Certificate in a separate keychain file


Vachik

Dec 16, 2025, 12:20:55 PM
to PyInstaller
Hi
I am on macOS and my signing certificate is in a separate keychain file.
I thought if the external keychain shows up in the Keychain Access app then the certificate is accessible to pyinstaller for use.
I build one file self extract option and the only way to sign the files in the archive/executable is to specify the certificate in pyinstaller command line arguments.
However this approach does not work because pyinstaller is not able to access the certificate in the external keychain.

Any advice? There is no option/argument for a keychain file even though codesign has it!

bwoodsend

Dec 16, 2025, 8:16:53 PM
to PyInstaller
Do you know what flags codesign needs to sign with an external keychain?

Vachik

Dec 17, 2025, 6:22:00 PM
to PyInstaller
Yes, here is the command line we use to sign with an external keychain.
The argument is --keychain:
/usr/bin/codesign --timestamp --entitlements ./scripts/entitlements.plist --force --keychain /path/to/Keychain --sign 'Developer ID Application:' build/ar/libEpCommonPyWrapper.dylib

Are you going to add the option to specify keychain in pyinstaller?
Thank you, I would greatly appreciate it!

It would be good if you follow the Xcode signing flags approach. They do have the mandatory arguments like certificate name, and additional specifiers which are grouped under a single argument.

/Applications/Xcode.app/Contents/Developer/usr/bin/xcodebuild -project ./path/to/projectxcodeproj -scheme SCHEME_NAME -destination "generic/platform=macOS,name=Any Mac" -configuration Release "CODE_SIGN_IDENTITY=Developer ID Application: " "OTHER_CODE_SIGN_FLAGS=--keychain \"/PATH/TO/Keychain\" --timestamp" CONFIGURATION_BUILD_DIR=./macosx/release.dynamic.64

As you can see there are 2 options in OTHER_CODE_SIGN_FLAGS: --keychain and --timestamp.
We also sometimes use --force and other flags, and this approach gives the flexibility of specifying different flags for different builds.
It can cover Windows signing options and means less coding for devs.
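
Added example, not part of the thread and not PyInstaller's code: a Python sketch of the interface suggested above, with a mandatory identity plus one free-form flag string in the style of OTHER_CODE_SIGN_FLAGS, turned into an argv list for codesign. The function names are hypothetical and the sample paths and identity are constructed placeholders.

```python
import shlex
import subprocess

CODESIGN = "/usr/bin/codesign"
# The identity is passed as its own argument, so these are rejected in the flag string.
RESERVED = {"-s", "--sign"}


def build_codesign_argv(target, identity, other_flags=""):
    """Build an argv list for codesign (hypothetical helper, not PyInstaller API).

    other_flags mirrors Xcode's OTHER_CODE_SIGN_FLAGS: one string holding
    optional flags such as --keychain, --timestamp or --force.
    """
    if not identity or identity.startswith("-"):
        raise ValueError("identity must be a certificate name or hash")
    if str(target).startswith("-"):
        raise ValueError("target path must not look like an option")
    # shlex honours quotes, so a keychain path may contain spaces;
    # an unbalanced quote raises ValueError instead of being guessed at.
    extra = shlex.split(other_flags)
    for i, tok in enumerate(extra):
        if tok.split("=", 1)[0] in RESERVED:
            raise ValueError(f"{tok!r} conflicts with the identity argument")
        if tok == "--keychain":
            if i + 1 >= len(extra) or extra[i + 1].startswith("-"):
                raise ValueError("--keychain needs a keychain file path")
    return [CODESIGN, *extra, "--sign", identity, str(target)]


def sign(target, identity, other_flags=""):
    """Run codesign without a shell, so no value is re-parsed or expanded."""
    subprocess.run(build_codesign_argv(target, identity, other_flags), check=True)


if __name__ == "__main__":
    # Constructed sample values; the keychain path and identity are placeholders.
    print(build_codesign_argv(
        "build/ar/libEpCommonPyWrapper.dylib",
        "Developer ID Application:",
        '--timestamp --force --keychain "/path/to/My Keychain"',
    ))
```
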
