How to write a codesign script that trusts a keychain imported from the Mac command line

Question    Votes: 0    Answers: 1

Hi, I am trying to create a standard build project for our product so that I can run it on any Mac with just a single script. So I have exported all the distribution certificates into a p12 file and stored it in the repository. During the build I import it with these commands:

echo "Attaching External Keychain"
/usr/bin/openssl pkcs12 -in Distribution-Keys.p12 -nokeys -passin pass:<PASSWORD> | /usr/bin/openssl x509 -noout -fingerprint -subject -dates -nameopt utf8,sep_semi_plus_space

echo "Creating external Keychain"
security create-keychain -p <PASSWORD> Distribution-Keys.keychain

echo "Changing access to external Keychain"
security set-keychain-settings -lut 21600 Distribution-Keys.keychain

echo "Unlocking external Keychain"
security unlock-keychain -p <PASSWORD> Distribution-Keys.keychain

echo "Importing external Keychain from p12 file"
security import Distribution-Keys.p12 -P <PASSWORD> -A -t cert -f pkcs12 -k Distribution-Keys.keychain


security list-keychain -d user

echo "Adding new keychain to search path"
security list-keychain -d user -s Distribution-Keys.keychain /Users/support/Library/Keychains/login.keychain-db

security list-keychain -d user

When I run the build script over ssh, I get a "codesign" failure with code 3.

When I run it in the Mac Terminal, a window pops up saying "codesign wants to access key "Distribution-Keys" in your keychain" and asks for the password.

How can I grant that trust as part of the script (command line)?

Regards, Kristian Arild Stoll Andersen


macos shell command-line code-signing keychain
1 answer

0 votes

The following command bypasses the codesign keychain password dialog:

security set-key-partition-list \
  -S apple-tool:,apple: \
  -k "$MAC_KEYCHAIN_PASSWORD" \
  "$MAC_KEYCHAIN_PATH"

The following lines are pasted from the output of

man security

running on macOS 14.0:

set-key-partition-list [-S <partition list (comma separated)>] [-k <keychain password>] [options...] [keychain]
       Sets the "partition list" for a key. The "partition list" is an extra parameter in the ACL which limits access to the key based on an application's code signature. You must present the keychain's password to change a partition list. If you'd like to run /usr/bin/codesign with the key, "apple:" must be an element of the partition list.

       -S partition-list
                       Comma-separated partition list. See output of "security dump-keychain" for examples.
       -k password     Password for keychain
       -a application-label
                       Match "application label" string
       -c creator      Match creator (four-character code)
       -d              Match keys that can decrypt
       -D description  Match "description" string
       -e              Match keys that can encrypt
       -j comment      Match comment string
       -l label        Match label string
       -r              Match keys that can derive
       -s              Match keys that can sign
       -t type         Type of key to find: one of "symmetric", "public", or "private"
       -u              Match keys that can unwrap
       -v              Match keys that can verify
       -w              Match keys that can wrap

See also:

  1. https://github.com/Apple-Actions/import-codesign-certs/blob/5565bb656f60c98c8fc515f3444dd8db73545dc2/src/security.ts#L121-L141
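The asker's import sequence combined with the answer's set-key-partition-list step, as an added example script that is neither the question's nor the answer's own code. It assumes the macOS `security` tool, and the variable names, default paths and CHANGE-ME password values are placeholders of this example; DRY_RUN=1 prints the commands instead of running them, and the `valid_identity_count` helper parses the output of `security find-identity` so the script can confirm that the imported identity is actually usable for signing before any build runs.

```shell
#!/bin/bash
# Added example, not the question's or the answer's script: non-interactive
# import of a code-signing identity for an ssh/CI build, finishing with the
# set-key-partition-list step so codesign never opens the keychain dialog.
# All variable names, default paths and CHANGE-ME values are placeholders.
set -eu

P12_PATH="${P12_PATH:-Distribution-Keys.p12}"
P12_PASSWORD="${P12_PASSWORD:-CHANGE-ME-p12-password}"                 # placeholder
KEYCHAIN_PATH="${KEYCHAIN_PATH:-${HOME:-$PWD}/Library/Keychains/Distribution-Keys.keychain-db}"
KEYCHAIN_PASSWORD="${KEYCHAIN_PASSWORD:-CHANGE-ME-keychain-password}"  # placeholder
LOGIN_KEYCHAIN="${LOGIN_KEYCHAIN:-${HOME:-$PWD}/Library/Keychains/login.keychain-db}"

# Runs a command, or with DRY_RUN=1 only prints it. The dry run echoes the
# passwords too, so only use it with placeholder values.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

setup_signing_keychain() {
  run security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
  # Lock automatically after 6 hours of inactivity (the value the question uses).
  run security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
  run security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
  # -T names the only tools allowed to use the private key; the question's -A
  # would grant every application access instead.
  run security import "$P12_PATH" -P "$P12_PASSWORD" -f pkcs12 -k "$KEYCHAIN_PATH" \
    -T /usr/bin/codesign -T /usr/bin/security
  # The answer's step: without "apple:" in the partition list, codesign either
  # prompts in the GUI or, with no GUI over ssh, fails. -s restricts the change
  # to keys that can sign.
  run security set-key-partition-list -S apple-tool:,apple: -s \
    -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
  # -s replaces the user search list, so the login keychain must be listed again.
  run security list-keychains -d user -s "$KEYCHAIN_PATH" "$LOGIN_KEYCHAIN"
}

# Counts valid identities in the output of
# `security find-identity -v -p codesigning <keychain>`, read from stdin.
# Identity lines look like:   1) <40 hex SHA-1> "Developer ID Application: ..."
valid_identity_count() {
  grep -cE '^ *[0-9]+\) [0-9A-F]{40} "' || true
}

# Fails (non-zero) when the keychain holds no usable signing identity, which
# is the check a build should make before calling codesign at all.
verify_signing_identity() {
  local n
  n="$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | valid_identity_count)"
  [ "$n" -gt 0 ]
}

# Only act when explicitly asked: `bash setup-keychain.sh run`
if [ "${1:-}" = "run" ]; then
  setup_signing_keychain
  verify_signing_identity && echo "signing identity ready in $KEYCHAIN_PATH"
fi
```

Run it once per build agent with `bash setup-keychain.sh run` after exporting the real passwords into the environment; `DRY_RUN=1 bash setup-keychain.sh run` with the placeholder values shows the exact command sequence without touching any keychain.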
© www.soinside.com 2019 - 2024. All rights reserved.