The command you need to use is as follows:
security set-key-partition-list -S apple-tool:,apple: -s -k keychainPass keychainName
Keep in mind that this command-line tool modifies its list the same way list-keychains does: if you execute set-key-partition-list with a single value, it will overwrite all partitionIDs in the certificates. It won’t validate the values passed.
This command sets the PartitionIDs (the comma-separated items after -S) for keys that can sign (-s) in a specific keychain.
The actual partitionID that allows the codesigning is apple:. I am not aware what apple-tool: is doing as it is not documented, but it was there after importing the key with security import so I’m keeping it in order to avoid breaking people who copy-paste the command.
This change was introduced with Mac OS Sierra and is not documented (or at least I could not find documentation). As of Oct 16 the man page for security still doesn’t list this command.
For more information you can refer to this bug report – http://www.openradar.me/28524119
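Because the command replaces the whole list and does not validate it, a build script can compose the -S value in one place before calling it. The wrapper below is an added example, not part of the original answer; the function names and the KEYCHAIN_PASSWORD environment variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compose the full partition list before calling
# `security set-key-partition-list`, which overwrites whatever was set
# before and accepts any value. Function names are hypothetical.

# Print a comma-separated list built from the arguments:
#  - empty entries are dropped, duplicates are removed (order kept)
#  - entries containing whitespace or a comma are rejected
#  - "apple:" is appended if missing, since that is the ID the text
#    above identifies as the one that allows codesigning
build_partition_list() {
    out=""
    for id in "$@"; do
        [ -n "$id" ] || continue
        case "$id" in
            *[[:space:],]*)
                echo "invalid partition ID: '$id'" >&2
                return 1 ;;
        esac
        case ",$out," in
            *",$id,"*) ;;                     # already in the list
            *) out="${out:+$out,}$id" ;;
        esac
    done
    case ",$out," in
        *",apple:,"*) ;;
        *) out="${out:+$out,}apple:" ;;
    esac
    printf '%s\n' "$out"
}

# Usage: set_signing_partitions <keychain> <partitionID>...
# Reads the keychain password from KEYCHAIN_PASSWORD (assumed variable)
# and runs the same command shown at the top of this answer.
set_signing_partitions() {
    keychain=$1
    shift
    list=$(build_partition_list "$@") || return 1
    security set-key-partition-list -S "$list" -s \
        -k "$KEYCHAIN_PASSWORD" "$keychain"
}
```

For example, `set_signing_partitions build.keychain apple-tool:` runs the command with `-S apple-tool:,apple:`, where build.keychain is a placeholder keychain name.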