I have Jenkins CI set up on Mac Sierra to build iOS apps using Xcode 8.2 with automatic signing. All works well when building using Xcode as the developer. However, Jenkins using xcodebuild is failing with the following:
SecKey API returned: -25308, (null)
/Users/Shared/Jenkins/Home/workspace/App/build/Build/Intermediates/ArchiveIntermediates/App/InstallationBuildProductsLocation/Applications/App.app/Frameworks/GTMSessionFetcher.framework: unknown error -1=ffffffffffffffff
I have followed the advice in security / codesign in Sierra: Keychain ignores access control settings and UI-prompts for permission, to no avail.
I have tried putting both private keys and certs into the System keychain, to no avail.
If I log in as the Jenkins user and run the codesign command manually, I "Always Allow" access to the keychain, and it works, repeatedly. However, running as invoked by the Jenkins CI does not. (The Jenkins master is the Mac, and I'm using this same Mac to build.)
The error is mentioning the CocoaPod GTMSessionFetcher. Is this something to do with CocoaPods?
Any ideas would be appreciated.
I was experiencing exactly the same issue and I am quite sure that it has nothing to do with CocoaPods; it's a codesigning issue. Some of the things I did:
Check that I do not have duplicate Keychain Entries. This post was useful for that. It turned out that I had one entry duplicated.
Check that private keys are allowed to all applications, as explained here.
Try this (be aware that since macOS Sierra login.keychain has changed to login.keychain-db), which is the second answer in the advice you mention, but it didn't work.
Move both private keys and certs to System keychain (leaving only the certificates on login keychain). This last step was the one that made things work.
In case this is not helpful, you can try to unlock the login keychain manually in your Jenkins job (that did the trick for me before I moved keys and certs to System keychain):
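node("macOS-sierra") {
    // .........
    stage("Build") {
        // Unlock the CI user's login keychain so codesign can use the private key without a UI prompt
        sh 'security unlock-keychain -p KEYCHAIN_PASS "/Users/YOUR-CI-USER/Library/Keychains/login.keychain-db" && fastlane beta'
    }
}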
You can check your keychains with this:
$ security list-keychains
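The duplicate-entry check mentioned in the answer above can be scripted. This is an added example, not part of the original post: it parses output in the format of `security find-identity -v -p codesigning` and reports identity names that are listed more than once. The function names and the sample hashes and names are constructed for illustration.

```sh
#!/bin/sh
# Added example: report code-signing identities that appear more than once.
# Reads `security find-identity -v -p codesigning` style output on stdin.

# Print each identity name that occurs more than once, prefixed by its count.
find_duplicate_identities() {
    # Identity lines look like:   1) <40 hex chars> "Name (TEAMID)"
    # The trailing "N valid identities found" line does not match and is dropped.
    sed -n 's/^ *[0-9][0-9]*) [0-9A-Fa-f]\{40\} "\(.*\)"$/\1/p' |
        sort | uniq -c |
        awk '$1 > 1 { n = $1; sub(/^ *[0-9]+ /, ""); print n "x " $0 }'
}

# Constructed sample output (hashes, names and team IDs are made up).
sample_output() {
    cat <<'EOF'
  1) 1111111111111111111111111111111111111111 "iPhone Developer: CI User (AAAAAAAAAA)"
  2) 2222222222222222222222222222222222222222 "iPhone Distribution: Example Corp (BBBBBBBBBB)"
  3) 3333333333333333333333333333333333333333 "iPhone Developer: CI User (AAAAAAAAAA)"
     3 valid identities found
EOF
}

# On the build Mac, run as the CI user:
#   security find-identity -v -p codesigning | find_duplicate_identities
# Offline demonstration with the constructed sample:
#   sample_output | find_duplicate_identities
```

Run it as the same user the Jenkins job runs as, since the keychain search list shown by `security list-keychains` is per user.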