问题
I'm trying to improve Hudson CI for iOS and start Hudson as soon as system starts up. To do this I'm using the following launchd script:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>Hudson CI</string>
<key>ProgramArguments</key>
<array>
<string>/usr/bin/java</string>
<string>-jar</string>
<string>/Users/user/Hudson/hudson.war</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>UserName</key>
<string>user</string>
</dict>
</plist>
This works OK but when xcodebuild, which is started by Hudson, tries to sign an app it fails because it cant find the proper key/certificate in the keychain. However key/certificate pair is there since it's working correct if I start Hudson from command line.
Do you have any ideas why it happens?
回答1:
After spending hours and days with this issue I found a fairly easy solution to this. It doesn't matter if you have a distinct username in your launchd configuration as stated above:
<key>UserName</key>
<string>user</string>
The missing certificates and keys have to be on the system keychain (/Library/Keychains/System.keychain). I found this after I setup a jenkins job which executes several security shell calls. The one which's interesting is security list-keychains:
+ security list-keychains
"/Library/Keychains/System.keychain"
"/Library/Keychains/applepushserviced.keychain"
"/Library/Keychains/System.keychain"
That are the keychains jenkins will search the certificates and keys for so they should be there. After I moved my certs there it works. Make sure you also copy the »Apple Worldwide Developer Relations Certification Authority« certificate to the system keychain, otherwise you will see a CSSMERR_TP_NOT_TRUSTED error from codesign.
It is also possible to register more keychains with security list-keychains -s [path to additional keychains]. I haven't tried it but something like security list-keychains -s $HOME/Library/Keychains/login.keychain as a pre-build shell execution in jenkins might work.
EDIT: I've tried to add a user keychain to the search path with -s but I wasn't able to get it to work. So for now, we have to copy our certs and keys into the system keychain.
EDIT^2: Read and use joensson' solution instead of mine, he managed it to access the users keychain instead of just the system keychain.
回答2:
I have found a solution giving me access to the regular keychains for my Jenkins user.
In addition to specifying the UserName element in the plist as the accepted answer suggests, the trick to get access to the normal keychains for the user you specified in UserName is to also add a SessionCreate element with value true to the plist file - /Library/LaunchDaemons/org.jenkins-ci.plist :
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>EnvironmentVariables</key>
<dict>
<key>JENKINS_HOME</key>
<string>/Users/Shared/Jenkins/Home</string>
</dict>
<key>GroupName</key>
<string>wheel</string>
<key>KeepAlive</key>
<true/>
<key>Label</key>
<string>org.jenkins-ci</string>
<key>ProgramArguments</key>
<array>
<string>/bin/bash</string>
<string>/Library/Application Support/Jenkins/jenkins-runner.sh</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>UserName</key>
<string>jenkins</string>
<key>SessionCreate</key>
<true />
</dict>
Then restart the daemon and try running a job in Jenkins that calls security list-keychains - and you should no longer see System.keychain as the only entry but the regular login and any custom key chains you might have added to the list of keychains for the "jenkins" user.
I am now using codesigning certificates from a custom keychain on my Jenkins build server - I have not installed any certificates or keys in my System keychain.
回答3:
We had the same problem with a hudson slave started as a launchdaemon on Mac OSX Lion. It worked, when we started the slave with webstart. The only difference we spotted was a different environment variable.
com.apple.java.jvmTask=WebStart
works, if we started the slave without webstart the variable was
com.apple.java.jvmTask=CommandLine.java
We found no way to influence the value upfront. I suggest you create a new node in Hudson, running on the same machine and started by webstart. For starting the slave we use the following launchdaemon configuration:
<?xml version"1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
<key>Label</key>
<string>jenkins</string>
<key>UserName</key>
<string>apple</string>
<key>Program</key>
<string>/usr/bin/javaws</string>
<key>ProgramArguments</key>
<array>
<string>-verbose</string>
<string>-wait</string>
<string>http://<hudson-hostname>:8080/computer/<node-name>/slave-agent.jnlp</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>KeepAlive</key>
<true/>
<key>WorkingDirectory</key>
<string>/Users/apple</string>
</dict>
</plist>
回答4:
You could try my Jenkins.app, https://github.com/stisti/jenkins-app, an alternative way to run Jenkins. It runs Jenkins in the user session, so Keychain access is not a problem.
