Keychain private keys gotcha when running a build on a VSTS build agent on Mac OS X

I recently had a challenge: to create a Visual Studio Team Services (VSTS) build agent running on Mac OS X. It was required to allow us to build our mobile projects. We had previously used the hosted Mac OS agents, but always seemed to run out of minutes every month.

  1. Install or buy a Mac OS X machine.
  2. Make sure the machine has a reachable public IP address (or see here).
  3. Ensure you have a registered account on VSTS. Click on the Getting Started button on the link at the top of this page.
  4. Follow these instructions. Of course you need to ensure you have a token (PAT) available to complete this process.
  5. Create your mobile application build in VSTS.
  6. Ensure you have provisioning profiles/certificates set up for your application.
  7. Run the build.

At this point you may receive an error like this that fails your build:

Codesign returns unknown error after "replacing existing signature" or something similar.

The reason for this, as explained here, is that the build agent doesn't have access to the private keys contained in the local Keychain. It is trying to prompt for access, but can't (it is a service running after all).

To resolve this problem either:

  • Go to the Keychain on the Mac OS system, find the keys associated with the App and explicitly Allow All access, or
  • Open a Terminal on the same machine and manually run the build. This will lead to a prompt on the machine asking for access to the key.
    Select Always Allow.

Then you are good to go. Re-run your build and it should succeed.
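
A scripted counterpart to the two manual fixes above, as an added example that is not part of the original post: it unlocks the keychain, sets the key partition list so Apple-signed tools such as codesign can use the signing keys without a prompt, and checks that a signing identity is visible. It assumes macOS 10.12 or later (for `security set-key-partition-list`) and must run as the user the agent service runs as; the `KEYCHAIN` path, the `KEYCHAIN_PASSWORD` variable, the function names and the sample output are assumptions or constructed.

```shell
#!/bin/sh
# Added example (not from the original post). KEYCHAIN, KEYCHAIN_PASSWORD and
# the function names are assumptions; run as the user the build agent runs as.
KEYCHAIN="${KEYCHAIN:-$HOME/Library/Keychains/login.keychain-db}"

# Execute a command, or with DRY_RUN=1 (the default) print it with the value
# after -p / -k masked so the plan can be reviewed without leaking the password.
run() {
  if [ "${DRY_RUN:-1}" != "1" ]; then "$@"; return; fi
  _line=""; _mask=0
  for _arg in "$@"; do
    if [ "$_mask" = "1" ]; then _arg='***'; fi
    _line="$_line${_line:+ }$_arg"
    case "$_arg" in -p|-k) _mask=1 ;; *) _mask=0 ;; esac
  done
  printf '%s\n' "$_line"
}

# Unlock the keychain, then allow Apple-signed tools (codesign among them) to
# use its signing keys without the GUI prompt that a service cannot answer.
grant_codesign_access() {
  run security unlock-keychain -p "${KEYCHAIN_PASSWORD:-}" "$KEYCHAIN" &&
  run security set-key-partition-list -S apple-tool:,apple: -s \
      -k "${KEYCHAIN_PASSWORD:-}" "$KEYCHAIN"
}

# Read `security find-identity -v -p codesigning` output on stdin, print the
# number of valid identities, and return non-zero when there are none.
count_valid_identities() {
  _n=$(sed -n 's/^ *\([0-9][0-9]*\) valid identities found.*/\1/p' | head -n 1)
  printf '%s\n' "${_n:-0}"
  [ "${_n:-0}" -gt 0 ]
}

# Constructed sample of find-identity output (placeholder hash and name).
SAMPLE_IDENTITIES='  1) 0000000000000000000000000000000000000000 "iPhone Developer: Example (PLACEHOLDER)"
     1 valid identities found'

# "apply" performs the real changes and then verifies an identity is usable.
if [ "${1:-}" = "apply" ]; then
  DRY_RUN=0
  grant_codesign_access &&
  security find-identity -v -p codesigning "$KEYCHAIN" | count_valid_identities
fi
```

Without arguments the script only defines the functions; call `grant_codesign_access` with the default `DRY_RUN=1` to review the commands first. Supply `KEYCHAIN_PASSWORD` from a secret store rather than hard-coding it, since `security` receives it as a command-line argument.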