I’m trying to upload my certs to Bitrise by using the codesigndoc tool, which I’m running with the following command
bash -l -c "$(curl -sfL https://raw.githubusercontent.com/bitrise-tools/codesigndoc/master/_scripts/install_wrap-xcode.sh) --scheme='my Scheme' --certs-only"
The issue is that it’s not detecting any distribution certificates
The Xcode archive used development certificate: iPhone Developer: Me (XXX) [1234].
Please select a distribution certificate:
Please select from the list:
(type in the option's number, then hit Enter) [1] :
It errors out if I try and continue, with an invalid option response (if I just try to put in 1 or 0).
I already archived and exported the ipa manually, which I heard is sometimes needed.
This seems to be an issue in codesigndoc - tracking it at: https://discuss.bitrise.io/t/no-codesigndoc-distribution-certificatea/4355
Will report the progress there.
I was able to circumvent the problem by removing the scheme & certs-only flags.
Not sure why, but it fixed the problem.
Related
I am facing a weird issue for an Command line application created from Xcode . I am running a script to fetch expiry date of one of the certificates available in Keychain access in Mac using the below command
security find-certificate -c "CertificateNameHere" -p | openssl x509 -text | grep "Not After"
When I run it locally through Xcode I am able to fetch the date. But when I Run the app as a service from one of the Library folder the expiry date is not fetched. Instead I am getting a error
PEM routines:CRYPTO_internal:no start line:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.140.1/libressl-2.8/crypto/pem/pem_lib.c:684:Expecting: TRUSTED CERTIFICATE
Though the certificate is trusted
I tried lot of solutions like Trying to find a proper solution to get the expiry date of one the certificates available in keychain but there is no luck. So I am posting it in stackoverflow. I tried another solution to use Mac Xcode security framework to fetch the date using swift but The issue persists.
The probable reason to your trouble is access permissions.
When the script is run as a service it has another user and different/none environment context (Like crontab service).
You can fix this by providing the service with proper login user, and initialize the service with proper source command to respective .profile or .bash_profile script.
I'm trying to build for App Store but I got the error Command /usr/bin/codesign failed with exit code 1. I tried to clean DerivedData, restart computer, revoke keys and create new one. I had updated my mac to catalina and Xcode 11, before the upgrade it was working.
/Users/digistarts/Library/Developer/Xcode/DerivedData/Runner-glehwjejufujqwblxzreggowpgvb/Build/Intermediates.noindex/ArchiveIntermediates/Runner/InstallationBuildProductsLocation/Applications/Runner.app/Frameworks/Flutter.framework: replacing existing signature
Warning: unable to build chain to self-signed root for signer "Apple Development: Daniel Santana (85UL9U2WVT)"
/Users/digistarts/Library/Developer/Xcode/DerivedData/Runner-glehwjejufujqwblxzreggowpgvb/Build/Intermediates.noindex/ArchiveIntermediates/Runner/InstallationBuildProductsLocation/Applications/Runner.app/Frameworks/Flutter.framework: errSecInternalComponent
Command /usr/bin/codesign failed with exit code 1
In Keychain Access... The solution was right clicking on Apple Worldwide Developer Relations Certification Authority and select Get Info. In the Image bellow, I've change When using this certificate to Use System Defaults and the system asked me to put password. Now it's working \o/
In case it'll be helpful for someone else - I had the same problem, which only was reproduced with no internet connection, and as fast as I connect back - error disappears.
My project xamarin forms.
I had such a problem after renewing the certificate, it turned out at the end of the build on the Mac it asks for the user's password when checking the certificate.
I have been trying to test my app on a real device and I keep getting this error. I have tried changing my project to this selected answer already XCode 9.1 Command /bin/sh failed with exit code 1 , but it did not work and I have also deleted my derived data already. I hope someone can help me! Thanks!!
If you search around there are a lot of solutions presented to solve this problem. But a few them are outdated or very specific to a certain domain. Recently I ran into the same issue with Charts and Xcode refusing to build to my device with the same error message. The problem you're having has nothing to do with your free developer account but rather with the keychain.
To solve it you'll have to do the following:
Open Terminal and type: security set-key-partition-list -S apple-tool:,apple:,codesign: -s /Users/YOUR_USERNAME/Library/Keychains/login.keychain-db
You'll be prompted for your password. If you enter your password correctly and are repeatedly told it is incorrect go into Utilities -> Keychain Access.
Select and deselect the lock. Enter your password when prompted. Re-enter the command on terminal input your password and then clean/build on Xcode. Everything should work as before.
All of a sudden, with no change to the Xcode build server, I started getting an error, even across different bots, branches, and apps (all are Mac apps). I didn't change any software or configuration on the build server (that I know of), or even sign into it. I get the error once during analysis:
Check dependencies
Code Sign error: Multiple matching codesigning identities found: Multiple codesigning identities (i.e. certificate and private key pairs) matching “Mac Developer: OS X Server (N________L)” were found.
And again during Testing (though my tests pass – the one above is what fails the build):
Testing failed:
Multiple matching codesigning identities found: Multiple codesigning identities (i.e. certificate and private key pairs) matching “Mac Developer: OS X Server (N________L)” were found.
I have tried the following, triggering a build after each step, with no change in the message:
Triggered another build
Updated to the latest Xcode on the build server (6.3.2)
Searched through Keychain Access for any "OS X Server" certificates or keys, finding none
Removed all Developer Teams from Server.app. Note: this acted weird. I had to remove it twice before the setting read "No Teams", but now it's stayed that way
I signed in to add my team again
Removed it again, which still had to be done twice before it "stuck"
Restarted the machine, multiple times
Removed all provisioning profiles from /Library/Developer/XcodeServer/ProvisioningProfiles
Signed in with my developer account again after removing the provisioning profiles. They have been recreated, but the error remains
I turned off "Perform analyze action" in the bot, which did get rid of the message, but turning it back on, or turning on "Perform archive action", reintroduce it, so that's not an option (also, I want static analysis performed, which is why it's turned on in the first place).
Assuming for the moment that Xcode Server's list of signing identities is corrupted, how would I go about resetting them, outside of Server.app (since I already removed the Development Team there)? I found a couple of directories that seem like candidates for some troubleshooting and/or backup restoration, but I'm hesitant to mess around without knowing for sure what they're for.
/Library/Developer/XcodeServer/Certificates
/Library/Developer/XcodeServer/Keychains
I noticed that my provisioning profiles all expire on May 20, 2016. This means my old ones expired two days ago (5/20/2015), which was between my last successful (5/19) and first failed (5/21) builds.
So now, knowing the source of these failures, the problem now becomes: how do I clear out the old provisioning profiles (or certificates, etc.) that are causing the duplicates?
The server is up-to-date on Yosemite (10.10.3), Server (4.1), and Xcode (6.3.2).
Update
I'm trying to list codesigning identities, but can't get even a single "Mac Developer: OS X Server" to show up, let alone multiples. These are the commands I've tried, which only list the non-Server identities in the keychain:
security find-identity -p codesigning
sudo -u _xcsbuildd security find-identity -p codesigning
sudo -u _xcsd security find-identity -p codesigning
It looks like a bug in Server did in fact introduce a duplicate signing identity. I reported it as rdar://21080937, if you'd like to dupe it.
In order to fix it, I had to learn about how Xcode Server stores signing identities (thanks entirely to an extremely helpful answer to an unrelated question).
Xcode Server stores Developer Program certificates in
/Library/Developer/XcodeServer/Keychains/Portal.keychain
Following the steps below, I was able to open the keychain, find the duplicate, remove it, and put it back. These steps are adapted from the answer linked above.
Sign out of the Developer Portal from Server.app by removing the developer team you're having issues with
Copy the Portal keychain to your desktop:
> sudo cp /Library/Developer/XcodeServer/Keychains/Portal.keychain ~/Desktop/
Password: your-administrator-password
> sudo chown `whoami`:staff ~/Desktop/Portal.keychain
Set the Portal keychain password to “123”
> security set-keychain-password -o "`sudo cat /Library/Developer/XcodeServer/SharedSecrets/PortalKeychainSharedSecret`" ~/Desktop/Portal.keychain
New Password: 123
Retype New Password: 123
Open the Keychain in Keychain Access:
> open -b com.apple.keychainaccess ~/Desktop/Portal.keychain
Unlock the “Portal” keychain using password “123”
Find the duplicate keys with the name listed in the error
Remove one (I picked the one modified less recently, but it may not matter)
Lock the “Portal” keychain, quit “Keychain Access”
Reset the Portal keychain password:
> security set-keychain-password -p "`sudo cat /Library/Developer/XcodeServer/SharedSecrets/PortalKeychainSharedSecret`" ~/Desktop/Portal.keychain
Password: your-administrator-password (optional step)
Old Password: 123
It may or may not ask you for your administrator password again, pay attention to the prompt.
Backup the original keychain
> sudo cp /Library/Developer/XcodeServer/Keychains/Portal.keychain /Library/Developer/XcodeServer/Keychains/Portal.keychain.old
Copy the Portal keychain back
> sudo cp ~/Desktop/Portal.keychain /Library/Developer/XcodeServer/Keychains/
Fix the new keychain's permissions
> sudo chown _xcsbuildd:_xcs /Library/Developer/XcodeServer/Keychains/Portal.keychain
Since the system caches open keychains, restart the server
Add your developer team back, in Server.app
Run a build, verifying everything looks good. If so, remove the backup copies of the keychain
> rm ~/Desktop/Portal.keychain
> sudo rm /Library/Developer/XcodeServer/Keychains/Portal.keychain.old
My eventual workaround for the issue below was to convince our IT guys not to man-in-the-middle the dockerhub registry. I was not able to get anything else to work, alas.
I am running into a problem with my initial attempt to get Docker running on my Mac at work, which is running 10.8.5. It appears that my company's certificate-rewriting proxy seems to be getting in the way of fetching images:
orflongpmacx8:docker pohl_longsine$ docker run hello-world
Unable to find image 'hello-world:latest' locally
Pulling repository hello-world
FATA[0001] Get https://index.docker.io/v1/repositories/library/hello-world/images: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "bcauth")
(Indeed, when I log onto the guest wireless – which does not have the meddlesome proxy – I can get past this step. However, I need to figure out how to make this work through the proxy since using the guest wireless is untenable as a long-term solution.)
My issue, on the surface, appears to be very much like the one answered in this question. However, the accepted answer in that question does not work for me, since the root_unix.go file they discuss does not get invoked on a Mac. (From browsing around, I would guess that root_cgo_darwin.go and/or root_darwin.go would be involved instead.)
That doesn't really tell me how, operationally, I need to do the equivalent work of installing some sort of trusted certificate. I managed to get my hands on a *.cer file that I believe to be the one that I need, but I'm at a loss as to what to do with it.
I'm hoping that someone can point me in the right direction.
Edit: I thought that maybe I needed to to something akin to what this page suggests, to add the certificate. Alas, my attempt at following those instructions failed in the following way:
orflongpmacx8:docker pohl_longsine$ sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "~/Desktop/Certs/redacted.cer"
Password:
***Error reading file ~/Desktop/Certs/redacted.cer***
Error reading file ~/Desktop/Certs/redacted.cer
Edit 2: I may have come one step closer to solving this. I should have known better to use a path with a tilde inside quotation marks. If I use an absolute path instead, I can successfully run the above command to add certs.
Alas, this did not alleviate the ultimate symptom:
FATA[0001] Get https://index.docker.io/v1/repositories/library/hello-world/images: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "bcauth")
According to the boot2docker README
Insecure Registry
As of Docker version 1.3.1, if your registry doesn't support HTTPS, you must add it as an insecure registry.
$ boot2docker init
$ boot2docker up
$ boot2docker ssh
$ echo 'EXTRA_ARGS="--insecure-registry <YOUR INSECURE HOST>"' | sudo tee -a /var/lib/boot2docker/profile
$ sudo /etc/init.d/docker restart
then you should be able to do a docker push/pull.
The source of http://golang.org/src/crypto/x509/root_darwin.go shows that the command:
cmd := exec.Command("/usr/bin/security", "find-certificate", "-a", "-p", "/System/Library/Keychains/SystemRootCertificates.keychain")
is used to find the certificate.
Try adding the .cer file into the OSX certificate key-chain.
If you use the docker-machine
edit $USER/.docker/machine/machines/default/config.json
"EngineOptions": {
"InsecureRegistry": [
"XXX.XXX.virtual"
],
}