Xcode Bot Keychain Configuration
The Xcode Bot server (as of 3.2.1) uses /Library/Developer/XcodeServer/Keychains/Portal.keychain to store the needed certs and keys used for codesigning (previously it used the System.keychain).
The server seems to automatically download only development certs and profiles (not distribution), so we must manually populate the keychain with the distribution cert/key pairs needed and manually place the distribution profile(s) we need into the location where the server looks for them. In my iOSContinuousIntegration system I have a pre_action.sh script which handles copying the profiles from where they are committed in the repository to the proper location on the server for the bots to locate them, so no need to go into that here. The keychain is a bit more complicated…
(Shamelessly borrowed from http://stackoverflow.com/a/25934218/397210)
Copy the Portal keychain to your desktop:
sudo cp /Library/Developer/XcodeServer/Keychains/Portal.keychain ~/Desktop/
Password: your-administrator-password
sudo chown `whoami`:staff ~/Desktop/Portal.keychain
Set the Portal keychain password to “123”:
security set-keychain-password -o "`sudo cat /Library/Developer/XcodeServer/SharedSecrets/PortalKeychainSharedSecret`" ~/Desktop/Portal.keychain
New Password: 123
Retype New Password: 123
Open the Keychain in Keychain Access:
open -b com.apple.keychainaccess ~/Desktop/Portal.keychain
Unlock the “Portal” keychain using password “123” (This may not be needed as it may already be unlocked).
Add the needed keys to the “Portal” keychain. Generally you will want your AdHoc Distribution certificate and private key, assuming you’re building for AdHoc distribution (for say, Crashlytics Beta).
Make sure the private keys have the correct access rights (in the “Access Control” tab of the “Get Info” dialog for the private keys in Keychain Access): “xcsbuildd”, “xcscontrol”, “xcodebuild” and “codesign” should be listed. “xcsbuildd”, “xcscontrol”, and “xcodebuild” are inside the Xcode application bundle, in
/Applications/Xcode.app/Contents/Developer/usr/bin
while “codesign” is /usr/bin/codesign. Finder’s “Go to Folder…” command is useful for locating these binaries, though you will likely need to “unhide” the /usr directory from the GUI. This can be done by opening a terminal and issuing the command:
sudo chflags nohidden /usr
Then navigate to /usr/bin and select the codesign executable from the file picker GUI in the “Access Control List” tab of Keychain Access’s Get Info dialog. Once it is added to the ACL you can (and should) re-hide /usr with this command:
sudo chflags hidden /usr
Lock the “Portal” keychain, quit “Keychain Access”
Reset the Portal keychain password:
security set-keychain-password -p "`sudo cat /Library/Developer/XcodeServer/SharedSecrets/PortalKeychainSharedSecret`" ~/Desktop/Portal.keychain
Password: your-administrator-password (optional step)
Old Password: 123
It may or may not ask you for your administrator password again; pay attention to the prompt.
Copy the Portal keychain back:
sudo chown _xcsbuildd:_xcs ~/Desktop/Portal.keychain
sudo cp ~/Desktop/Portal.keychain /Library/Developer/XcodeServer/Keychains/
Since the system caches open keychains, restart your computer.
…all this because Xcode Bots don’t copy non-development profiles.
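To confirm the result after the restart, the following check (an added example, not part of the original post or the Stack Overflow answer) parses security find-identity output for a distribution identity and compares the keychain's owner with the one set by the chown above. The function names, the --live flag, the script name check_portal.sh and the sample identities are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): confirm the Portal keychain
# ended up holding a distribution signing identity after the procedure above.

# Path taken from the post.
PORTAL_KEYCHAIN="/Library/Developer/XcodeServer/Keychains/Portal.keychain"

# Constructed sample of `security find-identity -v -p codesigning` output;
# the fingerprints, names and team IDs are made up.
SAMPLE_IDENTITIES='  1) 0000000000000000000000000000000000000001 "iPhone Developer: Build Bot (AAAAAAAAAA)"
  2) 0000000000000000000000000000000000000002 "iPhone Distribution: Example Corp (BBBBBBBBBB)"
     2 valid identities found'

# Read find-identity output on stdin, print the name of each distribution identity.
distribution_identities() {
    grep -E '^ *[0-9]+\) [0-9A-Fa-f]{40} "(iPhone|Apple) Distribution: ' |
        sed 's/^[^"]*"//; s/"[^"]*$//'
}

# Read find-identity output on stdin, print how many distribution identities it lists.
count_distribution_identities() {
    distribution_identities | wc -l | tr -d ' '
}

# Live check on the server (macOS only; run with sudo so the keychain is readable).
check_portal_keychain() {
    # Assumption: the installed file should carry the owner the post sets with chown.
    owner=$(stat -f '%Su:%Sg' "$PORTAL_KEYCHAIN") || return 2
    if [ "$owner" != "_xcsbuildd:_xcs" ]; then
        echo "unexpected owner on Portal.keychain: $owner" >&2
        return 1
    fi
    n=$(security find-identity -v -p codesigning "$PORTAL_KEYCHAIN" |
        count_distribution_identities)
    if [ "$n" -lt 1 ]; then
        echo "no valid distribution identity in $PORTAL_KEYCHAIN" >&2
        return 1
    fi
    echo "ok: $n distribution identity(ies), owner $owner"
}

# Run the live check only when asked: sudo sh check_portal.sh --live
if [ "${1:-}" = "--live" ]; then
    check_portal_keychain
fi
```

Without --live the script only defines the functions, so the parser can be tried against the constructed sample on any machine.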