I've been working with GitHub Actions lately and am having trouble importing a .p12 certificate into build.keychain. I'm getting the following error:
/Users/runner/work/_temp/47c4b40a-b302-4da8-a26c-562eaae4c0ee.sh: line 1: ./provisioning/import_provisioning.sh: Permission denied
Error: Process completed with exit code 1.
After struggling for many hours, I even tried running this script manually in my terminal and everything seems to work fine! I rechecked whether my passwords are wrong and whether I'm able to access them. I think I'm able to access my GitHub secret properly. Any idea why this may be happening?
Here is my shell script file
import_provisioning.sh
gpg --quiet --batch --yes --decrypt --passphrase="$PROVISIONING_PASSWORD" --output provisioning/AppStoreCertificates.p12 provisioning/AppStoreCertificates.p12.gpg
gpg --quiet --batch --yes --decrypt --passphrase="$PROVISIONING_PASSWORD" --output provisioning/demo.mobileprovision provisioning/demo.mobileprovision.gpg
mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
echo "List profiles"
ls ~/Library/MobileDevice/Provisioning\ Profiles/
echo "Move profiles"
cp provisioning/*.mobileprovision ~/Library/MobileDevice/Provisioning\ Profiles/
echo "List profiles"
ls ~/Library/MobileDevice/Provisioning\ Profiles/
security create-keychain -p "" build.keychain
security import provisioning/AppStoreCertificates.p12 -t agg -k ~/Library/Keychains/build.keychain -P "$PROVISIONING_PASSWORD" -A
security list-keychains -s ~/Library/Keychains/build.keychain
security default-keychain -s ~/Library/Keychains/build.keychain
security unlock-keychain -p "" ~/Library/Keychains/build.keychain
security set-key-partition-list -S apple-tool:,apple: -s -k "" ~/Library/Keychains/build.keychain
In case that's not clear, you can check the GitHub repo for reference: https://github.com/dheerajghub/GithubPipeline/blob/master/provisioning/import_provisioning.sh
I just found out that the problem was the file permission, so I set the file permission and everything seems to be working fine!
git update-index --chmod=+x provisioning/import_provisioning.sh
git commit -m "Changing file permissions"
Related
I'm setting up a CI pipeline for an iOS application using GitHub Actions.
When executing a build command:
xcodebuild \
-workspace xxx.xcworkspace \
-scheme SecureImage \
clean build | xcpretty
It gets stuck on Running script '[CP] Embed Pods Frameworks' until it times out based on the 2 hour time out I've set.
▸ Compiling Main.storyboard
▸ Compiling Albums.storyboard
▸ Processing Info.plist
▸ Running script '[CP] Embed Pods Frameworks'
Error: The operation was canceled.
After a lot of googling, I suspect the only thing it could be is something to do with the keychain, but I can't see what.
This is my script for adding the certificates after decrypting them:
mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
cp ./.github/secrets/Provisioning.mobileprovision ~/Library/MobileDevice/Provisioning\ Profiles/Provisioning.mobileprovision
security create-keychain -p "" ~/Library/Keychains/build.keychain
security import ./.github/secrets/Certificates.p12 -t agg -k ~/Library/Keychains/build.keychain -P "" -A
security list-keychains -s ~/Library/Keychains/build.keychain
security default-keychain -s ~/Library/Keychains/build.keychain
security unlock-keychain -p "" ~/Library/Keychains/build.keychain
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "" ~/Library/Keychains/build.keychain
I'm completely stuck.
I think you need to install pods before building:
- name: Install CocoaPod Dependencies
  run: pod install
I have a slightly different approach for building iOS apps. Instead of putting a bunch of code in the .yaml file, I prefer to put most stuff in a shell script and have a simpler .yaml file... Is there any problem with this approach?
My build gets stuck in the "Build app" step. The other steps work fine.
Intermittently, like once every 15 times, it just magically works, but most of the time it fails. It gets stuck and I can't see the log until I cancel the job, but the log doesn't say anything useful. Running the scripts on my local machine works 100% of the time. It seems to be something very particular to GitHub Actions.
Is there any problem or limitation with using this approach (bash script) in GitHub Actions?
Why would this fail?
I am not using fastlane.
Here is my YAML file:
name: Build iOS
on:
  push:
    branches:
      - master
jobs:
  build:
    runs-on: macOS-latest
    steps:
      - uses: actions/checkout@v2
      - name: Switch XCode Version
        run: sudo xcode-select -s /Applications/Xcode_11.2.app
      - name: Get dependencies
        run: source .github/ios/build.sh && get_dependencies
      - name: Decrypt secrets
        run: source .github/ios/build.sh && decrypt_secrets ${{ secrets.SECRET_KEY }}
        env:
          SECRET_KEY: ${{ secrets.SECRET_KEY }}
      - name: Set up code signing
        run: source .github/ios/build.sh && setup_code_signing
      - name: Build app
        run: source .github/ios/build.sh && build_app
      - name: Upload artifacts
        run: source .github/ios/build.sh && upload_artifacts
and the script
#!/bin/bash
PROVISIONING_PROFILE="MyApp"
CODE_SIGN_IDENTITY="Apple Development: MyApp (XXXXXXXXXX)"
DOMAIN="MyApp.com"
PRODUCT_BUNDLE_IDENTIFIER="com.MyApp.app"
# Get dependencies
function get_dependencies()
{
yarn
cd ios
pod install
cd ..
}
function decrypt
{
INPUT=$1
OUTPUT="${1%.*}"
openssl aes-256-cbc -salt -a -d -in $INPUT -out $OUTPUT -pass pass:$SECRET_KEY
}
# Decrypt secrets
function decrypt_secrets
{
export SECRET_KEY=$1
decrypt .github/ios/secrets/MyApp.mobileprovision.encrypted
decrypt .github/ios/secrets/MyApp.p12.encrypted
decrypt .github/ssh/id_rsa.encrypted
}
# Set up code signing
function setup_code_signing()
{
mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
# provisioning
cp .github/ios/secrets/MyApp.mobileprovision ~/Library/MobileDevice/Provisioning\ Profiles/$PROVISIONING_PROFILE.mobileprovision
# keychain
security create-keychain -p "MyApp" build.keychain
security import ./.github/ios/secrets/MyApp.p12 -t agg -k ~/Library/Keychains/build.keychain -P "" -A
security list-keychains -s ~/Library/Keychains/build.keychain
security default-keychain -s ~/Library/Keychains/build.keychain
security unlock-keychain -p "MyApp" ~/Library/Keychains/build.keychain
security set-key-partition-list -S apple-tool:,apple: -s -k "MyApp" ~/Library/Keychains/build.keychain
}
# Build
function build_app()
{
# dev environment
echo "API_URL=https://backend.$DOMAIN/" > .env
# build number
BUILD_NUMBER=${GITHUB_RUN_NUMBER:-1}
# ExportOptions.plist
sed -e "s/__BUILD_NUMBER__/$BUILD_NUMBER/g" \
-e "s/__PRODUCT_BUNDLE_IDENTIFIER__/$PRODUCT_BUNDLE_IDENTIFIER/g" \
-e "s/__CODE_SIGN_IDENTITY__/$CODE_SIGN_IDENTITY/g" \
.github/ios/ExportOptions.plist > ios/ExportOptions.plist
cd ios
set -e
set -o pipefail
# archive
xcodebuild archive \
-workspace MyApp.xcworkspace \
-scheme MyApp \
-sdk iphoneos13.2 \
-configuration Release \
-archivePath "$PWD/build/MyApp.xcarchive" \
PRODUCT_BUNDLE_IDENTIFIER="$PRODUCT_BUNDLE_IDENTIFIER" \
PROVISIONING_PROFILE="$PROVISIONING_PROFILE" \
CODE_SIGN_IDENTITY="$CODE_SIGN_IDENTITY" \
CURRENT_PROJECT_VERSION="$BUILD_NUMBER"
# export
xcodebuild \
-exportArchive \
-archivePath "$PWD/build/MyApp.xcarchive" \
-exportOptionsPlist "$PWD/ExportOptions.plist" \
-exportPath "$PWD/build"
}
# Upload artifacts
function upload_artifacts()
{
chmod 600 .github/ssh/id_rsa
BUILD_PATH="www/app/builds/$GITHUB_RUN_NUMBER"
ssh -i .github/ssh/id_rsa -o 'UserKnownHostsFile=/dev/null' -o 'StrictHostKeyChecking=no' ubuntu@MyApp.dev "mkdir -p $BUILD_PATH"
scp -i .github/ssh/id_rsa -o 'UserKnownHostsFile=/dev/null' -o 'StrictHostKeyChecking=no' -r ios/build/Apps/* ubuntu@MyApp.dev:$BUILD_PATH
scp -i .github/ssh/id_rsa -o 'UserKnownHostsFile=/dev/null' -o 'StrictHostKeyChecking=no' -r ios/build/manifest.plist ubuntu@MyApp.dev:$BUILD_PATH
}
Most of the time, the log gets stuck on this line:
/usr/bin/codesign --force --sign F4D55F28BEBE840ADF175A67B471FFBF2E27B222 --entitlements /Users/runner/Library/Developer/Xcode/DerivedData/MyApp-fhnolcbrhrsoglcxtgrffszyvmwz/Build/Intermediates.noindex/ArchiveIntermediates/MyApp/IntermediateBuildFilesPath/MyApp.build/Release-iphoneos/MyApp.build/MyApp.app.xcent --timestamp=none /Users/runner/Library/Developer/Xcode/DerivedData/MyApp-fhnolcbrhrsoglcxtgrffszyvmwz/Build/Intermediates.noindex/ArchiveIntermediates/MyApp/InstallationBuildProductsLocation/Applications/MyApp.app
Kudos to the answers from here:
Jenkins - Xcode build works codesign fails
The problem that happened to me is that I was trying to follow only the first answer from Jamieson (the accepted one), but maybe it is not up to date anymore.
I used the answer from Stephen Quan and it worked perfectly!
My final keychain part now is:
# Create temporary keychain
KEYCHAIN="MyApp$$.keychain"
KEYCHAIN_PASSWORD="MyApp"
security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
# Append keychain to the search list
security list-keychains -d user -s "$KEYCHAIN" $(security list-keychains -d user | sed s/\"//g)
security list-keychains
# Unlock the keychain
security set-keychain-settings "$KEYCHAIN"
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN"
# Import certificate
security import .github/ios/secrets/MyApp.p12 -k "$KEYCHAIN" -P "" -T "/usr/bin/codesign"
# Detect the iOS identity
IOS_IDENTITY=$(security find-identity -v -p codesigning "$KEYCHAIN" | head -1 | grep '"' | sed -e 's/[^"]*"//' -e 's/".*//')
IOS_UUID=$(security find-identity -v -p codesigning "$KEYCHAIN" | head -1 | grep '"' | awk '{print $2}')
# New requirement for MacOS 10.12+
security set-key-partition-list -S apple-tool:,apple: -s -k $KEYCHAIN_PASSWORD $KEYCHAIN
I'm receiving the error below while trying to build my iOS app. This error only occurs while building for the Release configuration. Also, I'm using CocoaPods for my third-party dependencies and these builds are running on Jenkins through SSH.
SecKey API returned: -25308, (null)/Users/iosbuilder/Library/Developer/Xcode/DerivedData/*/Build/Intermediates/ArchiveIntermediates/Production/InstallationBuildProductsLocation/Applications/*.app/Frameworks/AFNetworking.framework:
unknown error -1=ffffffffffffffff
Command /bin/sh failed with exit code 1
I've tried unlocking the keychain on the build server to make sure there isn't a UI block for keychain permissions, but the issue still persists...
Any idea why this is occurring and how I might fix the issue?
It is a keychain access issue. Solution is Here
With the code in the link you can try to execute that in shell on the build config of the project
You can use the security command to lookup the error code.
In this case, it says "User interaction not allowed".
This is typical if you're trying to sign your app via SSH, a script, or through Jenkins.
security error -25308
Error: 0xFFFF9D24 -25308 User interaction is not allowed.
You need to do a security command to enable codesigning of your application through a non interactive shell:
security set-key-partition-list -S apple: -k <Password> -D <Identity> -t private <your.keychain>
Here is a "complete" Jenkins / SSH friendly script for signing your app:
MY_KEYCHAIN="temp.keychain"
MY_KEYCHAIN_PASSWORD="secret"
CERT="certificate.p12"
CERT_PASSWORD="certificate secret"
security create-keychain -p "$MY_KEYCHAIN_PASSWORD" "$MY_KEYCHAIN" # Create temp keychain
security list-keychains -d user -s "$MY_KEYCHAIN" $(security list-keychains -d user | sed s/\"//g) # Append temp keychain to the user domain
security set-keychain-settings "$MY_KEYCHAIN" # Remove relock timeout
security unlock-keychain -p "$MY_KEYCHAIN_PASSWORD" "$MY_KEYCHAIN" # Unlock keychain
security import $CERT -k "$MY_KEYCHAIN" -P "$CERT_PASSWORD" -T "/usr/bin/codesign" # Add certificate to keychain
CERT_IDENTITY=$(security find-identity -v -p codesigning "$MY_KEYCHAIN" | head -1 | grep '"' | sed -e 's/[^"]*"//' -e 's/".*//') # Programmatically derive the identity
CERT_UUID=$(security find-identity -v -p codesigning "$MY_KEYCHAIN" | head -1 | grep '"' | awk '{print $2}') # Handy to have UUID (just in case)
security set-key-partition-list -S apple-tool:,apple: -s -k $MY_KEYCHAIN_PASSWORD -D "$CERT_IDENTITY" -t private $MY_KEYCHAIN # Enable codesigning from a non user interactive shell
### INSERT BUILD COMMANDS HERE ###
security delete-keychain "$MY_KEYCHAIN" # Delete temporary keychain
Shout out to Bochun Bai for spending 3 weeks with Apple support to find the solution to the -25308 issue and posting it to https://sinofool.net/blog/archives/322
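The temporary-keychain procedure from the answer above, wrapped so that the keychain is deleted and the search list restored even when the build command fails, with a per-run random keychain password and key access limited to /usr/bin/codesign through -T rather than -A. This is an added example, not code from the original answer; with_temp_keychain and its variable names are hypothetical.

```bash
#!/bin/bash
# Added example, not code from the answers on this page. with_temp_keychain and
# its variable names are hypothetical; the `security` subcommands and flags are
# the ones already used in the scripts above.
# Usage: with_temp_keychain certificate.p12 "$CERT_PASSWORD" xcodebuild ...
with_temp_keychain() {
    cert=$1
    cert_password=$2
    shift 2                                   # the rest is the build command
    keychain="ci-$$.keychain"
    # Per-run random keychain password instead of a fixed or empty one.
    keychain_password=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    # Save the current search list (assumes no spaces in keychain paths).
    saved_list=$(security list-keychains -d user | sed 's/"//g')
    status=0
    {
        security create-keychain -p "$keychain_password" "$keychain" &&
        # Prepend the temporary keychain to the user search list.
        security list-keychains -d user -s "$keychain" $saved_list &&
        security set-keychain-settings "$keychain" &&   # no relock timeout
        security unlock-keychain -p "$keychain_password" "$keychain" &&
        # -T limits key access to codesign; -A would allow every application.
        security import "$cert" -k "$keychain" -P "$cert_password" \
            -T /usr/bin/codesign &&
        # Lets codesign use the key from a non-interactive shell (see -25308).
        security set-key-partition-list -S apple-tool:,apple: -s \
            -k "$keychain_password" "$keychain" >/dev/null &&
        "$@"
    } || status=$?
    # Cleanup runs whether the build command succeeded or failed.
    security list-keychains -d user -s $saved_list
    security delete-keychain "$keychain"
    return "$status"
}
```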
Just restarted my machine. And it worked.
▸ Check Dependencies
❌ Code Sign error: No code signing identities found: No valid signing identities (i.e. certificate and private key pair) were found.
I'm configuring Keychains in the following way:
security create-keychain -p travis ios-build.keychain
# Make the custom keychain default, so xcodebuild will use it for signing
security default-keychain -s ios-build.keychain
# Unlock the keychain
security unlock-keychain -p travis ios-build.keychain
# Set keychain timeout to 1 hour for long builds
security set-keychain-settings -t 3600 -l ~/Library/Keychains/ios-build.keychain
# Add certificates to keychain and allow codesign to access them
security import scripts/certs/apple.cer -k ~/Library/Keychains/ios-build.keychain -T /usr/bin/codesign
# security import scripts/certs/distribution.cer -k ~/Library/Keychains/ios-build.keychain -T /usr/bin/codesign
security import scripts/certs/distribution.p12 -k ~/Library/Keychains/ios-build.keychain -P {pass} -T /usr/bin/codesign
echo "list keychains: "
security list-keychains
echo " ****** "
echo "find indentities keychains: "
security find-identity -p codesigning ~/Library/Keychains/ios-build.keychain
echo " ****** "
# Put the provisioning profile in place
mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
cp "scripts/certs/AdHoc.mobileprovision" ~/Library/MobileDevice/Provisioning\ Profiles/
cp "scripts/certs/AppStore.mobileprovision" ~/Library/MobileDevice/Provisioning\ Profiles/
Does anyone have ideas on how to fix it?
Line:
# security import scripts/certs/distribution.cer -k ~/Library/Keychains/ios-build.keychain -T /usr/bin/codesign
Doesn't affect the result.
It's a perfectly working script. The problem was something else in Travis CI.
But that line needs to be uncommented:
security import scripts/certs/distribution.cer -k ~/Library/Keychains/ios-build.keychain -T /usr/bin/codesign
.travis.yml is validated.
The Travis CI build succeeded.
Xcode 7.1.1, Mac OSX El Capitan 10.11 Beta
fir:http://fir.im
I did this following the process from: https://www.objc.io/issues/6-build-tools/travis-ci/#encrypt-certificates-and-profiles
** BUILD SUCCEEDED **
Then I tried to deploy to fir and received this from Travis CI:
/Users/travis/build.sh: line 41: ./scripts/sign-and-upload.sh: Permission denied
I thought the file "sign-and-upload.sh" didn't have permission, so I gave these files the appropriate permissions:
before_install:
  - chmod +x scripts/add-key.sh
  - chmod +x scripts/remove-key.sh
But it still failed.
This is the add-key.sh:
#!/bin/sh
security create-keychain -p travis ios-build.keychain
security default-keychain -s ios-build.keychain
security unlock-keychain -p travis ios-build.keychain
security set-keychain-settings -t 3600 -l ~/Library/Keychains/ios-build.keychain
security import ./scripts/certs/apple.cer -k ~/Library/Keychains/ios-build.keychain -T /usr/bin/codesign
security import ./scripts/certs/dist.cer -k ~/Library/Keychains/ios-build.keychain -T /usr/bin/codesign
security import ./scripts/certs/dist.p12 -k ~/Library/Keychains/ios-build.keychain -P 123 -T /usr/bin/codesign
mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
cp ./scripts/profile/$PROFILE_NAME.mobileprovision ~/Library/MobileDevice/Provisioning\ Profiles/
You are right that sign-and-upload.sh needs execute permission. But your response was to change some different files! You need to add
- chmod +x scripts/sign-and-upload.sh
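Both "Permission denied" failures on this page (import_provisioning.sh under GitHub Actions and sign-and-upload.sh under Travis CI) come from a script that has no executable bit when CI checks it out. The following added example, which is not from the original posts, flags such scripts from `git ls-files --stage` output before the pipeline reaches them; the function names and the sample index are constructed for illustration.

```bash
#!/bin/bash
# Added example, not code from the posts on this page; the function names are
# hypothetical. Input is the text printed by `git ls-files --stage`, one entry
# per line: <mode> <object id> <stage> TAB <path>.
TAB=$(printf '\t')

# Print every tracked *.sh path whose index mode is not 100755. Such a script
# is checked out without the executable bit, so `./script.sh` fails with
# "Permission denied" on a fresh CI checkout.
find_nonexec_scripts() {
    while IFS="$TAB" read -r meta path; do
        mode=${meta%% *}
        case "$path" in
            *.sh) [ "$mode" = "100755" ] || printf '%s\n' "$path" ;;
        esac
    done
}

# Return non-zero and name the fix when any script lacks the executable bit.
check_script_modes() {
    bad=$(find_nonexec_scripts)
    if [ -n "$bad" ]; then
        printf 'not executable in the git index:\n%s\n' "$bad" >&2
        printf 'fix: git update-index --chmod=+x <path>, then commit\n' >&2
        return 1
    fi
}

# Constructed sample of `git ls-files --stage` output (object ids are dummies).
SAMPLE_INDEX=$(printf '%s\t%s\n' \
    "100644 0000000000000000000000000000000000000001 0" "provisioning/import_provisioning.sh" \
    "100755 0000000000000000000000000000000000000002 0" "scripts/add-key.sh" \
    "100644 0000000000000000000000000000000000000003 0" "scripts/sign-and-upload.sh" \
    "100644 0000000000000000000000000000000000000004 0" "README.md")

# In a repository: git ls-files --stage | check_script_modes
```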