<key>KeepAlive</key>
<true/>
<key>Label</key>
<string>org.jenkins-ci</string>
<key>ProgramArguments</key>
<array>
<string>/bin/bash</string>
<string>/Library/Application Support/Jenkins/jenkins-runner.sh</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>UserName</key>
<string>jenkins</string>
<key>SessionCreate</key>
<true/>
</dict>
</plist>
Then restart the daemon and try running a job in Jenkins that calls security list-keychains
. You should no longer see System.keychain
as the only entry but the regular login and any custom key chains you might have added to the list of keychains for the “jenkins” user.
With the above setup I am able to use codesigning certificates from a custom keychain on my Jenkins build server. I don’t have to install any certificates or keys in my System keychain.