Missing certificates and keys in the keychain while using Jenkins/Hudson as Continuous Integration for iOS and Mac development


Problem description

I'm trying to improve Hudson CI for iOS and start Hudson as soon as system starts up. To do this I'm using the following launchd script:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>Hudson CI</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/java</string>
        <string>-jar</string>
        <string>/Users/user/Hudson/hudson.war</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>UserName</key>
    <string>user</string>
</dict>
</plist>

This works OK, but when xcodebuild, which is started by Hudson, tries to sign an app it fails because it can't find the proper key/certificate in the keychain. However, the key/certificate pair is there, since it works correctly if I start Hudson from the command line.

Do you have any ideas?

Recommended answer

After spending hours and days with this issue I found a fairly easy solution to this. It doesn't matter if you have a distinct username in your launchd configuration as stated above:

<key>UserName</key>
<string>user</string>

The missing certificates and keys have to be on the system keychain (/Library/Keychains/System.keychain). I found this after I set up a Jenkins job which executes several security shell calls. The one which is interesting is security list-keychains:

+ security list-keychains
    "/Library/Keychains/System.keychain"
    "/Library/Keychains/applepushserviced.keychain"
    "/Library/Keychains/System.keychain"

Those are the keychains Jenkins will search for the certificates and keys, so they should be there. After I moved my certs there it works. Make sure you also copy the »Apple Worldwide Developer Relations Certification Authority« certificate to the system keychain, otherwise you will see a CSSMERR_TP_NOT_TRUSTED error from codesign.

It is also possible to register more keychains with security list-keychains -s [path to additional keychains]. I haven't tried it but something like security list-keychains -s $HOME/Library/Keychains/login.keychain as a pre-build shell execution in jenkins might work.

EDIT: I've tried to add a user keychain to the search path with -s but I wasn't able to get it to work. So for now, we have to copy our certs and keys into the system keychain.

EDIT^2: Read and use joensson's solution instead of mine; he managed to access the user's keychain instead of just the system keychain.
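
A diagnostic to run as a Jenkins pre-build shell step, added here as an example and not part of the original answer: it parses the `security list-keychains` output shown above and reports whether the expected keychain is on the search list and whether any valid code-signing identity is visible to the launchd-started process. The function names and the default keychain argument are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added diagnostic (not from the original answer). Run it as a pre-build step
# so it executes in the same launchd session as the failing xcodebuild.

# Print one keychain path per line from `security list-keychains` output on
# stdin: strip indentation and quotes, drop blank and repeated entries.
parse_keychains() {
    sed -e 's/^[[:space:]]*"//' -e 's/"[[:space:]]*$//' | awk 'NF && !seen[$0]++'
}

# Succeed if keychain path $1 is in the search list read from stdin.
keychain_in_search_list() {
    parse_keychains | grep -Fxq -- "$1"
}

# Print N from the "N valid identities found" summary line of
# `security find-identity -v -p codesigning` output on stdin (0 if absent).
valid_identity_count() {
    n=$(sed -n 's/^[[:space:]]*\([0-9][0-9]*\) valid identities found.*$/\1/p' | tail -n 1)
    echo "${n:-0}"
}

# Report for the current process context. $1 is the keychain expected to hold
# the signing identity (assumed default: the system keychain from the answer).
report_signing_context() {
    keychain=${1:-/Library/Keychains/System.keychain}
    list=$(security list-keychains)
    echo "user: $(id -un)"
    echo "search list:"
    printf '%s\n' "$list" | parse_keychains | sed 's/^/  /'
    if printf '%s\n' "$list" | keychain_in_search_list "$keychain"; then
        echo "OK: $keychain is searched"
    else
        echo "MISSING: $keychain is not in the search list"
    fi
    count=$(security find-identity -v -p codesigning | valid_identity_count)
    echo "valid codesigning identities visible: $count"
    [ "$count" -gt 0 ]
}

# Only run the live report where the macOS `security` tool exists.
if command -v security >/dev/null 2>&1; then
    report_signing_context "$@" || echo "no usable signing identity in this context"
fi
```

Running the same script from a Terminal session and from the Jenkins job makes the difference between the two search lists directly comparable.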
