Making Keychain Certificates available to Atlassian Bamboo

I have a Bamboo plan which builds a package, and I want to sign that package with my developer certificate. In my build script, I have this:

productsign --sign "Name of my certificate" "input.pkg" "output.pkg"

Running this script from the command line works as expected. However, running the script from Bamboo, I always get the error:

productsign: error: Could not find appropriate signing identity for "Name of my certificate"

I presume this must be because of the context that the build script is run in when run from Bamboo. How do I make the certificate usable in Bamboo? It is installed in System, not login.


If you need to run Bamboo as root, then you'll need to copy the appropriate certificates from your login keychain to your System keychain using Keychain Access (Applications > Utilities).

Having said that, it would probably be better to run Bamboo as a user instead of root. E.g. if you need to use mobile provisioning profiles to sign any iOS builds on the same server, being root will not work.


Have you tried sudo'ing the operation?

I.e.:

sudo productsign --sign "Name of my certificate" "input.pkg" "output.pkg"

As the key is in the System keychain (which maybe it shouldn't be for your use case?), you likely don't have access to it as a 'regular' user, even though [by design] you have access to the certificates in it.


My recommendation is to store the keys you need in a separate keychain. That will make it much easier to find them and manage them. Just create a new keychain and move your cert into it; store it somewhere convenient. Then I sign things this way (I'm using codesign, but --productsign is the same). I do not build as root, nor do I use sudo for this.

# Keychain that holds all the required signing certificates.
# To create a keychain like this, create it in "Keychain Access" and copy all your certificates into it.
# Then set its timeout to infinite (so it doesn't re-lock itself during the build):
#    security set-keychain-settings <path>
# Passing no "-t" option means "no timeout."
# Generally you should just be able to copy this file from build host to build host as needed. Then
# add it to the available keychains using Keychain Access, File > Add Keychain…. If you don't add it to
# Keychain Access, you'll receive signing error CSSMERR_TP_NOT_TRUSTED, since it won't recognize the
# entire chain.
keychain=~/Library/Keychains/MyProduct.keychain
keychain_password=somepassword # If you have one on the keychain
cert_identifier='My Signing Name'
sign=${sign:-true} # true/false switch used by the sign() function below (a variable, not the function)
...

# We assume the keychain has an infinite timeout, so we just unlock it once here.
if ! security unlock-keychain -p "${keychain_password}" "${keychain}" ; then
  echo "Cannot unlock keychain. Cannot sign on this host."
  exit 1
fi

# sign <display name> <path>... : signs every path given after the display name
sign()
{
  name=$1 ; shift

  if ${sign} ; then
    echo "** SIGNING $name **"
    chmod u+w "$@"
    # Quote the identity and keychain: the identity name contains spaces
    codesign --keychain "${keychain}" -f -s "${cert_identifier}" "$@"
  fi
}

sign "The Whole Package" something.pkg
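The same dedicated-keychain procedure (set no timeout, make the keychain visible to the build user, unlock once, then sign), written up as an added example that is not part of the original answer. It goes a little beyond the answer in two ways: the Keychain Access steps are done with the `security` command so a headless Bamboo agent user can be set up without a GUI session, and before calling productsign the script checks that the keychain is in the user's search list and that the identity is actually listed, so the "Could not find appropriate signing identity" situation from the question is reported with a specific cause. The keychain path, the identity name, the KEYCHAIN_PASSWORD environment variable and the two sample command outputs are all assumptions or constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the answer above. All names, paths and the two
# sample outputs are constructed placeholders; KEYCHAIN_PASSWORD is assumed to
# be an environment variable that the Bamboo agent provides to the build.

# Use the path exactly as `security list-keychains` prints it (recent macOS
# versions store keychains as *.keychain-db).  Assumed location.
keychain="${HOME}/Library/Keychains/MyProduct.keychain-db"
keychain_password="${KEYCHAIN_PASSWORD:-}"   # never hard-code it in the plan
cert_identifier="Developer ID Installer: Example Corp (ABCDE12345)"  # placeholder identity name

# Constructed sample of `security list-keychains -d user` output (one quoted path per line).
SAMPLE_LIST_KEYCHAINS='    "/Users/build/Library/Keychains/MyProduct.keychain-db"
    "/Users/build/Library/Keychains/login.keychain-db"
    "/Library/Keychains/System.keychain"'

# Constructed sample of `security find-identity -v -p basic <keychain>` output.
SAMPLE_FIND_IDENTITY='  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Developer ID Installer: Example Corp (ABCDE12345)"
     1 valid identities found'

# keychain_in_search_list OUTPUT PATH: succeeds if PATH is one of the quoted
# entries in OUTPUT. Takes the command output as an argument so it can be
# checked without the macOS tools present.
keychain_in_search_list() {
  printf '%s\n' "$1" | sed 's/^[[:space:]]*"//; s/"[[:space:]]*$//' | grep -qxF -- "$2"
}

# identity_available OUTPUT NAME: succeeds if OUTPUT lists a valid identity
# whose name is exactly NAME (a numbered line ending in the quoted name).
identity_available() {
  printf '%s\n' "$1" | grep -F -- " \"$2\"" | grep -qE '^[[:space:]]*[0-9]+\) '
}

# One-time setup on each build host, run as the Bamboo agent user (not root).
# This is the CLI equivalent of the Keychain Access steps in the answer.
# Assumes the user's existing search list is just the login keychain.
setup_keychain() {
  # No -t option: the keychain never re-locks itself on a timeout.
  security set-keychain-settings "${keychain}"
  # Add the keychain to this user's search list; without this the chain
  # cannot be evaluated and signing fails with CSSMERR_TP_NOT_TRUSTED.
  security list-keychains -d user -s "${keychain}" "${HOME}/Library/Keychains/login.keychain-db"
}

# sign_pkg INPUT OUTPUT: sign one installer package, checking each
# precondition first so the build log says why signing is impossible.
sign_pkg() {
  in_pkg=$1
  out_pkg=$2
  if ! keychain_in_search_list "$(security list-keychains -d user)" "${keychain}"; then
    echo "${keychain} is not in this user's keychain search list; run setup_keychain first." >&2
    return 1
  fi
  if ! security unlock-keychain -p "${keychain_password}" "${keychain}"; then
    echo "Cannot unlock ${keychain}; cannot sign on this host." >&2
    return 1
  fi
  if ! identity_available "$(security find-identity -v -p basic "${keychain}")" "${cert_identifier}"; then
    echo "No valid identity named '${cert_identifier}' in ${keychain}." >&2
    return 1
  fi
  productsign --keychain "${keychain}" --sign "${cert_identifier}" "${in_pkg}" "${out_pkg}"
}

# Only act when invoked directly with input and output packages on a host that has the tools.
if [ "$#" -eq 2 ] && command -v productsign >/dev/null 2>&1; then
  sign_pkg "$1" "$2"
fi
```

Run `setup_keychain` once per host as the agent user after copying the keychain file over, then call the script from the Bamboo plan as `sign_pkg input.pkg output.pkg` (or `./sign.sh input.pkg output.pkg`). Because the identity and keychain are checked before productsign runs, a misconfigured agent fails on the first build with a message naming the missing piece rather than the generic identity error from the question.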