Bug
Resolution: Unresolved
Minor
Prior to the xcodebuild step, when a separate keychain is being provided, there is a need to call the following before that keychain can be seen by xcode:
Little-Net-8671:~ jenkins-agent$ security default-keychain -s /Users/jenkins-agent/Library/Keychains/jenkins.keychain-db
This step is performed in the xcodebuild step on the following line, but this doesn't appear to get run when a keychainId is specified:
Nothing works (certificates being looked for in the login keychain, not the jenkins keychain, fail with cert not found) until security default-keychain is run manually at least once.
The snippet of the Jenkinsfile looks like this:
stage('MacOS') {
  agent { label 'macos' }
  stages {
    stage('unlock-keychain') {
      steps {
        unlockMacOSKeychain keychainId: 'jenkins-agent-keychain'
      }
    }
    stage('build') {
      steps {
        dir("src/macos/Redwax SignText") {
          xcodeBuild xcodeWorkspaceFile: 'Redwax SignText.xcodeproj/project', xcodeSchema: 'Redwax SignText', keychainId: 'jenkins-agent-keychain'
        }
      }
    }
  }
}
I haven't traced the code yet, but it does look like "security default-keychain" is not run when "unlockMacOSKeychain" is used, or perhaps the step is being skipped when keychainId is used instead of the legacy keychainPath (with password baked into jenkinsfile).
TL;DR: when keychainId is specified, security default-keychain must be called.
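A pre-build workaround for the behaviour reported above, as an added example that is not part of the original report or the plugin's code: it checks which keychain is currently the default, switches to the signing keychain only if needed, confirms the change, and prints the previous default so it can be put back after the build. The function names are hypothetical; the only commands used are `security default-keychain` and `security default-keychain -s <path>`, and the code assumes the former prints the path quoted and indented.

```shell
#!/bin/sh
# Added example (not plugin code). Function names are hypothetical.

# Strip the leading whitespace and surrounding quotes that
# `security default-keychain` puts around the path it prints.
strip_keychain_quotes() {
    sed -e 's/^[[:space:]]*"//' -e 's/"[[:space:]]*$//'
}

# Print the path of the current default keychain.
current_default_keychain() {
    raw=$(security default-keychain) || return 1
    printf '%s\n' "$raw" | strip_keychain_quotes
}

# ensure_default_keychain <path>
# Make <path> the default keychain if it is not already, verify that the
# change took effect, and print the previous default on stdout so the
# caller can restore it once the build has finished.
ensure_default_keychain() {
    wanted=$1
    if [ -z "$wanted" ]; then
        echo "usage: ensure_default_keychain <keychain-path>" >&2
        return 2
    fi
    previous=$(current_default_keychain) || return 1
    if [ "$previous" != "$wanted" ]; then
        security default-keychain -s "$wanted" || return 1
        now=$(current_default_keychain) || return 1
        if [ "$now" != "$wanted" ]; then
            echo "default keychain is still: $now" >&2
            return 1
        fi
    fi
    printf '%s\n' "$previous"
}

# Typical use in a shell step that runs before the xcodeBuild step
# (path taken from the report):
#   prev=$(ensure_default_keychain \
#       /Users/jenkins-agent/Library/Keychains/jenkins.keychain-db)
#   ... build ...
#   security default-keychain -s "$prev"   # put the old default back
```

The default keychain is a per-user setting that persists across builds, so restoring the previous value keeps later jobs on the same agent from silently resolving identities against the signing keychain.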