passenger 5.1.1 → 5.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: e732defdfa61deaff680b48bf2fd783134050c1b
-  data.tar.gz: f8d8c05559321f7f6d6059789be3d6623993b58d
+  metadata.gz: 5d85fbc3f95f6d5fa631a5a5a2a0750087bda1f9
+  data.tar.gz: f257bced65450de07314089bb532424d29b29bf0
 SHA512:
-  metadata.gz: aa29f680f64378dacedb351de1f1674b731a01233da13347c932bf83d38157782d2451dc4b64f966c402d7f265c01bf53cef7863ab58a57618e89f95ad1c33bb
-  data.tar.gz: dba2a004f2557967fcf5c49680af2487a654e4d0c843f2e5fe12c49e93d2839ae4fa6ae68463f61051886f586a79ccde5bd1ece95941cbf3787e7a78862b8fdc
+  metadata.gz: e52abbcbbd0d9412d11e75f683173169b991a8215106a8ec9f4802d807029dd9bebe8894587f855204fb57f8cb46ff25bcd8319443b93f1b4f6b80a3ad567491
+  data.tar.gz: 75a975eac87498c43ebfa2e57a22f3374386d74a20a5ab956b3d94a3da528f079bb3ed02abd6019b4b001f46cb2641416cb729d43b3c782391deba7a0fcaddb0

data/CHANGELOG

@@ -1,3 +1,14 @@
+Release 5.1.2
+-------------
+
+ * Improve curl check for passenger-install- scripts to catch (very old) curl versions that won't compile against 5.1+.
+ * Fixes remaining false positives (logging) from the new Meteor cluster warning system. Closes GH-1905.
+ * Create a private keychain on macOS when the system keychain is defaulted to, this avoids a permissions issue with the system keychain when performing the Security Update Check. This is necessary because the system keychain is the default keychain of daemon users and root on macOS.
+ * Improve `passenger-memory-stats` to include JRuby processes that fail to rename as expected. Closes GH-1878.
+ * [Standalone] Don't download or compile Nginx when using the builtin engine. Closes GH-1910.
+ * [Standalone] Fixes `--nginx-tarball` option of `passenger start` and `passenger-config install-standalone-runtime` (wasn't working). Also verifies that `--nginx-version` is explicitly specified as it should be.
+
+
 Release 5.1.1
 -------------
 
@@ -39,6 +50,7 @@ Release 5.1.0
  * [Nginx] The preferred Nginx version is now 1.10.2 (previously 1.10.1).
  * RPM pkg builder fix for breaking SELinux change in RHEL 7.3.
  * RPM pkg builder fix for RHEL6/CentOS6 incompatibility and replacement in Passenger.
+ * Adds Ubuntu 16.10 "Yakkety" packages.
 
 
 Release 5.0.30
@@ -61,6 +73,7 @@ Release 5.0.29
  * [Nginx] The preferred Nginx version is now 1.10.1 (previously 1.10.0).
  * [Nginx] The preferred PCRE version is now 8.39 (previously 8.34).
  * [Standalone] Passenger Standalone now supports /dev/stdout and /dev/stderr as log file path (via `--log-file` or Passengerfile.json). This is especially useful in Docker containers. In previous versions logging to those paths did not work, resulting in nothing getting logged at all.
+ * Adds Ubuntu 16.04 "Xenial" packages, deprecates Ubuntu 15.10 “Wily” packages (in accordance with LTS support policy).
 
 
 Release 5.0.28

data/CONTRIBUTING.md

@@ -17,7 +17,7 @@
    * [Ruby coding style](#ruby_coding_style)
    * [Systems programming fundamentals](#systems_programming_fundamentals)
    * [Further reading](#further_reading)
- * [Git structure](#git_structure)
+ * [Pull requests](#pull_requests)
 
 Thank you for your interest in Phusion Passenger. Phusion Passenger is open source so your contributions are very welcome. Although we also provide a [commercial version](https://www.phusionpassenger.com/enterprise) and [commercial support](https://www.phusionpassenger.com/commercial_support), the core remains open source and we remain committed to keep it that way. This guide gives you an overview of the ways with which you can contribute, as well as contribution guidelines.
 
