Starting processes with different unlocked keychains on MacOS - macos

As described in question CLI: Switch keychains in order to sign an xcodebuild I have the problem of having to use two keychains for running xcodebuild. I need this because our enterprise & appstore identities are called the same.
When I try the proposed solution it works fine, if I'm running only one xcodebuild at a time. But I'm using a build server (Hudson or Jenkins) running multiple builds in parallel. Each build job should build the enterprise and the appstore version of an app, therefore it has to use different keychains. When changing the keychain list as proposed, this always affects all running processes of the current user. Therefore parallel builds of different projects would be affected and basically fail or use the wrong keychain.
I've tried several workarounds to open a new security context, which seems to host the keychain information:
I used login -f ... to start a new login session, hoping it will use an independent security context. But when I change the keychain settings in the session it also affects the other login session.
I used ssh localhost ... to start a new login session, but unfortunately with the same result.
It seems that the security context is bound to the user and not to a dedicated session. Unfortunately I cannot find any information about those security contexts using Google.
Is there any way to run several processes for a dedicated user having different keychains active and unlocked?

Related

No Users Or Groups Folders In VisualSVN Server

I have downloaded VisualSVN Server, version 5.1.1. In the left panel there is only Repositories and Jobs. I want to add new users for learning and testing purposes. However I can't see any settings to do so. I currently don't have a licence. Is this the main reason? If not, how can I enable Users and Groups folders or how can I reach the related settings? Keep in mind that I'm a complete newbie to this application. Any help is appreciated, thanks.
I have tried to find related settings in authentication properties but I got confused and bogged down. I have tried to open the application as Administrator, still couldn't find or make sense of settings.
I also tried to find subversion authentication settings which is normally in the main page.
In the MMC snap-in, you should have a Users option down the left hand side of the tree. However, on the main Visual SVN page, you have various options, one of which should be Subversion Authentication. You can also add users and groups using the options here also (see below, for a screen shot of my SVN Server). Regarding the license, that shouldn't be an issue, as long as your requirement fits within the "Community" licensing requirements.
If you don't see options to Create Users / Groups, use the Configure Authentication Options and set the Authentication Mode to Subversion Authentication. This will allow subversion to authenticate users based on a list that is set up within the server itself. Hope that Helps.
The Users and Groups folders are only available in the management console when your server is configured to use the standalone Subversion authentication mode. When this authentication mode is active, your server maintains a dedicated list of user and group accounts.
However, your screenshot shows that you've enabled Windows authentication. In this case, your server integrates with your Active Directory domain / Windows, and user and group accounts are maintained by Active Directory. I.e., you don't need to create users and groups in VisualSVN Server. They are already created in your domain and you can grant permissions to these accounts via the management console.
You can find more information about the authentication modes in the article KB182: VisualSVN Server authentication modes.

Fastlane match with multiple apps

I have a developer account with multiple apps. I am using fastlane match to generate certs and profiles. Now using match it creates new certs. Check the code below for how I generate it.
lane :GenerateCerts do
  match(app_identifier: "dev", type: "development")
  match(app_identifier: "stage", type: "development")
  match(app_identifier: "stage", type: "appstore")
end
I have already crossed the limit on the developer account for generating new iOS Distribution certs, so I am not able to generate a new one. But I guess that the certificate on the dev portal can be used for generating profiles.
How can I use the certificate already in the portal to generate profiles?
Also, I need to manually set the profiles in Xcode for different configurations. Which command could be helpful to configure certificates in Xcode generated by match, cert, sigh?
What is the best practice for the following case when I have a single developer account for multiple apps?
Creating different git repo for different apps for fastlane match
Single repo for all apps.
For now I am using first one. If you have any better suggestions please help.
How can I use the certificate already there in portal to generate profiles?
This use case is not supported by match. Match only supports syncing profiles it created. If you want to work around this, you can manually create an identical, encrypted git repo and it will work from there. There are instructions for modifying one on the advanced documentation page.
Instead, you could review the source code for match, which uses cert and sigh under the hood, and create a custom action for your specific use case.
But honestly it's easier to just destroy the existing certs and make new ones with match.
Also, I need to manually set the profiles in Xcode for different configurations. Which command could be helpful to configure certificates in Xcode generated by match, cert, sigh?
To clarify:
cert will get (or create, if necessary) a code signing certificate
sigh will get (or create, if necessary) a provisioning profile signed with a code signing certificate
match calls the above commands and syncs their outputs via an encrypted git repo
So if you want to configure certificates, use cert.
What is the best practice for following case when I have single developer account for multiple apps?
There's not really a best practice here that I know of. You have a few options, each with their own tradeoffs:
Use one repo per app. This benefits from complete isolation by project which can be helpful for security purposes but you'll need to sync the distribution profiles by hand (using the advanced technique I linked above)
Use one repo, with one branch per app. This lets you sync the same certificates around for several apps, but has a security risk because anyone with access to this repo has more privileges than they need (unless everyone works on everything)
Use one repo for distribution credentials, with an additional per-app repo for development credentials.
The second option will require use of the match_branch option which can be passed in your Fastfile, or (my preference) specified in your Matchfile to make your Fastfile cleaner. For the final option, you could make use of the for_lane command to override an option when called from a particular lane. For example, your Matchfile might look like:
git_url "git@github.com:my_org/my_repo_name.git"
type 'development'
readonly true
for_lane :deploy_to_app_store do
  type 'appstore'
  git_url "git@github.com:my_org/my_distribution_cert_repo.git"
end

TeamCity guest access without artifacts / build logs?

I'd like to enable guest access to our TeamCity server so that our operations team can see if a deployment build is currently underway, as they do testing and during a deployment the environment becomes unstable.
It looks like the very base View Projects role assigned to guest still allows users to download artifacts, see the build log and unit test results. Since the artifacts are the software we develop, which is commercial, we can't have anonymous access allowing downloading of our code.
How can I further restrict the guest account to only be able to see if a build is running? If it's not possible, I'll accept that as well, and will probably just make a shared logon for them, but it'd be nicer just to enable guest.
We're using TC 2017.1.3.
You cannot do that. Giving access to the guest user is a bad idea.
You have to create another user and give it special rights.

Puppet Create user profile on local machine

I am trying to build a puppet manifest to add an ldap user profile to a local machine on the domain.
After spending some time looking through Google and various sites all I am seeing is examples of local users only and I wonder if it is even possible?
Currently I have to log on to the computer, which creates the user profile folder under (c:\Users{username}). I need to add 3-5 profiles to every machine, but I don't want to go through the whole LOGIN > LOGOUT > LOGIN > LOGOUT process for each user on each machine.
I am new to puppet and just not sure if this is possible in puppet or if I need to figure out a different method?

Hudson build on URL token

I configured a hudson instance and have created jobs. While creating builds, I was able to see this option "Trigger the build by accessing this URL + SecretTOKEN" option. Now, I am unable to see that for any new jobs I create. Am I missing some setting or a configuration? The only change I made was running the servlet container from Root to a regular user.
In my Hudson (1.349) when creating a new job, there's an option under Build Triggers called Trigger Builds Remotely (e.g. from scripts), which when selected allows you to enter an Authentication Token (which has the descriptive text from your question).
I'm not aware of any system configuration that disables this. It doesn't sound like a Hudson user permissions problem if you can have permissions to create/edit jobs.
What appears under Build Triggers when you create a new job?
I had the same problem with the missing Trigger Builds Remotely option. The fix in my case was to enable security in the main Hudson configuration (with Anyone can do anything selected).
