✍️ CI环境完成IPA签名

✍️ 银勒

🗓️2024-03-05 (🗒️2024-04-22)

昨天准备给CI里面添加重签名IPA的命令，后来觉的这个功能加载Makefile里面比较合适，就在Makefile文件里面添加了一个sign的target. 证书📄用的是之前海鲜🦞市场购入的10元一张的开发者证书。

BUILD_DIR=$(PWD)/Build
PROJECTS=$(wildcard *.xcodeproj)
KEYCHAIN_PATH=$(BUILD_DIR)/temp.keychain
KEYCHAIN_PASSWORD="xxxxxxxxx"
KEYCHAIN_ACCOUNT="iPhone Developer: ******** (xxxxxxxxxx)"

all: build ipa

build:
	mkdir -p "$(BUILD_DIR)"
	xcodebuild clean \
		-configuration Release \
		-scheme App \
		-workspace App.xcworkspace | xcpretty
	xcodebuild archive \
		-archivePath "$(BUILD_DIR)"/App \
		-configuration Release \
		-scheme App \
		-workspace App.xcworkspace \
		-allowProvisioningUpdates \
		CODE_SIGN_IDENTITY="" CODE_SIGNING_REQUIRED=NO | xcpretty


ipa: build sign
	mkdir -p "$(BUILD_DIR)"/Release
	mkdir -p "$(BUILD_DIR)"/Release/Payload
	cp -r "$(BUILD_DIR)"/App.xcarchive/Products/Applications/App.app "$(BUILD_DIR)"/Release/Payload
	cd "$(BUILD_DIR)"/Release && zip -r App.ipa Payload

sign:
	@echo "✍️ Signing..."
	security create-keychain -p $(KEYCHAIN_PASSWORD) $(KEYCHAIN_PATH)
	security unlock-keychain -p $(KEYCHAIN_PASSWORD) $(KEYCHAIN_PATH)
	security import Script/iOS.p12 -k $(KEYCHAIN_PATH) -P $(KEYCHAIN_PASSWORD) -T /usr/bin/codesign
	security import Script/AppleWWDRCAG3.cer -k $(KEYCHAIN_PATH) -P $(KEYCHAIN_PASSWORD) -T /usr/bin/codesign
	security cms -D -i Script/iOS.mobileprovision > Build/entitlement_full.plist
	/usr/libexec/PlistBuddy -x -c 'Print:Entitlements' Build/entitlement_full.plist > Build/entitlement.plist
	cp Script/iOS.mobileprovision "$(BUILD_DIR)"/App.xcarchive/Products/Applications/App.app/embedded.mobileprovision
	security set-keychain-settings $(KEYCHAIN_PATH)
	security default-keychain -s $(KEYCHAIN_PATH)
	security find-identity -p codesigning $(KEYCHAIN_PATH)
	find "$(BUILD_DIR)"/App.xcarchive/Products/Applications/App.app -name '*.framework' -type d | while read -r framework; do \
        codesign -s $(KEYCHAIN_ACCOUNT) --keychain $(KEYCHAIN_PATH) --entitlements Build/entitlement.plist -f "$$framework"; \
    done
	codesign -s $(KEYCHAIN_ACCOUNT) --keychain $(KEYCHAIN_PATH) --entitlements Build/entitlement.plist -f "$(BUILD_DIR)"/App.xcarchive/Products/Applications/App.app
	codesign -vvv --verify --deep --strict "$(BUILD_DIR)"/App.xcarchive/Products/Applications/App.app
	security delete-keychain $(KEYCHAIN_PATH)

clean:
	rm -rf $(BUILD_DIR)

由于是CI环境里面，所以创建了一个临时的keychain，在这个临时的keychain里面导入了开发者证书和苹果的根证书。

这里也遇到几个问题🙋，简单记录一下:

编译签名成功，隔空投送到手机，提示无法验证完整性

这个由于之前没有对Framework下面的framework签名，所以在Makefile里面添加了下面👇这一段

1
2
3

find "$(BUILD_DIR)"/App.xcarchive/Products/Applications/App.app -name '*.framework' -type d | while read -r framework; do \
    codesign -s $(KEYCHAIN_ACCOUNT) --keychain $(KEYCHAIN_PATH) --entitlements Build/entitlement.plist -f "$$framework"; \
done

笔记本上面签名成功，到CI环境签名报错，提示error: The specified item could not be found in the keychain.

这里签名的时候需要指定keychain

1	codesign -s $(KEYCHAIN_ACCOUNT) --keychain $(KEYCHAIN_PATH) --entitlements Build/entitlement.plist -f "$(BUILD_DIR)"/App.xcarchive/Products/Applications/App.app

如果还是没有效果，修改默认的keychain，反正在CI环境也没什么关系

1	security default-keychain -s $(KEYCHAIN_PATH)

签名提示Warning: unable to build chain to self-signed root for signer

这个问题的查看证书的组织，比如这个证书

证书不被信任

双击证书，查看签发者组织

签发者组织

可以看到👀，签发组织是Apple Worldwide Developer Relations Certification Authority的G3

在苹果的证书下载网站

导入根证书
下载合适的证书后导入，在CI环境可以用命令:

1	security import Script/AppleWWDRCAG3.cer -k $(KEYCHAIN_PATH) -P $(KEYCHAIN_PASSWORD) -T /usr/bin/codesign

签名遇到的问题大致就这么多。

快捷安装IPA

IPA签好名，快捷安装的方法有几种:

隔空投送IPA可以直接安装
用safari下载IPA也会直接安装
扫码安装(itms-services，二维码内容)
点击连接安装(itms-services，网页重定向)

直接下载IPA的方式没有什么特别的，缺点就是在下载过程，会显示缺省的图标，用后两种方式下载，可以在清单文件里面指定一个图标显示

1	itms-services://?action=download-manifest&url=$plist_url

其中$plist_url就是清单文件的内容。这里提供一个模版

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>items</key>
	<array>
		<dict>
			<key>assets</key>
			<array>
				<dict>
					<key>kind</key>
					<string>software-package</string>
					<key>url</key>
					<string>new_software_package_url</string>
				</dict>
				<dict>
					<key>kind</key>
					<string>display-image</string>
					<key>url</key>
					<string>new_display_image_url</string>
				</dict>
				<dict>
					<key>kind</key>
					<string>full-size-image</string>
					<key>url</key>
					<string>new_full_size_image_url</string>
				</dict>
			</array>
			<key>metadata</key>
			<dict>
				<key>bundle-identifier</key>
				<string>top.ourfor.app.App</string>
				<key>bundle-version</key>
				<string>1</string>
				<key>kind</key>
				<string>software</string>
				<key>title</key>
				<string>AIApp</string>
			</dict>
		</dict>
	</array>
</dict>
</plist>

里面的内容可以在CI编译后，通过python脚本修改

本文作者： 银勒
本文链接： https://ourfor.top/article/ipa-resign-ci/