xcode 在 Jenkins 中运行 XCodeBuild 时出现代码签名错误
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/13614657/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Code signing error running XCodeBuild in Jenkins
提问by Gruntcakes
[Not a duplicate of similar questions as explained further down]
[不是进一步解释的类似问题的重复]
I'm getting a code signing error when running XCodeBuild from within Jenkins but it will build ok from the command line or from within Xcode.
在 Jenkins 中运行 XCodeBuild 时出现代码签名错误,但它可以从命令行或 Xcode 中正常构建。
Several people have had this problem in the past and the common theme with them is that Jenkins gets run at launch time as the daemon user and thus tries to access the system keychain. The solutions that people have applied are copying credentials to the system keychain or running a command to set which keychain to use.
过去有几个人遇到过这个问题,他们的共同主题是 Jenkins 在启动时作为守护程序用户运行,因此尝试访问系统钥匙串。人们应用的解决方案是将凭据复制到系统钥匙串或运行命令来设置要使用的钥匙串。
However in my case if I look at launchd in the Activity Manager the user is showing up as the user I am logged onto the machine as, therefore Jenkins should be running as this user and not as the daemon user.
但是,在我的情况下,如果我在活动管理器中查看 launchd,则用户显示为我登录到机器的用户,因此 Jenkins 应该以此用户身份而不是守护程序用户身份运行。
I tried setting which keychain to use by adding this command to the Jenkins script before running XCodeBuild
在运行 XCodeBuild 之前,我尝试通过将此命令添加到 Jenkins 脚本来设置要使用的钥匙串
security list-keychains -s /Users/[user]/Library/Keychains/login.keychain
But that did not solve the problem.
但这并没有解决问题。
The error I am getting is:
我得到的错误是:
Code Sign error: The identity 'iPhone Developer: NNNNN (9TYX5WAM63)' doesn't match any valid, non-expired certificate/private key pair in your keychains"
So I tried moving the credentials to the system keychain but now get this error in Jenkins, but its still fine from the command line:
因此,我尝试将凭据移动到系统钥匙串,但现在在 Jenkins 中出现此错误,但从命令行仍然可以正常工作:
Code Sign error: Provisioning profile 'F152C66E-B99A-47F6-B262-376CE4403D71' can't be found
Also when I move the credentials to the system keychain I am no longer able to build from within XCOde - I get the same error as the top error message above.
此外,当我将凭据移动到系统钥匙串时,我无法再从 XCOde 中进行构建 - 我收到与上面的顶部错误消息相同的错误。
I've also tried editing the org.jenkins-ci.plist file to set the user as who I'm logged onto the machine as, in accordance with this, but that too had no effect.
我还尝试编辑 org.jenkins-ci.plist 文件,将用户设置为我登录到机器上的用户,按照这个,但这也没有效果。
使用 Jenkins/Hudson 作为 iOS 和 Mac 开发的持续集成时,钥匙串中缺少证书和密钥
Any ideas what I could try next?
任何想法我接下来可以尝试什么?
回答by Kibitz503
I feel for you as the last time we messed with this it was quite the challenge. We did this when we set up a CI server for a project. If I remember correctly (broadly) we followed these steps:
我觉得你因为我们最后一次搞砸了,这是相当大的挑战。我们在为项目设置 CI 服务器时这样做了。如果我没记错的话(大致上)我们遵循了以下步骤:
1) Set Jenkins up as a developer on the Apple Dev account
1) 在 Apple Dev 帐户上将 Jenkins 设置为开发人员
2) Created a cert and dev provisioning profile specifically for Jenkins
2) 专门为 Jenkins 创建了一个证书和开发配置文件
3) Setup a Jenkins user on the CI Server and delete any previous certs/prov profiles from xcode for that user
3) 在 CI 服务器上设置一个 Jenkins 用户并从该用户的 xcode 中删除任何以前的 certs/prov 配置文件
4) Add the Jenkins cert to the AD-Hoc Dist Profile (If you are trying to distribute an .ipa to HockeyApp you will need to to this for an archive build.)
