Skip to content
Latchkey

macOS runner: codesign "errSecInternalComponent" in CI

codesign asked the Security framework to use a signing key and got back errSecInternalComponent. In CI this almost always means the keychain holding the key is locked, not in the search list, or the key is not accessible to the non-interactive session.

What this error means

A codesign step fails with "MyApp.app: errSecInternalComponent" right at the point it tries to use the signing identity.

codesign
MyApp.app: errSecInternalComponent

Common causes

The keychain is locked

A freshly created or imported keychain is locked, so codesign cannot read the private key and Security returns the internal component error.

The keychain is not in the search list

The custom CI keychain was never added to the user search list, so codesign does not see the identity it needs.

How to fix it

Unlock and register the keychain

  1. Create or import into a dedicated CI keychain.
  2. Unlock it and add it to the search list.
  3. Set a long lock timeout so it stays unlocked for the whole job.
Terminal
security create-keychain -p "$PW" build.keychain
security set-keychain-settings -lut 21600 build.keychain
security unlock-keychain -p "$PW" build.keychain
security list-keychains -d user -s build.keychain login.keychain

Allow codesign to use the key without a prompt

Set the partition list so the codesign tool can access the imported key non-interactively.

Terminal
security set-key-partition-list -S apple-tool:,apple: -s -k "$PW" build.keychain

How to prevent it

  • Unlock the CI keychain and set a long lock timeout before signing.
  • Add the keychain to the search list with security list-keychains.
  • Set the key partition list so codesign runs without prompts.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →