Jenkins iOS using Credentials and Developer Profile

We use Jenkins as our CI server for our iOS team with the following setup:

  • OSX core server not performing any tasks
  • 2 subordinate OSX operators performing our integration tasks + user interface testing

Currently, all the signing identifiers and provisioning profiles for applications are downloaded from each slave, which makes administration tedious and adding a new node to the cluster even more painful.

To get around this, we looked at using the credential plugin with developer profiles and importing the profile as the first build step for all iOS tasks, but we run into these main problems:

  • The import developer profile seems to work the first time (at least it creates entries in the keychain), but the job fails with "does not match the profile profile", even if the developer profile contains all the initialization profiles required by the target.
  • A second run on the same task always fails with the error "Keychain already exist"

We tried a workaround for the second problem, adding a shell build step that removes the specific keychain, but we still encounter the first error. If we manually install the profile on the slave, we will skip the assembly, but this will defeat the purpose of using the credential plugin.

What do you guys think?

+5
1 answer

I think the new version of the credential plugin now first removes all existing keychains with the corresponding name before importing, as shown in the log output below.

 $ security delete-keychain jenkins-MyAppsBuildName-iOS
 $ security create-keychain -p ******** jenkins-MyAppsBuildName-iOS
 $ security unlock-keychain -p ******** jenkins-MyAppsBuildName-iOS

Because of this, I don’t think you will have a problem with duplicate errors in the keychain in the second run.

Since the problem with the initialization profile was not found, add the following line inside the run shell command and run the Jenkins build.

 security list-keychains 

Take a look at the console for this particular assembly, and you will see a list of all the keychains that are currently in the shell area.

If you do not see "jenkins-MyAppsBuildName-iOS" in the list of keychains, this is why you have a signature problem. Since the keychain is not listed, it is not even scanned to find the correct subscription ID / profile.

Solution: Warning: Hacking

I am not 100% sure why this is happening, but from other threads this is a permission issue.

Fortunately, there is an easy way.

At the execute command line, add the following:

 security list-keychain -s jenkins-${JOB_NAME} 

This will reset the list of keychains to include the keychains needed to successfully build the project.

To make sure that the relevant keychains are listed, you can add the following lines to the shell command:

 security list-keychain
 security list-keychain -s jenkins-${JOB_NAME}
 security list-keychain

Now compare the output of the first list-keychain command with the second list-keychain command in the console. Make sure the keychain created by Jenkins is listed in the output of the second list-keychain command.

Warning: This constantly changes the list of keychains in the system, so it is probably a good idea to reset the keychain after the build is complete. You can accomplish this by setting the default values of the required keychains in the Xcode configuration inside the Jenkins System Configuration section. After that, check the box "Restore OS X keychains after the build process as defined in the global configuration" in the build environment inside the Jenkins work page.

Additional information: In my example, I set up the list of keychains to include only the keychain created by Jenkins, but you can also enable the standard system and login keychains by changing the line as such:

 security list-keychain -s jenkins-${JOB_NAME} login.keychain System.keychain 

Keywords: Jenkins, iOS, slave, node, Xcode, plugin, credentials, .developerprofile

+6
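An added example, not part of the original answer: a shell build step that puts the job keychain into the search list, checks that it is actually listed, runs the build command, and restores the previous list afterwards so the change does not persist on the agent. The function names are hypothetical helpers; the keychain name `jenkins-${JOB_NAME}` comes from the answer, and the optional `-db` suffix on the listed file name is an assumption.

```shell
#!/bin/sh
# Added example for a Jenkins "Execute shell" step on a macOS agent.
# Assumption: the imported keychain is named jenkins-${JOB_NAME}, as in the answer.
# Function names are hypothetical helpers, not part of any plugin.

# Print the user keychain search list, one unquoted path per line.
current_keychains() {
    security list-keychains -d user |
        sed -e 's/^[[:space:]]*"//' -e 's/"[[:space:]]*$//'
}

# Succeed if keychain $1 is in the search list. Assumption: macOS may list the
# file with a "-db" suffix, so both spellings are accepted.
keychain_listed() {
    current_keychains | sed 's|.*/||' | grep -Fqx -e "$1" -e "$1-db"
}

# Replace the search list with the newline-separated entries in $1.
set_keychains() {
    (
        IFS='
'
        set -f    # split on newlines only, no globbing
        security list-keychains -d user -s $1
    )
}

# Run "$@" with keychain $1 first in the search list, then restore the old list.
run_with_job_keychain() {
    job_keychain=$1; shift
    saved=$(current_keychains)
    status=0
    set_keychains "$(printf '%s\n%s' "$job_keychain" "$saved")"
    if keychain_listed "$job_keychain"; then
        "$@" || status=$?
    else
        echo "keychain $job_keychain is not in the search list" >&2
        status=2
    fi
    set_keychains "$saved"    # restore even when the build failed
    return "$status"
}

# Usage in the build step (scheme name is a placeholder):
#   run_with_job_keychain "jenkins-${JOB_NAME}" xcodebuild -scheme MyScheme build
```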

Source: https://habr.com/ru/post/1201699/

