Codesign fails when started from SSH, succeed in Mac Desktop

Question

rlecheta OP

Created May ’22

Replies 4

Boosts 0

Views 4.6k

Participants 4

Hi,

I'm using fastlane to build/sign my project and it works perfectly when I ran it in my Mac. I'm trying to setup some Jenkins CI/CD server in AWS EC2, and I started to have a problem with code sign.

I realized that it's not something related to AWS, because if I ssh to my own Mac using "ssh localhost" it's possible to simulate the problem.

To isolate the problem, I'm using this very simple project with fastlane: https://github.com/rlechetaudemy/helloios

This issue is also not related with match, because if you setup fastlane with manual signing, it returns the same error.

I also tried to use the 'setup_ci' action before build/sign but without success. setup_ci( force: true )

These are the logs:

[13:11:36]: ▸ Copying GoogleService-Info.plist [13:11:37]: ▸ Processing Info.plist [13:11:38]: ▸ ** ARCHIVE FAILED ** [13:11:38]: ▸ The following build commands failed: [13:11:38]: ▸ CodeSign /Users/user/Library/Developer/Xcode/DerivedData/HelloIOS-eibmqfokwytdeddxnnluvsuzbtlp/Build/Intermediates.noindex/ArchiveIntermediates/HelloIOS\ (iOS)/InstallationBuildProductsLocation/Applications/HelloIOS.app (in target 'HelloIOS (iOS)' from project 'HelloIOS') [13:11:38]: ▸ (1 failure) ▸ Processing Pods-HelloIOS (iOS)-Info.plist

▸ Processing Info.plist ** ARCHIVE FAILED **

The following build commands failed: CodeSign /Users/user/Library/Developer/Xcode/DerivedData/HelloIOS-eibmqfokwytdeddxnnluvsuzbtlp/Build/Intermediates.noindex/ArchiveIntermediates/HelloIOS\ (iOS)/InstallationBuildProductsLocation/Applications/HelloIOS.app (in target 'HelloIOS (iOS)' from project 'HelloIOS') (1 failure) [13:11:38]: Exit status: 65

+---------------+-------------------------+ | Build environment | +---------------+-------------------------+ | xcode_path | /Applications/Xcode.app | | gym_version | 2.205.2 | | export_method | ad-hoc | | sdk | iPhoneOS15.2.sdk | +---------------+-------------------------+

[13:11:38]: ▸ (ef0fada7-88c4-413f-a9e5-7d875f07e324) [13:11:38]: ▸ [13:11:38]: ▸ /usr/bin/codesign --force --sign CB4DB01189506EF6F172982414A36378AE18F48F --entitlements /Users/user/Library/Developer/Xcode/DerivedData/HelloIOS-eibmqfokwytdeddxnnluvsuzbtlp/Build/Intermediates.noindex/ArchiveIntermediates/HelloIOS\ (iOS)/IntermediateBuildFilesPath/HelloIOS.build/AdHoc-iphoneos/HelloIOS\ (iOS).build/HelloIOS.app.xcent --generate-entitlement-der /Users/user/Library/Developer/Xcode/DerivedData/HelloIOS-eibmqfokwytdeddxnnluvsuzbtlp/Build/Intermediates.noindex/ArchiveIntermediates/HelloIOS\ (iOS)/InstallationBuildProductsLocation/Applications/HelloIOS.app [13:11:38]: ▸ /Users/user/Library/Developer/Xcode/DerivedData/HelloIOS-eibmqfokwytdeddxnnluvsuzbtlp/Build/Intermediates.noindex/ArchiveIntermediates/HelloIOS (iOS)/InstallationBuildProductsLocation/Applications/HelloIOS.app: errSecInternalComponent [13:11:38]: ▸ Command CodeSign failed with a nonzero exit code [13:11:38]: [13:11:38]: ⬆️ Check out the few lines of raw xcodebuild output above for potential hints on how to solve this error [13:11:38]: 📋 For the complete and more detailed error log, check the full log at: [13:11:38]: 📋 /Users/user/Library/Logs/gym/HelloIOS-HelloIOS (iOS).log [13:11:38]: [13:11:38]: Looks like fastlane ran into a build/archive error with your project [13:11:38]: It's hard to tell what's causing the error, so we wrote some guides on how [13:11:38]: to troubleshoot build and signing issues: https://docs.fastlane.tools/codesigning/getting-started/ [13:11:38]: Before submitting an issue on GitHub, please follow the guide above and make [13:11:38]: sure your project is set up correctly. [13:11:38]: fastlane uses xcodebuild commands to generate your binary, you can see the [13:11:38]: the full commands printed out in yellow in the above log. [13:11:38]: Make sure to inspect the output above, as usually you'll find more error information there [13:11:38]: +---------------------------+----------------------------------------------------------+ | Lane Context | +---------------------------+----------------------------------------------------------+ | DEFAULT_PLATFORM | ios | | PLATFORM_NAME | ios | | LANE_NAME | ios firebase | | KEYCHAIN_PATH | ~/Library/Keychains/fastlane_tmp_keychain | | ORIGINAL_DEFAULT_KEYCHAIN | "/Users/user/Library/Keychains/fastlane_tmp_keychain-db" | +---------------------------+----------------------------------------------------------+ [13:11:38]: Error building the application - see the log above

