Set default keychain instead of using list-keychains

scripts/create_self_signed_certificates_macos.sh

@@ -20,18 +20,12 @@ APPLICATION_SIGNING_ID=${APPLICATION_SIGNING_ID:-${APPLICATION_ROOT}}
 INSTALLER_ROOT="installer"
 INSTALLER_SIGNING_ID=${INSTALLER_SIGNING_ID:-${INSTALLER_ROOT}}
 
-# Installer certificates must be trusted to be found in the keychain.
-# Users will be asked for authentication.
-# On GitHub runners, the system keychain does not require authentication,
-# which is why it is unsed on the CI.
-if [[ -n "${ON_CI}" ]]; then
-    KEYCHAIN_PATH="/Library/Keychains/System.keychain"
-else
-    KEYCHAIN_PATH="${ROOT_DIR}/constructor.keychain-db"
-fi
+KEYCHAIN_PATH="${KEYCHAIN_PATH:-"${ROOT_DIR}/constructor.keychain"}"
 
-security create-keychain -p "${KEYCHAIN_PASSWORD}" "${KEYCHAIN_PATH}"
-security set-keychain-settings -lut 3600 "${KEYCHAIN_PATH}"
+if [[ ! -f "${KEYCHAIN_PATH}" ]]; then
+    security create-keychain -p "${KEYCHAIN_PASSWORD}" "${KEYCHAIN_PATH}"
+    security set-keychain-settings -lut 3600 "${KEYCHAIN_PATH}"
+fi
 security unlock-keychain -p "${KEYCHAIN_PASSWORD}" "${KEYCHAIN_PATH}"
 
 for context in ${APPLICATION_ROOT} ${INSTALLER_ROOT}; do
@@ -82,8 +76,3 @@ for context in ${APPLICATION_ROOT} ${INSTALLER_ROOT}; do
         security add-trusted-cert -d -p basic -k "${KEYCHAIN_PATH}" "${pemfile}"
     fi
 done
-
-# Add keychain at the beginning of the keychain list
-# Must be removed at a later clean-up step
-# shellcheck disable=SC2046
-security list-keychains -s "${KEYCHAIN_PATH}" $(security list-keychains | xargs)

tests/conftest.py

@@ -10,12 +10,12 @@
 
 @pytest.fixture
 def self_signed_certificate_macos(tmp_path):
-    p = subprocess.run(
-         ["security", "list-keychains"],
+    default_keychain = subprocess.run(
+         ["security", "default-keychain"],
          capture_output=True,
          text=True,
+         check=True,
     )
-    current_keychains = [keychain.strip(' "') for keychain in p.stdout.split("\n") if keychain]
     cert_root = tmp_path / "certs"
     cert_root.mkdir(parents=True, exist_ok=True)
     signing_identity = "testinstaller"
@@ -31,8 +31,15 @@ def self_signed_certificate_macos(tmp_path):
         "KEYCHAIN_PASSWORD": keychain_password,
         "ROOT_DIR": str(cert_root),
     }
+    # Installer certificates must be trusted to be found in the keychain.
+    # Users will be asked for authentication.
+    # On GitHub runners, the system keychain does not require authentication,
+    # which is why it is unsed on the CI.
     if ON_CI:
-        env["ON_CI"] = "1"
+        keychain_path = "/Library/Keychains/System.keychain"
+    else:
+        keychain_path = str(cert_root / "constructor.keychain")
+    env["KEYCHAIN_PATH"] = keychain_path
     p = subprocess.run(
         ["bash", REPO_DIR / "scripts" / "create_self_signed_certificates_macos.sh"],
         env=env,
@@ -58,11 +65,12 @@ def self_signed_certificate_macos(tmp_path):
             cert_data["signing_identity"]["sha256"] = sha256.strip()
         elif notarization_identity in identifier:
             cert_data["notarization_identity"]["sha256"] = sha256.strip()
+    subprocess.run
     yield cert_data
     # Clean up
-    p = subprocess.run(
-        ["security", "list-keychains", "-d", "user"],
-        capture_output=True,
-        text=True,
+    subprocess.run(
+         ["security", "default-keychain", "-s", default_keychain],
+         capture_output=True,
+         text=True,
+         check=True,
     )
-    subprocess.run(["security", "list-keychains", "-s", *current_keychains])