2

If I build the iOS (part of a Xamarin.Forms project) with the Jenkins web GUI (directly running on the Mac) I get the following meaningful error from the console output:

    unknown error -1=ffffffffffffffff

More detailed log

    [exec] _CodesignNativeLibraries:
    [exec]   CodesignNativeLibraries Task
    [exec]     AppBundleDir: bin/iPhone/Release/AppiOS.app
    [exec]     CodesignAllocate: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate
    [exec]     DisableTimestamp: False
    [exec]     IntermediateOutputPath: obj/iPhone/Release/codesign
    [exec]     Keychain: <null>
    [exec]     SigningKey: XXX
    [exec]     ExtraArgs: <null>
    [exec] _CodesignAppBundle:
    [exec]   Codesign Task
    [exec]     CodesignAllocate: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate
    [exec]     DisableTimestamp: False
    [exec]     Entitlements: obj/iPhone/Release/Entitlements.xcent
    [exec]     Keychain: <null>
    [exec]     Resources:
    [exec]       bin/iPhone/Release/AppiOS.app
    [exec]     ResourceRules: <null>
    [exec]     SigningKey: XXX
    [exec]     ExtraArgs: <null>
    [exec]     IsAppExtension: False
    [exec]   Tool /usr/bin/codesign execution started with arguments: -v --force --sign XXX --entitlements /Users/someuser/.jenkins/workspace/Project/ProjectName/ProjectName.iOS/obj/iPhone/Release/Entitlements.xcent /Users/someuser/.jenkins/workspace/Project/ProjectName/ProjectName.iOS/bin/iPhone/Release/AppiOS.app
    [exec] bin/iPhone/Release/AppiOS.app : error : /Users/someuser/.jenkins/workspace/Project/ProjectName/ProjectName.iOS/bin/iPhone/Release/AppiOS.app: unknown error -1=ffffffffffffffff [/Users/someuser/.jenkins/workspace/Project/ProjectName/ProjectName.iOS/ProjectName.iOS.csproj]

On the other hand, it works without an error if I build

  • in Xamarin Studio
  • in Visual Studio for Mac
  • while connected via Mac build host
  • on terminal

After some research the following solutions were mentioned:

  • allow access to keychain
  • revoke and create new certificates/provisioning profiles

I tried both and I'm still getting the error. The question for me is, why Jenkins launched with

    launchctl load /Library/LaunchDaemons/org.jenkins-ci.plist

can't access the certificates/provisioning profiles. This is the call from Ant in the configuration

    <target name="buildIpa" depends="init" if="isMac">
        <exec dir="${basedir}" executable="${msibuild}" failonerror="true">
            <arg line="&quot;/p:Configuration=Release&quot; /p:Platform=&quot;iPhone&quot; /p:IpaPackageDir=&quot;./bin&quot; /t:Build ${TopLevelProject}.sln "/>
        </exec>
    </target>

where `msibuild` is `/Library/Frameworks/Mono.framework/Versions/Current/Commands/msbuild`.

The other projects (Droid, UWP) are also built and I don't know how to only build for iOS ...

How can I find out if there is a signing error, an error with the installation of Jenkins or other error?

My current setup:

    Mac OS X: 10.12.6
    Xcode: 9.1
    Visual Studio Community 2017 for Mac: 7.2.2
    Mono: 5.4.1.6
    Xamarin.iOS: 11.3.0.47
    Xamarin.Forms: 2.3.4.267
    Xamarin Studio on Mac: 6.3
    Jenkins: 2.73.3

testing
  • Have you imported the certificate and provisioning profile to Jenkins? Did Jenkins have full access to the signing files? – Kevin Li Nov 21 '17 at 02:42
  • No, I only have imported/created the files directly on the Mac (which resides in the keychain). That is the question if Jenkins has full access. I did allow the access to the certificate for all applications, but this seems not enough. – testing Nov 21 '17 at 11:11
  • 1
    Do you unlock the keychain in your build script using "security unlock-keychain -p keychainPassword pathToKeychain"? – Christopher Stephan Nov 21 '17 at 16:43
  • @ChristopherStephan: No, currently not. Do I have to unlock that every time? What is `pathToKeychain`? */Users/someUser/Library/Keychains/*? Are there other options, which don't need to provide the password? Normally, it should ask me if I'd allow it and I click on *Always allow*, but that is never asked with Jenkins. – testing Nov 21 '17 at 17:41
  • For example, `pathToKeychain` could be /Users/someUser/Library/Keychains/login.keychain-db if the provisioning profile is stored in the login keychain. Currently I don't know a possibility to hide the password. There is a Jenkins plugin to import keychains, but it is not working with Mac OS Sierra any longer (https://github.com/SICSoftwareGmbH/kpp-management-plugin/issues/5). Try unlocking the keychain before you build the ipa. If it does not fix the problem create a demo app in Xcode, provide the bundle identifier you use for the app, add the provisioning profile and see if a build succeeds. – Christopher Stephan Nov 21 '17 at 19:21

3 Answers

4

What helps me:

  1. Keychain: moving certificates from Login to System and manually unlocking it before the xcodebuild launch: `security unlock-keychain -p "<YOUR PASS HERE>" ~/Library/Keychains/login.keychain`
  2. Custom xcodebuild arguments: implement manual code signing style in Jenkins with CODE_SIGN_STYLE="Manual" and using Keychains and Provisioning Profiles Plugin (just easy to operate with env variables)

    CODE_SIGN_STYLE="Manual" PROVISIONING_PROFILE_SPECIFIER=${PROVISIONING_PROFILE} CODE_SIGN_IDENTITY="${CODE_SIGNING_IDENTITY}" -allowProvisioningUpdates

Amazonian
  • *"Moving certificates"*: Drag and drop in keychain? *"Custom xcodebuild arguments"*: Christopher above mentioned, that [KPP](https://wiki.jenkins.io/display/JENKINS/Keychains+and+Provisioning+Profiles+Plugin) is not working anymore, is this also true for you? Do you need 1 and 2? – testing Nov 22 '17 at 13:00
  • _Moving certificates_: Copy/Paste to System and delete from Login. _Custom xcodebuild arguments_: **Keychains and Provisioning Profiles** is not for macOS Sierra, it's a plugin for Jenkins, just for easy use of keychain variables. https://wiki.jenkins.io/display/JENKINS/Keychains+and+Provisioning+Profiles+Plugin – Amazonian Nov 22 '17 at 14:00
3

When Jenkins is launched via launchd (controlled via the launchctl utility) the resulting process has reduced permissions to access resources in the system such as a given user's Keychain, because it is lacking an attribute set for a user who is actually logged in. You can work around this by having your Jenkins launched either via the JNLP or via an ssh slave. I suggest using the SSH slave option as the JNLP is fragile.

Here is Jenkins ssh slaves page: https://wiki.jenkins.io/display/JENKINS/SSH+Slaves+plugin

These two Stack Overflow questions will give you more help on how to accomplish setting up your profiles via the command line:

How to install developer certificate/private key and provisioning profile for iOS development via command line?

security / codesign in Sierra: Keychain ignores access control settings and UI-prompts for permission

ablarg
  • Using an ssh session does not automatically resolve the problem. I'm explicitly calling security unlock-keychain as per @Pokemon answer, that solved it for me. Still, +1 for a very sensible explanation why running this through Jenkins caused the issue. – parvus May 29 '19 at 10:48
1

I have a Xamarin project with Automatic Provisioning setup. I could build locally on the Jenkins slave but not when running the same commands from our Jenkins Pipeline.

I found that I had to run an sh command before my build, `sh 'security unlock-keychain -p "[Users Password]" /Users/[Users Name]/Library/Keychains/login.keychain-db'`, to be able to sign code.

It would seem that when run from Jenkins the shell environment has its keychains locked!

Tim Hobbs
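
A pre-build check that a Jenkins shell step could run before the msbuild or xcodebuild call, as an added example that is not part of the original question or answers. It unlocks the keychain with the `security unlock-keychain` command the answers use, then confirms the signing identity is visible to the Jenkins process, so a missing password, a failed unlock and a missing certificate each fail with their own exit code instead of codesign's `unknown error -1`. `KEYCHAIN_PASSWORD`, `KEYCHAIN`, the function names and the script name are assumptions of this example; `security find-identity` is standard macOS tooling that the thread itself does not mention.

```shell
#!/bin/sh
# Added example: pre-build signing check for a Jenkins shell step on macOS.
# Assumptions: KEYCHAIN_PASSWORD is injected by the job (e.g. a credentials
# binding) and KEYCHAIN defaults to the build user's login keychain.
KEYCHAIN="${KEYCHAIN:-$HOME/Library/Keychains/login.keychain-db}"

# Reads `security find-identity -v` output on stdin and succeeds if a valid
# identity line ('  1) <40 hex digits> "<name>"') contains the name in $1.
identity_visible() {
    grep -E '^ *[0-9]+\) [0-9A-F]{40} "' | grep -qF -- "$1"
}

# Exit codes: 0 ready to sign, 2 no password supplied, 3 unlock failed,
# 4 keychain unlocked but the identity is not in it.
check_signing() {
    identity="$1"
    if [ -z "${KEYCHAIN_PASSWORD:-}" ]; then
        echo "KEYCHAIN_PASSWORD is not set for this job" >&2
        return 2
    fi
    # Same command the answers use; the thread reports that the keychain is
    # locked for builds started by Jenkins until this has run.
    if ! security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN"; then
        echo "unlock failed: check password and path $KEYCHAIN" >&2
        return 3
    fi
    if ! security find-identity -v -p codesigning "$KEYCHAIN" \
            | identity_visible "$identity"; then
        echo "identity '$identity' not found in $KEYCHAIN (user $(id -un))" >&2
        return 4
    fi
    echo "keychain unlocked and '$identity' is available to $(id -un)"
}

# Runs only when an identity name is passed, e.g.
#   ./check_signing.sh "iPhone Distribution: Example Corp"
if [ "$#" -gt 0 ]; then
    check_signing "$1" || exit $?
fi
```

Running it as the first command of the job shows which user the build actually runs as and whether that user's keychain holds the identity passed to `codesign --sign`.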