如何在单独的机器上构建和签名iOS应用? [英] How to build and sign an iOS app on separate machines?
问题描述
我们有一个iOS应用程序,它使用Jenkins运行的一系列Bash脚本构建。就像今天一样,我们使用以下命令构建xcarchive:
We have an iOS app which is built using a series of Bash scripts run by Jenkins. As things are today, we build an xcarchive using this command:
xcodebuild archive -workspace "..." -scheme "..." -configuration "Release" -archivePath "..."
这将构建应用并签名它使用通过xcconfig设置的配置概要文件中指定的证书。完成后,我们使用以下命令将其转换为IPA:
This builds the app and signs it using the certs specified in the provisioning profile which is set using an xcconfig. Once it is complete, we then turn it into an IPA using:
xcodebuild -archivePath "..." -exportArchive -exportOptionsPlist "${export_options_plist}" -exportPath "..."
此IPA然后可以上传到Hockey或进入App Store,具体取决于我们使用的xcconfig(我们将它们交换出来以创建不同的版本)。
This IPA can then be uploaded to Hockey or to the App store depending on the xcconfig we use (we swap them out to create different builds).
我们现在要确保我们的证书尽可能保持安全。这意味着我们要在一台机器上执行构建,而在另一台机器上执行签名。为此,我们需要这样做:
We now want to make sure our certificates are kept safe as much as possible. This means we want to perform the build on one machine, but the signing on another. In order to do that, we need to do this:
- 创建未签名的xcarchive
- 传输将xcarchive转换为签名机
- 将xcarchive转换为已签名的IPA
步骤2可以尽管现在暂时忽略它,所以让我们只关注步骤1和3。
Step 2 can be ignored for now though, so lets just focus on steps #1 and #3.
创建未签名的xcarchive可以通过将 CODE_SIGN_IDENTITY = CODE_SIGNING_REQUIRED = NO 参数添加到 archive 命令。
Creating the unsigned xcarchive can be done by adding the arguments CODE_SIGN_IDENTITY="" CODE_SIGNING_REQUIRED=NO to the archive command.
不过,签署IPA更为棘手。我们假设我们可以再次创建IPA,并使用 codesign 命令在IPA中对二进制文件进行签名。但是,这有几个问题。首先是我们对应用程序拥有的 .entitlements 文件没有得到尊重。我们必须将此作为标志传递给签名命令。然后我们意识到我们必须更正 .entitlements 文件中的所有变量,因为Xcode不再用正确的值替换它们。然后我们意识到必须对每个扩展都执行此操作。
Signing the IPA is much trickier though. We assumed we could just create the IPA again and use the codesign command to sign the binary in the IPA. This had a couple of problems though. The first is that the .entitlements file we had for the app wasn't respected. We had to pass this as a flag to the signing command. Then we realised that we had to correct all the variables in the .entitlements file since Xcode was no longer replacing them with the correct values. Then we realised that we had to do this for each extension we had.
我们终于用正确的权利完成了所有工作,替换了变量,所有内容都签名了,但是当我尝试将新签名的IPA上载到Hockey时,它拒绝了。错误消息也无济于事。
We finally got this all working, with the correct entitlements, replacing the variables and everything was signed, but when I tried uploading the new signed IPA to Hockey it rejected it. The error message wasn't helpful either.
我们将以前的系统与新系统进行了差异化,每个二进制文件都不同。我们不确定这是代码签名问题,还是只是时间戳更改,但是是否有更改。此外,我们发现我的扩展名都缺少 archived-expanded-entitlements.xcent 文件,还有更多的问题。
We diff'ed a build with the previous system with the new system and each binary was different. We're not sure if this is a codesigning issue, or just a timestamp change, but there are changes. Furthermore, we discovered that my extensions are all missing archived-expanded-entitlements.xcent files, plus possibly more issues.
看来我们似乎是走错路了。显然,我们不必只为了在另一台计算机上签名就需要重新做所有事情,那么我们在哪里出错呢?我们应该如何在一台机器上构建并在另一台机器上签名?
It definitely seems like we are going about this the wrong way. We clearly shouldn't have to re-do everything just to sign on a different machine, so where are we going wrong? How are we supposed to build on one machine and sign on another?
P.S。我们当前的工具直接使用 xcodebuild ,但是我们在构建过程的其他部分支持 fastlane ,因此我们如果需要,很高兴使用它。
P.S. Our current tools use xcodebuild directly, but we have support for fastlane for other parts of our build process, so we are happy to use it if needed.
更新:对此,我们有一个解决方案,即使用开发人员证书对发布版本进行签名,然后使用发行版之一对其进行签名。这解决了填充权限等所有问题,但仍然需要将每个二进制文件都签名,并合并了权限等。因此,我想知道是否有更好的解决方案。
Update: We have a "solution" to this which is to sign the Release builds with a dev cert, then resign them using the distribution one. This solves all the problems with entitlements being populated etc. but still requires each binary to be resigned and entitlements combined, etc. so I'm curious if there is a better solution.
推荐答案
我们与公司中的其他团队一起进行了数周的研究。我们所有人都得出相同的结论,没有比使用dev证书签名然后再使用prod证书重新签名每个二进制文件更好的选择了。这不是一个简单的过程,但这就是我们所剩下的。
We worked on this for several weeks along with other teams in the company. All of us came to the same conclusion, there is no better option than signing with a dev cert and then re-signing each and every binary with the prod cert afterwards. It's not a straight forward process, but that's what we have been left with.
这篇关于如何在单独的机器上构建和签名iOS应用?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
