Code Sign error when the job is built via Jenkins - jenkins

Referring to Jenkins on OS X: xcodebuild gives Code Sign error and the steps mentioned in Problem 1, step 5:
5.security create-keychain .keychain
When I run this command, it asks for password. I entered my system password.
But it is not accepting. What should be the password here?
Basically, I have installed Jenkins and it has been installed as a separate user under /Users/Shared/Jenkins. Due to being this as a separate user, my code signing fails when I run the build job via Jenkins.

The password is the keychain password, which is usually the same as the password for the user who created the keychain, which is the Jenkins user. It may be possible to use a separate password for this, since you unlock it later in security unlock-keychain step, but I wouldn't bother.
Also, make sure you name the keychain, the line above indicates:
security create-keychain .keychain
you need something like:
security create-keychain signing.keychain

Related

Allow certain apps to access the keychain using command line

I am trying to automate a cert installation on a bunch of different Mac boxes so that I can build on any of them using Jenkins. I've seen that you can do an import:
sudo security import certName -P password
And you can also allow applications to use the keychain at installation time:
sudo security import certName -P password -T /usr/bin/codesign
But is there a way to modify existing installations from the command line so I don't have to reimport all the certs that I have imported already? Or is it okay to just reimport everything by running the second command on all the boxes, and it will just update the existing cert installation?
Basically, the overall problem I'd like to solve is to prevent the prompts asking for passwords every time I run a build that say "codesign would like to access the keychain", etc. And then I have to enter the password and click "Always Allow" to prevent it again. But every time I update the cert, I have to go through this process again.
Has anyone ever automated this entire process before? Installing the cert and allowing apps to access the keychain without prompting for a password.
I'd also be happy with allowing any applications to access the keychain without a password. I'm not sure if a flag like that even exists, but it would be a big help if this was possible.
It seems that these three lines were what I needed (answer found here: security / codesign in Sierra: Keychain ignores access control settings and UI-prompts for permission):
security unlock-keychain -p password kaychainName.keychain
security set-keychain-settings keychainName.keychain
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k password keychainName.keychain

Installing Jenkins the first time and do not know the default user name

I tried using Jenkins or my admin username as user and password. For password, I tried to update using sudo passwd jenkins, so I am fine on that. However, I am skeptical about the user name. How do I confirm the username for Jenkins? Can someone pls help me?
During the initial run of Jenkins a security token is generated and printed in the console log. The username is admin
The token should look something like,
*************************************************************
Jenkins initial setup is required. A security token is required to proceed.
Please use the following security token to proceed to installation:
41d2b60b0e4cb5bf2025d33b21cb
*************************************************************
For me the initial admin password was in a log at ~/.jenkins/secrets/initialAdminPassword
after installing with homebrew.
source
If you pod is running in a Kubernetes cluster, just look at the running process … Your initial password will be shown…
e.g.
--argumentsRealm.passwd.admin=**3kJQtPDkhk** --argumentsRealm.roles.admin=admin
Username: admin
For password,
cat /Users/$(whoami)/.jenkins/secrets/initialAdminPassword
you will get similar to this token 2762710d8dab4c88a59fea0a2e559069

Unable to unlock the keychain

Building a new Jenkins for an iOS app CI story.
I created a keychain named build in KeyChainAccess to hold the dev certificate.
I set a password for the keychain.
On Jenkins, Manage Jenkins --> Keychains and Provisioning Profiles Management -> choose the build.keychain file and upload.
I filled in the password (the same as what I set earlier). I filled in the certificate (by copy the common name of the certificate info in KeyChain access).
I created a Jenkins job using the Keychain and Code Signing Identity, filled in the password.
But when I build the project by Jenkins, it throw the following error in Console Output:
[ProjectName] $ /usr/bin/security unlock-keychain -p ******** /Users/Shared/Jenkins/Home/jobs/JobName/workspace/build.keychain
security: SecKeychainUnlock /Users/Shared/Jenkins/Home/jobs/JobName/workspace/build.keychain: The user name or passphrase you entered is not correct.
FATAL: Unable to unlock the keychain.
I checked the password, I can unlock the build keychain in KeyChain Access using the password. I am not sure what username it asks for, Jenkins?
It's been a long time since you asked this question but I think it's worth it to answer it!
The output error The username or passphrase you entered is not correct. can be caused by several things but one of the common errors is a wrong keychain path.
To solve it the first thing you need to be sure is that your keychain was created and get its correct path. Run the following command in your console:
security list-keychains
The output should return all the keychains you have, something like this:
"/Users/jenkins/Library/Keychains/login.keychain-db"
"/Library/Keychains/System.keychain"
If your build keychain is not there something were wrong during its creation and you need to create it again. In case you keychain is the above list you need to copy the path where the keychain is located.
If for some reason the name of your keychain is duplicated in that list be sure to remove the duplicated keychains running the following command:
security list-keychains -s pathOfTheKeychainDuplicated
Then with the path and the password of the user with access to this keychain you can unlock it using the following command:
security unlock-keychain -p ****** /Users/jenkins/Library/Keychains/login.keychain-db
In the above command, the path should be the one of your build keychain
I hope this helps you.
In my Mac, got a similar issue for unlock keychain command command.
I have just quit the terminal(all tabs)
Quit the keychain
Reopened the keychain -> unlocked and locked the keychains couple of times manually.
Then I executed the command, it worked! Surprising..
One more hint, got this issue after upgrading macOS from Sierra to High Sierra.
I had a similar problem running unlock-keychain from jenkins after upgrading to Mojave.
It was caused by the default keychain being set incorrectly.
I used
security default-keychain -s <name> to change the default back to the jenkins user's login keychain.

