Signing Manager + Gitlab Runner

My company is using software based on Signing Manager called Identity Manager. We use gitlab CI for some of our build jobs. We synced certs using Identity Manager during an interactive session using our ci account. Then we set up the gitlab runner using the same account, but we ran into problems with the default setup, because we want to run over ssh, so we did some manual manipulation to have the runner run by a daemon (under the root account) as our ci account. That is, the daemon is configured to run gitlab-runner as our ci account.

We can see the runner from gitlab and when we check the process on our server, we can see the runner running as our ci user (started by a LaunchDaemon). As long as we are also logged into an interactive session (using VNC) as our ci user, everything seems to be working. However, if we close the interactive session (or even just lock it), we can no longer see the certificates provided by Identity Manager (the Signing Manager derivative).

Is it possible to allow our ci user to run codesign using the certificates provided by Signing Manager without having an active interactive session?
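For readers trying to reproduce the setup described above (a LaunchDaemon that runs gitlab-runner as a dedicated CI account rather than as root), here is an added illustration of what such a daemon definition looks like. It is not from the original post or from GitLab or the Signing Manager vendor; the account name `ciuser`, the install path `/usr/local/bin/gitlab-runner` and the directories under `/Users/ciuser` are assumptions chosen for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <!-- Placed in /Library/LaunchDaemons so launchd (root) starts it at boot;
       UserName drops the job to the CI account, as the post describes. -->
  <key>Label</key>
  <string>com.example.gitlab-runner</string>

  <key>ProgramArguments</key>
  <array>
    <string>/usr/local/bin/gitlab-runner</string>   <!-- assumed install path -->
    <string>run</string>
    <string>--working-directory</string>
    <string>/Users/ciuser/builds</string>           <!-- assumed -->
    <string>--config</string>
    <string>/Users/ciuser/.gitlab-runner/config.toml</string>  <!-- assumed -->
  </array>

  <!-- Run as the CI account, not root: build jobs get only that user's rights. -->
  <key>UserName</key>
  <string>ciuser</string>
  <key>GroupName</key>
  <string>staff</string>

  <!-- Ask launchd to create a security session for the job. Without one,
       the process has no session of its own for keychain or credential
       lookups; whether this is sufficient for Signing Manager's certificate
       provider is not established by the post and would need to be verified. -->
  <key>SessionCreate</key>
  <true/>

  <key>RunAtLoad</key>
  <true/>
  <key>KeepAlive</key>
  <true/>

  <key>StandardOutPath</key>
  <string>/Users/ciuser/Library/Logs/gitlab-runner.log</string>
  <key>StandardErrorPath</key>
  <string>/Users/ciuser/Library/Logs/gitlab-runner.err</string>
</dict>
</plist>
```

The daemon is loaded with `sudo launchctl load /Library/LaunchDaemons/com.example.gitlab-runner.plist`. A useful first diagnostic is to run `security find-identity -v -p codesigning` from inside a CI job (rather than from the VNC session) and compare its output with the interactive session: if the identities are missing only in the job, the problem is the daemon's session context rather than the certificates themselves.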

For reference:

Hi Tony,

I sent you an email to set up a meeting.

tim