CLI：切换钥匙串以签署 xcodebuild

发布于 2024-12-21 11:39:52 字数 458 浏览 5 评论 0原文

我正在尝试打开某个钥匙串，然后关闭另一个钥匙串。我需要这个，因为我们的企业和应用商店标识的名称相同。

现在，我执行“安全解锁钥匙串”，然后执行“安全默认钥匙串”以打开正确的钥匙串，并在我不想使用的钥匙串上执行“安全锁定钥匙串”。

但 xcodebuild 仍然看到两个钥匙串中的条目并放弃。

iPhone Distribution: Company name.: ambiguous (matches "iPhone Distribution: Company name." in /Users/user/Library/Keychains/login.keychain and "iPhone Distribution: Company name" in /Users/user/Library/Keychains/enterprise.keychain)

如何防止系统找到我锁定的钥匙串中的条目？

原文

I am trying to switch on a certain keychain, and close another one.
I need this because our enterprise & appstore identities are called the same.

Right now, I do a "security unlock-keychain" followed by a "security default-keychain" to open the correct keychain and do a "security lock-keychain" on the keychain I wish not to use.

But xcodebuild still sees the entries in both keychains and gives up.

iPhone Distribution: Company name.: ambiguous (matches "iPhone Distribution: Company name." in /Users/user/Library/Keychains/login.keychain and "iPhone Distribution: Company name" in /Users/user/Library/Keychains/enterprise.keychain)

How do I prevent the system from finding the entry in the keychain that I lock?

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

孤凫 2024-12-28 11:39:52

您可以告诉 Xcode 使用哪个钥匙串：

xcodebuild "OTHER_CODE_SIGN_FLAGS=--keychain '$PATH_TO_KEYCHAIN'"

或者，如果您直接调用codesign：

codesign --keychain "$PATH_TO_KEYCHAIN"

如果您使用 PackageApplication，则无法设置它。然而，PackageApplication 是一个非常简单的脚本，可以在必要时重新实现（如果您要与更大的系统/脚本集成，则非常有用）。

You can tell Xcode which keychain to use:

xcodebuild "OTHER_CODE_SIGN_FLAGS=--keychain '$PATH_TO_KEYCHAIN'"

Or, if you call codesign directly:

codesign --keychain "$PATH_TO_KEYCHAIN"

If you use PackageApplication, there isn't a way to set this. However, PackageApplication is a pretty simple script that can be reimplemented if necessary (very useful if you're integrating with a larger system/script).

回复收藏 0 原文

情深已缘浅 2024-12-28 11:39:52

解决方案：
我已将所有与应用程序商店相关的内容放入登录钥匙串中，并将企业内容放入单独的钥匙串文件中。

在构建脚本中，我按如下方式在它们之间切换：

    # 1. Only activate the System and either the Appstore(=login) or Enterprise keychain.
security list-keychains -s $KEYCHAIN_NAME $SYSTEM_KEYCHAIN

# 2. Loop through App Schema's
for APP_SCHEME in ${APP_SCHEMES[@]}; do
    echo "--=  Processing $APP_SCHEME  =--"
    xcodebuild -scheme "${APP_SCHEME}" archive
done ### Looping through App Schema's

# 3. Restore login & system keychains
security list-keychains -s $APPSTORE_KEYCHAIN $ENTERPRISE_KEYCHAIN $SYSTEM_KEYCHAIN

Solution:
I've put all the appstore related stuff in the login keychain, and the enterprise stuff in a seperate keychain file.

In the buildscript, I switch between those as follows:

    # 1. Only activate the System and either the Appstore(=login) or Enterprise keychain.
security list-keychains -s $KEYCHAIN_NAME $SYSTEM_KEYCHAIN

# 2. Loop through App Schema's
for APP_SCHEME in ${APP_SCHEMES[@]}; do
    echo "--=  Processing $APP_SCHEME  =--"
    xcodebuild -scheme "${APP_SCHEME}" archive
done ### Looping through App Schema's

# 3. Restore login & system keychains
security list-keychains -s $APPSTORE_KEYCHAIN $ENTERPRISE_KEYCHAIN $SYSTEM_KEYCHAIN

回复收藏 0 原文

才能让你更想念 2024-12-28 11:39:52

xcode 版本 6 及更低版本的另一个解决方案：通过 SHA1 而不是通过（不明确的）名称指定您的证书。来自“man codesign”：

 If identity consists of exactly forty hexadecimal digits, it is instead
 interpreted as the SHA-1 hash of the certificate part of the desired iden-
 tity.  In this case, the identity's subject name is not considered.

以及来自“security help find-certificate”

-Z  Print SHA-1 hash of the certificate

不幸的是，此方法需要使用 PackageSign 脚本，该脚本已在 Xcode 7 中已弃用

Another solution for xcode version 6 and below: specify your certificate by SHA1 instead of by (ambiguous) name. From "man codesign":

 If identity consists of exactly forty hexadecimal digits, it is instead
 interpreted as the SHA-1 hash of the certificate part of the desired iden-
 tity.  In this case, the identity's subject name is not considered.

And from "security help find-certificate"