Re: Codesign from Build Server

  • Subject: Re: Codesign from Build Server
  • From: Alastair Houghton <email@hidden>
  • Date: Fri, 17 Jul 2009 09:10:58 +0100

On 14 Jul 2009, at 21:12, Richard Holliday wrote:

> We have a TeamCity build server set up to produce automatic builds for our
> Cocoa application. We also code sign our apps but this part has to be done
> on a dev box as the build agent (OS X 10.5) doesn’t recognize the
> certificate in the system keychain (there is no login keychain when the
> build agent runs the post-build signing script).
>
> Has anyone else set up a build server which code signs their apps?

Yes.

> If so, was there a trick to getting the certificate / keychain to play nicely?

**Don't** put certificates in the system keychain (I learned this the hard way). You can easily break Server Admin because servermgrd isn't picky about which certificate it uses from the system keychain (it just uses the first thing it comes across, it seems), but Server Admin will throw a wobbly (with some very unhelpful error messages) if the certificate it finds doesn't validate for whatever reason.


Instead, why not create a separate keychain to contain your code signing identity? This means you can lock it with a password that you only give out to users who are supposed to be able to trigger the signing step; either that, or if you want anyone to be able to do it, it means you can stick the password in a script without worrying too much (obviously set the permissions on the script according to your requirements).

Then you need to do

  security unlock-keychain <path-to-keychain>

followed by

  codesign --keychain <path-to-keychain> -s <code-signing-identity> <thing-to-sign>

Obviously the unlock-keychain command is going to prompt for the password, so you'll have to arrange to feed it something appropriate. Either that, or use the "-p" option to pass the password to it (remembering that this will show up in the process list, so you had better not want the password to be secret if you do that).

Kind regards,

Alastair.

--
http://alastairs-place.net
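
One way to script the unlock and sign steps described above while keeping the password out of the process list, as an added example that is not part of the original post. It feeds the `unlock-keychain` command to `security -i` (interactive mode) on stdin and refuses a password file that group or others can read. The function names, the `SECURITY_BIN`/`CODESIGN_BIN` overrides and the one-line password file are assumptions, as is interactive mode honouring double-quoted arguments.

```shell
#!/bin/sh
# Added example, not from the original post. SECURITY_BIN, CODESIGN_BIN and
# both function names are hypothetical; the overrides exist so the flow can
# be exercised with stand-ins on a machine without the macOS tools.
SECURITY_BIN=${SECURITY_BIN:-security}
CODESIGN_BIN=${CODESIGN_BIN:-codesign}

# Succeed only if $1 is a regular file with no group/other permission bits
# (e.g. mode 600 or 400), judged from the portable `ls -ld` mode string.
secret_file_is_private() {
    case "$(ls -ld "$1" 2>/dev/null)" in
        -???------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# unlock_and_sign <path-to-keychain> <password-file> <identity> <thing-to-sign>
# Returns 2 on an unsafe or unusable password file, 3 if the unlock step
# fails, 4 if signing fails.
unlock_and_sign() {
    keychain=$1 pwfile=$2 identity=$3 target=$4

    if ! secret_file_is_private "$pwfile"; then
        echo "refusing to use $pwfile: readable by group or others" >&2
        return 2
    fi

    # First line of the file is the password; tolerate a missing final newline.
    pw=
    IFS= read -r pw < "$pwfile" || [ -n "$pw" ] || return 2

    # Assumption: interactive mode honours double quotes. Reject characters
    # that would break out of them rather than trying to escape them.
    case $pw in
        ''|*\"*|*\\*) echo "password is empty or has a quote/backslash" >&2
                      return 2 ;;
    esac

    # printf is a shell builtin, so the password goes straight into the pipe
    # and never becomes an argument of any process (unlike -p on argv).
    printf 'unlock-keychain -p "%s" "%s"\n' "$pw" "$keychain" |
        "$SECURITY_BIN" -i || return 3
    pw=

    "$CODESIGN_BIN" --keychain "$keychain" -s "$identity" "$target"
    rc=$?
    # Re-lock whether or not signing worked, so the identity is not left usable.
    "$SECURITY_BIN" lock-keychain "$keychain"
    [ "$rc" -eq 0 ] || return 4
}
```

A build step would source this file and call `unlock_and_sign` with the dedicated keychain, a mode-600 password file owned by the build user, the signing identity and the built product.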



_______________________________________________

Cocoa-dev mailing list (email@hidden)