@@ -350,11 +350,7 @@ A good and comprehensive, but rather large source for learning POSIX is the [POS
 
  * [Coding Tips and Pitfalls](https://github.com/phusion/passenger/blob/master/doc/CodingTipsAndPitfalls.md)
 
-<a name="git_structure"></a>
-### Git structure
+<a name="pull_requests"></a>
+### Pull requests
 
-The **master** branch is the main development branch, containing the latest and greatest code that was tested and accepted for inclusion into passenger (usually merged in from loose development branches that are deleted afterwards). This branch may not be stable enough yet for production.
-
-Branches like **stable-4.0**, **stable-5.0** are production quality branches (split off from master) for major versions. Each production branch has tags for minor versions, whereby **tag x.0.1** represents the first production-ready version on a branch (there may be some release candidates before that). For example: branch stable-5.0, tagged 5.0.1 is the first release of the 5.0 line that is ready for production.
-
-In general we apply fixes to the respective stable branch and merge these into the master, so it is easiest if you submit pull requests to the stable branches (unless of course you are working with the unstable master). Conversely, new features always go to the master and are then cherrypicked from one or more branches.
+Pull requests should normally be submitted against the latest **stable** branch (e.g. **stable-5.1**), because once tested & accepted, we want users to benefit from the work as soon as possible. The stable branch is constantly tested, contains both bugfix and feature commits, and we periodically tag it to produce a new release. 

data/CONTRIBUTORS

@@ -26,6 +26,7 @@ David Keller
 David Sissitka
 Dirk Mueller
 Dmitry Galinsky
+dr.dimitru
 Dylan Vaughn
 Eric Covener
 Erik Ogan

data/INSTALL.md

@@ -4,4 +4,4 @@ Please read README.md for installation instructions.
 
 If you're having trouble installing Phusion Passenger, please refer to [the documentation](https://www.phusionpassenger.com/).
 
-Documentation and support resources are also available on [the website](https://www.phusionpassenger.com/documentation_and_support).
+Documentation and support resources are also available on [the website](https://www.phusionpassenger.com/support).

data/README.md

@@ -6,13 +6,13 @@ What makes it so fast and reliable is its **C++** core, its **zero-copy** archit
 
 <a href="http://vimeo.com/phusionnl/review/80475623/c16e940d1f"><img src="http://blog.phusion.nl/wp-content/uploads/2014/01/gameofthrones.jpg" height="300"></a><br><em>Phusion Passenger used in Game of Thrones Ascent</em>
 
-**Learn more:** [Website](https://www.phusionpassenger.com/) | [Documentation](https://www.phusionpassenger.com/documentation_and_support) | [Support resources](https://www.phusionpassenger.com/documentation_and_support) | [Github](https://github.com/phusion/passenger) | [Twitter](https://twitter.com/phusion_nl) | [Blog](http://blog.phusion.nl/)
+**Learn more:** [Website](https://www.phusionpassenger.com/) | [Documentation & Support](https://www.phusionpassenger.com/support) | [Github](https://github.com/phusion/passenger) | [Twitter](https://twitter.com/phusion_nl) | [Blog](http://blog.phusion.nl/)
 
 <a href="https://www.phusionpassenger.com"><center><img src="http://blog.phusion.nl/wp-content/uploads/2012/07/Passenger_chair_256x256.jpg" width="160" height="160" alt="Phusion Passenger"></center></a>
 
 ## Installation
 
-Please follow [the installation instructions on the website](https://www.phusionpassenger.com/download).
+Please follow [the installation instructions on the website](https://www.phusionpassenger.com/get_it_now).
 
