The hardest part of our iOS setup is the code signing with the iOS security key. Signing is essential when we automate the deployment and testing of a physical iOS device (testing on the simulator does not require these extra steps). Codesign tries to ask for the keychain password in a modal dialog; since there is no graphical session on the build machine, this fails, and we get the error message "User interaction is not allowed."
To sign Xcode applications, the build needs access to the signing certificates. These certificates are stored inside a keychain, and the keychain must be unlocked before the certificate for the built application can be retrieved.
The Solution
The preferred way would be to unlock the keychain when the slave process starts up.
But so far no way is known to unlock the keychain at the moment the slave process is launched.
The second-best option is to unlock the keychain inside the Hudson/Jenkins job itself. Example code for unlocking a keychain looks like this:
#!/bin/bash

...

# for debug use: show the keychains in the search list
security list-keychains

keychain="<PATH_TO_KEYCHAIN_FILE>"   # e.g. $HOME/Library/Keychains/login.keychain
password="<KEYCHAIN_PASSWORD>"       # plain-text keychain password, see "Security Advice" below

# unlock the keychain; all output is discarded so that the password does not end up in the build log
security unlock-keychain -p "${password}" "${keychain}" &>/dev/null

if [ $? -ne 0 ]; then
    echo "Cannot open keychain ${keychain}"
    exit 1
fi

...
Security Advice
To protect the password that is contained in plain text in the shell script, take the following steps:
- Set the umask to 0077. This ensures that newly created files and directories have owner-only access rights (700), so that the config.xml files containing the password in plain text cannot be read by other users.
- Do not use #!/bin/bash -x. With the -x flag every executed command, including the one carrying the password, is printed into the log.
- Redirect any output of the security call to /dev/null.
- Set HISTSIZE to 0 (e.g. export HISTSIZE=0 in ~/.bashrc). This prevents the password from being recorded in the shell history.
- Use the Hudson/Jenkins security features. Restrict the access rights so that the job configuration can only be read by authorized users.
- Run Hudson/Jenkins under a dedicated user.
Tips and Tricks
- By default a keychain locks itself again after a timeout interval. In long-running builds it can therefore happen that the keychain is already locked again before the code sign step runs. After the command security set-keychain-settings has been run on the keychain (without any timeout option), the keychain remains unlocked indefinitely. It is sufficient to execute this command once in a shell, since the timeout is a property of the keychain itself; it is not necessary to put the command into the Maven build jobs so that it runs during each and every build.
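The unlock step from "The Solution", rewritten with the hygiene rules from "Security Advice" and the timeout tip applied, as an added example (not the original page's script). It assumes the keychain password is kept in a file that only the build user can read (the path $HOME/.keychain-pass is an assumption) instead of in the job's config.xml.

```shell
#!/bin/bash
# Added example (not the original page's script): hardened keychain unlock for a
# Hudson/Jenkins job. Assumption: the keychain password lives in a file that only
# the build user can read (e.g. $HOME/.keychain-pass, mode 600), not in config.xml.

set +x                # never trace this script: -x would print the password into the log
umask 0077            # everything the job creates is owner-only
export HISTSIZE=0     # keep the unlock command out of the shell history
unset HISTFILE

# Unlock keychain $1 with the password stored in file $2. Returns 0 on success,
# 1 otherwise. The output of security is discarded so the password cannot leak
# into the build log.
unlock_keychain() {
    local keychain=$1 passfile=$2 password
    if [ ! -r "$passfile" ]; then
        echo "Password file $passfile is not readable" >&2
        return 1
    fi
    password=$(cat "$passfile")            # command substitution strips the trailing newline
    if ! security unlock-keychain -p "$password" "$keychain" >/dev/null 2>&1; then
        echo "Cannot open keychain $keychain" >&2
        return 1
    fi
    return 0
}

# Remove the lock timeout of keychain $1 so a long build does not find it locked
# again before codesign runs. The setting is stored in the keychain itself, so
# running this once per keychain is enough.
keep_keychain_unlocked() {
    security set-keychain-settings "$1" >/dev/null 2>&1
}

# Only run the steps on a machine that actually has the macOS security tool.
if command -v security >/dev/null 2>&1; then
    KEYCHAIN="${KEYCHAIN:-$HOME/Library/Keychains/login.keychain}"
    PASSFILE="${PASSFILE:-$HOME/.keychain-pass}"   # assumed location of the password file
    unlock_keychain "$KEYCHAIN" "$PASSFILE" || exit 1
    keep_keychain_unlocked "$KEYCHAIN"
    security list-keychains                         # for debug use
fi
```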