Original source: http://stackoverflow.com/questions/3864770/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverFlow
How do I add authorizations to code sign an app from new keychain without any human interaction
Asked by cmos
I'm trying to automate the process of building iphone apps with a particular certificate. So imagine if different users uploaded their cert into the system and it was immediately available to code sign against. I want to do this without any interaction. I also don't want to clutter up the system or logon keychain with different user certificates. To this end I have:
- turned off the requirement in XCODE to require code signing for a build.
- developed a ruby script to build an application via the xcodebuild command line tool
- created a script to automatically create a new keychain for a user of my system
- written a script to code sign a built iphone app.
Everything works, but I need to manually hit enter when the codesign program tries to exercise the sign permission. My keychains are all unlocked. Oddly enough it works if I make the keychain the default keychain, but that isn't scalable, i.e. I could only have one build process going at any given time.
When I manually click always allow for that process, I get an entry in my keychain dump that looks like this:
entry 1:
authorizations (6): decrypt derive export_clear export_wrapped mac sign
don't-require-password
description: privateKey
applications (2):
0: /usr/bin/codesign (OK)
So I'm thinking that I need to use the authorize command in security to pre-authorize codesign for those permissions. The security man page is pretty poor. I can't seem to get it to work using commands like this:
security -v authorize -uew sign | /usr/bin/codesign [code sign vars pointing to app and a specific keychain]
Does anyone have any ideas?
Answered by cmos
If you import your certificate into your keychain with a -A it will allow access to all programs trying to request that cert. This isn't very secure but works. You can also use -T to limit it to a particular app. Look up the import param found in man security.
Answered by dwery
On my system, once the keychain is unlocked with
security unlock-keychain
I just let xcodebuild do both the build and the code signing.
If your keychains are unlocked, it shouldn't be necessary to use the above call.
You might also want to check the command execute-with-privileges of security.
Answered by Alfie Hanssen
I'd like to add to the answer pool here, but also reopen part of the question that I don't think was answered.
The following command imports an identity (cert + private key) and specifies that it should "always allow" code sign access to it (preventing the Keychain Access alert from prompting the user for a button click):
`security import Targets/CurrentTarget/Certificate.p12 -k #{KEYCHAIN} -P "#{cert_pwd}" -T /usr/bin/codesign`
This command allows all applications access, rather than just code sign:
security import Targets/CurrentTarget/Certificate.p12 -k #{KEYCHAIN} -P "#{cert_pwd}" -A
Either of these commands will take care of the dialogs that pop up each time you use a private key in your Keychain. HOWEVER, they will NOT take care of the similar alert that pops up the very first time you request permission to use a private key. This alert will appear on first use and ask you to choose always allow, deny or allow. Every time after that (if you use the -T or -A options above, assuming the key remains in your keychain) you won't see a dialog.
My question is: how can you eliminate the alert that appears on first use?
I've considered using Apple Script to automate tapping the always allow button but because the alert is triggered in the middle of the xcodebuild command I'm not sure this would work. Any help would be much appreciated!
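As an added example (not code from any of the answers): because the question's build script is Ruby and the certificates come from different users, the create, unlock, import and sign steps can be built as argument arrays and run without a shell, instead of interpolating `#{cert_pwd}` into a command string. The helper names are hypothetical, and the keychain path, identity and passwords are constructed placeholders.

```ruby
# Added example, not code from the thread. Paths, names and passwords used
# with these helpers are constructed placeholders.
CODESIGN = '/usr/bin/codesign'

# argv for `security import`. -T restricts private-key access to the listed
# tools; allow_all: true emits -A (any application may use the key).
def import_argv(p12, keychain, p12_password = '', trusted: [CODESIGN], allow_all: false)
  argv = ['security', 'import', p12, '-k', keychain, '-P', p12_password]
  return argv + ['-A'] if allow_all
  raise ArgumentError, 'need at least one -T application' if trusted.empty?
  argv + trusted.flat_map { |app| ['-T', app] }
end

# Per-user sequence: dedicated keychain, unlock, import, sign against it.
def signing_plan(keychain:, keychain_password:, p12:, p12_password:, identity:, app:)
  [
    ['security', 'create-keychain', '-p', keychain_password, keychain],
    ['security', 'unlock-keychain', '-p', keychain_password, keychain],
    import_argv(p12, keychain, p12_password),
    [CODESIGN, '--keychain', keychain, '-s', identity, app]
  ]
end

# Copy of argv with the value after -p / -P masked, safe to write to logs.
def redact(argv)
  argv.each_with_index.map { |arg, i| i > 0 && %w[-p -P].include?(argv[i - 1]) ? '***' : arg }
end

# Execute each step without a shell, so metacharacters in an uploaded
# certificate's password stay a single argument. Stops at the first failure.
def run_plan(plan, dry_run: true)
  plan.each do |argv|
    puts redact(argv).join(' ')
    next if dry_run
    system(*argv) or raise "step failed: #{argv.first(2).join(' ')}"
  end
end

if __FILE__ == $PROGRAM_NAME
  run_plan(signing_plan(
    keychain: '/Users/build/Library/Keychains/user42.keychain', # constructed
    keychain_password: 'kc-secret', p12: 'Targets/CurrentTarget/Certificate.p12',
    p12_password: 'p"; echo injected #', identity: 'iPhone Developer: Example', app: 'build/Example.app'
  ))
end
```

Passwords passed with -p and -P are still visible in the process list while each step runs; the redaction only covers what the build system writes to its own logs.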
Answered by Jacek Lampart
Just to add to all the answers above: even if your key/certificate is not password-protected, you need to pass -P "" (empty password) to security import.
Answered by malhal
Regarding dialogs that pop up each time you use a private key in your Keychain, this apple script will take care of the similar alert that pops up the very first time you request permission to use a private key.
#!/usr/bin/osascript
tell application "System Events"
    tell window 1 of process "SecurityAgent"
        click button "Always Allow" of group 1
    end tell
end tell
Answered by brack
Copying the certificates from the Login keychain to the System keychain works nicely in my case, and as a result you don't need to do any command-line unlocking.