Jenkins on OS X: xcodebuild gives Code Sign error

Question

Summary:

Setting up Jenkins on OS X has been made significantly easier with the most recent installer (as of 1.449 - March 9, 2012), however managing the pr

Answer 1

If you have sudo, you can use passwd to change the Jenkins user's password. Then you can get the Jenkins password.

Also, I'm not sure if this is the issue for you, but the ANT Script I use via Jenkins has this :

<target name="unlock_keychain">
    <exec executable="security">
        <arg value="-v"/>
        <arg value="unlock-keychain"/>          
        <arg value="-p"/>
        <arg value="<My Password>"/>
        <arg value="/Users/macbuild/Library/Keychains/login.keychain"/>
    </exec>
</target>

Answer 2

Could also install & launch JenkinsCI as a OS X user instead of a daemon:

1. install jenkins using the official installer (https://jenkins-ci.org/)
   • Click next
   • Click "Customize"
   • Unselect "Start at boot as 'jenkins'" - * IMPORTANT * this option normally allows a headless jenkins which doesn't work well with keychain access
2. Launch http://127.0.0.1:8080
   • verify it DOESN'T launch
   • may need to stop jenkins sudo launchctl unload /Library/LaunchDaemons/org.jenkins-ci.plist
3. Double click /Applications/Jenkins/jenkins.war
   • of course this should be automated to start @ start up
4. Open http://127.0.0.1:8080
   • verify it's now running

Answer 3

Suppose you also want to do ad hoc distribution through Jenkins, this necessitates that Jenkins has access to a Distribution certificate, and the team admin identity, in addition to the provisioning profiles.

Using an exported identity in a .cer file, you can programmatically import it like so, the -A switch is to allow all programs access to this entry. Alternatively, you could use several -T /path/to/program switches to allow codesign and xcodebuild access.:

$ security import devcertificate.cer -k jenkins.keychain -A

Of course, we should also have the Apple WWDCRA certificate, imported in pretty much the same way:

$ security import AppleWWDRCA.cer -k jenkins.keychain -A

However, we also need the private key for the devcertificate.cer. To do this, you need to export the corresponding private key as a .p12 key and set a password. Put it somewhere you can access it from your Jenkins shell, unlock the keychain, and import it:

$ security unlock-keychain -p YourKeychainPass jenkins.keychain
$ security import devprivatekey.p12 -k login.keychain -P ThePasswordYouSetWhenExporting -A

Importing the distribution certificate works the same way. I don't know why you need to unlock the keychain for importing a .p12 and not for a .cer, but well.

You will also need access to the provisioning profiles, I will edit those instructions into this post shortly.

Answer 4

For people having problems with keychains, I would recommend you try my alternative Jenkins installer at https://github.com/stisti/jenkins-app, downloads at https://github.com/stisti/jenkins-app/downloads

Jenkins.app runs Jenkins in your user session, so keychain access issues are not an issue :)

Answer 5

For some reason, "security" utility wasn't working for me on Lion with fresh Jenkins install.

After "sudo su jenkins" it was able to create new keychain, but silently ignored all "default-keychain -s ..." or "unlock" commands returning zero exit status and printing nothing to the console. Listing default or login keychains gave nothing, keychains search list was containing only system keychain, and I couldn't change this whatever I type.

After I logged in to that user's desktop and launched Keychain Utility, it did show my created keychain and after that everything worked as described in upper posts.

I am wondering whether some of initial keychains behavior changed in Lion, or am I missing something?