Separate strip zapping script generated digital signatures
- Subject: Separate strip zapping script generated digital signatures
- From: Allen Cronce <email@hidden>
- Date: Fri, 5 Mar 2010 08:58:31 -0800
Hi all,
I'm having problems getting digital signatures working with our build environment. First off, I should mention that we're using certificate credentials in a keychain file other than the local or system keychain. There are a number of reasons for doing this, including committing the credentials into source control so that all developers and build automation have access to them. Also, the root and intermediate CAs in the keychain we're using are within our own PKI, in case that information is relevant.
Unfortunately it seems that when our signing identity is in a separate keychain file as indicated above, Xcode is unable to resolve the CODE_SIGN_IDENTITY, even if the keychain file is in the known list (as evidenced via "security list-keychains"). What I see when attempting to build is this error:
Code Signing Identity 'SigningIdentity' does not match any valid, non-expired, code-signing certificate in your keychain.
I assume that Xcode simply looks in the login keychain. Or perhaps it's using some criteria for validating the identity that is failing in our case since we have our own credentials, including our own root CA. Regardless, I just assumed that this is an Xcode limitation and started seeking workarounds.
What I tried next was calling codesign directly from a script in a "Run Script" build phase at the end of the build. This works for the Debug configuration just fine. I get signed binaries without any problem.
But in the Release configuration, the signing script gets called *before* strip is invoked. The result is that the signed binary is stripped, which invalidates the digital signature. Perhaps this is due to the fact that our xcconfigs define the "Use Separate Strip" option.
In our case, all Release binaries need to be properly stripped. History has shown that using "Use Separate Strip" in combination with "Deployment Postprocessing" is the reliable way to do this. Note that many, but not all, of our binaries need to be digitally signed.
What I need is some sort of detente between these options that allows us to always properly strip all Release binaries, and properly sign certain binaries that require digital signatures. I suppose that I could change our base xcconfigs to not use separate strip, change the script to do the strip when the deployment flag is set, then change all of the projects to digitally sign the executables. But I'm wondering if there's a better way.
Does anyone have any suggestions?
Best,
--
Allen Cronce
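The strip-then-sign ordering the post is after, as an added example that is not from the original message or from Xcode: a Run Script phase body that strips only when DEPLOYMENT_POSTPROCESSING is set, then signs from a separate keychain file and verifies the result so a broken signature fails the build. The keychain path, the identity name and the SIGNED_PRODUCTS list are assumed placeholders for the reader's own values.

```shell
#!/bin/sh
# Added example (not from the original post). Run Script phase that
# post-processes the built executable in the only order that works:
# strip first, sign second, because strip rewrites the file and would
# invalidate a signature computed before it.
set -eu

# Keychain file holding the signing identity (assumed path; the post only
# says it is a keychain other than login/System).
SIGNING_KEYCHAIN="${SIGNING_KEYCHAIN:-${SRCROOT:-.}/build-support/signing.keychain}"
SIGNING_IDENTITY="${SIGNING_IDENTITY:-SigningIdentity}"
# Space-separated names of executables that must be signed (assumed list);
# everything else is only stripped.
SIGNED_PRODUCTS="${SIGNED_PRODUCTS:-}"

# needs_signature NAME -> exit 0 if NAME is listed in SIGNED_PRODUCTS
needs_signature() {
    for p in $SIGNED_PRODUCTS; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# postprocess_binary PATH -> strip (when deploying), then sign, then verify
postprocess_binary() {
    bin="$1"
    name=$(basename "$bin")
    if [ "${DEPLOYMENT_POSTPROCESSING:-NO}" = "YES" ]; then
        # Match the flags to the project's STRIP_STYLE if it differs.
        strip "$bin"
    fi
    if needs_signature "$name"; then
        codesign --force --sign "$SIGNING_IDENTITY" \
            --keychain "$SIGNING_KEYCHAIN" "$bin"
        # Fail the build rather than ship an invalid signature.
        codesign --verify "$bin"
    fi
}

# Xcode sets these for Run Script phases; the guard lets the file be
# sourced outside a build without doing anything.
if [ -n "${TARGET_BUILD_DIR:-}" ] && [ -n "${EXECUTABLE_PATH:-}" ]; then
    postprocess_binary "$TARGET_BUILD_DIR/$EXECUTABLE_PATH"
fi
```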