使用 Jenkins/Hudson 作为 iOS 和 Mac 开发的持续集成时,钥匙串中缺少证书和密钥 [英] Missing certificates and keys in the keychain while using Jenkins/Hudson as Continuous Integration for iOS and Mac development
问题描述
我正在尝试改进适用于 iOS 的 Hudson CI,并在系统启动后立即启动 Hudson.为此,我使用以下启动脚本:
I'm trying to improve Hudson CI for iOS and start Hudson as soon as system starts up. To do this I'm using the following launchd script:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>Hudson CI</string>
<key>ProgramArguments</key>
<array>
<string>/usr/bin/java</string>
<string>-jar</string>
<string>/Users/user/Hudson/hudson.war</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>UserName</key>
<string>user</string>
</dict>
</plist>
这可以正常工作,但是当由 Hudson 启动的 xcodebuild 尝试签署应用程序时失败,因为它无法在钥匙串中找到正确的密钥/证书.但是,密钥/证书对是存在的,因为如果我从命令行启动 Hudson,它可以正常工作.
This works OK but when xcodebuild, which is started by Hudson, tries to sign an app it fails because it cant find the proper key/certificate in the keychain. However key/certificate pair is there since it's working correct if I start Hudson from command line.
你知道为什么会这样吗?
Do you have any ideas why it happens?
推荐答案
在此问题上花费数小时和数天后,我找到了一个相当简单的解决方案.如上所述,您的启动配置中是否有不同的用户名并不重要:
After spending hours and days with this issue I found a fairly easy solution to this. It doesn't matter if you have a distinct username in your launchd configuration as stated above:
<key>UserName</key>
<string>user</string>
丢失的证书和密钥必须位于系统钥匙串 (/Library/Keychains/System.keychain) 上.我在设置执行多个 security shell 调用的 jenkins 作业后发现了这一点.有趣的是security list-keychains:
The missing certificates and keys have to be on the system keychain (/Library/Keychains/System.keychain). I found this after I setup a jenkins job which executes several security shell calls. The one which's interesting is security list-keychains:
+ security list-keychains
"/Library/Keychains/System.keychain"
"/Library/Keychains/applepushserviced.keychain"
"/Library/Keychains/System.keychain"
这是 jenkins 将搜索证书和密钥的钥匙串,因此它们应该在那里.在我将证书移到那里后,它就可以工作了.确保您还将»Apple Worldwide Developer Relations Certification Authority« 证书复制到系统钥匙串,否则您将看到 codesign 中的 CSSMERR_TP_NOT_TRUSTED 错误.
That are the keychains jenkins will search the certificates and keys for so they should be there. After I moved my certs there it works. Make sure you also copy the »Apple Worldwide Developer Relations Certification Authority« certificate to the system keychain, otherwise you will see a CSSMERR_TP_NOT_TRUSTED error from codesign.
还可以使用 security list-keychains -s [附加钥匙串的路径] 注册更多钥匙串.我还没有尝试过,但是像 security list-keychains -s $HOME/Library/Keychains/login.keychain 这样的东西作为 jenkins 中的预构建 shell 执行可能会起作用.
It is also possible to register more keychains with security list-keychains -s [path to additional keychains]. I haven't tried it but something like security list-keychains -s $HOME/Library/Keychains/login.keychain as a pre-build shell execution in jenkins might work.
我尝试使用 -s 将用户钥匙串添加到搜索路径,但我无法让它工作.所以现在,我们必须将我们的证书和密钥复制到系统钥匙串中.
I've tried to add a user keychain to the search path with -s but I wasn't able to get it to work. So for now, we have to copy our certs and keys into the system keychain.
EDIT^2:阅读并使用 joensson 的解决方案而不是我的,他设法它可以访问用户钥匙串,而不仅仅是系统钥匙串.
EDIT^2: Read and use joensson' solution instead of mine, he managed it to access the users keychain instead of just the system keychain.
这篇关于使用 Jenkins/Hudson 作为 iOS 和 Mac 开发的持续集成时,钥匙串中缺少证书和密钥的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
