Mac亚特兰西安竹提供的密钥链证书

Question

我有一个竹子计划来构建一个包，我想用我的开发者证书来签署这个包。在我的构建脚本中，我有以下内容：

productsign --sign "Name of my certificate" "input.pkg" "output.pkg"

从命令行运行此脚本就像预期的那样工作。但是，在运行竹脚本时，我总是会得到以下错误：

productsign: error: Could not find appropriate signing identity for "Name of my certificate"

我认为这肯定是因为构建脚本在从竹运行时运行的上下文。如何使证书在竹子中可用？它安装在System中，而不是login中。

Answer 1

如果您需要以root的形式运行竹，那么需要使用keychain (应用程序>实用程序)将适当的证书从登录密钥链复制到系统密钥链。

话虽如此，但最好还是以用户身份运行竹而不是root。例如，如果您需要使用移动配置文件在同一台服务器上对任何iOS构建进行签名，则root将无法工作。

Answer 2

你试过做手术了吗？

即：

sudo productsign --sign "Name of my certificate" "input.pkg" "output.pkg"

由于密钥在系统密钥链中(也许它不适用于您的用例？)，您可能无法作为“常规”用户访问它，尽管通过设计您可以访问其中的证书。

Answer 3

我的建议是将您需要的密钥存储在一个单独的密钥链中。这将使找到和管理它们变得更加容易。只需创建一个新的密钥链并将您的证书移动到其中；将其保存在方便的地方即可。然后以这种方式签名(我使用的是codesign，但--productsign是相同的)。我不构建为根，也不使用sudo作为这一点。

# Keychain that holds all the required signing certificates
# To create a keychain like this, create it in "Keychain Access" and copy all your certificates into it
# Then set its timeout to infinite (so it doesn't re-lock itself during the build):
#    security set-keychain-settings <path>
# Passing no "-t" option means "no timeout."
# Generally you should just be able to copy this file from build host to build host as needed. Then
# add it to the available keychains using Keychain Access, File>Add Keychain…. If you don't add it to
# Keychain Access, you'll receive signing error CSSMERR_TP_NOT_TRUSTED, since it won't recognize the
# entire chain
keychain=~/Library/Keychains/MyProduct.keychain
keychain_password=somepassword # If you have one on the keychain
cert_identifier='My Signing Name'
...

# We assume the keychain has an infinite timeout, so we just unlock it once here.
if ! security unlock-keychain -p "${keychain_password}" ${keychain} ; then
  echo "Cannot unlock keychain. Cannot sign on this host."
  exit 1
fi

sign()
{
  name=$1 ; shift
  paths=$*

  if ${sign} ; then
    echo "** SIGNING $name **"
    chmod u+w $paths
    codesign --keychain ${keychain} -f -s ${cert_identifier} $paths
  fi
}

sign "The Whole Package" something.pkg