我有一个Bamboo计划,用于构建一个软件包,我想使用我的开发者证书对该软件包进行签名。在我的构建脚本中,我有以下内容:
productsign --sign "Name of my certificate" "input.pkg" "output.pkg"
从命令行运行此脚本的效果符合预期。但是,从Bamboo运行脚本时,我总是遇到错误:
productsign: error: Could not find appropriate signing identity for "Name of my certificate"
我推测这可能是由于在Bamboo运行构建脚本时所运行的上下文导致的。如何使证书在Bamboo中可用?它安装在System而非login中。
root身份运行Bamboo,那么您需要使用钥匙串访问(应用程序>实用工具)将适当的证书从您的登录钥匙串复制到系统钥匙串中。root身份运行Bamboo。例如,如果您需要在同一服务器上签署任何iOS构建的移动配置文件,则无法使用root身份运行。I.e.:
sudo productsign --sign "Name of my certificate" "input.pkg" "output.pkg"
我的建议是将您需要的密钥存储在单独的密钥链中。这将使查找和管理它们变得更加容易。只需创建一个新的密钥链并将您的证书移动到其中;将其存储在方便的位置。然后我以这种方式签署东西(我正在使用codesign,但--productsign相同)。我不以root身份构建,也不使用sudo进行此操作。
# Keychain that holds all the required signing certificates
# To create a keychain like this, create it in "Keychain Access" and copy all your certificates into it
# Then set its timeout to infinite (so it doesn't re-lock itself during the build):
# security set-keychain-settings <path>
# Passing no "-t" option means "no timeout."
# Generally you should just be able to copy this file from build host to build host as needed. Then
# add it to the available keychains using Keychain Access, File>Add Keychain…. If you don't add it to
# Keychain Access, you'll receive signing error CSSMERR_TP_NOT_TRUSTED, since it won't recognize the
# entire chain
keychain=~/Library/Keychains/MyProduct.keychain
keychain_password=somepassword # If you have one on the keychain
cert_identifier='My Signing Name'
...
# We assume the keychain has an infinite timeout, so we just unlock it once here.
if ! security unlock-keychain -p "${keychain_password}" ${keychain} ; then
echo "Cannot unlock keychain. Cannot sign on this host."
exit 1
fi
sign()
{
name=$1 ; shift
paths=$*
if ${sign} ; then
echo "** SIGNING $name **"
chmod u+w $paths
codesign --keychain ${keychain} -f -s ${cert_identifier} $paths
fi
}
sign "The Whole Package" something.pkg
xcodebuild仍然无法访问钥匙串中的密钥。我不得不将密钥从“登录”钥匙串移动到“系统”中,这对我有用。 - i4niac