Jenkins - Xcode Build Works Codesign Fails

Jenkins - Xcode build works codesign fails

We don't use Jenkins but I've seen this in our build automation before. Here's how we solved it:

1) Create your build Keychain. This will contain the private key/certificate used for codesigning:

security create-keychain -p [keychain_password] MyKeychain.keychain

The keychain_password is up to you. You'll use this later to unlock the keychain during the build.

2) Import the private key (*.p12) for your CodeSign identity:

security import MyPrivateKey.p12 -t agg -k MyKeychain.keychain -P [p12_Password] -A

The key here is the "-A" flag. This will allow access to the keychain without warning. This is why you're seeing the "User interaction is not allowed" error. If you were attempting this build via the Xcode UI, this is the point where it would prompt you to "Allow access" to your keychain.

3) However you're saving the Keychain (e.g.: checking it in to source control), make sure it's writeable and executable by your build user.

When you're ready to build, add the following prior to running xcodebuild:

# Switch keychain
security list-keychains -s "/path/to/MyKeyhain.keychain"
security default-keychain -s "/path/to/MyKeychain.keychain"
security unlock-keychain -p "[keychain_password]" "/path/to/MyKeychain.keychain"

If you're running locally, you may want to add something at the end of your build script that switches back to the login keychain (~/Library/Keychains/login.keychain), e.g.:

# Switch back to login keychain
security list-keychains -s "~/Library/Keychains/login.keychain"
security default-keychain -s "~/Library/Keychains/login.keychain"

Give that a try. We create a separate Keychain for each identity we use (our own plus builds on behalf of customers). In our company's case, we have both an AppStore and Enterprise account. This can result in naming conflicts while codesigning (e.g.: both accounts resolve to "iPhone Distribution: ACME Corporation"). By keeping these identities in separate keychains we avoid this conflict.

Code Sign Failing from Jenkins for iOS application

Adding this to the build step in Jenkins job solved the problem for me.

security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k ${JENKINS_PWD} ~/Library/Keychains/login.keychain-db

Code signing error running XCodeBuild in Jenkins

I feel for you as the last time we messed with this it was quite the challenge. We did this when we set up a CI server for a project. If I remember correctly (broadly) we followed these steps:

1) Set Jenkins up as a developer on the Apple Dev account

2) Created a cert and dev provisioning profile specifically for Jenkins

3) Setup a Jenkins user on the CI Server and delete any previous certs/prov profiles from xcode for that user

4) Add the Jenkins cert to the AD-Hoc Dist Profile (If you are trying to distribute an .ipa to HockeyApp you will need to to this for an archive build.)

5) Go into the xcode project file and delete any existing references to Provisioning Profiles

6) Download and Install the certs for this user and the appropriate Prov Profiles.

7) Before the build unlock the Jenkins user keychain. Do this only if the Jenkins user is not the user running the xcode build.

Verify that Xcode shows the Prov Profile as valid in the organiser when logged in as the Jenkins user.

I know my answer is somewhat vague and my intent is to be helpful. This type of error is usually caused by one of three things. Xcode cant find the profile, Xcode cant find the cert or Xcode found more then one profile (supposed to produce a different error but doesn't always) and has a mismatch of some kind. Usually redoing the Prov Profiles is the least painful solution.

Best of luck man. You will solve it it's just a huge headache!

---

Related Topics