Add codesign to private key ACL without Keychain


Problem description

I'm trying to set up continuous builds/integration for a stable of iPhone apps.

I have:


  • A dedicated Mac Mini.
  • A user account named "build"
  • Hudson set up as a LaunchAgent for build, by dropping a plist in /Users/build/Library/LaunchAgents
    • Tried as a system-wide LaunchDaemon running as hudson, but then had no access to the build user's login keychain. Long story, full of heartache.

The big problem is codesigning and the Keychain.

I want to put the Mini in a deep dark room and never look at it, but the first time you build with a developer identity, a GUI dialog pops up asking if you want to always allow codesign to access the developer identity.

Assuming you do, that dialog box modifies the keychain access control list (ACL) so that codesign is allowed.

You can view this by opening Keychain Access, expanding the certificate, selecting the private key, right-clicking, selecting Get Info, and then switching to the Access Control tab. A "virgin" key will only have Keychain Access in its "always allow" application list. One you have used and confirmed in the dialog box will have codesign as well.

This box provides a way to add an application, except you get the standard Finder file picker, which hides Unix folders. There's no way to navigate to /usr/bin/codesign. So it's impossible to add manually!

Does anyone know of a way around this?

I'm aware of one method using the -T switch of "security import" but then you must specify the ACL when you import the key in the first place, so any keys added in the Keychain GUI would have to be tossed and reimported. Not exactly very nice.

Recommended answer

Normally the "cleansed" version of the file system that the Keychain's Get Info dialog presents to you won't allow you to access the hidden /usr/bin directory, but I found a way around this.

1. Get normal Finder windows to show all files. If you aren't aware of how to do this, check out this article.
2. In a normal Finder window, navigate to /usr/bin
3. Drag bin over to the Places area in the sidebar. Now bin is a shortcut you can access from anywhere.
4. From within the Keychain's Get Info -> Access Control pane, click the "+" button to open the find application dialog.
5. Click the bin that is now under the Places on this sidebar.
6. Navigate to and select codesign.
7. Click the Save Changes button.
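
The GUI steps above need someone at the console; the `security import -T` route mentioned in the question can be scripted for a headless build machine. The script below is an added example, not part of the original question or answer, and the names `build.keychain`, `identity.p12`, `KEYCHAIN_PW`, `P12_PW` and `DRY_RUN` are assumptions.

```shell
#!/usr/bin/env bash
# Added example: import a signing identity with codesign already in the
# private key's ACL, so no "always allow" dialog appears on first use.
# Assumed names (not from the page): build.keychain, identity.p12,
# KEYCHAIN_PW, P12_PW, DRY_RUN.

CODESIGN=/usr/bin/codesign

# run CMD...: execute the command, or with DRY_RUN=1 only print it with the
# two secrets masked, so the plan can be reviewed and logged safely.
run() {
  if [ "${DRY_RUN:-0}" != 1 ]; then "$@"; return; fi
  line=
  for arg in "$@"; do
    case "$arg" in "$KEYCHAIN_PW"|"$P12_PW") arg='<redacted>' ;; esac
    line="$line${line:+ }$arg"
  done
  printf '%s\n' "$line"
}

# import_signing_identity P12_FILE KEYCHAIN
import_signing_identity() {
  p12=$1 keychain=$2
  # A dedicated keychain keeps the build identity out of the login keychain.
  run security create-keychain -p "$KEYCHAIN_PW" "$keychain" || return 1
  run security unlock-keychain -p "$KEYCHAIN_PW" "$keychain" || return 1
  # -T puts exactly one trusted application on the key's ACL. The broader
  # -A switch would let any application use the key without a prompt.
  # Note: -p/-P expose the secrets in the process argument list while running.
  run security import "$p12" -k "$keychain" -P "$P12_PW" \
      -T "$CODESIGN" || return 1
  # List valid code signing identities to confirm the import worked.
  run security find-identity -v -p codesigning "$keychain"
}

# Runs only when called as: script.sh identity.p12 build.keychain
if [ "$#" -eq 2 ]; then
  import_signing_identity "$1" "$2"
fi
```

Keys that were already added through the Keychain GUI are not changed by this; as the question notes, they would have to be re-imported.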