4) 将 Jenkins 证书添加到 AD-Hoc Dist 配置文件中(如果您尝试将 .ipa 分发到 HockeyApp,您需要将其用于存档构建。)
5) Go into the xcode project file and delete any existing references to Provisioning Profiles
5) 进入 xcode 项目文件并删除对 Provisioning Profiles 的任何现有引用
6) Download and Install the certs for this user and the appropriate Prov Profiles.
6) 下载并安装此用户的证书和适当的 Prov 配置文件。
7) Before the build unlock the Jenkins user keychain. Do this only if the Jenkins user is not the user running the xcode build.
7) 在构建之前解锁 Jenkins 用户钥匙串。仅当 Jenkins 用户不是运行 xcode 构建的用户时才执行此操作。
Verify that Xcode shows the Prov Profile as valid in the organiser when logged in as the Jenkins user.
当以 Jenkins 用户身份登录时,验证 Xcode 是否在管理器中显示 Prov 配置文件有效。
I know my answer is somewhat vague and my intent is to be helpful. This type of error is usually caused by one of three things. Xcode cant find the profile, Xcode cant find the cert or Xcode found more then one profile (supposed to produce a different error but doesn't always) and has a mismatch of some kind. Usually redoing the Prov Profiles is the least painful solution.
我知道我的回答有些含糊,我的意图是提供帮助。这种类型的错误通常是由三件事之一引起的。Xcode 找不到配置文件,Xcode 找不到证书或 Xcode 找到多个配置文件(应该会产生不同的错误,但并非总是如此)并且存在某种不匹配。通常重做 Prov Profiles 是最不痛苦的解决方案。
Best of luck man. You will solve it it's just a huge headache!
祝你好运的人。你会解决它只是一个巨大的头痛!
回答by Slav
Probably not the answer you are looking for, but i gave up on the XCodeBuild plugin for a number of reasons, and running my build through "Execute Shell" step.
可能不是您正在寻找的答案,但由于多种原因我放弃了 XCodeBuild 插件,并通过“执行外壳”步骤运行我的构建。
You said your command line build works, so you already know the commands that are required. Just put that into the shell.
您说您的命令行构建有效,所以您已经知道所需的命令。把它放进壳里就行了。
xcodebuild -verbose -alltargets -configuration Debug clean build CODE_SIGN_IDENTITY="${CODE_SIGN_IDENTITY}" PROVISIONING_PROFILE=${PROVISIONING_PROFILE}
&&
/usr/bin/xcrun -sdk iphoneos PackageApplication -v "${WORKSPACE}/client_trunk/build/Debug-iphoneos/${Application}.app" -o "${WORKSPACE}/client_trunk/build/Debug-iphoneos/${Application}-Debug-${shortVer}.${revVer}.ipa" --sign "${CODE_SIGN_IDENTITY}" --embed "/Users/[youruser]/Library/MobileDevice/Provisioning Profiles/${PROVISIONING_PROFILE}.mobileprovision"
Above, ${CODE_SIGN_IDENTITY}is the one that looks like iPhone Developer: blah
And ${PROVISIONING_PROFILE}is the hex number for the profile like F152C66E-B99A-47F6-B262-376CE4403D71
上面,${CODE_SIGN_IDENTITY}是一个看起来像iPhone Developer: blah
并且${PROVISIONING_PROFILE}是配置文件的十六进制数F152C66E-B99A-47F6-B262-376CE4403D71
回答by Nick N
Using Jenkins I got this error:
使用詹金斯我得到了这个错误:
/Users/Shared/Jenkins/Home/jobs/ExampleTabbed-Integration/workspace/build/Debug-iphoneos/ExamplesTabbed.app: User interaction is not allowed.
