Reputation: 20289
Codesign issue when Jenkins is used
If I build the iOS (part of a Xamarin.Forms project) with the Jenkins web GUI (directly running on the Mac) I get the following meaningful error from the console output:
unknown error -1=ffffffffffffffff
More detailed log
[exec] _CodesignNativeLibraries:
[exec] CodesignNativeLibraries Task
[exec] AppBundleDir: bin/iPhone/Release/AppiOS.app
[exec] CodesignAllocate: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate
[exec] DisableTimestamp: False
[exec] IntermediateOutputPath: obj/iPhone/Release/codesign
[exec] Keychain: <null>
[exec] SigningKey: XXX
[exec] ExtraArgs: <null>
[exec] _CodesignAppBundle:
[exec] Codesign Task
[exec] CodesignAllocate: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate
[exec] DisableTimestamp: False
[exec] Entitlements: obj/iPhone/Release/Entitlements.xcent
[exec] Keychain: <null>
[exec] Resources:
[exec] bin/iPhone/Release/AppiOS.app
[exec] ResourceRules: <null>
[exec] SigningKey: XXX
[exec] ExtraArgs: <null>
[exec] IsAppExtension: False
[exec] Tool /usr/bin/codesign execution started with arguments: -v --force --sign XXX --entitlements /Users/someuser/.jenkins/workspace/Project/ProjectName/ProjectName.iOS/obj/iPhone/Release/Entitlements.xcent /Users/someuser/.jenkins/workspace/Project/ProjectName/ProjectName.iOS/bin/iPhone/Release/AppiOS.app
[exec] bin/iPhone/Release/AppiOS.app : error : /Users/someuser/.jenkins/workspace/Project/ProjectName/ProjectName.iOS/bin/iPhone/Release/AppiOS.app: unknown error -1=ffffffffffffffff [/Users/someuser/.jenkins/workspace/Project/ProjectName/ProjectName.iOS/ProjectName.iOS.csproj]
On the other side it works without an error if I build
- in Xamarin Studio
- in Visual Studio for Mac
- while connected via Mac build host
- on terminal
After some research the following solutions were mentioned:
- allow access to keychain
- revoke and create new certificates/provisioning profiles
I tried both and I'm still getting the error. The question for me is, why Jenkins launched with
launchctl load /Library/LaunchDaemons/org.jenkins-ci.plist
can't access the certificates/provisioning profiles. This is the call from Ant in the configuration
<target name="buildIpa" depends="init" if="isMac">
<exec dir="${basedir}" executable="${msibuild}" failonerror="true">
<arg line=""/p:Configuration=Release" /p:Platform="iPhone" /p:IpaPackageDir="./bin" /t:Build ${TopLevelProject}.sln "/>
</exec>
</target>
, where msibuild is /Libary/Frameworks/Mono.framework/Versions/Current/Commands/msbuild.
The other projects (Droid, UWP) are also build and I don't know how to only build for iOS ...
How can I find out if there is a signing error, an error with the installation of Jenkins or other error?
My current setup:
Mac OS X: 10.12.6
Xcode: 9.1
Visual Studio Community 2017 for Mac: 7.2.2
Mono: 5.4.1.6
Xamarin.iOS: 11.3.0.47
Xamarin.Forms: 2.3.4.267
Xamarin Studio on Mac: 6.3
Jenkins: 2.73.3
Upvotes: 2
Views: 3526
Answers (3)
Reputation: 269
I have a Xamarin project with Automatic Provisioning setup. I could build locally on the Jenkins slave but not when running the same commands from our Jenkins Pipeline.
I found that I had to run and sh command before my build
sh 'security unlock-keychain -p "[Users Password]" /Users/[Users Name]/Library/Keychains/login.keychain-db'
to be able to sign code.
It would seem that when run from Jenkins the shell environment has its keychains locked!
Upvotes: 1
Reputation: 2490
When Jenkins is launched via launchd (controlled via the launchctl utility) the resulting process has reduced permissions to access resources in the system such as a given user's Keychain, because it is lacking an attribute set for a user who is actually logged in. You can work around this by having your Jenkins launched either via the JNLP or via an ssh slave. I suggest using the SSH slave option as the JNLP is fragile.
Here is Jenkins ssh slaves page: https://wiki.jenkins.io/display/JENKINS/SSH+Slaves+plugin
These two stack overflows will give you more help on how to accomplish setting up your profiles via the command line:
Upvotes: 3
Reputation: 119
what helps me
- Keychain: moving certificates from Login to System and manually unlock it before Xcodebuild launch
security unlock-keychain -p "<YOUR PASS HERE>" ~/Library/Keychains/login.keychain Custom xcodebuild arguments: implement manual code signing style in Jenkins with CODE_SIGN_STYLE="Manual" and using Keychains and Provisioning Profiles Plugin (just easy to operate with env variables)
CODE_SIGN_STYLE="Manual" PROVISIONING_PROFILE_SPECIFIER=${PROVISIONING_PROFILE} CODE_SIGN_IDENTITY="${CODE_SIGNING_IDENTITY}" -allowProvisioningUpdates
Upvotes: 4
Related Questions
- iOS Code Signing Fails Only For Jenkins
- Jenkins - Xcode build works codesign fails
- Building Xcode project with Jenkins gives codesign error
- Jenkins: Command /usr/bin/codesign failed with exit code 1
- Code Sign Failing from Jenkins for iOS application
- codesign --keychain gets ignored
- Xcode codesign exit code 1 in Jenkins build
- Codesign check fails : ... *.app: a sealed resource is missing or invalid > file added
- Jenkins vs. Xcode plugin - codesign troubles
- How to fix Xcode's code sign issues on Jenkins?