macOS runner: codesign "errSecInternalComponent" in CI
codesign asked the Security framework to use a signing key and got back errSecInternalComponent. In CI this almost always means the keychain holding the key is locked, not in the search list, or the key is not accessible to the non-interactive session.
What this error means
A codesign step fails with "MyApp.app: errSecInternalComponent" right at the point it tries to use the signing identity.
MyApp.app: errSecInternalComponentCommon causes
The keychain is locked
A freshly created or imported keychain is locked, so codesign cannot read the private key and Security returns the internal component error.
The keychain is not in the search list
The custom CI keychain was never added to the user search list, so codesign does not see the identity it needs.
How to fix it
Unlock and register the keychain
- Create or import into a dedicated CI keychain.
- Unlock it and add it to the search list.
- Set a long lock timeout so it stays unlocked for the whole job.
security create-keychain -p "$PW" build.keychain
security set-keychain-settings -lut 21600 build.keychain
security unlock-keychain -p "$PW" build.keychain
security list-keychains -d user -s build.keychain login.keychainAllow codesign to use the key without a prompt
Set the partition list so the codesign tool can access the imported key non-interactively.
security set-key-partition-list -S apple-tool:,apple: -s -k "$PW" build.keychainHow to prevent it
- Unlock the CI keychain and set a long lock timeout before signing.
- Add the keychain to the search list with
security list-keychains. - Set the key partition list so codesign runs without prompts.