✍️CI环境完成IPA签名

昨天准备给CI里面添加重签名IPA的命令,后来觉的这个功能加载Makefile里面比较合适,就在Makefile文件里面添加了一个sign的target. 证书📄用的是之前海鲜🦞市场购入的10元一张的开发者证书。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
BUILD_DIR=$(PWD)/Build
PROJECTS=$(wildcard *.xcodeproj)
KEYCHAIN_PATH=$(BUILD_DIR)/temp.keychain
KEYCHAIN_PASSWORD="xxxxxxxxx"
KEYCHAIN_ACCOUNT="iPhone Developer: ******** (xxxxxxxxxx)"

all: build ipa

build:
mkdir -p "$(BUILD_DIR)"
xcodebuild clean \
-configuration Release \
-scheme App \
-workspace App.xcworkspace | xcpretty
xcodebuild archive \
-archivePath "$(BUILD_DIR)"/App \
-configuration Release \
-scheme App \
-workspace App.xcworkspace \
-allowProvisioningUpdates \
CODE_SIGN_IDENTITY="" CODE_SIGNING_REQUIRED=NO | xcpretty


ipa: build sign
mkdir -p "$(BUILD_DIR)"/Release
mkdir -p "$(BUILD_DIR)"/Release/Payload
cp -r "$(BUILD_DIR)"/App.xcarchive/Products/Applications/App.app "$(BUILD_DIR)"/Release/Payload
cd "$(BUILD_DIR)"/Release && zip -r App.ipa Payload

sign:
@echo "✍️ Signing..."
security create-keychain -p $(KEYCHAIN_PASSWORD) $(KEYCHAIN_PATH)
security unlock-keychain -p $(KEYCHAIN_PASSWORD) $(KEYCHAIN_PATH)
security import Script/iOS.p12 -k $(KEYCHAIN_PATH) -P $(KEYCHAIN_PASSWORD) -T /usr/bin/codesign
security import Script/AppleWWDRCAG3.cer -k $(KEYCHAIN_PATH) -P $(KEYCHAIN_PASSWORD) -T /usr/bin/codesign
security cms -D -i Script/iOS.mobileprovision > Build/entitlement_full.plist
/usr/libexec/PlistBuddy -x -c 'Print:Entitlements' Build/entitlement_full.plist > Build/entitlement.plist
cp Script/iOS.mobileprovision "$(BUILD_DIR)"/App.xcarchive/Products/Applications/App.app/embedded.mobileprovision
security set-keychain-settings $(KEYCHAIN_PATH)
security default-keychain -s $(KEYCHAIN_PATH)
security find-identity -p codesigning $(KEYCHAIN_PATH)
find "$(BUILD_DIR)"/App.xcarchive/Products/Applications/App.app -name '*.framework' -type d | while read -r framework; do \
codesign -s $(KEYCHAIN_ACCOUNT) --keychain $(KEYCHAIN_PATH) --entitlements Build/entitlement.plist -f "$$framework"; \
done
codesign -s $(KEYCHAIN_ACCOUNT) --keychain $(KEYCHAIN_PATH) --entitlements Build/entitlement.plist -f "$(BUILD_DIR)"/App.xcarchive/Products/Applications/App.app
codesign -vvv --verify --deep --strict "$(BUILD_DIR)"/App.xcarchive/Products/Applications/App.app
security delete-keychain $(KEYCHAIN_PATH)

clean:
rm -rf $(BUILD_DIR)

由于是CI环境里面,所以创建了一个临时的keychain,在这个临时的keychain里面导入了开发者证书和苹果的根证书。

这里也遇到几个问题🙋,简单记录一下:

  • 编译签名成功,隔空投送到手机,提示无法验证完整性

这个由于之前没有对Framework下面的framework签名,所以在Makefile里面添加了下面👇这一段

1
2
3
find "$(BUILD_DIR)"/App.xcarchive/Products/Applications/App.app -name '*.framework' -type d | while read -r framework; do \
codesign -s $(KEYCHAIN_ACCOUNT) --keychain $(KEYCHAIN_PATH) --entitlements Build/entitlement.plist -f "$$framework"; \
done
  • 笔记本上面签名成功,到CI环境签名报错,提示error: The specified item could not be found in the keychain.

这里签名的时候需要指定keychain

1
codesign -s $(KEYCHAIN_ACCOUNT) --keychain $(KEYCHAIN_PATH) --entitlements Build/entitlement.plist -f "$(BUILD_DIR)"/App.xcarchive/Products/Applications/App.app

如果还是没有效果,修改默认的keychain,反正在CI环境也没什么关系

1
security default-keychain -s $(KEYCHAIN_PATH)
  • 签名提示Warning: unable to build chain to self-signed root for signer

这个问题的查看证书的组织,比如这个证书

证书不被信任

双击证书,查看签发者组织

签发者组织

可以看到👀,签发组织是Apple Worldwide Developer Relations Certification AuthorityG3

在苹果的证书下载网站

导入根证书
下载合适的证书后导入,在CI环境可以用命令:

1
security import Script/AppleWWDRCAG3.cer -k $(KEYCHAIN_PATH) -P $(KEYCHAIN_PASSWORD) -T /usr/bin/codesign

签名遇到的问题大致就这么多。

快捷安装IPA

IPA签好名,快捷安装的方法有几种:

  • 隔空投送IPA可以直接安装
  • 用safari下载IPA也会直接安装
  • 扫码安装(itms-services,二维码内容)
  • 点击连接安装(itms-services,网页重定向)

直接下载IPA的方式没有什么特别的,缺点就是在下载过程,会显示缺省的图标,用后两种方式下载,可以在清单文件里面指定一个图标显示

1
itms-services://?action=download-manifest&url=$plist_url

其中$plist_url就是清单文件的内容。这里提供一个模版

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>items</key>
<array>
<dict>
<key>assets</key>
<array>
<dict>
<key>kind</key>
<string>software-package</string>
<key>url</key>
<string>new_software_package_url</string>
</dict>
<dict>
<key>kind</key>
<string>display-image</string>
<key>url</key>
<string>new_display_image_url</string>
</dict>
<dict>
<key>kind</key>
<string>full-size-image</string>
<key>url</key>
<string>new_full_size_image_url</string>
</dict>
</array>
<key>metadata</key>
<dict>
<key>bundle-identifier</key>
<string>top.ourfor.app.App</string>
<key>bundle-version</key>
<string>1</string>
<key>kind</key>
<string>software</string>
<key>title</key>
<string>AIApp</string>
</dict>
</dict>
</array>
</dict>
</plist>

里面的内容可以在CI编译后,通过python脚本修改