Jenkins - Xcode build works codesign fails

夕颜 2020-11-30 19:14

Below is my build script (not using xcodebuild plugin).

  1. Build step works
  2. I have created a separate keychain with the required certs and private keys
11 Answers
  • 2020-11-30 19:53

    That's a code signing error; the xcodebuild command can't access your certificate's private key since it's running through Jenkins' slave with SSH.

    Run this line in your shell script before you run the xcodebuild in order to allow access:

    security set-key-partition-list -S apple-tool:,apple: -s -k <ROOT-PASSWORD> /Users/<YOUR USER NAME>/Library/Keychains/login.keychain-db
    

    Hope that helps!

    0 Comments (0)
  • 2020-11-30 19:56

    Only one thing solved this problem for me.

    What I did was set the Private Key of the Signing Certificate in Keychain Access to "Allow all applications to access this item".

    0 Comments (0)
  • 2020-11-30 19:58

    FWIW... let me throw out another possible reason for this. You may have duplicate certificates floating around and codesign can't tell which one to use. When you run this command from your Jenkins slave do you see duplicate, valid certificates? Something like this:

    $ security find-identity -v -p codesigning
      1) AAAAE00066DED2FE77DF43012573AD5B6188AAAA "iPhone Developer: JOHN SMITH (XAAAAFSUSJ)"
      2) AAAAE00066DED2FE77DF43012573AD5B6188AAAA "iPhone Developer: JOHN SMITH (XAAAAFSUSJ)"
      3) BBBB5B03DB566209964247982908D3DD74D1BBBB "iPhone Distribution: Example, Inc. (TBBBBH5HUE)"
      4) BBBB5B03DB566209964247982908D3DD74D1BBBB "iPhone Distribution: Example, Inc. (TBBBBH5HUE)"
      5) BBBB5B03DB566209964247982908D3DD74D1BBBB "iPhone Distribution: Example, Inc. (TBBBBH5HUE)"
      6) AAAAE00066DED2FE77DF43012573AD5B6188AAAA "iPhone Developer: JOHN SMITH (XAAAAFSUSJ)"
      7) AAAAE00066DED2FE77DF43012573AD5B6188AAAA "iPhone Developer: JOHN SMITH (XAAAAFSUSJ)"
      8) BBBB5B03DB566209964247982908D3DD74D1BBBB "iPhone Distribution: Example, Inc. (TBBBBH5HUE)"
      8 valid identities found
    

    If so, I have found it useful to do the following and get back to a baseline set of signing certificates:

    • Delete all the certificates on the Jenkins slave (and other Jenkins slaves that will be running your build script).
    • Next, verify you have 0 identities by running $ security find-identity -v -p codesigning again.
    • Within your application's repository include a custom MyApp.keychain with the two valid certificates in it. Be sure to remove any duplicates.
    • Now, from your build script and before the codesign process runs, unlock MyApp.keychain and set it as the default. This exposes those certificates as available for codesign.
    • Finally, verify on your Jenkins slave again: $ security find-identity -v -p codesigning that you see only the certificates you bundled into MyApp.keychain and that there are no other signing identities on the system. If you still see duplicates after having done this you have other places where your Jenkins slave is being made aware of these certificates.
    0 Comments (0)
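The duplicate check described in the answer above can be run as a gate before codesign. This is an added example, not part of the original answer: the function names and the sample listing (including the CCCC... hash) are constructed, and it also flags one case beyond the answer, the same identity name backed by different certificates, which codesign reports as ambiguous.

```shell
#!/bin/sh
# Added example: audit `security find-identity -v -p codesigning` output.

# Constructed sample in the shape of the listing above (CCCC... is made up).
sample_identities() {
  cat <<'EOF'
  1) AAAAE00066DED2FE77DF43012573AD5B6188AAAA "iPhone Developer: JOHN SMITH (XAAAAFSUSJ)"
  2) BBBB5B03DB566209964247982908D3DD74D1BBBB "iPhone Distribution: Example, Inc. (TBBBBH5HUE)"
  3) AAAAE00066DED2FE77DF43012573AD5B6188AAAA "iPhone Developer: JOHN SMITH (XAAAAFSUSJ)"
  4) BBBB5B03DB566209964247982908D3DD74D1BBBB "iPhone Distribution: Example, Inc. (TBBBBH5HUE)"
  5) BBBB5B03DB566209964247982908D3DD74D1BBBB "iPhone Distribution: Example, Inc. (TBBBBH5HUE)"
  6) CCCC00000000000000000000000000000000CCCC "iPhone Developer: JOHN SMITH (XAAAAFSUSJ)"
     6 valid identities found
EOF
}

# Reads find-identity output on stdin and prints one line per problem:
#   duplicate <copies> <sha1> <name>   same certificate listed more than once
#   ambiguous <certs> <name>           one name, several distinct certificates
identity_problems() {
  awk '
    /^[ \t]*[0-9]+[)] [0-9A-F]+ "/ {
      sha = $2
      name = $0; sub(/^[^"]*"/, "", name); sub(/"[^"]*$/, "", name)
      if (!(sha in seen)) { seen[sha] = name; certs[name]++ }
      copies[sha]++
    }
    END {
      for (s in copies) if (copies[s] > 1)
        printf "duplicate %d %s %s\n", copies[s], s, seen[s]
      for (n in certs) if (certs[n] > 1)
        printf "ambiguous %d %s\n", certs[n], n
    }
  ' | LC_ALL=C sort
}

# Build gate: succeeds only when the listing on stdin is clean.
check_identities() {
  problems=$(identity_problems)
  if [ -n "$problems" ]; then
    printf '%s\n' "$problems" >&2
    return 1
  fi
}

# Demo on the constructed sample. On a build agent:
#   security find-identity -v -p codesigning | check_identities
sample_identities | identity_problems
```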
  • 2020-11-30 19:59

    Here's what worked for me:

    1. I created a new keychain and copied all entries from "login" to it, named it "jenkins_ios"
    2. Made new keychain default.
    3. Added a new "Execute shell" step in Jenkins config, it should be the first step before code signing, containing the following:

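    KEYCHAIN=/Users/<user>/Library/Keychains/jenkins_ios.keychain
    # Set the keychain search list to the dedicated keychain
    security -v list-keychains -s "$KEYCHAIN"
    # Unlock it for this session
    security -v unlock-keychain -p <password> "$KEYCHAIN"
    # Timeout interval of 3600 seconds (-t); also lock when the system sleeps (-l)
    security set-keychain-settings -t 3600 -l "$KEYCHAIN"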
    

    The last step is really important, as the default unlock timeout may not be long enough for your project to build properly (exactly this happened with our project, as it is huge and the build step took about 5-7 minutes, and the keychain became locked at the moment it was required for codesign).

    0 Comments (0)
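A variant of the unlock step above that keeps the existing search list, then locks the keychain and restores the list when the build ends. This is an added example, not code from the answer: the function names and the KEYCHAIN_PATH, KEYCHAIN_PASSWORD and KEYCHAIN_TIMEOUT variables are assumptions, with the password expected to come from the job's secret store rather than the step text.

```shell
#!/bin/sh
# Added example. Assumed inputs: KEYCHAIN_PATH, KEYCHAIN_PASSWORD and the
# optional KEYCHAIN_TIMEOUT are injected by the CI job; names are hypothetical.

# Current user search list, one unquoted path per line.
search_list() {
  security list-keychains -d user |
    sed -e 's/^[[:space:]]*"//' -e 's/"[[:space:]]*$//'
}

# Replace the user search list with the newline-separated paths in $1.
set_search_list() {
  old_ifs=$IFS
  IFS='
'
  set -f                       # split on newlines only, no globbing
  security list-keychains -d user -s $1
  set +f
  IFS=$old_ifs
}

open_signing_keychain() {
  : "${KEYCHAIN_PATH:?not set}" "${KEYCHAIN_PASSWORD:?not set}"
  SAVED_SEARCH_LIST=$(search_list)
  # Signing keychain first; existing entries kept, minus an earlier copy of it.
  rest=$(printf '%s\n' "$SAVED_SEARCH_LIST" | grep -vxF "$KEYCHAIN_PATH" || true)
  set_search_list "$KEYCHAIN_PATH
$rest"
  security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
  # Timeout must outlast the build, as the answer stresses.
  security set-keychain-settings -t "${KEYCHAIN_TIMEOUT:-3600}" -l "$KEYCHAIN_PATH"
}

close_signing_keychain() {
  security lock-keychain "$KEYCHAIN_PATH" || true
  [ -z "${SAVED_SEARCH_LIST:-}" ] || set_search_list "$SAVED_SEARCH_LIST"
}

# In the Jenkins "Execute shell" step:
#   open_signing_keychain
#   trap close_signing_keychain EXIT
#   xcodebuild ...            # the job's own build command
```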
  • 2020-11-30 19:59

    I removed duplicate keys from the key chains (login and system) and it started working. I did only have one certificate but many keys so I had to filter on keys to see them properly.

    0 Comments (0)
  • 2020-11-30 20:00

    I copied all the certs/private keys to a new keychain (you can right-click on the items and simply copy and paste). In the new keychain, right-click on each private key, Get Info -> Access Control and make the keys available to all apps.

    Importantly, in the upper left of the Keychain app is the list of keychains. Re-order them so that the new keychain is first in the list.

    Another answer I found gave the build step to unlock this keychain during the build:

    KEYCHAIN=/Users/<you>/Library/Keychains/codesign.keychain
    
    # the -s option adds $KEYCHAIN to the search scope, while the -d option adds $KEYCHAIN to the system domain; both are needed
    security -v list-keychains -d system -s $KEYCHAIN
    security -v unlock-keychain -p <keychain password> $KEYCHAIN
    
    0 Comments (0)