Re: Separate strip zapping script generated digital signatures
- Subject: Re: Separate strip zapping script generated digital signatures
- From: Jim Wintermyre <email@hidden>
- Date: Mon, 8 Mar 2010 18:12:24 -0800
It does look like the stripping happens after all other build phases.
I guess I'd suggest taking your approach of moving the strip into a
command line in the script phase.
Or, for the release config, move the code signing out of the script
build phase, and do your build manually from a script (i.e. in a
script you run from the terminal, use xcodebuild to build the
project, then do your code signing step). This means you can't build
a signed release binary from within the IDE, but maybe that's OK if
as a dev you're normally building the debug config, which you can
still build signed from the IDE.
Jim
Hi all,
I'm having problems getting digital signatures working with our
build environment. First off, I should mention that we're using
certificate credentials in a keychain file other than the local or
system keychain. There are a number of reasons for doing this,
including committing the credentials into source control so that all
developers and build automation have access to them. Also, the root
and intermediate CAs in the keychain we're using are within our own
PKI, in case that information is relevant.
Unfortunately it seems that when our signing identity is in a
separate keychain file as indicated above, Xcode is unable to
resolve the CODE_SIGN_IDENTITY, even if the keychain file is in the
known list (as evidenced via "security list-keychains"). What I see
when attempting to build is this error:
Code Signing Identity 'SigningIdentity' does not match any valid,
non-expired, code-signing certificate in your keychain.
I assume that Xcode simply looks in the login keychain. Or perhaps
it's using some criteria for validating the identity that is failing
in our case since we have our own credentials, including our own
root CA. Regardless, I just assumed that this is an Xcode limitation
and started seeking workarounds.
What I tried next was calling codesign directly from a script in a
"Run Script" build phase at the end of the build. This works for the
Debug configuration just fine. I get signed binaries without any
problem.
But in the Release configuration, the signing script gets called
*before* strip is invoked. The result is that the signed binary is
stripped, which invalidates the digital signature. Perhaps this is
due to the fact that our xcconfigs define the "Use Separate Strip"
option.
In our case, all Release binaries need to be properly stripped.
History has shown that using "Use Separate Strip" in combination with
"Deployment Postprocessing" is the reliable way to do this. Note
that many, but not all, of our binaries need to be digitally signed.
What I need is some sort of detente between these options that
allows us to always properly strip all Release binaries, and
properly sign certain binaries that require digital signatures. I
suppose that I could change our base xcconfigs to not use separate
strip, change the script to do the strip when the deployment flag is
set, then change all of the projects to digitally sign the
executables. But I'm wondering if there's a better way.
Does anyone have any suggestions?
Best,
--
Allen Cronce
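A "Run Script" phase along the lines Jim describes, as an added example that is not from either message in the thread: it strips first (only when deployment postprocessing is on) and signs afterwards, so the signature covers the stripped binary, and it points codesign at the separate keychain file with --keychain. It assumes SEPARATE_STRIP and STRIP_INSTALLED_PRODUCT are turned off in the xcconfig so Xcode does not strip again after this phase; SIGN_IDENTITY, SIGN_KEYCHAIN, SIGN_THIS_TARGET and STRIP_FLAGS are assumed user-defined settings, not Xcode's own.

```shell
#!/bin/sh
# Added example (not from the thread): strip-then-sign Run Script phase.
# Xcode exports BUILT_PRODUCTS_DIR, EXECUTABLE_PATH, CONFIGURATION and
# DEPLOYMENT_POSTPROCESSING; SIGN_* and STRIP_FLAGS are assumed user settings.
set -eu

# Decide which steps run, and in which order, for the given settings.
# $1 = CONFIGURATION, $2 = DEPLOYMENT_POSTPROCESSING, $3 = sign this target?
# One step per line, so the plan can be inspected without touching a binary.
plan_steps() {
    if [ "$1" = "Release" ] && [ "$2" = "YES" ]; then
        echo strip          # strip must come before signing
    fi
    if [ "$3" = "YES" ]; then
        echo codesign       # sign the already-stripped binary
        echo verify         # fail the build if the signature does not check out
    fi
}

# Execute one planned step against the built product.
run_step() {
    bin="$1"; step="$2"
    case "$step" in
        strip)
            # Default flags are an assumption; adjust per product type.
            strip ${STRIP_FLAGS:--S -x} "$bin" ;;
        codesign)
            # --keychain tells codesign where the identity lives, so a
            # separate keychain file works without relying on login/System.
            codesign -f -s "$SIGN_IDENTITY" --keychain "$SIGN_KEYCHAIN" "$bin" ;;
        verify)
            codesign --verify --verbose=2 "$bin" ;;
    esac
}

main() {
    bin="${BUILT_PRODUCTS_DIR}/${EXECUTABLE_PATH}"
    for s in $(plan_steps "$CONFIGURATION" "${DEPLOYMENT_POSTPROCESSING:-NO}" \
                          "${SIGN_THIS_TARGET:-NO}"); do
        run_step "$bin" "$s"
    done
}

# Only act when invoked by Xcode (BUILT_PRODUCTS_DIR is set).
if [ -n "${BUILT_PRODUCTS_DIR:-}" ]; then
    main
fi
```

Targets that must not be signed simply leave SIGN_THIS_TARGET unset, and still get stripped in Release with deployment postprocessing on.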