Mac OS X - Making Keychain Certificates available to Atlassian Bamboo
I have a Bamboo plan which builds a package, and I want to sign that package with my developer certificate. In my build script, I have this:

productsign --sign "Name of my certificate" "input.pkg" "output.pkg"

Running this script from the command line works as expected. However, running the script from Bamboo, I always get the error:

productsign: error: Could not find appropriate signing identity for "Name of my certificate"

I presume this must be because of the context that the build script is run in when run from Bamboo. How do I make the certificate usable in Bamboo? It is installed in System, not login.

Angeloangelology answered 15/8, 2013 at 14:30 Comment(0)
If you need to run Bamboo as root, then you'll need to copy the appropriate certificates from your login keychain to your System keychain using Keychain Access (Applications > Utilities).

Having said that, it would probably be better to run Bamboo as a user instead of root. E.g. if you need to use mobile provisioning profiles to sign any iOS builds on the same server, being root will not work.

Ginkgo answered 13/11, 2013 at 17:11 Comment(2)
If you are running the Bamboo agent from a LaunchDaemon, you can specify the user Bamboo runs as by adding the UserName field to your LaunchDaemon plist (<key>UserName</key><string>yourusername</string>). – Angeloangelology
I have the Bamboo agent configured to launch as a LaunchDaemon and I specified UserName as well, but xcodebuild still couldn't access keys in the keychain. I had to move the keys from the login keychain to System; that worked for me. – Dabble
Have you tried sudo'ing the operation?

I.e.:

sudo productsign --sign "Name of my certificate" "input.pkg" "output.pkg"

As the key is in the System keychain (which maybe it shouldn't be for your use case?), you likely don't have access to it as a 'regular' user, even though [by design] you have access to the certificates in it.

Saxophone answered 26/8, 2013 at 10:16 Comment(2)
I had already tried this but unfortunately, you get the same error. – Angeloangelology
That would have been too easy, right? What about exporting the key and importing it back to the login keychain? If the CN you're using to identify the key is correct, there's little else which should be standing in the way of the signature processing. – Saxophone
My recommendation is to store the keys you need in a separate keychain. That will make it much easier to find them and manage them. Just create a new keychain and move your cert into it; store it somewhere convenient. Then I sign things this way (I'm using codesign, but --productsign is the same). I do not build as root, nor do I use sudo for this.

# Keychain that holds all the required signing certificates
# To create a keychain like this, create it in "Keychain Access" and copy all your certificates into it
# Then set its timeout to infinite (so it doesn't re-lock itself during the build):
#    security set-keychain-settings <path>
# Passing no "-t" option means "no timeout."
# Generally you should just be able to copy this file from build host to build host as needed. Then
# add it to the available keychains using Keychain Access, File>Add Keychain…. If you don't add it to
# Keychain Access, you'll receive signing error CSSMERR_TP_NOT_TRUSTED, since it won't recognize the
# entire chain
keychain=~/Library/Keychains/MyProduct.keychain
keychain_password=somepassword # If you have one on the keychain
cert_identifier='My Signing Name'
sign=true # Set to false to build without signing; the sign() function below checks this flag
...

# We assume the keychain has an infinite timeout, so we just unlock it once here.
if ! security unlock-keychain -p "${keychain_password}" "${keychain}" ; then
  echo "Cannot unlock keychain. Cannot sign on this host."
  exit 1
fi

sign()
{
  name=$1 ; shift
  # The remaining arguments ("$@") are the paths to sign

  if ${sign} ; then
    echo "** SIGNING $name **"
    chmod u+w "$@"
    # Quote the identity: it contains spaces and must reach codesign as one argument
    codesign --keychain "${keychain}" -f -s "${cert_identifier}" "$@"
  fi
}

sign "The Whole Package" something.pkg
Jerrodjerrol answered 13/11, 2013 at 17:22 Comment(0)
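The "Could not find appropriate signing identity" error from the question usually means the keychain holding the certificate is not in the search list of the user the agent runs as, or the identity is not valid from that session. The script below is an added diagnostic, not code from any of the answers above: it prepends a dedicated keychain to the user's search list without dropping the existing entries (`security list-keychains -s` replaces the whole list) and then checks that `security find-identity` actually reports the identity as valid. The keychain path and identity name are placeholders.

```shell
#!/bin/sh
# Added example: check that a signing identity is visible to the build user
# before running productsign. Keychain path and identity are placeholders.

# Read `security list-keychains` output (one quoted path per line) on stdin and
# print the list with $1 placed first, unless it is already present.
# Pure text processing, so it can be exercised without the `security` tool.
search_list_with() {
  want=$1; found=0; list=""
  while IFS= read -r line; do
    path=$(printf '%s' "$line" | tr -d '" \t')
    [ -n "$path" ] || continue
    if [ "$path" = "$want" ]; then found=1; fi
    list="$list $path"
  done
  if [ "$found" -eq 1 ]; then printf '%s\n' "${list# }"; else printf '%s\n' "$want$list"; fi
}

# Return 0 if `security find-identity -v -p basic` output on stdin lists $1
# as a valid identity (-v prints only identities whose chain is trusted).
has_valid_identity() {
  grep -E '^ *[0-9]+\) [0-9A-Fa-f]{40} "' | grep -qF "\"$1\""
}

# Live check on a macOS build host: add the keychain to the search list, then
# confirm the identity productsign will look for is usable from this session.
check_signing_setup() {
  keychain=$1; identity=$2
  current=$(security list-keychains -d user)
  # Unquoted on purpose: one argument per keychain path
  security list-keychains -d user -s $(printf '%s\n' "$current" | search_list_with "$keychain")
  if security find-identity -v -p basic | has_valid_identity "$identity"; then
    echo "identity '$identity' is usable from this session"
  else
    echo "identity '$identity' not found: unlock '$keychain' and check its chain is trusted" >&2
    return 1
  fi
}

# Example invocation (placeholders); only meaningful where `security` exists.
# check_signing_setup "$HOME/Library/Keychains/MyProduct.keychain" "Name of my certificate"
```

Run it as the same user and in the same launch context as the Bamboo agent (for example from the agent's own build script), since the search list and unlock state are per session.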
