How to add authorization to code sign an application from a new keychain without any human interaction
I'm trying to automate the process of building iphone apps with a particular certificate. So imagine if different users uploaded their cert into the system and it was immediately available to code sign against. I want to do this without any interaction. I also don't want to clutter up the system or logon keychain with different user certificates. To this end I have:
- turned off the requirement in Xcode to require code signing for a build.
- developed a ruby script to build an application via the xcodebuild command line tool
- created a script to automatically create a new keychain for a user of my system
- written a script to code sign a built iphone app.
Everything works, but I need to manually hit enter when the codesign program tries to exercise the sign permission. My keychains are all unlocked. Oddly enough it works if I make the keychain the default keychain, but that isn't scalable, i.e. I could only have one build process going at any given time.
When I manually click always allow for that process, I get an entry in my keychain dump that looks like this:
    entry 1:
        authorizations (6): decrypt derive export_clear export_wrapped mac sign
        don't-require-password
        description: privateKey
        applications (2):
            0: /usr/bin/codesign (OK)
So I'm thinking that I need to use the authorize command in security to pre-authorize codesign for those permissions. The security man page is pretty poor. I can't seem to get it to work using commands like this:
security -v authorize -uew sign | /usr/bin/codesign [code sign vars pointing to app and a specific keychain]
Does anyone have any ideas?
Comments (6)
If you import your certificate into your keychain with a -A it will allow access to all programs trying to request that cert. This isn't very secure but works. You can also use -T to limit it to a particular app. Look up the import param found in man security.
I'd like to add to the answer pool here, but also reopen part of the question that I don't think was answered.
The following command imports an identity (cert + private key) and specifies that it should "always allow" code sign access to it (preventing the Keychain Access alert from prompting the user for a button click):
This command allows all applications access, rather than just code sign:
security import Targets/CurrentTarget/Certificate.p12 -k #{KEYCHAIN} -P "#{cert_pwd}" -A
Either of these commands will take care of the dialogs that pop up each time you use a private key in your Keychain. HOWEVER, they will NOT take care of the similar alert that pops up the very first time you request permission to use a private key. This alert will appear on first use and ask you to choose always allow, deny or allow. Every time after that (if you use the -T or -A options above, assuming the key remains in your keychain) you won't see a dialog. My question is: how can you eliminate the alert that appears on first use?
I've considered using AppleScript to automate tapping the always allow button but because the alert is triggered in the middle of the xcodebuild command I'm not sure this would work. Any help would be much appreciated!
On my system, once the keychain is unlocked with
I just let xcodebuild do both the build and the code signing.
If your keychains are unlocked, it shouldn't be necessary to use the above call.
You might also want to check the command execute-with-privileges of security.
Just to add to all the answers above: even if your key/certificate is not password-protected, you need to pass -P "" (empty password) to security import.
Copying the certificates from the Login keychain to the System keychain works nicely in my case, and as a result you don't need to do any command-line unlocking.
Regarding dialogs that pop up each time you use a private key in your Keychain, this AppleScript will take care of the similar alert that pops up the very first time you request permission to use a private key.
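As an added example, not code from the question or from any of the answers, the Ruby below performs the keychain setup the question and the second answer describe, with -T restricted to /usr/bin/codesign instead of -A, and checks the resulting ACL against the dump-keychain format quoted in the question. On macOS 10.12 and later the set-key-partition-list step is what stops the first-use prompt the second answer reopened; the keychain name, passwords and .p12 path are placeholders.

```ruby
# Added example, not code from the question or any answer: create a per-user build
# keychain, import a .p12 so only /usr/bin/codesign may use the key, verify the ACL.
# Commands as argv arrays: passwords are separate arguments, never interpolated
# into a shell string (unlike the -P "#{cert_pwd}" form quoted above).
def keychain_setup_commands(keychain, kc_password, p12, p12_password)
  [
    ['security', 'create-keychain', '-p', kc_password, keychain],
    # no flags = no auto-lock timeout and no lock on sleep for this keychain
    ['security', 'set-keychain-settings', keychain],
    ['security', 'unlock-keychain', '-p', kc_password, keychain],
    # -T limits the key's ACL to codesign; -A would admit every application
    ['security', 'import', p12, '-k', keychain, '-P', p12_password,
     '-T', '/usr/bin/codesign'],
    # macOS 10.12+: without this, codesign still prompts once on first use
    ['security', 'set-key-partition-list', '-S', 'apple-tool:,apple:',
     '-s', '-k', kc_password, keychain]
  ]
end

# Parse `security dump-keychain -a` output (format as quoted in the question):
# may /usr/bin/codesign sign with some key without a password prompt?
def codesign_can_sign?(dump)
  dump.split(/^\s*entry \d+:\s*$/).any? do |entry|
    auths = entry[/authorizations \(\d+\):\s*(.*)$/, 1].to_s.split
    apps  = entry.scan(/^\s*\d+: (\S+) \(OK\)/).flatten
    auths.include?('sign') && entry.include?("don't-require-password") &&
      apps.include?('/usr/bin/codesign')
  end
end

# Constructed sample: the ACL entry the question shows after "Always Allow".
SAMPLE_DUMP = <<~DUMP
  entry 1:
      authorizations (6): decrypt derive export_clear export_wrapped mac sign
      don't-require-password
      description: privateKey
      applications (2):
          0: /usr/bin/codesign (OK)
DUMP
if __FILE__ == $0
  # Placeholder keychain name, passwords and .p12 path; pass --apply to run.
  cmds = keychain_setup_commands('build.keychain', 'kc-pass', 'Cert.p12', 'p12-pass')
  if ARGV.first == '--apply'
    cmds.each { |argv| system(*argv) || abort("#{argv[1]} failed") }
    puts codesign_can_sign?(IO.popen(%w[security dump-keychain -a build.keychain], &:read))
  else
    cmds.each { |argv| puts argv.join(' ') } # dry run
    puts codesign_can_sign?(SAMPLE_DUMP)      # parser check on the sample
  end
end
```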