 ### Installing the source directly from git
 

data/build/misc.rb

@@ -137,6 +137,7 @@ task :contributors do
   entries.push "Sean Wilkinson"
   entries.push "Yichun Zhang"
   entries.delete "OnixGH"
+  entries.delete "onix"
   entries.push "Ruslan Ermilov (NGINX Inc)"
   File.open("CONTRIBUTORS", "w") do |f|
     f.puts(entries.sort{ |a, b| a.downcase <=> b.downcase }.join("\n"))

data/build/packaging.rb

@@ -404,7 +404,7 @@ task 'package:initiate_binaries_building' do
   request = Net::HTTP::Post.new(uri.request_uri)
   request.set_form_data("token" => jenkins_token)
   response = http.request(request)
-  if response.code != 201
+  if response.code != '201'
     abort "*** ERROR: Cannot initiate building of binaries:\n" +
       "Status: #{response.code}\n\n" +
       response.body
@@ -451,7 +451,7 @@ task 'package:initiate_debian_building' do
   request = Net::HTTP::Post.new(uri.request_uri)
   request.set_form_data("token" => jenkins_token)
   response = http.request(request)
-  if response.code != 201
+  if response.code != '201'
     abort "*** ERROR: Cannot initiate building of Debian packages:\n" +
       "Status: #{response.code}\n\n" +
       response.body
@@ -498,7 +498,7 @@ task 'package:initiate_rpm_building' do
   request = Net::HTTP::Post.new(uri.request_uri)
   request.set_form_data("token" => jenkins_token)
   response = http.request(request)
-  if response.code != 201
+  if response.code != '201'
     abort "*** ERROR: Cannot initiate building of RPM packages:\n" +
       "Status: #{response.code}\n\n" +
       response.body

data/dev/ci/run_travis.sh

@@ -89,6 +89,13 @@ function apt_get_update() {
 	fi
 }
 
+function brew_update() {
+	if [[ "$brew_updated" = "" ]]; then
+		brew_updated=1
+		run brew update
+	fi
+}
+
 function rake_test_install_deps()
 {
 	# We do not use Bundler here because the goal might be to
@@ -108,6 +115,9 @@ function rake_test_install_deps()
 	bundle_path=`dirname "$bundle_path"`
 	echo "Adding bundle path $bundle_path to GEM_PATH"
 	export GEM_PATH="$bundle_path:$GEM_PATH"
+	if [[ "$TRAVIS_OS_NAME" == 'osx' ]]; then
+		run brew install ccache
+	fi
 }
 
