我有一个Bamboo计划来构建一个包,我想用我的开发者证书签署该包。在我的构建脚本中,我有这个:
productsign --sign "Name of my certificate" "input.pkg" "output.pkg"
从命令行运行此脚本按预期工作。但是,从Bamboo运行脚本,我总是得到错误:
productsign: error: Could not find appropriate signing identity for "Name of my certificate"
我认为这必须是因为从Bamboo运行时运行构建脚本的上下文。如何在Bamboo中使证书可用?它安装在System,而不是login。
答案 0 :(得分:2)
如果您需要以root格式运行Bamboo,则需要使用Keychain将登录钥匙串中的相应证书复制到系统钥匙串访问(应用程序>实用程序)。
话虽如此,将Bamboo作为用户而不是root运行可能会更好。例如。如果您需要使用移动设置配置文件在同一台服务器上签署任何iOS版本,则root将无效。
答案 1 :(得分:1)
你试过sudo'ing手术吗?
即:
sudo productsign --sign "Name of my certificate" "input.pkg" "output.pkg"
由于密钥在系统密钥链中(可能不适用于您的用例?),您可能无法以“常规”用户身份访问它,即使[设计]您有访问其中的证书。
答案 2 :(得分:0)
我的建议是将您需要的密钥存储在单独的钥匙串中。这样可以更容易地找到并管理它们。只需创建一个新的钥匙串并将您的证书移入其中;将它存放在方便的地方。然后我以这种方式签名(我正在使用codesign,但--productsign是相同的)。我没有以root身份构建,也没有使用sudo。
# Keychain that holds all the required signing certificates
# To create a keychain like this, create it in "Keychain Access" and copy all your certificates into it
# Then set its timeout to infinite (so it doesn't re-lock itself during the build):
# security set-keychain-settings <path>
# Passing no "-t" option means "no timeout."
# Generally you should just be able to copy this file from build host to build host as needed. Then
# add it to the available keychains using Keychain Access, File>Add Keychain…. If you don't add it to
# Keychain Access, you'll receive signing error CSSMERR_TP_NOT_TRUSTED, since it won't recognize the
# entire chain
keychain=~/Library/Keychains/MyProduct.keychain
keychain_password=somepassword # If you have one on the keychain
cert_identifier='My Signing Name'
...
# We assume the keychain has an infinite timeout, so we just unlock it once here.
if ! security unlock-keychain -p "${keychain_password}" ${keychain} ; then
echo "Cannot unlock keychain. Cannot sign on this host."
exit 1
fi
sign()
{
name=$1 ; shift
paths=$*
if ${sign} ; then
echo "** SIGNING $name **"
chmod u+w $paths
codesign --keychain ${keychain} -f -s ${cert_identifier} $paths
fi
}
sign "The Whole Package" something.pkg