Command /usr/bin/codesign failed with exit code 1
命令 /usr/bin/codedesign 失败,退出代码为 1
I fixed it by doing the following:
我通过执行以下操作修复了它:
- Add Build Step before the XCode (jenkins plugin) step
Add the following as the execute command:
security unlock-keychain -p "passwordhere" ${HOME}/Library/Keychains/login.keychain
In the XCode (via plugin) configuration I'm using the following:
- Unlock Keychaing ? (unchecked)
- Keychain path: ${HOME}/Library/Keychains/login.keychain
- Keychain password: (empty)
- 在 XCode(jenkins 插件)步骤之前添加构建步骤
添加以下内容作为执行命令:
security unlock-keychain -p "passwordhere" ${HOME}/Library/Keychains/login.keychain
在 XCode(通过插件)配置中,我使用以下内容:
- 解锁钥匙扣?(未选中)
- 钥匙串路径:${HOME}/Library/Keychains/login.keychain
- 钥匙串密码:(空)
It might be possible to remove the pre-step and use the actual xcode config to do it, but it's working as described with no problems.
可能可以删除前置步骤并使用实际的 xcode 配置来执行此操作,但它按描述的那样工作,没有任何问题。
Note this doesn't take into account using a more secure solution yet, but this was my solution to the xcode signing issue. I'm running on OSX with the Jenkins installer and running as a launchctl command, used by the default Jenkins installer application. If that helps.
请注意,这还没有考虑使用更安全的解决方案,但这是我对 xcode 签名问题的解决方案。我使用 Jenkins 安装程序在 OSX 上运行,并作为 launchctl 命令运行,由默认的 Jenkins 安装程序应用程序使用。如果那有帮助。
回答by ?ukasz Koniecki
Follow instruction on the Xcode Plugin home page:
按照Xcode 插件主页上的说明进行操作:
If this prompt is not showing on the build machine, you can force it to appear by running the codesign command that failed from a terminal on the build machine: /usr/bin/codesign --force --sign "iPhone Distribution: .....
如果此提示未显示在构建机器上,您可以通过从构建机器上的终端运行失败的 codesign 命令来强制它出现:/usr/bin/codesign --force --sign "iPhone Distribution: .. ...
Execute failed signing command from the terminal as a Jenkins user and select "Always allow"
以 Jenkins 用户身份从终端执行失败的签名命令并选择“始终允许”
回答by ocodo
Subprocesses of Java/Jenkins will need to have unlocked access to the Keychain.
Java/Jenkins 的子进程需要解锁对钥匙串的访问。
Let's say your build / code-sign / release process is working fine. The only blocker is when you try running the exact same process in Jenkins.
假设您的构建/代码签名/发布过程运行良好。唯一的阻碍是当您尝试在 Jenkins 中运行完全相同的进程时。
Chances are that the keychain is locked, not for the user, but for Jenkins sub-processes.
钥匙串可能被锁定,不是针对用户,而是针对 Jenkins 子进程。
The security command to unlock the keychain will need to be run as a Jenkins job, just once. Even if the same logged in user has already unlocked the keychain in the terminal.
解锁钥匙串的安全命令将需要作为 Jenkins 作业运行,只需一次。即使同一登录用户已经在终端中解锁了钥匙串。
So setup a simple freestyle job in Jenkins and add the following shell command as a build phase.
因此,在 Jenkins 中设置一个简单的自由式作业并添加以下 shell 命令作为构建阶段。
security unlock-keychain -p PASSWORD /Users/your_username/Library/Keychains/login.keychain-db
(make sure you include the proper PASSWORDand path to login.keychain-db)
(确保包含正确的PASSWORD和路径login.keychain-db)
Once you've run this job once, try your regular release job again, it should work if you have all the required apple certificates in your login keychain.
运行此作业一次后,再次尝试常规发布作业,如果您的登录钥匙串中拥有所有必需的苹果证书,它应该可以工作。