 function install_test_deps_with_doctools()
@@ -122,6 +132,9 @@ function install_base_test_deps()
 {
 	if [[ "$install_base_test_deps" = "" ]]; then
 		install_base_test_deps=1
+		if [[ "$TRAVIS_OS_NAME" == 'osx' ]]; then
+			run brew install ccache
+		fi
 		retry_run 3 rake_test_install_deps BASE_DEPS=yes
 	fi
 }
@@ -131,24 +144,47 @@ function install_node_and_modules()
 	if [[ "$install_node_and_modules" = "" ]]; then
 		install_node_and_modules=1
 		if [[ -e /host_cache ]]; then
-			if [[ ! -e /host_cache/node-v0.10.20-linux-x64.tar.gz ]]; then
-				run curl --fail -L -o /host_cache/node-v0.10.20-linux-x64.tar.gz \
-					https://nodejs.org/dist/v0.10.20/node-v0.10.20-linux-x64.tar.gz
+			if [[ "$TRAVIS_OS_NAME" == 'osx' ]]; then
+				if [[ ! -e /host_cache/node-v4.7.2-darwin-x64.tar.gz ]]; then
+					run curl --fail -L -o /host_cache/node-v4.7.2-darwin-x64.tar.gz \
+					https://nodejs.org/dist/v4.7.2/node-v4.7.2-darwin-x64.tar.gz
+				fi
+				run tar xzf /host_cache/node-v4.7.2-darwin-x64.tar.gz
+			else
+				if [[ ! -e /host_cache/node-v4.7.2-linux-x64.tar.gz ]]; then
+					run curl --fail -L -o /host_cache/node-v4.7.2-linux-x64.tar.gz \
+					https://nodejs.org/dist/v4.7.2/node-v4.7.2-linux-x64.tar.gz
+				fi
+				run tar xzf /host_cache/node-v4.7.2-linux-x64.tar.gz
 			fi
-			run tar xzf /host_cache/node-v0.10.20-linux-x64.tar.gz
 		else
-			run curl --fail -L -O https://nodejs.org/dist/v0.10.20/node-v0.10.20-linux-x64.tar.gz
-			run tar xzf node-v0.10.20-linux-x64.tar.gz
+			if [[ "$TRAVIS_OS_NAME" == 'osx' ]]; then
+				run curl --fail -L -O https://nodejs.org/dist/v4.7.2/node-v4.7.2-darwin-x64.tar.gz
+				run tar xzf node-v4.7.2-darwin-x64.tar.gz
+			else
+				run curl --fail -L -O https://nodejs.org/dist/v4.7.2/node-v4.7.2-linux-x64.tar.gz
+				run tar xzf node-v4.7.2-linux-x64.tar.gz
+			fi
+		fi
+		if [[ "$TRAVIS_OS_NAME" == 'osx' ]]; then
+			export PATH=`pwd`/node-v4.7.2-darwin-x64/bin:$PATH
+		else
+			export PATH=`pwd`/node-v4.7.2-linux-x64/bin:$PATH
 		fi
-		export PATH=`pwd`/node-v0.10.20-linux-x64/bin:$PATH
 		retry_run 3 rake_test_install_deps NODE_MODULES=yes
 	fi
 }
 
 run uname -a
-run lsb_release -a
-run sudo tee /etc/dpkg/dpkg.cfg.d/02apt-speedup >/dev/null <<<"force-unsafe-io"
-run cp test/config.json.travis test/config.json
+if [[ "$TRAVIS_OS_NAME" == 'osx' ]]; then
+	run sysctl -a
+	echo '$ sed -e "s/_USER_/'$USER'/" test/config.json.travis-osx > test/config.json'
+	sed -e "s/_USER_/$USER/" test/config.json.travis-osx > test/config.json
+else
+	run lsb_release -a
+	run sudo tee /etc/dpkg/dpkg.cfg.d/02apt-speedup >/dev/null <<<"force-unsafe-io"
+	run cp test/config.json.travis test/config.json
+fi
 
 # Relax permissions on home directory so that the application root
 # permission checks pass.
@@ -178,7 +214,6 @@ fi
 
 ORIG_GEM_PATH="$GEM_PATH"
 
-
 if [[ "$INSTALL_ALL_DEPS" = 1 ]]; then
 	run rake_test_install_deps DEVDEPS_DEFAULT=yes
 	INSTALL_DEPS=0
@@ -200,13 +235,14 @@ if [[ "$TEST_USH" = 1 ]]; then
 	export PASSENGER_CONFIG="$PWD/bin/passenger-config"
 	run "$PASSENGER_CONFIG" install-standalone-runtime --auto
 
-	pushd src/ruby_supportlib/phusion_passenger/vendor/union_station_hooks_core
+	# RVM is bad and should feel bad
+	builtin pushd src/ruby_supportlib/phusion_passenger/vendor/union_station_hooks_core
 	bundle exec rake spec:travis TRAVIS_WITH_SUDO=1
-	popd
+	builtin popd
 
