CodeSign在开发人员和企业分发之间的冲突 [英] CodeSign collisions between Developer and Enterprise Distribution
问题描述
我的公司使用一个构建机器(一个Mac Mini)作为CI节点来构建我们的iOS应用程序。我们目前在微型上构建Ad-Hoc和App Store配置。我们最近注册了企业计划,并希望开始构建企业配置。然而,我们的构建过程现在失败了,因为我们现在有两个证书称为iPhone分发:小部件公司。一个是AdHoc / AppStore的分发证书,一个是Enterprise(苹果公司称为内部)。
我已经尝试修改迷你的钥匙串, cert是在登录钥匙串中,一个是在一个叫做企业的新钥匙串中,但是这只是从构建开始就改变了错误:
CodeSign错误:证书身份iPhone分发:Widget公司在钥匙串中出现多次。
到版本结尾:
iPhone分发:Widget Corporation:ambiguous(匹配iPhone Distribution:Widget Corporation在/Users/hudson.admin/Library/Keychains/login.keychain和iPhone Distribution:Widget Corporation /Users/hudson.admin/Library/Keychains/enterprise.keychain)
我的问题是有一个方法来正确沙箱的两个证书,所以我可以在同一台机器上构建Ad-Hoc,App Store和内部版本的应用程序。我还没有尝试的唯一可能的解决方案是实际捆绑的证书与源和使用 security 添加和删除证书,因为我需要它们;
/ div>
在与Apple Developer技术支持讨论后,他们建议创建单独的钥匙串以容纳不同的证书,然后将 - keychain filename 参数传递到 codesign 步骤指向相应的文件。您可以使用 OTHER_CODE_SIGN_FLAGS 选项将此参数传递到Xcode或xcodebuild中。例如:
xcodebuild -target< targetname>配置< configname> \
PROVISIONING_PROFILE = A3A47A82-E91F-4E95-8559-601C6C857053 \
OTHER_CODE_SIGN_FLAGS = - keychain = / Users / username / Library / Keychains / enterprise.keychain\
build
此外,在创建新的钥匙串后,似乎默认在5分钟后重新锁定 - 您可能想如果您的构建需要一段时间,请更改此设置。
My company uses one build machine (a Mac Mini) as a CI node to build our iOS app. We currently build an Ad-Hoc and an App Store config on the mini. We've recently enrolled in the Enterprise Program and want to start building an Enterprise config as well. However, our build process now fails, because we now have two certificates called "iPhone Distribution: Widget Corporation". One is the distribution cert for AdHoc/AppStore, and one is for Enterprise (Apple calls it In-House).
I've tried modifying the mini's keychains such that one cert is in the login keychain and one is in a new keychain called "enterprise", but this just shifted the error from the start of the build:
CodeSign error: Certificate identity 'iPhone Distribution: Widget Corporation' appears more than once in the keychain.
to the end of the build:
iPhone Distribution: Widget Corporation: ambiguous (matches "iPhone Distribution: Widget Corporation" in /Users/hudson.admin/Library/Keychains/login.keychain and "iPhone Distribution: Widget Corporation" in /Users/hudson.admin/Library/Keychains/enterprise.keychain)
My question is whether or not there's a way to properly sandbox the two certificates so I can build Ad-Hoc, App Store, and In-House versions of the app on the same machine. The only possible solution I've yet to try is to actually bundle the certs along with the source and use security to add and delete the certificates as I need them; clearly that solution isn't very pretty and poses security risks.
Any ideas?
After discussing with Apple Developer Technical Support, they've advised creating separate keychains to house the different certificates and then pass the --keychain filename argument into the codesign step to point at the appropriate file. You can pass this argument into Xcode or xcodebuild using the OTHER_CODE_SIGN_FLAGS option. eg:
xcodebuild -target "<targetname>" -configuration "<configname>" \
PROVISIONING_PROFILE=A3A47A82-E91F-4E95-8559-601C6C857053 \
OTHER_CODE_SIGN_FLAGS="--keychain=/Users/username/Library/Keychains/enterprise.keychain" \
build
Also, after creating a new keychain it seems to default to relocking after 5 minutes - you might want to change this if you have builds that take a while.
这篇关于CodeSign在开发人员和企业分发之间的冲突的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
