Login/Register
CLI: Switch keychains in order to sign an xcodebuild
Asked Answered
Solved xcodecode-signingkeychainxcodebuildcodesign
W

3

14

I am trying to switch on a certain keychain, and close another one. I need this because our enterprise & appstore identities are called the same.

Right now, I do a "security unlock-keychain" followed by a "security default-keychain" to open the correct keychain and do a "security lock-keychain" on the keychain I wish not to use.

But xcodebuild still sees the entries in both keychains and gives up.

iPhone Distribution: Company name.: ambiguous (matches "iPhone Distribution: Company name." in /Users/user/Library/Keychains/login.keychain and "iPhone Distribution: Company name" in /Users/user/Library/Keychains/enterprise.keychain)

How do I prevent the system from finding the entry in the keychain that I lock?

Wharfinger answered 16/12, 2011 at 14:50 Comment(0)
W
3

Solution: I've put all the appstore related stuff in the login keychain, and the enterprise stuff in a seperate keychain file.

In the buildscript, I switch between those as follows:

    # 1. Only activate the System and either the Appstore(=login) or Enterprise keychain.
security list-keychains -s $KEYCHAIN_NAME $SYSTEM_KEYCHAIN

# 2. Loop through App Schema's
for APP_SCHEME in ${APP_SCHEMES[@]}; do
    echo "--=  Processing $APP_SCHEME  =--"
    xcodebuild -scheme "${APP_SCHEME}" archive
done ### Looping through App Schema's

# 3. Restore login & system keychains
security list-keychains -s $APPSTORE_KEYCHAIN $ENTERPRISE_KEYCHAIN $SYSTEM_KEYCHAIN
Wharfinger answered 19/12, 2011 at 14:5 Comment(1)
However, this is potentially not desired option in case of parallel builds, when tasks may switch incorrect keychain concurrently. I would still prefer PackageApplication script taking option to set preferred keychain for the certificate lookup.Letrice
G
14

You can tell Xcode which keychain to use:

xcodebuild "OTHER_CODE_SIGN_FLAGS=--keychain '$PATH_TO_KEYCHAIN'"

Or, if you call codesign directly:

codesign --keychain "$PATH_TO_KEYCHAIN"

If you use PackageApplication, there isn't a way to set this. However, PackageApplication is a pretty simple script that can be reimplemented if necessary (very useful if you're integrating with a larger system/script).

Goatherd answered 27/11, 2013 at 4:1 Comment(2)
Sounds cool. I'll give that a try. Do the specified keychains need to be loaded in the keychain application, or is their presence on the file system enough?Wharfinger
I don't think the keychain needs to be added to the keychain application, but I'm not sure.Goatherd
W
3

Solution: I've put all the appstore related stuff in the login keychain, and the enterprise stuff in a seperate keychain file.

In the buildscript, I switch between those as follows:

    # 1. Only activate the System and either the Appstore(=login) or Enterprise keychain.
security list-keychains -s $KEYCHAIN_NAME $SYSTEM_KEYCHAIN

# 2. Loop through App Schema's
for APP_SCHEME in ${APP_SCHEMES[@]}; do
    echo "--=  Processing $APP_SCHEME  =--"
    xcodebuild -scheme "${APP_SCHEME}" archive
done ### Looping through App Schema's

# 3. Restore login & system keychains
security list-keychains -s $APPSTORE_KEYCHAIN $ENTERPRISE_KEYCHAIN $SYSTEM_KEYCHAIN
Wharfinger answered 19/12, 2011 at 14:5 Comment(1)
However, this is potentially not desired option in case of parallel builds, when tasks may switch incorrect keychain concurrently. I would still prefer PackageApplication script taking option to set preferred keychain for the certificate lookup.Letrice
A
0

Another solution for xcode version 6 and below: specify your certificate by SHA1 instead of by (ambiguous) name. From "man codesign":

 If identity consists of exactly forty hexadecimal digits, it is instead
 interpreted as the SHA-1 hash of the certificate part of the desired iden-
 tity.  In this case, the identity's subject name is not considered.

And from "security help find-certificate"

-Z  Print SHA-1 hash of the certificate

Unfortunately, this method requires using the PackageSign script, which has been deprecated in Xcode 7

Antiphonary answered 30/5, 2013 at 19:37 Comment(3)
Sounds promising... But I don't see how I can specify a SHA1 in xcode. I would probably have to do the signing by a script. Anyway, thanks for the hint. I'll digg into this to see if it can help us out.Wharfinger
@P5ych0 Sorry, didn't see this until now. Yes, we do the signing in script, eg with "xcrun -sdk iphoneos PackageApplication --sign <SHA1> --embed <provisioning profile>"Antiphonary
But as I can see in the PackageApplication script, there are snippets checking the --sign parameter to match "iPhone Distribution", so I gues using SHA-1 is not feasible unless this buggy script is hacked.Letrice

© 2022 - 2024 — McMap. All rights reserved.