Can't import Code-signing Public or Private keys using Keychain access (Mac OS X Mavericks)


Problem description

In an attempt to build an iOS project (in XCode), I need to import my colleague's public and private keys for the code signing identity, but I am unable to do so because I get an error in Keychain Access that says "An error has occurred. Unable to import an item. / The contents of this item cannot be retrieved"

Details:

I have got two keys from my colleague's computer, exported them from his Keychain as two files:

Roomer Inc.p12 (the private key)

Roomer Inc.pem (the public key)

When he exported these, he left the password blank (although we also tried with a password of "test" and got the same results).

When I double-click Roomer Inc.p12 (for the private key), it opens in Keychain Access and prompts me to choose the keychain ("login" is selected by default)

I click "Add" and then I am prompted for the password to the keychain (which I leave blank)

Next I always see this message in Keychain access:

However, despite this message appearing, when I click OK, I see a new private key entry for "Roomer Inc". Note that this entry is a private key in the "login" key chain as I would expect, but has no expiration date (should it?)

Next, for the Roomer Inc.pem file (the public key) I am asked to choose the keychain ("login") and I click Add

Then, I also get the "An error has occurred. Unable to import an item. / The contents of this item cannot be retrieved" message for the public key as well. In this case however (unlike the private key), I do not see any entry corresponding to what I just added.

So, it appears that the private key entry may or may not be OK (I have no way to verify), and the public key entry for Roomer cannot be installed in the keychain without this error message. Please note that I also tried using the security import command to import the public key:

$ security import Roomer\ Inc.pem -f pkcs12 ~/Library/Keychains/login.keychain

1 key imported.

When I do this, although the command returns "1 key imported" I do not see a public key for "Roomer Inc" in my Keychain Access window (I closed out Keychain Access and re-opened it).

Either way, we have identified that this is our blocker. (The symptom of course is that the XCode project won't build for the AdHoc provisioning profile to be used with TestFlight). I have left off the additional steps regarding the XCode build and TestFlight setup, because we believe the core problem has to do with importing the keys as explained above.

Recommended answer

We figured out our problem, and I am posting my answer here so that others may find it helpful.

The problem is really a UX problem with Keychain Access. Let me back up and give a little context: when you create a distribution certificate with Apple, you create it based on a PRIVATE KEY and App-based permissions.

In Keychain Access, the distribution certificate is listed as a child below the name of the private key that it was created from. Here's the catch: When you use the search box in Keychain access (in my case we were typing in "Roomer" because that's the name on our distribution certificate), it won't look for a certificate with that name, it will look for a certificate attached to a private key for that name.

So my colleague had created a distribution certificate based on a private key that was named "Jorge Davila" (his name), even though the distribution certificate was named "iPhone Distribution: Roomer Inc."

When he searched for "Roomer" in Keychain Access, the correct one was NOT displayed in the search results because the key this certificate was created from was named "Jorge Davila" not "Roomer". Thus, he was exporting the wrong certificate and didn't realize because there were others (some expired) with that name.

Here's how the correct one looks:

This is a relatively nuanced problem with the UX of Keychain Access and the fact that the search tool doesn't give you the results you expect it to. I am posting this answer in the hope that others may find it useful.
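
One way to catch the wrong-export mistake described in this answer before the file is handed over, as an added example that is not part of the original post: it checks that a .p12 holds a certificate with the expected name, that the certificate is not expired, and that the bundled private key belongs to it. It assumes the `openssl` CLI; `check_p12` and `make_sample_p12` are hypothetical helper names, and the sample identity is constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Helper names are hypothetical.
# check_p12 FILE PASSWORD EXPECTED_NAME -> 0 if the export is a usable identity
check_p12() {
    p12=$1; pass=$2; want=$3
    # Pull the leaf certificate out of the bundle (no private key material).
    cert=$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null \
           | openssl x509 2>/dev/null) || cert=
    if [ -z "$cert" ]; then
        echo "FAIL: no certificate in $p12 (key-only export or wrong password)"; return 1
    fi
    # The subject must name the identity we meant to export.
    subject=$(printf '%s\n' "$cert" | openssl x509 -noout -subject)
    case $subject in
        *"$want"*) ;;
        *) echo "FAIL: subject is '$subject', expected to contain '$want'"; return 2 ;;
    esac
    # -checkend 0 exits non-zero if the certificate has already expired.
    if ! printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null; then
        echo "FAIL: certificate has expired"; return 3
    fi
    # The private key in the bundle must be the one the certificate was issued for.
    cert_pub=$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey)
    key_pub=$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
              | openssl pkey -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key missing or does not match the certificate"; return 4
    fi
    echo "OK: $subject"
}

# Constructed sample: a throwaway self-signed identity so the check runs offline.
# make_sample_p12 OUTFILE PASSWORD COMMON_NAME
make_sample_p12() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$3" \
        -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$d/key.pem" -in "$d/cert.pem" \
        -passout "pass:$2" -out "$1"
    rc=$?; rm -rf "$d"; return $rc
}
```

With OpenSSL 3, a .p12 exported by Keychain Access may need `-legacy` added to the `openssl pkcs12` calls. On the importing Mac, `security find-identity -v -p codesigning` lists the identities that ended up usable for signing.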
