I have a problem using the Export function in Xcode ("Your account already have distribution certificate"), so I used the solution with xcodebuild. It produces an IPA file, but I see this in the console:
### Checking original app
+ /usr/bin/codesign --verify -vvvv /.../My.app
Program /usr/bin/codesign returned 1 : [/.../My.app: resource envelope is obsolete
]
Codesign check fails : /.../My.app: resource envelope is obsolete
Is it a problem from my side and how to solve it?
If you are using Mac OSX 10.9.5 or later, then there is an issue with OS codesigning with V2 signature.
So, use the --no-strict flag with codesign --verify to get over this error.
If you're using PackageApplication to create an .ipa file, then edit the PackageApplication Perl script using the vi PackageApplication command and update the codesign function occurrences to pass the "--no-strict" parameter.
Example:
my $result = runCmd("/usr/bin/codesign", "--verify", "--no-strict", "-vvvv", $plugin);
I was facing the same and got the following response from the Apple Dev Team. The issue is resolved for me.
The command line tool "codesign" has changed in 10.9.5 and 10.10, you need to pass the "--no-strict" option to the command (the problem has been reported and will be fixed).
To work around the problem, please save a copy and modify PackageApplication to pass "--no-strict" to codesign. You can locate PackageApplication by running the following:
xcrun -sdk iphoneos -f PackageApplication
I have a jenkins server connecting to a remote mac mini through ssh to execute a shell script that has to build an IPA from a unity project.
When the shell script is executed locally on the mac mini everything goes fine. But when the shell script is run from jenkins (with the exact same parameters and the same user) it fails codesigning the archive.
I will share with you the obfuscated shell script as well as the build log.
Thank you for your help in advance.
The shell script :
#!/bin/bash
# Consider directory paths initialized in parameter here
#
#
# Consider git cleaning / fetching commit here
#
#
# Consider environment / version and build name controls here
#
#
# Start Unity Build :
/Applications/Unity2017.4.10f1/Unity.app/Contents/MacOS/Unity -batchmode -quit -projectPath "$SOURCE_PATH" -executeMethod "BuildManager.BuildPlayer" -logFile "$BUILD_LOG_FILE" -buildEnvironment "$ENVIRONMENT" -buildPlatform "IOS" -buildPath "$TARGET_BUILD_DIR" -overrideVersion "$OVERRIDE_VERSION"
if [ ! -d "${TARGET_BUILD_DIR}/Unity-iPhone.xcodeproj" ]
then
    echo "[ERR]Exporting unity project to Xcode failed."
    exit 1
else
    echo "Build successful"
fi
#
#
# Consider initializing a param for the provisioning profile file path
#
#
# Consider initializing a param for the plist file path
# quote the path and stop if the directory cannot be entered
cd "$TARGET_BUILD_DIR" || exit 1
# archive generated xcode project
xcodebuild -scheme "Unity-iPhone" -archivePath "${DEPLOY_DIR_ROOT}/${BUILD_NAME}_${FILE_FORMAT_VERSION}/archive.xcarchive" -sdk iphoneos -configuration Release PROVISIONING_PROFILE="${PROVISIONING_PROFILE_PATH}" archive
if [ $? != 0 ]; then
    echo "FAILED ARCHIVING XCODE PROJECT"
    exit 1
fi
# export ipa from archive
xcodebuild -exportArchive -archivePath "${DEPLOY_DIR_ROOT}/${BUILD_NAME}_${FILE_FORMAT_VERSION}/archive.xcarchive" -exportOptionsPlist "${PLIST_PATH}" -exportPath "${DEPLOY_DIR_ROOT}/${BUILD_NAME}_${FILE_FORMAT_VERSION}"
if [ $? != 0 ]; then
    echo "FAILED EXPORTING IPA FROM ARCHIVE"
    exit 1
fi
#
# Section reserved for uploading the ipa to relevant remote storage
#
exit 0
So everything works like a charm (even the build can be installed on a device) when the shell script is run locally from the terminal on the mac mini.
When it comes to running the shell script remotely through ssh, it fails to codesign the archive. The user used over ssh is the same as the one used locally to run the script.
Here is the error :
CodeSign
/#######/Library/Developer/Xcode/DerivedData/Unity-iPhone-#########/Build/Intermediates.noindex/ArchiveIntermediates/Unity-iPhone/InstallationBuildProductsLocation/Applications/#########.app
(in target: Unity-iPhone) cd /#########/xcodeProjPath export
CODESIGN_ALLOCATE=/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate
Signing Identity: "#########" Provisioning Profile: "iOS Team
Provisioning Profile: #########"
(#########)
/usr/bin/codesign --force --sign ######### --entitlements
/#########/Library/Developer/Xcode/DerivedData/Unity-iPhone-#########/Build/Intermediates.noindex/ArchiveIntermediates/Unity-iPhone/IntermediateBuildFilesPath/Unity-iPhone.build/Release-iphoneos/Unity-iPhone.build/#########.app.xcent
--timestamp=none /#########/Library/Developer/Xcode/DerivedData/Unity-iPhone-#########/Build/Intermediates.noindex/ArchiveIntermediates/Unity-iPhone/InstallationBuildProductsLocation/Applications/#########.app
/#########/Library/Developer/Xcode/DerivedData/Unity-iPhone-#########/Build/Intermediates.noindex/ArchiveIntermediates/Unity-iPhone/InstallationBuildProductsLocation/Applications/#########.app:
errSecInternalComponent
Command CodeSign failed with a nonzero exit code
** ARCHIVE FAILED **
I'm kind of stuck right now since all my attempts didn't work at all ...
Thank you in advance for your help.
EDIT:
mac mini on macOS High Sierra Version 10.13.6 (17G65)
xcode Version 10.0 (10A255)
Ok so for all of you guys struggling around this tricky subject (totally invisible if we don't know enough about macOS), there is a kind of security system that still makes the difference between a local user and a remote access to a user.
So the keychain handling your keys and certificates (used by codesign to sign your build) is not usable out of the box for the remote user. It needs to be unlocked first!!!
To know about the available keychains on your system just type in on your terminal :
security list-keychains
You should see something like :
"/Users/'YOURUSER'/Library/Keychains/login.keychain-db"
"/Library/Keychains/System.keychain"
And you guessed it right there, you have to unlock the keychain of your user! Just run this:
security unlock-keychain -p 'USER_PASSWORD' 'PATH_TO_USER_KEYCHAIN'
And that's it.
N.B:
Please let me know if I understood something wrong about all this.
I was trying to parameterize my application build script when I ran into this behaviour:
The app has already been built (with 'cordova build ios --release') and is available.
When calling:
$ xcrun ... -sign "iPhone Developer: XXX" -embed ...
everything goes fine. So far so good :)
Now I instead want to use a variable in the call, like:
$ identity="iPhone Developer: XXX"
$ xcrun ... -sign $identity -embed ...
where I later pass the $identity parameter to my build script.
Doing the 'xcrun ...' like above logically results in the 'codesign' command only getting "iPhone" as parameter, and it fails (of course :)
Thus I'm trying to mask the $identity.
The closest call to success is to use
$ xcrun ... -sign \""$identity"\" -embed ...
which results in a 'codesign' call by xcrun like
$ xcrun ... -sign \""$identity"\" -embed ...
[...]
/usr/bin/codesign ... --sign "iPhone Developer: XXX" ...
Program /usr/bin/codesign returned 1 : ["iPhone Developer: XXX": no identity found
]
Interestingly enough, executing the command directly from the shell (/bin/bash) works okay!?
I tried as well to define $identity already having double quotes, but that runs into the initial behaviour with no quotation at all. Using single quotes in various combinations didn't help either so far.
Any idea why xcrun is getting it wrong? ... Or, how to do it differently?
Like I said: the goal is to have a parameterized build script.
-------- system parameters ---------
$ uname -a
Darwin allianz 13.0.0 Darwin Kernel Version 13.0.0: Thu Sep 19 22:22:27 PDT 2013; root:xnu-2422.1.72~6/RELEASE_X86_64 x86_64
$ xcrun -version
xcrun version 22.
Okay, this weirdness seems to be due to the fact that I assembled the command line like
xcrun -sdk iphoneos PackageApplication $package -o $ipafile -sign \"$identity\" -embed $profile
Assembling the parts (option1 $variable1 option2 $variable2 ... etc.) into just one string first, like
assembledstring="-sdk iphoneos PackageApplication $package -o $ipafile -sign \"$identity\" -embed $profile"
and only then doing a
sh -c "xcrun $assembledstring"
sorts the issue.
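Added example (not part of the original posts): what each quoting form from the question and answer above actually hands to the called program. show_argv is a hypothetical stand-in for xcrun/codesign, and the hostile value is constructed to show that the sh -c form re-parses a build parameter as shell code.

```shell
#!/bin/sh
# show_argv (hypothetical helper) prints every argument it receives in brackets,
# the way xcrun/codesign would see them.
show_argv() {
    for arg in "$@"; do
        printf '[%s]' "$arg"
    done
    printf '\n'
}

identity='iPhone Developer: XXX'       # sample value taken from the question
hostile='XXX"; echo INJECTED; : "'     # constructed hostile build parameter

# Unquoted expansion: the shell word-splits the value, so the callee gets
# "iPhone" as the identity plus two stray arguments.
unquoted() { show_argv -sign $identity -embed profile; }

# Escaped quotes around a quoted expansion: one argument, but the quote
# characters are now part of the identity string ("no identity found").
escaped() { show_argv -sign \""$identity"\" -embed profile; }

# Plain double quotes: one argument, value unchanged. This is the form to use.
quoted() { show_argv -sign "$identity" -embed profile; }

# Assembling one string for `sh -c` makes a second shell parse the value as
# code, so whatever the parameter contains after a closing quote is executed.
reparsed() {
    value=$1
    sh -c "printf '[%s]' -sign \"$value\"; echo"
}

# Passing the value as a positional parameter keeps it data in the child shell.
reparsed_safe() {
    value=$1
    sh -c 'printf "[%s]" -sign "$1"; echo' sh "$value"
}
```

In bash, an array (args=(-sign "$identity"); xcrun ... "${args[@]}") gives the same result as the quoted form when the option list is built up step by step.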
I am using phonegap CLI 3.1 and XCode5. I am trying to generate the build for release mode through Phonegap CLI and Xcrun. I don't want to use Phonegap Build to upload the mobileprovision or whatever the process of them. I want to do it by xcrun to assign the mobileprovison to release build.
1) cordova build ios --release
Compiling app on platform "ios" via command
"/Applications/MAMP/htdocs/MyTest/MyTestApp/platforms/ios/cordova/build" --release
Platform "ios" compiled successfully.
2) sudo xcrun -sdk iphoneos PackageApplication -v "ios/build/emulator/MyTestApp.app" -o "/Users/mymac/Desktop/Testnew/MyTestApp.ipa" --sign "iPhone Distribution: NAME (TEAM_ID)" --embed "MyTestApp_Dis.mobileprovision"
Packaging application: 'ios/build/emulator/MyTestApp.app'
Arguments: embed=MyTestApp_Dis.mobileprovision verbose=1 output=/Users/mymac/Desktop/Testnew/MyTestApp.ipa sign=iPhone Distribution: NAME (TEAM_ID)
Environment variables:
HOME = /Users/mymac
SUDO_GID = 20
SDKROOT = /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS7.0.sdk
VERSIONER_PERL_PREFER_32_BIT = no
MAIL = /var/mail/root
SSH_AUTH_SOCK = /tmp/launch-zsBMC8/Listeners
LANG = en_US.UTF-8
USER = root
LOGNAME = root
__CF_USER_TEXT_ENCODING = 0x0:0:0
USERNAME = root
PATH = /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/local/git/bin
SUDO_USER = mymac
SHELL = /bin/bash
TERM = xterm-256color
SUDO_COMMAND = /usr/bin/xcrun -sdk iphoneos PackageApplication -v ios/build/emulator/MyTestApp.app -o /Users/mymac/Desktop/Testnew/MyTestApp.ipa --sign iPhone Distribution: NAME (TEAM_ID) --embed MyTestApp_Dis.mobileprovision
SUDO_UID = 501
VERSIONER_PERL_VERSION = 5.12
Output directory: '/Users/mymac/Desktop/Testnew/MyTestApp.ipa'
Temporary Directory: '/tmp/W81FhZ9VAH' (will NOT be deleted on exit when verbose set)
+ /bin/cp -Rp ios/build/emulator/MyTestApp.app /tmp/W81FhZ9VAH/Payload
Program /bin/cp returned 0 : []
Checking original app
/usr/bin/codesign --verify -vvvv ios/build/emulator/MyTestApp.app
Program /usr/bin/codesign returned 1 : [ios/build/emulator/MyTestApp.app: code object is not signed at all
In architecture: i386
]
Codesign check fails : ios/build/emulator/MyTestApp.app: code object is not signed at all
In architecture: i386
Done checking the original app
Embedding 'MyTestApp_Dis.mobileprovision'
/bin/rm -rf /tmp/W81FhZ9VAH/Payload/MyTestApp.app/embedded.mobileprovision
Program /bin/rm returned 0 : []
/bin/cp -rp MyTestApp_Dis.mobileprovision /tmp/W81FhZ9VAH/Payload/MyTestApp.app/embedded.mobileprovision
Program /bin/cp returned 0 : []
/usr/bin/codesign -d --entitlements /tmp/W81FhZ9VAH/entitlements_rawixGWnKhi /tmp/W81FhZ9VAH/Payload/MyTestApp.app
Program /usr/bin/codesign returned 1 : [/tmp/W81FhZ9VAH/Payload/MyTestApp.app: code object is not signed at all
]
error: Failed to read entitlements from '/tmp/W81FhZ9VAH/Payload/MyTestApp.app'
Hmmh, I'm having a similar problem like Shashi.
When running 'cordova build ios [--release]' from shell and then doing a 'xcrun ...' afterwards it works for me okay.
BUT: When running this sequence from within a script, I receive a "Codesign check fails ..." error too ...
If I insert (like) a "wait" cycle inside my script between the cordova and the xcrun call, it works.
So - to me - it seems, as if cordova returns to shell while it isn't completely finished (?)
Fact is if I code my script like
#!/bin/bash
cordova build ios --release
sleep 5
sh -c "xcrun ..."
it's working for me.
Question: Is it a bug in cordova/phonegap ???
So, finally I got everything to work okay ... :D
The problem of Jenkins complaining about a failed 'codesign ...' run is a MacOS (configuration) issue
The crucial thing is to allow Jenkins access to the keychain of the system. The allowed access for the login shell of the Jenkins user is different from that of the Jenkins server process running under the Jenkins user account (!)
For now I realize this by running the unlock of the login.keychain within the Jenkins job before running my build script
like: in the Jenkins job for "execute shell"
security unlock-keychain -p password /Users/Shared/Jenkins/Library/Keychains/login.keychain
echo "##### building now ######################"
./buildit.sh ios --release -v
This may not be the 100% nicest solution - but for now it works :P
See as well: Keychain won't unlock from Jenkins script unless user logged in
Meanwhile I found:
Fact is, that - when cordova exits and returns to shell - cordova related activities are NOT completed yet!
It takes a while after the cordova exit, for the 'platforms/ios/AppName/_CodeSignature/CodeResources' file to show up. This file obviously is essential for the 'codesign' which is started by xcrun command to succeed.
So I do in my script (which i call 'buildit.sh')
#!/bin/bash
[...]
cordova build ios --release
signaturefile="platforms/ios/build/device/$appname/_CodeSignature/CodeResources"
echo "DEBUG: signature file is $signaturefile"
# wait until the signature file has been written
while [ ! -f "$signaturefile" ]
do
    echo waiting
    sleep 1
done
xcrun ...
Then the whole build/packaging process in one script succeeds.
However: Running the script from my ContinuousIntegration server Jenkins, I observe that this criteria may be essential, but not enough. From the CI I still get a
/usr/bin/codesign --verify -vvvv [...]
Program /usr/bin/codesign returned 1 : [...] code object is not signed at all
error!??
EDIT (05.12.2013): This is due to the fact that the Jenkins service couldn't access the keychain. E.g. doing in the Jenkins job an unlock of the keychain prior to running the build script sorts it. (May not be the most elegant solution, but at least it proves the problem not to be in the scripting :)
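Added example (not from the original posts) for the keychain unlock described in the SSH answer and the Jenkins answers above: a wrapper that unlocks the keychain, runs the build and locks the keychain again, keeping the password out of the job script and out of the sh -x trace. with_unlocked_keychain is a hypothetical helper; KEYCHAIN_PATH and KEYCHAIN_PASSWORD are assumed variable names that the CI credential store would supply.

```shell
#!/bin/sh
# Assumptions: KEYCHAIN_PATH points at the keychain holding the signing
# identity (the login keychain from the posts, or a dedicated CI keychain) and
# KEYCHAIN_PASSWORD is injected by the CI credential store, not written here.

# Run "$@" with the keychain unlocked, then lock it again whatever the outcome.
with_unlocked_keychain() {
    # Jenkins runs "Execute shell" steps with -x by default; switch tracing
    # off before the password is expanded anywhere, and restore it afterwards.
    case $- in *x*) xtrace=1; set +x ;; *) xtrace=0 ;; esac
    unlock_status=0
    if [ -z "${KEYCHAIN_PATH:-}" ] || [ -z "${KEYCHAIN_PASSWORD:-}" ]; then
        echo "KEYCHAIN_PATH and KEYCHAIN_PASSWORD must be set" >&2
        unlock_status=2
    else
        # -p still puts the password in the argument list of the short-lived
        # security process; it no longer appears in the script or build log.
        security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" ||
            unlock_status=$?
    fi
    if [ "$xtrace" -eq 1 ]; then set -x; fi
    if [ "$unlock_status" -ne 0 ]; then
        echo "keychain not unlocked (status $unlock_status); build not started" >&2
        return "$unlock_status"
    fi
    cmd_status=0
    "$@" || cmd_status=$?
    # Do not leave signing keys usable by later jobs on the same build host.
    security lock-keychain "$KEYCHAIN_PATH" ||
        echo "warning: could not re-lock $KEYCHAIN_PATH" >&2
    return "$cmd_status"
}

# Usage in the job: with_unlocked_keychain ./buildit.sh ios --release -v
```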
In order to skip the code signing you can perform a manual build from the console like this:
xcodebuild clean build CODE_SIGN_IDENTITY="" CODE_SIGNING_REQUIRED=NO
Use additionally the -configuration, -target and -sdk parameters in order to define your build settings.
To Disable Code Signing:
Go to /Applications.
Right click on XCode and select 'Show Package Contents'.
Copy Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS5.1.sdk/SDKSettings.plist to your desktop. (Make sure to actually copy and paste. No drag and drop)
Open it and under DefaultProperties set CODE_SIGNING_REQUIRED to NO.
Copy it back and replace the original file.
Restart XCode.
Open your project.
In Project Navigator select your project and open the Build Settings section of your project (and not any particular target)
Under Code Signing find Code Signing Identity and for both Debug and Release modes set Any iOS SDK to Don't Code Sign.
Now you should be able to build your project without any errors.
To make an IPA:
In 'Project Navigator' select Products
Right click on [NameOfYourProject].app and select 'Show in Finder'.
Create a folder and name it Payload
Move [NameOfYourProject].app to Payload.
Compress Payload and rename it to [NameOfYourProject].ipa
I'm having trouble packaging an app as an IPA with PackageApplication. Codesign verification fails with "does not satisfy its designated Requirement":
+ /usr/bin/codesign --verify -vvvv -R=anchor apple generic and (certificate 1[field.1.2.840.113635.100.6.2.1] exists and (certificate leaf[field.1.2.840.113635.100.6.1.2] exists or certificate leaf[field.1.2.840.113635.100.6.1.4] exists)) /var/folders/8j/n5d5y1bj6wz3l8gs_djqn3400000gn/T/8xonyTiAuP/Payload/Planner.app
Program /usr/bin/codesign returned 3 : [/var/folders/8j/n5d5y1bj6wz3l8gs_djqn3400000gn/T/8xonyTiAuP/Payload/Planner.app: valid on disk
/var/folders/8j/n5d5y1bj6wz3l8gs_djqn3400000gn/T/8xonyTiAuP/Payload/Planner.app: does not satisfy its designated Requirement
/var/folders/8j/n5d5y1bj6wz3l8gs_djqn3400000gn/T/8xonyTiAuP/Payload/Planner.app: explicit requirement satisfied
What requirement is designated here?!?
I'm building with xcodebuild:
xcodebuild -workspace MyWorkspace.xcworkspace -scheme Planner -sdk iphoneos clean build archive
which creates an Xcode archive for me inside ~/Library/Developer/Xcode/Archives. So far so good.
Then I've read that people use PackageApplication but that fails for me:
xcrun -sdk iphoneos PackageApplication -v path/to/Planner.app -o Planner.ipa --sign 9990807058544973D70EA9A9F3BB3949D51C0983 --embed my_profile.mobileprovision
with the above error.
What part am I missing here? Is there another way to do this?
This is Xcode 4.5.
You can check what the designated requirements for your .app file are by running the following command:
codesign -d -r- path/to/file.app
Your output should include a line that starts with designated =>. What follows after are your designated requirements. An example of this output would be:
designated => identifier "com.organization.project" and certificate root = H"abcdef0123456789abcdef0123456789abcdef12"
The -d flag displays information and the -r- flag writes the requirements to stdout.
You can use Apple's page on Code Signing Requirement Language to interpret what these requirements mean.
If you want to narrow down which particular requirement is failing, you can run the tests individually by entering the following command:
codesign -v -R="certificate root = H\"abcdef0123456789abcdef0123456789abcdef12\"" /path/to/file.app
The -v flag performs verification on your app and the -R flag passes in an explicit requirement to test.
I am using xcodebuild command line tool to build iOS app.
After installing Xcode45-DP1 it is automatically using the 6.0 SDK from the new Xcode45-DP1 app bundle for building applications. There are 2 issues when submitting this app to the AppStore.
The app is now automatically built with the latest SDK (6.0), which is not yet supported, so the app cannot be submitted.
SOLUTION: I copied the old-current SDK (5.1) to Xcode45-DP.app and in command line specified -sdk iphoneos5.1
The second problem is that when ApplicationLoader is verifying the app, it sees that the SDK is used from an unsupported version of Xcode (45-DP1) and refuses to upload the app.
SOLUTION: I would like to specify absolute path for SDK, like: xcodebuild -sdk /path/to/5.1sdk...
The problem is that xcodebuild always says that SDK "/path/to/iPhoneOS5.1.sdk/" cannot be located.
Does anyone have experience with how to use an absolute path to the SDK, and what file/directory should it point to?
Thanks in advance.
I have been searching for this for a while as well and there does not appear to be a direct way of getting the full absolute path to a specific SDK. However, if you set the -sdk switch and -find-library for an arbitrary library and strip the last few path parts off you can get the full sdk path like so:
[ 13:02 jon#MacBookPro ~ ]$ export SYS_ROOT=`xcodebuild -sdk iphoneos6.0 -find-library system`
[ 13:02 jon#MacBookPro ~ ]$ echo "${SYS_ROOT/\/usr\/lib\/libsystem.dylib/}"
/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS6.0.sdk
[ 13:02 jon#MacBookPro ~ ]$ export SYS_ROOT=`xcodebuild -sdk iphonesimulator6.0 -find-library system`
[ 13:02 jon#MacBookPro ~ ]$ echo "${SYS_ROOT/\/usr\/lib\/libsystem.dylib/}"
/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/iPhoneSimulator6.0.sdk