xcodebuild stuck on codesign? how to disable prompt?

Question

I'm trying to get continuous integration set up, specifically for circleci with iOS. someone has done a great job of writing the details of this: http://mazyod.com/blog/2015/03/26/marry-circleci-to-hockey/

however, my xcodebuild always gets stuck, and it looks like it's waiting for codesign:

/usr/bin/codesign --force --sign...

the log shows that it has been running for over an hour. my guess is that... is this command waiting for an input or something?

if so, how do i force it to use the keychain i've created using the distribution cert/private key ?

here's what the script (add-keys.sh) looks like:

#!/bin/sh
security -v create-keychain -p $KEY_PASSWORD ios-build.keychain
security -v import ./utils/build_tools/custom_builds/apple.cer -k ~/Library/Keychains/ios-build.keychain -T /usr/bin/codesign
security -v import ./utils/build_tools/custom_builds/distribution.cer -k ~/Library/Keychains/ios-build.keychain -T /usr/bin/codesign
security -v import ./utils/build_tools/custom_builds/distribution_cert_private_key.p12 -k ~/Library/Keychains/ios-build.keychain -P $KEY_PASSWORD -T /usr/bin/codesign
security -v list-keychain -s ~/Library/Keychains/ios-build.keychain
security -v unlock-keychain -p $KEY_PASSWORD ~/Library/Keychains/ios-build.keychain

mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
cp ./utils/build_tools/custom_builds/profile/* ~/Library/MobileDevice/Provisioning\ Profiles/
ls ~/Library/MobileDevice/Provisioning\ Profiles/

where i've stored $KEY_PASSWORD on circle ci's environment vars and is being recognized.

is it that this is causing a pop up prompt to allow user to use keychain or something? if so, am i just supposed to sudo everywhere? or how do i get rid of this?

did i not import the correct certificates or something? are they incorrectly named or something? i used the exact ones i use to build normally.

Answer 1

I had the same problem with Circle CI 2.0 and xcode >= 9.0.

Looks like problem in MacOS Sierra (and popup with credentials prompt).

You can fix it simply by using following command as build step:

security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD circle.keychain

I've found solved issue in Circle CI discuss:

https://discuss.circleci.com/t/xcode-8-3-build-timing-out/11721/5

Good luck!

Answer 2

Perhaps it was re-locked after executing security unlock-keychain if your build process took a long time.

The default timeout is 300s. (You can check it with security show-keychain-info <your keychain path> .)

You can extend it like this:

# Extend the timeout to 600s
security set-keychain-settings -lut 600

FYI, it's described in man security like this:

set-keychain-settings [-hlu] [-t timeout] [keychain]
       Set settings for keychain, or the default keychain if none is specified.
       -l              Lock keychain when the system sleeps.
       -u              Lock keychain after timeout interval.
       -t timeout      Specify timeout interval in seconds (omitting this option specifies "no timeout").

Answer 3

You have confused P12_PASSWORD and KEYCHAIN_PASSWORD! Please see the original version: https://github.com/thorikawa/CircleCI-iOS-TestFlight-Sample/blob/master/scripts/add-key.sh

From there, you could see that create-keychain and unlock-keychain use KEYCHAIN_PASSWORD, import use P12_PASSWORD!

So you need store two password and use them correctly!