How do I add certificates for OS X Server 3.2.1 with Xcode 6.0.1

7

10

After I have upgraded both Xcode (to 6.0.1) and OS X Server (to 3.2.1) I can't figure out how to add certificates for the provisioning profiles so the Xcode bot can find them.

I have successfully added the provisioning file by copying the .mobileprovision file to /Library/Developer/XcodeServer/ProvisioningProfiles

But the error I get in the log is now:

CodeSign /Library/Developer/XcodeServer/Integrations/Caches/017d83d8975db54bc8279c2fcc0304a6/DerivedData/Build/Products/Server\ build-iphoneos/Test.app
    cd /Library/Developer/XcodeServer/Integrations/Caches/017d83d8975db54bc8279c2fcc0304a6/Source/TEST
    export CODESIGN_ALLOCATE=/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate
    export PATH="/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin:/Applications/Xcode.app/Contents/Developer/usr/bin:/Applications/Xcode.app/Contents/Developer/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin"

Signing Identity:     "iPhone Distribution: Greener Pastures ApS"
Provisioning Profile: "Greener Pastures Enterprise TEST"
                      (03F7CD73-FB25-422E-22A4-A80F12041005)

    /usr/bin/codesign --force --sign 746ADC85C62D54BEC9FA874A8D777A38D4DB95CA --keychain /Library/Developer/XcodeServer/Keychains/Portal.keychain --resource-rules=/Library/Developer/XcodeServer/Integrations/Caches/017d83d8975db54bc8279c2fcc0304a6/DerivedData/Build/Products/Server\ build-iphoneos/Fnug.app/ResourceRules.plist --entitlements /Library/Developer/XcodeServer/Integrations/Caches/017d83d8975db54bc8279c2fcc0304a6/DerivedData/Build/Intermediates/Fnug.build/Server\ build-iphoneos/Fnug.build/Fnug.app.xcent /Library/Developer/XcodeServer/Integrations/Caches/017d83d8975db54bc8279c2fcc0304a6/DerivedData/Build/Products/Server\ build-iphoneos/Fnug.app

746ADC85C62D54BEC9FA874A8D777A38D4DB95CA: no identity found
Command /usr/bin/codesign failed with exit code 1

Which looks like: "I can't find the certificate for the specified provisioning profile".

And it looks like the certificate should be in the file /Library/Developer/XcodeServer/Keychains/Portal.keychain – which, unfortunately, I am unable to edit.

I have tried adding the certificate to the file by using

sudo security import "/Users/administrator/Desktop/Greener Pastures Enterprise Distribution TEST Certificate.p12" -k /Library/Developer/XcodeServer/Keychains/Portal.keychain -A -T /usr/bin/codesign -T /usr/bin/xcodebuild -T /usr/bin/pkgbuild

But that prompts me for the "keychain password". Which I don't have (no, it is not the administrator account's password or the certificate password).

Does anyone know how to fix this?

Leavy answered 18/9, 2014 at 13:13 Comment(0)
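
A way to confirm what the "no identity found" error in the question means before touching the Portal keychain (an added example, not part of the original question or answers): pull the identity hash and keychain path out of the codesign line, then look for that hash in a `security find-identity` listing of that keychain. The log excerpt and listing embedded here are constructed samples, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Sample inputs below are constructed.

# Constructed build-log excerpt (codesign line shortened from the question).
sample_log() { cat <<'EOF'
    /usr/bin/codesign --force --sign 746ADC85C62D54BEC9FA874A8D777A38D4DB95CA --keychain /Library/Developer/XcodeServer/Keychains/Portal.keychain Test.app
746ADC85C62D54BEC9FA874A8D777A38D4DB95CA: no identity found
EOF
}

# Constructed listing in the layout printed by
#   security find-identity -v -p codesigning <keychain>
sample_listing() { cat <<'EOF'
  1) 0000000000000000000000000000000000000001 "iPhone Developer: Example (constructed)"
     1 valid identities found
EOF
}

# stdin: build log. Prints the SHA-1 identity codesign was told to use.
requested_identity() {
    sed -n 's/.*codesign .*--sign \([0-9A-Fa-f]\{40\}\) .*/\1/p' | head -n 1
}

# stdin: build log. Prints the keychain codesign was told to search.
requested_keychain() {
    sed -n 's/.*codesign .*--keychain \([^ ]*\) .*/\1/p' | head -n 1
}

# $1: identity hash; stdin: find-identity listing.
# Prints "present: <certificate name>" or "missing".
identity_status() {
    awk -v want="$(printf '%s' "$1" | tr 'a-f' 'A-F')" '
        toupper($2) == want {
            sub(/^[^"]*"/, ""); sub(/"[^"]*$/, "")
            print "present: " $0; found = 1; exit
        }
        END { if (!found) print "missing" }'
}

hash=$(sample_log | requested_identity)
echo "codesign wants $hash from $(sample_log | requested_keychain)"
echo "keychain listing says: $(sample_listing | identity_status "$hash")"
# On the server, pipe the real listing in instead of sample_listing:
#   sudo security find-identity -v -p codesigning "$keychain" | identity_status "$hash"
```
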
22

Try to add your server to the developer portal first and remove all restrictions like explicit provisioning files from your project.

If this doesn't work, file a Radar explaining your configuration and why you think it should be supported by Apple.

If you are really, really sure it's a good idea to hack your server, possibly breaking it, open a terminal on your server from an account with administrator privileges and:

  1. Copy the Portal keychain to your desktop:

    > sudo cp /Library/Developer/XcodeServer/Keychains/Portal.keychain ~/Desktop/
    

    Password: your-administrator-password

    > sudo chown `whoami`:staff ~/Desktop/Portal.keychain 
    
  2. Set the Portal keychain password to “123”

    > security set-keychain-password -o "`sudo cat /Library/Developer/XcodeServer/SharedSecrets/PortalKeychainSharedSecret`" ~/Desktop/Portal.keychain 
    

    New Password: 123

    Retype New Password: 123

  3. Open the Keychain in Keychain Access:

    > open -b com.apple.keychainaccess ~/Desktop/Portal.keychain
    
  4. Unlock the “Portal” keychain using password “123”

  5. Copy the needed keys from your personal “login” keychain to the “Portal” keychain.

  6. Make sure the private keys have the right access rights (in the “Access Control” tab), “xcsbuildd”, “xcscontrol”, “xcodebuild” and “codesign” should be listed

  7. Lock the “Portal” keychain, quit “Keychain Access”

  8. Reset the Portal keychain password:

    > security set-keychain-password -p "`sudo cat /Library/Developer/XcodeServer/SharedSecrets/PortalKeychainSharedSecret`" ~/Desktop/Portal.keychain 
    

    Password: your-administrator-password (optional step)

    Old Password: 123

    It may or may not ask you for your administrator password again, pay attention to the prompt.

  9. Copy the Portal keychain back

    > sudo chown _xcsbuildd:_xcs ~/Desktop/Portal.keychain
    > sudo cp ~/Desktop/Portal.keychain /Library/Developer/XcodeServer/Keychains/
    
  10. Since the system caches open keychains, restart your computer.

Don't just blindly copy keys to the Portal keychain. Try other solutions first and ask on Stack Overflow if you need help. Only follow this procedure after filing a Radar, not just because “things don't work”. You will destroy your system when you are not exactly sure what you're doing here.


Alternate procedure (for the advanced):

Copy the following script as importP12.sh:

#!/bin/sh
# Import one or more .p12 files into the Xcode Server Portal keychain.

importP12()
{
    P12FILE="$1"
    XCS="/Library/Developer/XcodeServer"
    XCBIN="$XCS/CurrentXcodeSymlink/Contents/Developer/usr/bin"
    PORTALKC="$XCS/Keychains/Portal.keychain"
    # File holding the Portal keychain password (shared secret)
    PORTALKCS="$XCS/SharedSecrets/PortalKeychainSharedSecret"
    # Feed the commands to security's interactive mode: unlock, import with an
    # ACL limited to the Xcode Server tools and codesign, then lock again.
    sudo security -i <<IMPORT
unlock-keychain -p "`sudo cat $PORTALKCS`" $PORTALKC
import "$P12FILE" -k $PORTALKC -T "$XCBIN/xcsbuildd" -T "$XCBIN/xcscontrol" -T "$XCBIN/xcodebuild" -T /usr/bin/codesign
lock-keychain $PORTALKC
IMPORT
}

echo "Please enter your account password:"
for p12 in "$@"
do
    importP12 "$p12"
done

And do

> importP12.sh your-P12-file.p12

Password: your-administrator-password

A dialog asking you for the P12 import password should appear and you are set.

Cuttle answered 19/9, 2014 at 12:42 Comment(5)
For those looking... "xcsbuildd", "xcscontrol", and "xcodebuild" are inside the Xcode binary... "/Applications/Xcode.app/Contents/Developer/usr/bin" while "codesign" is "usr/bin/codesign" and you add these to the ACL list via the "Get Info" menu item (or contextual menu) on the private key associated with the certificate(s) you've added. – Respite
Have you filed a Radar, and if so is it worth mentioning the number here so it can be duped? – Respite
I haven't filed a Radar yet. I'll update with the number when I do. – Leavy
I followed the above procedure twice. It works. But it has some interesting side effects. In one case, I had to reboot twice instead of once. I had to re-add the Xcode app in the Xcode service of the Server. The latter action creates 3 ghost "Admin" accounts in the system. Since one, after a 'switch user', revealed itself to be "xcsbuildd", I tried to restart the whole procedure without adding in the Access Rights of the private key. The archive still succeeds, but my 3 ghost accounts are still created at the time of adding the Xcode app to Server.app. Deleting the ghosts immediately prevents the bots from functioning. – Abstinence
Works for me! Thanks. As a note to others, I combined this with this answer below (stackoverflow.com/a/25980385) omitting the use of the KeychainAccess GUI. Importing the identity was more stable using the CLI for my part. – Sargassum
6

This answer from Matt Moriarity brought me to a solution: https://devforums.apple.com/message/1022214#1022214

I just re-connected the build server with our development team. This made the Xcode service re-initialize all certificates and provisioning profiles it needs. Now the integration builds run without errors.

  1. In Server > Xcode > Settings > Builds > Development Teams click on Edit...

  2. Remove your development team(s) from the list and press OK

  3. After the Server.app has finished its work, there should be no entry behind "Development Teams" and the list of devices is also empty.

  4. Now open Server > Xcode > Settings > Builds > Development Teams > Edit... again and add your development team

  5. After your team and devices re-appeared, you can start the integration build

It's important not to use your own provisioning profiles. Take the "iOS Developer (Automatic)" setting.

Mcdevitt answered 24/9, 2014 at 10:28 Comment(0)
1

If you had it working with the old OS X Server and Xcode 5, you just do:

$ mv /Library/Developer/XcodeServer/Keychains/Portal.keychain /Library/Developer/XcodeServer/Keychains/Portal.keychain.bkp

$ ln -s /Library/Keychains/System.keychain /Library/Developer/XcodeServer/Keychains/Portal.keychain

The old server used the system keychain.

Kamakura answered 22/9, 2014 at 7:54 Comment(1)
This worked for me as well. The sign out and sign back in process did not work for me. – Siding
1

When you export a .p12 file Keychain Access will ask you for a password. Try adding the password for the p12 file to your command. Like so,

sudo security import "/Users/administrator/Desktop/Greener Pastures Enterprise Distribution TEST Certificate.p12" -P PASSWORD -k /Library/Developer/XcodeServer/Keychains/Portal.keychain -A -T /usr/bin/codesign -T /usr/bin/xcodebuild -T /usr/bin/pkgbuild

I have a script on our build server that imports p12 files from a drop off folder. The import line looks like this:

security import $_ -k /Library/Developer/XcodeServer/Keychains/Portal.keychain -P PASSWORD -A

Lipase answered 22/9, 2014 at 18:3 Comment(2)
Great work! I combined the response from eik above (stackoverflow.com/a/25934218) with this one for a successful approach. I found that importing the identity using the CLI was more reliable. – Sargassum
I got this to work by first unlocking the Portal keychain: sudo security unlock-keychain -p 'cat /Library/Developer/XcodeServer/SharedSecrets/PortalKeychainSharedSecret' /Library/Developer/XcodeServer/Keychains/Portal.keychain (replace ' with ` in the cat command) – Formyl
0

I had the same issue. I fixed it with the following method:

Xcode > Preferences > Accounts > View Details > And just refresh the Provisioning Profile

Then restart Xcode and Clean & Build.


Otherworld answered 21/10, 2014 at 7:40 Comment(0)
0

For OS X Server 4.0 and Xcode 6.1 there is a much easier way:

  1. Open your project with Xcode on the server, add your developer account to "Accounts" and download all required provisioning profiles.

  2. Copy your provisioning profiles from /Users//Library/MobileDevices/Provisioning Profiles/ into /Library/Developer/XcodeServer/ProvisioningProfiles/

  3. Give read and write access for administrators for the folder /Library/Developer/XcodeServer/ProvisioningProfiles/

  4. Open Keychain Access, double-click on the provisioning profile keys (for example iOS Developer: XY) and allow access for all apps.

Done.

Lytta answered 18/11, 2014 at 15:21 Comment(0)
0
  1. Install certificates (*.p12) to the keychain on the machine with Xcode server
  2. In Keychain.app copy "Login-My Certificates" to "System-My Certificates"
Nessi answered 22/6, 2015 at 21:2 Comment(0)
