
Key: QB-1803
Type: Bug
Status: Open
Priority: Major
Assignee: Robin Shen
Reporter: Irina Kotlova
Votes: 0
Watchers: 0
QuickBuild

Build agent in service mode does not inherit full Mac user environment

Created: 02/Oct/13 04:24 PM   Updated: 02/Oct/13 05:02 PM
Component/s: None
Affects Version/s: 5.0.29
Fix Version/s: None

Original Estimate: Unknown Remaining Estimate: Unknown Time Spent: Unknown
Environment: MacOSX 10.8 (Mountain Lion)


Description
1) We build an over-the-air (OTA) product on Mac OS X 10.8. The OTA build must be signed with the certificate. The certificate is fully installed under the 'qbuser' login, which is a Standard User (not Administrator).

2) The build agent is started in service mode automatically upon reboot via /Library/LaunchDaemons/org.tanukisoftware.wrappers.quickbuild.plist with the following content:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>Label</key>
        <string>org.tanukisoftware.wrapper.quickbuild</string>
        <key>ProgramArguments</key>
        <array>
            <string>/Builds/QuickBuild/buildagent/bin/./agent.sh</string>
            <string>launchdinternal</string>
        </array>
        <key>OnDemand</key>
        <true/>
        <key>RunAtLoad</key>
        <true/>
        <key>UserName</key>
        <string>qbuser</string>
    </dict>
</plist>

The bin/agent.sh script has this entry:
RUN_AS_USER=qbuser

3) The first step in the build is to run the 'security unlock-keychain' command. The command fails with the error:
12:04:02,152 INFO - [echo] ****************************
12:04:02,152 INFO - [echo] ** Accessing the KeyChain **
12:04:02,152 INFO - [echo] ****************************
12:04:02,159 DEBUG - [exec] Current OS is Mac OS X
12:04:02,161 DEBUG - [exec] Executing 'security' with arguments:
12:04:02,161 DEBUG - [exec] 'unlock-keychain'
12:04:02,161 DEBUG - [exec] '-p'
12:04:02,161 DEBUG - [exec] 'KEYCHAIN_PWD'
12:04:02,161 DEBUG - [exec] '/Users/svcbuildm/Library/Keychains/login.keychain'
12:04:02,161 DEBUG - [exec]
12:04:02,161 DEBUG - [exec] The ' characters around the executable and arguments are
12:04:02,161 DEBUG - [exec] not part of the command.
12:04:02,273 INFO - [exec] security: SecKeychainUnlock /Users/svcbuildm/Library/Keychains/login.keychain: The user name or passphrase you entered is not correct.
12:04:02,594 ERROR - [exec] Result: 51

Because the 'security unlock-keychain' command fails, the build cannot proceed further.
--------------------------------------------
Now I stop the build agent, open a terminal window, and start the build agent manually in console mode with this command:
cd /Builds/QuickBuild/buildagent/bin
. agent.sh console

Run the build, and the 'security unlock-keychain' command succeeds:
12:05:04,358 INFO - [echo] ****************************
12:05:04,358 INFO - [echo] ** Accessing the KeyChain **
12:05:04,358 INFO - [echo] ****************************
12:05:04,365 DEBUG - [exec] Current OS is Mac OS X
12:05:04,367 DEBUG - [exec] Executing 'security' with arguments:
12:05:04,367 DEBUG - [exec] 'unlock-keychain'
12:05:04,367 DEBUG - [exec] '-p'
12:05:04,367 DEBUG - [exec] 'KEYCHAIN_PWD'
12:05:04,367 DEBUG - [exec] '/Users/svcbuildm/Library/Keychains/login.keychain'
12:05:04,367 DEBUG - [exec]
12:05:04,367 DEBUG - [exec] The ' characters around the executable and arguments are
12:05:04,367 DEBUG - [exec] not part of the command.
----------------------------------
A quick investigation shows that these 3 environment variables are present on the System Attributes tab in console mode and are absent in service mode:
Apple_PubSub_Socket_Render /tmp/launch-imw7UO/Render
Apple_Ubiquity_Message /tmp/launch-itv7yI/Apple_Ubiquity_Message
SECURITYSESSIONID 186a6

It seems that SECURITYSESSIONID is what is needed for 'security unlock-keychain' to succeed.
---------------------------------
The bottom line is that:
- the build agent in service mode does not have the full shell environment that console mode has;
- the only workaround to be able to build the OTA product is to start the build agent in console mode, which can only be done manually; after an accidental reboot, the build agent console can be restarted only manually.
Any official Apple product requires code signing, so a successful 'security unlock-keychain' is an essential part of the build; the step currently fails in build agent service mode.
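
The console-versus-service comparison described in the report above, as an added example that is not part of the original report or of QuickBuild: it diffs two environment dumps and flags a missing SECURITYSESSIONID before the signing step. It assumes each dump is `env` output (NAME=value per line) saved from a build step in that agent mode; the function names and the sample dump contents are constructed for illustration.

```sh
#!/bin/sh
# Added example, not QuickBuild code. Dumps are assumed to be `env` output
# (NAME=value per line) saved from a build step in each agent mode.

# Constructed sample dumps; the three console-only entries are those named in the report.
write_samples() {
    cat > "$1/console.env" <<'EOF'
HOME=/Users/qbuser
PATH=/usr/bin:/bin:/usr/sbin:/sbin
USER=qbuser
Apple_PubSub_Socket_Render=/tmp/launch-imw7UO/Render
Apple_Ubiquity_Message=/tmp/launch-itv7yI/Apple_Ubiquity_Message
SECURITYSESSIONID=186a6
EOF
    cat > "$1/service.env" <<'EOF'
HOME=/Users/qbuser
PATH=/usr/bin:/bin:/usr/sbin:/sbin
USER=qbuser
EOF
}

# Print the sorted variable names found in an env dump ($1).
env_keys() {
    sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$1" | LC_ALL=C sort -u
}

# Print names set in the console dump ($1) but absent from the service dump ($2).
missing_in_service() {
    c=$(mktemp); s=$(mktemp)
    env_keys "$1" > "$c"; env_keys "$2" > "$s"
    LC_ALL=C comm -23 "$c" "$s"
    rm -f "$c" "$s"
}

# Fail fast before signing: return 1 if the dump ($1) lacks SECURITYSESSIONID.
signing_preflight() {
    if grep -q '^SECURITYSESSIONID=' "$1"; then return 0; fi
    echo "preflight: SECURITYSESSIONID not set; keychain unlock failed in this state in the report" >&2
    return 1
}

# Demo run on the constructed samples.
dir=$(mktemp -d)
write_samples "$dir"
echo "Console-only variables:"
missing_in_service "$dir/console.env" "$dir/service.env"
signing_preflight "$dir/service.env" || echo "service mode: not ready for signing"
rm -rf "$dir"
```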

Comments
Irina Kotlova [02/Oct/13 05:02 PM]
I discovered that it is not necessary to specify the keychain password in build agent console mode - it can be any string, and 'security unlock-keychain' still succeeds. Even running 'security unlock-keychain' is not needed at all in console mode! It can be easily skipped and further signing succeeds. :-) Thus, the SECURITYSESSIONID environment variable is critical in the build process. It does not show up on the System Attributes tab in build agent service mode.