Using launchctl and plist to Run Scheduled macOS Tasks with Developer Certificates

When trying to trigger iOS app builds on macOS using crontab , Xcode reports a code‑signing error because the scheduled job runs without access to the user’s keychain where the developer certificate is stored.

The solution starts with understanding the macOS Keychain Access system, which holds passwords, private keys, and certificates. You can list the available code‑signing identities with the command:

security find-identity -v -p codesigning

Running this command directly in a terminal shows the identities, but executing it from a crontab job returns no identities because the job lacks the user’s security context.

Apple recommends using launchctl and a launchd daemon (defined by an XML plist file) instead of crontab . The daemon runs under launchd, which can inherit the proper user namespace when configured correctly.

A typical plist includes keys such as Label , UserName , GroupName , KeepAlive , RunAtLoad , Program , and ProgramArguments . The file must be placed in one of the launchd directories, e.g., /Library/LaunchDaemons for system‑wide daemons.

Example launchctl commands to manage the daemon are:

launchctl list

launchctl load /Library/LaunchDaemons/com.example.app.plist

launchctl unload /Library/LaunchDaemons/com.example.app.plist

launchctl start com.example.app

launchctl stop com.example.app

To make the developer certificate available, add the following key to the plist:

<key>SessionCreate</key>

This tells launchd to create a new user session namespace, which includes the security context (keychain) of the logged‑in user. Without it, launchd uses the global bootstrap namespace that lacks the certificate, leading to the same code‑signing error.

Images in the original article illustrate the command outputs and the namespace explanation.