
Unable to sign iOS builds with Jenkins


I solved this problem by adding SessionCreate=true to my org.jenkins-ci.plist file. This call initializes the Security framework.

Source: http://developer.apple.com/library/mac/#technotes/tn2083/_index.html

See mine in its entirety below:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>EnvironmentVariables</key>
    <dict>
        <key>JENKINS_HOME</key>
        <string>/Users/Shared/Jenkins/Home</string>
    </dict>
    <key>GroupName</key>
    <string>daemon</string>
    <key>KeepAlive</key>
    <true/>
    <key>Label</key>
    <string>org.jenkins-ci</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/bash</string>
        <string>/Library/Application Support/Jenkins/jenkins-runner.sh</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>UserName</key>
    <string>jenkins</string>
    <key>SessionCreate</key>
    <true/>
</dict>
</plist>


You could also try my alternative Jenkins installer which runs Jenkins as an application.

The project is at https://github.com/stisti/jenkins-app. Downloads are at https://github.com/stisti/jenkins-app/downloads

Jenkins needs to run in the user context in order to have access to keychains.


I had the same problem. The main issue is actually caused when launchd launches a LaunchDaemon. Even if you specify the user that you want to run the launchd process under, it doesn't run it as if you were logged in as that user, which is why you aren't seeing the login keychain in the list of keychains available to Jenkins.

I came across a workaround that involved calling su - yourbuilduser -c ./start-jenkins.sh, where start-jenkins.sh is a custom start script, from your launchd plist (as a LaunchDaemon). This guarantees access to the login keychain but makes Jenkins hard to control from launchd. Specifically, you can't stop Jenkins by calling launchctl unload ... you have to kill the process manually.

Currently we are running our iOS CI using a plist in LaunchAgents (that just starts Jenkins using java -jar jenkins.war) rather than in LaunchDaemons. Tediously, this means that your user has to be logged into the server (not an issue if your machine is within your private network or in a correctly configured DMZ); however, it also means that the Jenkins process can be controlled from launchctl and that it has access to the user's keychain. You can set the user to auto-login so you get Jenkins on start-up.

I have managed to automate almost every aspect of a Continuous Delivery pipeline for iOS binaries; this is the only part where my solution just doesn't feel right (ideally, I'd just be able to use a LaunchDaemon that would have access to the user's keychain).
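
A check for the points raised in the answers above, as an added example that is not code from any of the posters: it parses a launchd job definition and reports the keychain-related conditions the answers describe (a daemon without SessionCreate, a start through su, a LaunchAgent that needs a logged-in user). The function name check_job and the install paths passed to it are assumptions; the sample plist is constructed from the first answer's file with SessionCreate removed.

```python
import os
import plistlib

# Constructed sample: the first answer's daemon plist with SessionCreate removed.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>org.jenkins-ci</string>
<key>UserName</key><string>jenkins</string>
<key>ProgramArguments</key><array>
<string>/bin/bash</string>
<string>/Library/Application Support/Jenkins/jenkins-runner.sh</string>
</array>
</dict></plist>"""


def check_job(plist_bytes, installed_path):
    """Return findings about keychain access for one launchd job definition.

    installed_path is where the plist is installed; it decides whether launchd
    treats the job as a LaunchDaemon or as a per-user LaunchAgent.
    """
    job = plistlib.loads(plist_bytes)
    args = job.get("ProgramArguments", [])
    is_daemon = "/LaunchDaemons/" in installed_path
    findings = []
    if is_daemon and job.get("SessionCreate") is not True:
        # First answer: signing worked only after SessionCreate was set to true.
        findings.append("daemon without SessionCreate=true")
    if is_daemon and "UserName" not in job:
        # Without UserName a daemon runs as root, not as the build user.
        findings.append("daemon without UserName (runs as root)")
    if args and os.path.basename(args[0]) == "su":
        # Third answer: a job started through su cannot be stopped with launchctl unload.
        findings.append("started through su (launchctl unload will not stop it)")
    if not is_daemon:
        # Third answer: a LaunchAgent only runs while its user is logged in.
        findings.append("LaunchAgent (build user must be logged in)")
    return findings


if __name__ == "__main__":
    for finding in check_job(SAMPLE, "/Library/LaunchDaemons/org.jenkins-ci.plist"):
        print(finding)
```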