
I am trying to switch on a certain keychain, and close another one. I need this because our enterprise & appstore identities are called the same.

Right now, I do a "security unlock-keychain" followed by a "security default-keychain" to open the correct keychain and do a "security lock-keychain" on the keychain I wish not to use.

But xcodebuild still sees the entries in both keychains and gives up.

iPhone Distribution: Company name.: ambiguous (matches "iPhone Distribution: Company name." in /Users/user/Library/Keychains/login.keychain and "iPhone Distribution: Company name" in /Users/user/Library/Keychains/enterprise.keychain)

How do I prevent the system from finding the entry in the keychain that I lock?

mfaani
Tycho Pandelaar

3 Answers


You can tell Xcode which keychain to use:

xcodebuild "OTHER_CODE_SIGN_FLAGS=--keychain '$PATH_TO_KEYCHAIN'"

Or, if you call codesign directly:

codesign --keychain "$PATH_TO_KEYCHAIN"

If you use PackageApplication, there isn't a way to set this. However, PackageApplication is a pretty simple script that can be reimplemented if necessary (very useful if you're integrating with a larger system/script).

Jacob Lukas
  • Sounds cool. I'll give that a try. Do the specified keychains need to be loaded in the keychain application, or is their presence on the file system enough? – Tycho Pandelaar Nov 27 '13 at 13:58
  • I don't think the keychain needs to be added to the keychain application, but I'm not sure. – Jacob Lukas Nov 29 '13 at 22:58

Solution: I've put all the appstore related stuff in the login keychain, and the enterprise stuff in a separate keychain file.

In the buildscript, I switch between those as follows:

# 1. Only activate the System keychain and either the Appstore (= login) or Enterprise keychain.
#    Paths are quoted so keychain file names containing spaces survive word splitting.
security list-keychains -s "$KEYCHAIN_NAME" "$SYSTEM_KEYCHAIN"

# 2. Loop through app schemes and archive each one against the active keychain search list
for APP_SCHEME in "${APP_SCHEMES[@]}"; do
    echo "--=  Processing $APP_SCHEME  =--"
    xcodebuild -scheme "${APP_SCHEME}" archive
done ### Looping through app schemes

# 3. Restore the login, enterprise & system keychains in the search list
security list-keychains -s "$APPSTORE_KEYCHAIN" "$ENTERPRISE_KEYCHAIN" "$SYSTEM_KEYCHAIN"
Tycho Pandelaar
  • However, this is potentially not a desired option in case of parallel builds, when tasks may switch to an incorrect keychain concurrently. I would still prefer the PackageApplication script taking an option to set the preferred keychain for the certificate lookup. – lef Jan 24 '16 at 09:06
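The two answers above can be combined into one build helper. The following is an added example, not code from either answer or from Apple: it snapshots the current keychain search list, restricts it to the one signing keychain plus the System keychain for the duration of the build (the `security list-keychains -s` approach), additionally pins codesign to that keychain through `OTHER_CODE_SIGN_FLAGS` (the accepted answer's flag), and restores the original list from an `EXIT` trap so a failed `xcodebuild` cannot leave the user's search list altered. The keychain paths, the `KEYCHAIN_PASSWORD` environment variable and the sample `security list-keychains` output are constructed placeholders; the output format (one double-quoted, indented path per line) is an assumption about the real command.

```shell
#!/bin/sh
# Added example, not code from the answers above. Requires macOS `security`
# and `xcodebuild`; the sample output and keychain paths are constructed.

# Constructed stand-in for `security list-keychains` output. The assumed
# format is one double-quoted, indented keychain path per line.
SAMPLE_LIST_OUTPUT='    "/Users/user/Library/Keychains/login.keychain-db"
    "/Users/user/Library/Keychains/enterprise.keychain"
    "/Library/Keychains/System.keychain"'

# Turn `security list-keychains` output into one bare path per line.
parse_keychain_list() {
    sed -e 's/^[[:space:]]*"//' -e 's/"[[:space:]]*$//'
}

# Build setting that tells codesign to look up the identity in exactly one
# keychain file (the accepted answer's OTHER_CODE_SIGN_FLAGS approach).
keychain_sign_flag() {
    printf "OTHER_CODE_SIGN_FLAGS=--keychain '%s'" "$1"
}

# Re-install the search list saved in $SAVED_LIST (one path per line),
# passing each path as its own argument so spaces in paths are preserved.
restore_keychains() {
    [ -n "${SAVED_LIST:-}" ] || return 0
    set --
    while IFS= read -r kc; do
        [ -n "$kc" ] && set -- "$@" "$kc"
    done <<EOF
$SAVED_LIST
EOF
    security list-keychains -s "$@"
}

# usage: build_with_keychain <signing keychain> <scheme>...
build_with_keychain() {
    kc=$1; shift
    SAVED_LIST=$(security list-keychains | parse_keychain_list)
    trap restore_keychains EXIT          # runs whether the build succeeds or fails
    # Only the signing keychain and the System keychain are searchable now.
    security list-keychains -s "$kc" /Library/Keychains/System.keychain
    security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$kc"   # password from the environment
    for scheme in "$@"; do
        xcodebuild -scheme "$scheme" "$(keychain_sign_flag "$kc")" archive
    done
}

# The real build only runs when explicitly requested, so the helpers above can
# be exercised without a Mac:  sh build.sh --build /path/to/enterprise.keychain MyScheme
if [ "${1:-}" = "--build" ]; then
    shift
    build_with_keychain "$@"
fi
```

The search list is per-user state, which is the problem lef raises in the comment above: two builds on the same account swapping the list concurrently will race. The `--keychain` flag passed through `OTHER_CODE_SIGN_FLAGS` is per invocation, so when the flag alone resolves the ambiguity it is the safer of the two mechanisms for parallel builds; the search-list switch is kept here for tooling that ignores the flag.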

Another solution for Xcode version 6 and below: specify your certificate by SHA1 instead of by (ambiguous) name. From "man codesign":

If identity consists of exactly forty hexadecimal digits, it is instead interpreted as the SHA-1 hash of the certificate part of the desired identity. In this case, the identity's subject name is not considered.

And from "security help find-certificate"

-Z  Print SHA-1 hash of the certificate

Unfortunately, this method requires using the PackageSign script, which has been deprecated in Xcode 7.

Paul Du Bois
  • Sounds promising... But I don't see how I can specify a SHA1 in xcode. I would probably have to do the signing by a script. Anyway, thanks for the hint. I'll dig into this to see if it can help us out. – Tycho Pandelaar Jun 02 '13 at 10:25
  • @P5ych0 Sorry, didn't see this until now. Yes, we do the signing in script, eg with "xcrun -sdk iphoneos PackageApplication --sign --embed " – Paul Du Bois Jul 29 '13 at 19:19
  • But as I can see in the PackageApplication script, there are snippets checking the --sign parameter to match "iPhone Distribution", so I guess using SHA-1 is not feasible unless this buggy script is hacked. – lef Jan 24 '16 at 08:55
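To make the SHA-1 approach from this answer usable in a script, the identity name has to be turned into the forty-hex form that codesign treats as a hash. The following is an added example, not code from the answer or from Apple: it parses `security find-certificate -Z` output, refuses to continue when the name matches more than one certificate (exactly the ambiguity in the question) and validates the final identity string. The sample command output is constructed, and its format (a `SHA-1 hash: ...` line per certificate) is an assumption about what the `-Z` flag prints; the keychain paths are placeholders.

```shell
#!/bin/sh
# Added example, not code from the answer above. Requires macOS `security`;
# the sample output below is constructed and its format is assumed.

# Constructed stand-in for `security find-certificate -a -Z -c "<name>"` when
# the name matches one certificate ...
SAMPLE_ONE_MATCH='keychain: "/Users/user/Library/Keychains/enterprise.keychain"
SHA-1 hash: 0123456789ABCDEF0123456789ABCDEF01234567'

# ... and when it matches a certificate in two keychains (the question's case).
SAMPLE_TWO_MATCHES='keychain: "/Users/user/Library/Keychains/login.keychain"
SHA-1 hash: 0123456789ABCDEF0123456789ABCDEF01234567
keychain: "/Users/user/Library/Keychains/enterprise.keychain"
SHA-1 hash: 89ABCDEF0123456789ABCDEF0123456789ABCDEF'

# stdin: find-certificate output; stdout: one 40-hex hash per certificate.
extract_sha1() {
    sed -n 's/^SHA-1 hash: \([0-9A-Fa-f]\{40\}\)$/\1/p'
}

# Accept exactly one certificate. Zero matches means the keychain is not in
# the search list or not unlocked; two or more is the ambiguous case.
unique_sha1() {
    hashes=$(extract_sha1)
    count=$(printf '%s\n' "$hashes" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one certificate, found $count" >&2
        return 1
    fi
    printf '%s\n' "$hashes"
}

# True when codesign would interpret the identity as a SHA-1 hash rather
# than as a subject name (exactly forty hexadecimal digits).
is_sha1_identity() {
    printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{40}$'
}

# usage: resolve_identity "<identity name>" <keychain file>
# Naming the keychain file restricts the lookup to it, which is what removes
# the ambiguity before the hash is even computed.
resolve_identity() {
    security find-certificate -a -Z -c "$1" "$2" | unique_sha1
}

# Real lookup only when asked for, so the parsing helpers run without a Mac:
#   sh resolve.sh --resolve "iPhone Distribution: Company name" /path/to/enterprise.keychain
if [ "${1:-}" = "--resolve" ]; then
    shift
    resolve_identity "$@"
fi
```

The hash printed by `resolve_identity` is what you would hand to `codesign --sign` (or to a signing script's `--sign` option) in place of the name; the strict one-match check is deliberate, because silently picking the first of two matches would defeat the purpose of the lookup.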