-	pushd src/ruby_supportlib/phusion_passenger/vendor/union_station_hooks_rails
+	builtin pushd src/ruby_supportlib/phusion_passenger/vendor/union_station_hooks_rails
 	bundle exec rake spec:travis GEM_BUNDLE_PATH="$DEPS_TARGET"
-	popd
+	builtin popd
 fi
 
 if [[ "$TEST_NODE" = 1 ]]; then
@@ -229,13 +265,30 @@ if [[ "$TEST_NGINX" = 1 ]]; then
 fi
 
 if [[ "$TEST_APACHE2" = 1 ]]; then
-	apt_get_update
-	run sudo apt-get install -y --no-install-recommends \
+	if [[ "$TRAVIS_OS_NAME" == 'osx' ]]; then
+		brew_update
+		run brew install pcre openssl
+		if [[ "`sw_vers -productVersion | sed 's/^10\.\(.*\)/\1>=12.0/' | bc -l`" == "1" ]] ; then
+			run brew install apr apr-util
+			run brew link apr apr-util --force
+			export APR_CONFIG=`brew --prefix`/opt/apr/bin/apr-1-config
+			export APU_CONFIG=`brew --prefix`/opt/apr-util/bin/apu-1-config
+		fi
+	else
+		apt_get_update
+		run sudo apt-get install -y --no-install-recommends \
 		apache2-mpm-worker apache2-threaded-dev
+	fi
 	install_base_test_deps
 	install_node_and_modules
 	run ./bin/passenger-install-apache2-module --auto #--no-update-config
-	run rvmsudo ./bin/passenger-install-apache2-module --auto --no-compile
+	if [[ "$TRAVIS_OS_NAME" == 'osx' ]]; then
+		# rvmsudo only preserves env vars matching /^(rvm|gemset|http_|PATH|IRBRC)|RUBY|GEM/
+		# https://github.com/rvm/rvm/blob/aae6505001e2d6b5e4dc9a355c18ffcbd073bab2/bin/rvmsudo#L83
+		run sudo -E ./bin/passenger-install-apache2-module --auto --no-compile
+	else
+		run rvmsudo ./bin/passenger-install-apache2-module --auto --no-compile
+	fi
 	run bundle exec drake -j$COMPILE_CONCURRENCY test:integration:apache2
 fi
 
@@ -245,8 +298,16 @@ if [[ "$TEST_STANDALONE" = 1 ]]; then
 fi
 
 if [[ "$TEST_SOURCE_PACKAGING" = 1 ]]; then
-	apt_get_update
-	run sudo apt-get install -y --no-install-recommends source-highlight
+	if [[ "$TRAVIS_OS_NAME" == 'osx' ]]; then
+		brew_update
+		run brew install source-highlight
+	else
+		apt_get_update
+		run sudo apt-get install -y --no-install-recommends source-highlight
+	fi
 	install_test_deps_with_doctools
 	run bundle _1.11.2_ exec rspec -f s -c test/integration_tests/source_packaging_test.rb
 fi
+if [[ "$TRAVIS_OS_NAME" == 'osx' ]]; then
+	trap - EXIT
+fi

data/src/agent/Core/CoreMain.cpp

@@ -792,7 +792,7 @@ initializeSecurityUpdateChecker() {
 		}
 		string serverVersion = options.get("server_version", false); // not set in case of standalone / builtin
 
-		workingObjects->securityUpdateChecker = new SecurityUpdateChecker(workingObjects->resourceLocator, proxy, serverIntegration, serverVersion);
+		workingObjects->securityUpdateChecker = new SecurityUpdateChecker(workingObjects->resourceLocator, proxy, serverIntegration, serverVersion, options.get("instance_dir",false));
 		workingObjects->securityUpdateChecker->start(24 * 60 * 60);
 	}
 }

data/src/agent/Core/SecurityUpdateChecker.h

@@ -18,6 +18,11 @@
 #include <Utils/Curl.h>
 #include <modp_b64.h>
 
+#if BOOST_OS_MACOS
+#include <sys/syslimits.h>
+#include <unistd.h>
+#endif
+
 namespace Passenger {
 
