开发人员和企业分发之间的 CodeSign 冲突 [英] CodeSign collisions between Developer and Enterprise Distribution

问题描述

我的公司使用一台构建机器(Mac Mini)作为 CI 节点来构建我们的 iOS 应用程序.我们目前在 mini 上构建了 Ad-Hoc 和 App Store 配置.我们最近加入了企业计划，并希望开始构建企业配置.但是，我们的构建过程现在失败了，因为我们现在有两个名为iPhone Distribution: Widget Corporation"的证书.一个是 AdHoc/AppStore 的分发证书，一个是 Enterprise(Apple 称之为 In-House).

My company uses one build machine (a Mac Mini) as a CI node to build our iOS app. We currently build an Ad-Hoc and an App Store config on the mini. We've recently enrolled in the Enterprise Program and want to start building an Enterprise config as well. However, our build process now fails, because we now have two certificates called "iPhone Distribution: Widget Corporation". One is the distribution cert for AdHoc/AppStore, and one is for Enterprise (Apple calls it In-House).

我尝试修改 mini 的钥匙串，使一个证书在登录钥匙串中，一个在名为企业"的新钥匙串中，但这只是从构建开始时转移了错误:

I've tried modifying the mini's keychains such that one cert is in the login keychain and one is in a new keychain called "enterprise", but this just shifted the error from the start of the build:

CodeSign error: Certificate identity 'iPhone Distribution: Widget Corporation' appears more than once in the keychain.

到构建结束:

iPhone Distribution: Widget Corporation: ambiguous (matches "iPhone Distribution: Widget Corporation" in /Users/hudson.admin/Library/Keychains/login.keychain and "iPhone Distribution: Widget Corporation" in /Users/hudson.admin/Library/Keychains/enterprise.keychain)

我的问题是，是否有办法将这两个证书正确沙盒化，以便我可以在同一台机器上构建应用程序的 Ad-Hoc、App Store 和内部版本.我尚未尝试的唯一可能的解决方案是将证书与源代码捆绑在一起，并根据需要使用 security 添加和删除证书；显然，该解决方案不是很漂亮，并且会带来安全风险.

My question is whether or not there's a way to properly sandbox the two certificates so I can build Ad-Hoc, App Store, and In-House versions of the app on the same machine. The only possible solution I've yet to try is to actually bundle the certs along with the source and use security to add and delete the certificates as I need them; clearly that solution isn't very pretty and poses security risks.

有什么想法吗?

推荐答案

在与 Apple 开发者技术支持讨论后，他们建议创建单独的钥匙串来存放不同的证书，然后传递 --keychain 文件名 参数到 codesign 步骤以指向适当的文件.您可以使用 OTHER_CODE_SIGN_FLAGS 选项将此参数传递给 Xcode 或 xcodebuild.例如:

After discussing with Apple Developer Technical Support, they've advised creating separate keychains to house the different certificates and then pass the --keychain filename argument into the codesign step to point at the appropriate file. You can pass this argument into Xcode or xcodebuild using the OTHER_CODE_SIGN_FLAGS option. eg:

xcodebuild -target "<targetname>" -configuration "<configname>" 
  PROVISIONING_PROFILE=A3A47A82-E91F-4E95-8559-601C6C857053 
  OTHER_CODE_SIGN_FLAGS="--keychain=/Users/username/Library/Keychains/enterprise.keychain" 
  build  

此外，在创建新钥匙串后，它似乎默认在 5 分钟后重新锁定 - 如果您的构建需要一段时间，您可能需要更改此设置.

Also, after creating a new keychain it seems to default to relocking after 5 minutes - you might want to change this if you have builds that take a while.

这篇关于开发人员和企业分发之间的 CodeSign 冲突的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！