Code signing error running XCodeBuild in Jenkins

Question

[Not a duplicate of similar questions as explained further down]

I'm getting a code signing error when running XCodeBuild from within Jenkins but it will build ok from the command line or from within Xcode.

Several people have had this problem in the past and the common theme with them is that Jenkins gets run at launch time as the daemon user and thus tries to access the system keychain. The solutions that people have applied are copying credentials to the system keychain or running a command to set which keychain to use.

However in my case if I look at launchd in the Activity Manager the user is showing up as the user I am logged onto the machine as, therefore Jenkins should be running as this user and not as the daemon user.

I tried setting which keychain to use by adding this command to the Jenkins script before running XCodeBuild

security list-keychains -s /Users/[user]/Library/Keychains/login.keychain

But that did not solve the problem.

The error I am getting is:

Code Sign error: The identity 'iPhone Developer: NNNNN (9TYX5WAM63)' doesn't match any valid, non-expired certificate/private key pair in your keychains"

So I tried moving the credentials to the system keychain but now get this error in Jenkins, but its still fine from the command line:

Code Sign error: Provisioning profile 'F152C66E-B99A-47F6-B262-376CE4403D71' can't be found

Also when I move the credentials to the system keychain I am no longer able to build from within XCOde - I get the same error as the top error message above.

I've also tried editing the org.jenkins-ci.plist file to set the user as who I'm logged onto the machine as, in accordance with this, but that too had no effect.

Missing certificates and keys in the keychain while using Jenkins/Hudson as Continuous Integration for iOS and Mac development

Any ideas what I could try next?

Answer 1

I feel for you as the last time we messed with this it was quite the challenge. We did this when we set up a CI server for a project. If I remember correctly (broadly) we followed these steps:

1) Set Jenkins up as a developer on the Apple Dev account

2) Created a cert and dev provisioning profile specifically for Jenkins

3) Setup a Jenkins user on the CI Server and delete any previous certs/prov profiles from xcode for that user

4) Add the Jenkins cert to the AD-Hoc Dist Profile (If you are trying to distribute an .ipa to HockeyApp you will need to to this for an archive build.)

5) Go into the xcode project file and delete any existing references to Provisioning Profiles

6) Download and Install the certs for this user and the appropriate Prov Profiles.

7) Before the build unlock the Jenkins user keychain. Do this only if the Jenkins user is not the user running the xcode build.

Verify that Xcode shows the Prov Profile as valid in the organiser when logged in as the Jenkins user.

I know my answer is somewhat vague and my intent is to be helpful. This type of error is usually caused by one of three things. Xcode cant find the profile, Xcode cant find the cert or Xcode found more then one profile (supposed to produce a different error but doesn't always) and has a mismatch of some kind. Usually redoing the Prov Profiles is the least painful solution.

Best of luck man. You will solve it it's just a huge headache!

Answer 2

Probably not the answer you are looking for, but i gave up on the XCodeBuild plugin for a number of reasons, and running my build through "Execute Shell" step.

You said your command line build works, so you already know the commands that are required. Just put that into the shell.

xcodebuild -verbose -alltargets -configuration Debug clean build CODE_SIGN_IDENTITY="${CODE_SIGN_IDENTITY}" PROVISIONING_PROFILE=${PROVISIONING_PROFILE}
&&
/usr/bin/xcrun -sdk iphoneos PackageApplication -v "${WORKSPACE}/client_trunk/build/Debug-iphoneos/${Application}.app" -o "${WORKSPACE}/client_trunk/build/Debug-iphoneos/${Application}-Debug-${shortVer}.${revVer}.ipa" --sign "${CODE_SIGN_IDENTITY}" --embed "/Users/[youruser]/Library/MobileDevice/Provisioning Profiles/${PROVISIONING_PROFILE}.mobileprovision"

Above, ${CODE_SIGN_IDENTITY} is the one that looks like iPhone Developer: blah
And ${PROVISIONING_PROFILE} is the hex number for the profile like F152C66E-B99A-47F6-B262-376CE4403D71

Answer 3

Using Jenkins I got this error:

/Users/Shared/Jenkins/Home/jobs/ExampleTabbed-Integration/workspace/build/Debug-iphoneos/ExamplesTabbed.app: User interaction is not allowed.

Command /usr/bin/codesign failed with exit code 1

I fixed it by doing the following:

• Add Build Step before the XCode (jenkins plugin) step

• Add the following as the execute command:

  security unlock-keychain -p "passwordhere" ${HOME}/Library/Keychains/login.keychain

• In the XCode (via plugin) configuration I'm using the following:

  • Unlock Keychaing ? (unchecked)
  • Keychain path: ${HOME}/Library/Keychains/login.keychain
  • Keychain password: (empty)

It might be possible to remove the pre-step and use the actual xcode config to do it, but it's working as described with no problems.

Note this doesn't take into account using a more secure solution yet, but this was my solution to the xcode signing issue. I'm running on OSX with the Jenkins installer and running as a launchctl command, used by the default Jenkins installer application. If that helps.

Answer 4

Follow instruction on the Xcode Plugin home page :

If this prompt is not showing on the build machine, you can force it to appear by running the codesign command that failed from a terminal on the build machine: /usr/bin/codesign --force --sign "iPhone Distribution: .....

Execute failed signing command from the terminal as a Jenkins user and select "Always allow"

Answer 5

Subprocesses of Java/Jenkins will need to have unlocked access to the Keychain.

Let's say your build / code-sign / release process is working fine. The only blocker is when you try running the exact same process in Jenkins.

Chances are that the keychain is locked, not for the user, but for Jenkins sub-processes.

The security command to unlock the keychain will need to be run as a Jenkins job, just once. Even if the same logged in user has already unlocked the keychain in the terminal.

So setup a simple freestyle job in Jenkins and add the following shell command as a build phase.

security unlock-keychain -p PASSWORD /Users/your_username/Library/Keychains/login.keychain-db

(make sure you include the proper PASSWORD and path to login.keychain-db)

Once you've run this job once, try your regular release job again, it should work if you have all the required apple certificates in your login keychain.