 using namespace std;
@@ -54,6 +59,11 @@ private:
 	string serverVersion;
 	CurlProxyInfo proxyInfo;
 	Crypto *crypto;
+#if BOOST_OS_MACOS
+	SecKeychainRef defaultKeychain;
+	SecKeychainRef keychain;
+	bool usingPassengerKeychain;
+#endif
 
 	void threadMain() {
 		TRACE_POINT();
@@ -217,7 +227,8 @@ private:
 		}
 
 #if BOOST_OS_MACOS
-		if (!crypto->preAuthKey(clientCertPath.c_str(), CLIENT_CERT_PWD, CLIENT_CERT_LABEL)) {
+		// if not using a private keychain, preauth the security update check key in the user's keychain (this is for libcurl's benefit because they don't bother to authorize themselves to use the keys they import)
+		if (!usingPassengerKeychain && !crypto->preAuthKey(clientCertPath.c_str(), CLIENT_CERT_PWD, CLIENT_CERT_LABEL)) {
 			return CURLE_SSL_CERTPROBLEM;
 		}
 		if (CURLE_OK != (code = curl_easy_setopt(curl, CURLOPT_SSLCERTTYPE, "P12"))) {
@@ -281,12 +292,89 @@ public:
 	 * serverIntegration should be one of { nginx, apache, standalone nginx, standalone builtin }, whereby
 	 * serverVersion is the version of Nginx or Apache, if relevant (otherwise empty)
 	 */
-	SecurityUpdateChecker(const ResourceLocator &locator, const string &proxy, const string &serverIntegration, const string &serverVersion) {
+	SecurityUpdateChecker(const ResourceLocator &locator, const string &proxy, const string &serverIntegration, const string &serverVersion, const string &instancePath) {
 		crypto = new Crypto();
 		updateCheckThread = NULL;
 		checkIntervalSec = 0;
 #if BOOST_OS_MACOS
 		clientCertPath = locator.getResourcesDir() + "/update_check_client_cert.p12";
+		// Used to keep track of which approach we are using, false means we are preauthing the key in the running user's own keychain; true means we create a private keychain and set it as the default
+		usingPassengerKeychain = false;
+		defaultKeychain = NULL;
+		keychain = NULL;
+		OSStatus status = 0;
+		char pathName [PATH_MAX];
+		UInt32 length = PATH_MAX;
+		memset(pathName, 0, PATH_MAX);
+
+		status = SecKeychainCopyDefault(&defaultKeychain);
+		if (status) {
+			CFStringRef str = SecCopyErrorMessageString(status, NULL);
+			P_ERROR(string("Getting default keychain failed: ") +
+					CFStringGetCStringPtr(str, kCFStringEncodingUTF8) +
+					" Passenger will not attempt to create a private keychain.");
+			CFRelease(str);
+		} else {
+			status = SecKeychainGetPath(defaultKeychain, &length, pathName);
+			P_DEBUG(string("username is: ") + getProcessUsername());
+			if (status) {
+				CFStringRef str = SecCopyErrorMessageString(status, NULL);
+				P_ERROR(string("Checking default keychain path failed: ") +
+						CFStringGetCStringPtr(str, kCFStringEncodingUTF8) +
+						" Passenger may use system keychain.");
+				CFRelease(str);
+				pathName[0] = 0; // ensure the pathName compares cleanly
+			} else {
+				P_DEBUG(string("Old default keychain is: ") + pathName);
+			}
+		}
+		// we don't care so much about which user we are, what we care about is is they have their own keychain, if the default keychain is the system keychain, then we need to try and create our own to avoid permissions issues
+		if (strcmp(pathName, "/Library/Keychains/System.keychain") == 0) {
+			usingPassengerKeychain = true;
+			const uint size = 512;
+			uint8_t keychainPassword[size];
+			if (!crypto->generateRandomChars(keychainPassword, size)) {
+				P_CRITICAL("Creating password for Passenger default keychain failed.");