回答5:
I faced the same problem, and tried changing the user name in /Library/LaunchDaemons/org.jenkins-ci.plist as described in one of the other posts. However, it still did not work, and some obscure NullPointerException did not help me identify the problem. Therefore, I would just share my solution: I had to also change the owner of the JENKINS_HOME directory (defined in org.jenkins-ci.plist as well):
chown -R myBuildUser /Users/Shared/Jenkins
myBuildUser is the user that has the certificates installed, and this is the user that I specified in the plist file.
This solution was quite obvious when I finally realized it - but it took me a couple of hours to find out about this, so hopefully this post can save the time for somebody else :-)
回答6:
We faced exactly the same issue on Lion as well as on SnowLeopard. We had to start a Tomcat/Hudson with xcodebuild jobs as a service. While starting from command line, the xcodebuild could access the login.keychain to use the certificate contained. But after reboot of the box, the login.keychain wasnt visible to xcodebuild and therefore the signing failed.
Since we needed to provide our company certificate by a keychain, the system keychain wasnt an option. Instead, we solved the issue by a simple workaround. We removed the user name, so that the launch daemon launches the process under root.
<plist version="1.0">
<dict>
<key>Label</key>
<string>${LAUNCH_LABEL}</string>
<key>Disabled</key>
<false/>
<key>RunAtLoad</key>
<true/>
<key>ProgramArguments</key>
<array>
<string>${INSTALL_DIR}/start.sh</string>
</array>
<key>StandardOutPath</key>
<string>${INSTALL_DIR}/tomcat-stdout.log</string>
<key>StandardErrorPath</key>
<string>${INSTALL_DIR}/tomcat-stderr.log</string>
</dict>
</plist>
The launch daemon called a simple script (start.sh), simulation a full login and running the program wanted
su -l username -c program
Now, even after booting, the xcodebuild can access the login.keychain. This works on Snow Leopard too, but, if you close the user specific login.keychain in a parallel session (like vnc login/logout) the keychain gets lost. Lion behaves different. Seems that Lion decouples the keychain from the user and assigns it to a login-session.
回答7:
To keep a compartmentalized keychain for Jenkins/Hudson, I moved the launchctl item from
/Library/LaunchDaemons/org.jenkins-ci.plist
to
/Users/Shared/Jenkins/Home/Library/LaunchAgents/org.jenkins-ci.plist
And that allows me to access the private keychain created for Jenkins.
回答8:
Adding SessionCreate and setting lots of certificates to 'always trust' in keychain manager worked for me with buildbot started from plist... but at some point, codesign started failing with CSSMERR_TP_NOT_TRUSTED. I recovered by setting the iPhone Distribution cert to 'use system defaults' in keychain manager. Even after a reboot, without logging in, the buildbot slave was then able to sign code, whew.
回答9:
Adding this since I had the same problem, but none of these solutions worked for me.
My problem was caused when after the signing certificate needed to be updated, after it had expired. After the update, xcode and running xcodebuild manually worked fine, BUT Jenkins could not sign the app.
Here is how I fixed it:
Look into Keychain and search for the key. For some reason that I don't understand this gave us different results.
Make sure that the private key is in the System level (if it isn't then drag and drop it to the System icon on the left.
回答10:
For Manual Signing Move your certificate from login to System in keychain. Login not accessible during archive and generating iPA.
来源:https://stackoverflow.com/questions/6827874/missing-certificates-and-keys-in-the-keychain-while-using-jenkins-hudson-as-cont