Jenkins iOS build using credentials and developer profile

We are using Jenkins as our CI server for our iOS team with the following setup:
Master server on OSX, not running any job
2 slaves on OSX running our integration jobs + UI Testing
Currently all signing identities and provisioning profiles for the apps are uploaded each slave which makes the administration a tad tedious and adding a new node to the cluster even more painful.
To work around this we've looked into using the credentials plugin with Developer profiles and import the profile as the first build step on all iOS jobs but are faced with to main issues:
The import developer profile seems to work the first time (at least for creating the keychain entries) but the job fails with a "no matching provisioning profile" error, even if the developer profile contains all the provisioning profiles required by the target.
Second run on the same job always fail with a "Keychain already exist" error
We've tried some work arounds for the second issue adding a shell build step removing the particular keychain but are still faced with the first error. If we manually install the profile on the slave the build passes but this defeat the purpose of using the credentials plugin.
What do you guys think?
I think the newest version of the credentials plugin now first removes any existing keychains with a matching name before importing, as seen in the log output below.
$ security delete-keychain jenkins-MyAppsBuildName-iOS
$ security create-keychain -p ******** jenkins-MyAppsBuildName-iOS
$ security unlock-keychain -p ******** jenkins-MyAppsBuildName-iOS
Because of this fact, I don't think you will have an issue anymore with duplicate keychain errors on the second run.
As far as the issue relating to the provisioning profile not being found, add the following line inside the execute shell command and run a build on jenkins.
security list-keychains
Take a look at the console for that specific build and you should see a list of all the keychains that are currently in the scope of the shell.
If you do not see "jenkins-MyAppsBuildName-iOS" as a listed keychain, this is why you are having the signing issue. Because the keychain is not listed, it is never even being searched through to find the proper signing identity/profile.
Solution: Warning: it's hacky
I'm not 100% sure why this is happening, but from other threads it appears to be a permissions issue.
Luckily there is an easy way around this.
In the execute shell command add the following:
security list-keychain -s jenkins-${JOB_NAME}
This will reset the keychain list to include the keychain needed to successfully build the project.
To verify that this now lists the proper keychain, you can add the following lines to the shell command:
security list-keychain
security list-keychain -s jenkins-${JOB_NAME}
security list-keychain
Now compare the output of the first list-keychain command with the second list-keychain command in the console. Make sure that the jenkin's build keychain is listed after the second security list-keychain output.
Warning: This will permanently change the keychain list on the system, so it is probably a good idea to reset the keychain after the build completes. You can accomplish this by settings the default desired keychain values in the xcode configuration inside of Jenkin's System Configuration section. After doing so, make sure to tick the check box "Restore OS X keychains after build process as defined in global configuration" under build environment inside of the Jenkins job's page.
Additional info: In my example I set the keychain-list to only include the keychain generated from Jenkins, but you may decide to also include the standard system and login keychain's by modifying the line as such:
security list-keychain -s jenkins-${JOB_NAME} login.keychain System.keychain
Keywords: Jenkins, iOS, slave, node, Xcode, plugin, credentials, .developerprofile

Granting Jenkins the permission to unlock keychain

I'm trying to set Jenkins up for xcode, and I keep getting certification errors.
In my shell script I have this command:security unlock-keychain $KEYCHAIN
But since Jenkins is running as user 'jenkins' it seem to lack authority when unlocking the keychain and prints this error:
[workspace] $ /bin/sh -xe /var/folders/lD/lDiU3VbfHpm-KUHY26PrX++++Do/-Tmp-/hudson2556417005809365518.sh
+ sh build.sh
security: SecKeychainUnlock /Users/vb_admin/Library/Keychains/login.keychain: Could not write to the file. It may have been opened with insufficient access privileges.
Any ideas to fix this problem would be appreciated.
Thanks in advance!
Either give more privileges to user 'jenkins' or in your shell script grant appropriate privileges to the file. As far as the error show it is saying that 'write' privilages are not available.
The best way to give the jenkins user access to the certificate is to install the certificate into the jenkins user's keychain rather than mess with the file system security and potentially give anyone with access to the jenkins user access to the while of the vb_admin user's keychain.
security <CERT_FILE> import -k $HOME/Library/Keychains/login.keychain -Tcodesign

Resources