+				usingPassengerKeychain = false;
+			} else {
+				string keychainDir = instancePath;
+				if (instancePath.length() == 0) {
+					char currentPath[PATH_MAX];
+					if (!getcwd(currentPath, PATH_MAX)) {
+						P_ERROR(string("Failed to get cwd: ") + strerror(errno) + " Attempting to use relative path '.'");
+						keychainDir = ".";
+					} else {
+						keychainDir = string(currentPath);
+					}
+				}
+				// create keychain with long random password, then discard password after creation. We receive the keychain unlocked, and no-one else needs to access the keychain.
+				status = SecKeychainCreate((keychainDir + "/passenger.keychain").c_str(), size, keychainPassword, false, NULL, &keychain);
+				memset(keychainPassword, 0, size);
+				if (status) {
+					CFStringRef str = SecCopyErrorMessageString(status, NULL);
+					P_ERROR(string("Creating Passenger default keychain failed: ") +
+							CFStringGetCStringPtr(str, kCFStringEncodingUTF8) +
+							" Passenger may fail to access system keychain.");
+					CFRelease(str);
+					usingPassengerKeychain = false;
+				} else {
+					// set keychain as default so libcurl uses it.
+					status = SecKeychainSetDefault(keychain);
+					if (status) {
+						CFStringRef str = SecCopyErrorMessageString(status, NULL);
+						P_ERROR(string("Setting Passenger default keychain failed: ") +
+								CFStringGetCStringPtr(str, kCFStringEncodingUTF8) +
+								" Passenger may fail to access system keychain.");
+						CFRelease(str);
+						usingPassengerKeychain = false;
+					} else if (!crypto->preAuthKey(clientCertPath.c_str(), CLIENT_CERT_PWD, CLIENT_CERT_LABEL)) {
+						P_ERROR("Failed to preauthorize Passenger Client Cert, you may experience popups from the Keychain.");
+				 /* } else {
+						we have loaded the security update check key into the private keychain with the correct permissions, so libcurl should be able to use it. */
+					}
+				}
+			}
+		}
 #else
 		clientCertPath = locator.getResourcesDir() + "/update_check_client_cert.pem";
 #endif
@@ -312,6 +400,32 @@ public:
 		if (crypto) {
 			delete crypto;
 		}
+#if BOOST_OS_MACOS
+		// if using a private keychain, cleanup keychain on shutdown
+		if (usingPassengerKeychain) {
+			OSStatus status = 0;
+			if (defaultKeychain) {
+				status = SecKeychainSetDefault(defaultKeychain);
+				if (status) {
+					CFStringRef str = SecCopyErrorMessageString(status, NULL);
+					P_ERROR(string("Restoring default keychain failed: ") +
+							CFStringGetCStringPtr(str, kCFStringEncodingUTF8));
+					CFRelease(str);
+				}
+				CFRelease(defaultKeychain);
+			}
+			if (keychain) {
+				status = SecKeychainDelete(keychain);
+				if (status) {
+					CFStringRef str = SecCopyErrorMessageString(status, NULL);
+					P_ERROR(string("Deleting Passenger private keychain failed: ") +
+							CFStringGetCStringPtr(str, kCFStringEncodingUTF8));
+					CFRelease(str);
+				}
+				CFRelease(keychain);
+			}
+		}
+#endif
 	}
 
 	/**
@@ -544,7 +658,10 @@ public:
 		} while (0);
 
 #if BOOST_OS_MACOS
-		crypto->killKey(CLIENT_CERT_LABEL);
+		// if not using a private keychain remove the security update check key from the user's keychain so that if we are stopped/crash and are upgraded or reinstalled before restarting we don't have permission problems
+		if (!usingPassengerKeychain) {
+			crypto->killKey(CLIENT_CERT_LABEL);
+		}
 #endif
 
 		if (signatureChars) {