Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Introduce TART_EXECUTOR_KEYCHAIN_UNLOCK environment flag #107

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Introduce TART_EXECUTOR_KEYCHAIN_UNLOCK environment flag #107

wants to merge 2 commits into from

Conversation

marcusfreisleben
Copy link

This PR introduces a way to ensure the macOS keychain is unlocked in preparation of the run stage.

We've found that running macOS VMs over tart leads to somewhat misleading error messages from the git credential manager when it attempts to cache the git credentials via the (default) osxkeychain credential helper:

Preparing the "custom" executor
Using Custom executor...
2025/03/04 10:20:49 Pulling the latest version of macos-sonoma...
2025/03/04 10:20:49 Cloning and configuring a new VM...
2025/03/04 10:20:49 Waiting for the VM to boot and be SSH-able...
2025/03/04 10:21:00 Was able to SSH!
2025/03/04 10:21:00 VM is ready.
Preparing environment
Running on admins-Virtual-Machine.local...
Getting source from Git repository
Fetching changes with git depth set to 20...
Initialized empty Git repository in (...)
Created fresh repository.
fatal: Interaction with the Security Server is not allowed. [0xffff9d24]
Checking out 8ea123fd as detached HEAD (ref is foo)...
Skipping Git submodules setup
(...)

While the message is ultimately inconsequential, this functionality might also prove useful for other cases where access to the keychain is needed. Let me know what you think.

@edigaryev
Copy link
Contributor

Hi Marcus 👋

Thanks for your contribution!

I wonder if you can perform sudo security unlock-keychain directly from your .gitlab-ci.yml?

It feels to me that setting the TART_EXECUTOR_KEYCHAIN_UNLOCK environment variable instead just adds an extra layer of indirection to the process.

Perhaps, we can simply document this in the README.md?

@marcusfreisleben
Copy link
Author

Hey, thats also a possibility - yes.

My goal was minimizing the differences to a shell-Runner job you might be migrating from (I'm not observing the keychain being locked on our shell-Runners, and seems to even happen when running with TART_EXECUTOR_HEADLESS=false), and possibly not having to lug around a sudo password (if the base image does not have passwordless sudo enabled).

@edigaryev
Copy link
Contributor

possibly not having to lug around a sudo password (if the base image does not have passwordless sudo enabled)

Is there a need to use sudo at all?

I think you can just do security unlock-keychain -p <PASSWORD>.

@marcusfreisleben
Copy link
Author

marcusfreisleben commented Mar 4, 2025
edited
Loading

Removed sudo.

I think you can just do security unlock-keychain -p <PASSWORD>.

That still means the build job needs knowledge of credentials it otherwise might now require, though.

@edigaryev
Copy link
Contributor

That still means the build job needs knowledge of credentials it otherwise might now require, though.

But doesn't the build job already have knowledge of the credentials due to TART_EXECUTOR_SSH_USERNAME TART_EXECUTOR_SSH_PASSWORD?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@marcusfreisleben @edigaryev