Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Jenkins iOS build using credentials and developer profile

Tags:

ios

jenkins

We are using Jenkins as our CI server for our iOS team with the following setup:

  • Master server on OSX, not running any job
  • 2 slaves on OSX running our integration jobs + UI Testing

Currently all signing identities and provisioning profiles for the apps are uploaded each slave which makes the administration a tad tedious and adding a new node to the cluster even more painful.

To work around this we've looked into using the credentials plugin with Developer profiles and import the profile as the first build step on all iOS jobs but are faced with to main issues:

  • The import developer profile seems to work the first time (at least for creating the keychain entries) but the job fails with a "no matching provisioning profile" error, even if the developer profile contains all the provisioning profiles required by the target.
  • Second run on the same job always fail with a "Keychain already exist" error

We've tried some work arounds for the second issue adding a shell build step removing the particular keychain but are still faced with the first error. If we manually install the profile on the slave the build passes but this defeat the purpose of using the credentials plugin.

What do you guys think?

like image 236
Eric Genet Avatar asked Sep 03 '14 06:09

Eric Genet


People also ask

How do I add a keychain to Jenkins?

Click on "Choose File" and select the keychain or provisioning profile file. 2. Click on "Upload". The keychain or provisioning profile file is automatically uploaded and stored on the jenkins.

What is Jenkins iOS?

The leading open source automation server, Jenkins provides hundreds of plugins to support building, deploying and automating any project.


1 Answers

I think the newest version of the credentials plugin now first removes any existing keychains with a matching name before importing, as seen in the log output below.

$ security delete-keychain jenkins-MyAppsBuildName-iOS
$ security create-keychain -p ******** jenkins-MyAppsBuildName-iOS
$ security unlock-keychain -p ******** jenkins-MyAppsBuildName-iOS

Because of this fact, I don't think you will have an issue anymore with duplicate keychain errors on the second run.

As far as the issue relating to the provisioning profile not being found, add the following line inside the execute shell command and run a build on jenkins.

security list-keychains

Take a look at the console for that specific build and you should see a list of all the keychains that are currently in the scope of the shell.

If you do not see "jenkins-MyAppsBuildName-iOS" as a listed keychain, this is why you are having the signing issue. Because the keychain is not listed, it is never even being searched through to find the proper signing identity/profile.

Solution: Warning: it's hacky

I'm not 100% sure why this is happening, but from other threads it appears to be a permissions issue.

Luckily there is an easy way around this.

In the execute shell command add the following:

security list-keychain -s jenkins-${JOB_NAME}

This will reset the keychain list to include the keychain needed to successfully build the project.

To verify that this now lists the proper keychain, you can add the following lines to the shell command:

security list-keychain
security list-keychain -s jenkins-${JOB_NAME}
security list-keychain

Now compare the output of the first list-keychain command with the second list-keychain command in the console. Make sure that the jenkin's build keychain is listed after the second security list-keychain output.

Warning: This will permanently change the keychain list on the system, so it is probably a good idea to reset the keychain after the build completes. You can accomplish this by settings the default desired keychain values in the xcode configuration inside of Jenkin's System Configuration section. After doing so, make sure to tick the check box "Restore OS X keychains after build process as defined in global configuration" under build environment inside of the Jenkins job's page.

Additional info: In my example I set the keychain-list to only include the keychain generated from Jenkins, but you may decide to also include the standard system and login keychain's by modifying the line as such:

security list-keychain -s jenkins-${JOB_NAME} login.keychain System.keychain

Keywords: Jenkins, iOS, slave, node, Xcode, plugin, credentials, .developerprofile

like image 116
njtman Avatar answered Oct 04 '22 20:10

njtman