+------+-------------------------------+-------------+ | fastlane summary | +------+-------------------------------+-------------+ | Step | Action | Time (in s) | +------+-------------------------------+-------------+ | 1 | Verifying fastlane version | 0 | | 2 | default_platform | 0 | | 3 | Switch to ios buildAdHoc lane | 0 | | 4 | setup_ci | 0 | | 5 | cocoapods | 4 | | 💥 | build_app | 36 | +------+-------------------------------+-------------+

Boost

Answer 1

DTS Engineer OP

Apple

May ’22

I’m struggling to read the transcript you posted. In future, please create a code block for this. Either click the Code Block button or, equivalently, use triple backquote delimiters.

AFAICT the transcript is from your CI system, and that’s not something I can help you with. I recommend that you escalate that via their support channel. However, you also wrote:

if I ssh to my own Mac using ssh localhost it's possible to simulate the problem.

As your own user? Or as a different ‘CI’ user?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 2

rlecheta OP

May ’22

Hi,

As your own user? Or as a different ‘CI’ user?

As my own user.

Is anything related with this issue? https://developer.apple.com/forums/thread/69464

We need a better solution or recomendation from Apple, since it looks this problem happens with more people also.

0

Answer 3

DTS Engineer OP

Apple

May ’22

As my own user.

In that specific case the most common issue is:

Your signing identity is in your login keychain.
SSH is unable to unlock your login keychain when you log in [1].
The keychain is running in a non-GUI login session, so it can’t prompt the user to unlock the keychain.
So attempts to your signing identity fail.

The solution is to unlock your login keychain using the unlock-keychain subcommand of the security tool. See its man page for details.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Best practice is to use key-based authentication for SSH and, in that case, the SSH session doesn’t have access to your login password, which is necessary to unlock the login keychain.

1

Answer 4

ChuckMN OP

Jun ’22

Hey @rlecheta, I have run into this issue before and the way that I solved it was by leveraging the below command within my automation scripts. This is an implementation of what @eskimo suggested with a different flavor.

security set-key-partition-list -v -S apple-tool:,apple: -s -k [Login Keychain Password] [Login Keychain Path]

I did not figure this out on my own and had the help of many previous developers with the power of the internet. Additional reading and learning can be found at the below URLs.

https://apple.stackexchange.com/questions/255872/unable-to-unlock-login-keychain-on-sierra-in-ssh

https://stackoverflow.com/questions/24023639/xcode-command-usr-bin-codesign-failed-with-exit-code-1-errsecinternalcomponen

https://mostlikelee.com/blog-1/2017/9/16/scripting-the-macos-keychain-partition-ids

I would also suggest like @eskimo did that you use key based authentication for your remote SSH connection and leverage additional logic for protecting either your login keychain or using a separate less important keychain all together.

Hopefully this helps and happy coding!

0