xcodebuild OTHER_CODE_SIGN_FLAGS --keychain search order

Hi,

I am posting this in the hopes that it may save someone with a similar problem some time.


A build was failing with the following error:


Code Signing Error: Provisioning profile "FooBar" doesn't include signing certificate "iPhone Developer: foo bar (xxxxxxxxxxx)".


The build was done on the command line with:


xcodebuild OTHER_CODE_SIGN_FLAGS='--keychain /Users/me/Library/Keychains/Buildsystem' (and other parameters)


Before each build we create the Buildsystem keychain and import the certificates needed for the build into it. The keychain is then removed after the build.


I could do the build locally and it would work; it was only on our build machine under Jenkins that it failed.


After spending a lot of time on this I found the cause was that there was another certificate in the build machine's login keychain that was being used for the code signing even though we had provided a keychain with the correct certificate and told the codesigning to use it. After deleting the bad certificate from the login keychain everything worked.


So it looks like the -keychain has no effect or that codesigning searched the login keychain before the specified one.


Is there any way to change this behavior?


The idea of using a special keychain for the build process was to avoid things like this.

Replies

I'm experiencing the same issues. No matter how I format OTHER_CODE_SIGN_FLAGS arguments I cannot convince xcodebuild to use a custom keychain.


As far as I can tell from `xcodebuild -help` and searching online, OTHER_CODE_SIGN_FLAGS is the only way to set a custom keychain.


I would love to hear from someone else if they have alternate solutions.

Hi guys

I was having the exact same issue and was able to find a solution by creating a separate keychain for the certificate, then using the below shell command to extract the SHA-1 hash of the certificate.

Code Block
security find-identity -v -p codesigning <keychain_path> | awk -F' ' 'NR==1{print $2}'


You can then use xcodebuild to pass this certificate sha1 hash for the key CODE_SIGN_IDENTITY into the OTHER_CODE_SIGN_FLAGS like below:

Code Block
xcodebuild -workspace Project.xcworkspace -scheme <ProjectScheme> -configuration <ProjectConfiguration> \
  OTHER_CODE_SIGN_FLAGS='--keychain=<Keychain_Path>' CODE_SIGN_IDENTITY=<SHA1_HASH_FOR_CERTIFICATE> clean archive


Hope this helps you overcome this issue.

  • Thanks for mentioning this trick with figuring out CODE_SIGN_IDENTITY, @m-miscampbell! Unfortunately, I could not get it working because it looks like it conflicts with automatic code-signing.
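
A preflight check built on the reply above, as an added example that is not from the thread or from Apple: instead of taking the first line (`NR==1`), it selects the identity by name, requires exactly one match in the build keychain, and reports when another keychain holds a different certificate under the same name, which is the situation the original post describes. The `find-identity` output, names and hashes are constructed samples, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample output in the format printed by
# `security find-identity -v -p codesigning <keychain_path>` (placeholder values).
BUILD_KC_OUT='  1) 1111111111111111111111111111111111111111 "iPhone Developer: foo bar (AAAAAAAAAA)"
  2) 2222222222222222222222222222222222222222 "iPhone Distribution: Example Corp (BBBBBBBBBB)"
     2 valid identities found'
LOGIN_KC_OUT='  1) 3333333333333333333333333333333333333333 "iPhone Developer: foo bar (AAAAAAAAAA)"
     1 valid identities found'

# hashes_for NAME: read find-identity output on stdin and print the SHA-1 of
# every identity whose quoted name equals NAME (summary lines are skipped).
hashes_for() {
    awk -v want="$1" '
        $1 ~ /^[0-9]+\)$/ && length($2) == 40 && $2 ~ /^[0-9A-Fa-f]+$/ {
            name = $0
            sub(/^[^"]*"/, "", name)   # drop everything up to the opening quote
            sub(/"[^"]*$/, "", name)   # drop the closing quote and anything after
            if (name == want) print $2
        }'
}

# pinned_identity NAME BUILD_OUT OTHER_OUT: print the single hash to pass as
# CODE_SIGN_IDENTITY. Returns 1 unless the build keychain holds exactly one
# match, 2 if the other keychain has a different certificate with the same name.
pinned_identity() {
    found=$(printf '%s\n' "$2" | hashes_for "$1")
    [ -n "$found" ] && [ "$(printf '%s\n' "$found" | wc -l | tr -d ' ')" -eq 1 ] || return 1
    for h in $(printf '%s\n' "$3" | hashes_for "$1"); do
        [ "$h" = "$found" ] || return 2
    done
    printf '%s\n' "$found"
}

# On a build machine the two arguments would come from the real command, e.g.
#   "$(security find-identity -v -p codesigning "$BUILD_KEYCHAIN")"
# where BUILD_KEYCHAIN is an assumed variable holding the keychain path.
NAME='iPhone Developer: foo bar (AAAAAAAAAA)'
pinned_identity "$NAME" "$BUILD_KC_OUT" "$LOGIN_KC_OUT" \
    || echo "preflight: ambiguous or missing identity (rc=$?)" >&2
```

With the constructed samples the check returns 2, because the login keychain carries a different certificate under the same name as the one in the build keychain.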
