为Atlassian Bamboo制作钥匙串证书

2018-06-04 17:38:08

我有一个建立包的Bamboo计划，我想用我的开发人员证书签署该包。在我的构建脚本中，我有这样的：

productsign --sign "Name of my certificate" "input.pkg" "output.pkg"

从命令行运行此脚本按预期运行。但是，从Bamboo运行脚本，我总是得到错误：

productsign: error: Could not find appropriate signing identity for "Name of my certificate"

我认为这一定是因为构建脚本从Bamboo运行时运行的上下文。如何使证书在Bamboo中可用？它安装在System ，而不是login 。

如果您需要以root身份运行Bamboo，那么您需要使用Keychain Access（应用程序>实用程序）将来自登录钥匙串的相应证书复制到您的系统钥匙串。

话虽如此，但以用户身份而不是root身份运行Bamboo可能会更好。例如，如果您需要使用移动设置配置文件在同一台服务器上签署任何iOS版本，则root将无法工作。

您是否尝试过操作？

即：

sudo productsign --sign "Name of my certificate" "input.pkg" "output.pkg"

由于关键在于系统钥匙串（可能不应该用于你的用例？），你可能无法以“常规”用户的身份访问它，即使[通过设计]你可以访问证书。

我的建议是将您需要的密钥存储在单独的钥匙串中。这将使它更容易找到并管理它们。只需创建一个新的钥匙链并将您的证书移入它; 将它存储在方便的地方。然后我用这种方式签名（我使用codesign签名，但--productsign是一样的）。我不会以root身份建立，也不会为此使用sudo。

# Keychain that holds all the required signing certificates
# To create a keychain like this, create it in "Keychain Access" and copy all your certificates into it
# Then set its timeout to infinite (so it doesn't re-lock itself during the build):
#    security set-keychain-settings <path>
# Passing no "-t" option means "no timeout."
# Generally you should just be able to copy this file from build host to build host as needed. Then
# add it to the available keychains using Keychain Access, File>Add Keychain…. If you don't add it to
# Keychain Access, you'll receive signing error CSSMERR_TP_NOT_TRUSTED, since it won't recognize the
# entire chain
keychain=~/Library/Keychains/MyProduct.keychain
keychain_password=somepassword # If you have one on the keychain
cert_identifier='My Signing Name'
...

# We assume the keychain has an infinite timeout, so we just unlock it once here.
if ! security unlock-keychain -p "${keychain_password}" ${keychain} ; then
  echo "Cannot unlock keychain. Cannot sign on this host."
  exit 1
fi

sign()
{
  name=$1 ; shift
  paths=$*

  if ${sign} ; then
    echo "** SIGNING $name **"
    chmod u+w $paths
    codesign --keychain ${keychain} -f -s ${cert_identifier} $paths
  fi
}

sign "The Whole Package" something.pkg

链接地址: http://www.djcxy.com/p/15291.html

上一篇: Making Keychain Certificates available to Atlassian Bamboo

下一篇: Troubleshooting Error: connect ECONNREFUSED in nodejs stream