Use xcodebuild (Xcode 8) and automatic signing in CI (Travis/Jenkins) environments
I basically run into the same issue using Jenkins CI and the Xcode Plugin.I ended up doing the build and codesigning stuff myself using xcodebuild
.
0. Prerequisites
In order to get the following steps done successfully, you need to have installed the necessary provisioning profiles and certificates. That means your code signing should already be working in general.
1. Building an .xcarchive
xcodebuild -project <path/to/project.xcproj> -scheme <scheme-name> -configuration <config-name> clean archive -archivePath <output-path> DEVELOPMENT_TEAM=<dev-team-id>
DEVELOPMENT_TEAM
: your 10 digit developer team id (something like A1B2C3D4E5)
2. Exporting to .ipa
xcodebuild -exportArchive -archivePath <path/to/your.xcarchive> -exportOptionsPlist <path/to/exportOptions.plist> -exportPath <output-path>
Example of an exportOptions.plist
:
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict> <key>method</key> <string>development</string> <key>teamID</key> <string> A1B2C3D4E5 </string></dict></plist>
method
: is one ofdevelopment
,app-store
,ad-hoc
,enterprise
teamID
: your 10 digit developer team id (something like A1B2C3D4E5)
This process is anyway closer to what you would do with Xcode manually, than what for example the Jenkins Xcode Plugin does.
Note: The .xcarchive file will always be develpment signed, but selecting "app-store" as method in the 2nd step will do the correct distribution signing and also include the distribution profile as "embedded.mobileprovision".
Hope this helps.
After trying a few options, these are the solutions that I was able to use on my CI server:
Include the Developer certificate and private key as well as the auto generated provisioning profiles in the CI environment:
Using Automatic signing
forces you to use a Developer
certificate and auto-generated provisioning profiles
. One option is to export your development certificate and private key (Application -> Utilities -> Keychain Access) and the auto-generated provisioning profiles to the CI machine. A way to locate the auto-generated provisioning profiles is to navigate to ~/Library/MobileDevice/Provisioning\ Profiles/
, move all files to a backup folder, open Xcode and archive the project. Xcode will create auto-generated development provisioning profiles and will copy them to the Provisioning Profiles
folder.
xcodebuild archive ...
will create a .xcarchive
signed for Development
. xcodebuild -exportArchive ...
can then resign the build for Distribution
Replace 'Automatic' with 'Manual' when building on a CI environment
Before calling xcodebuild
a workaround is to replace all instances of ProvisioningStyle = Automatic
with ProvisioningStyle = Manual
in the project file. sed
can be used for a simple find an replace in the pbxproj
file:
sed -i '' 's/ProvisioningStyle = Automatic;/ProvisioningStyle = Manual;/' <ProjectName>.xcodeproj/project.pbxproj
@thelvis also created a Ruby script to do this using the xcodeproj
gem. The script gives you a better control over what is changed.
xcodebuild
will then use the code signing identity (CODE_SIGN_IDENTITY
) set in the project, as well as the provisioning profiles (PROVISIONING_PROFILE_SPECIFIER
). Those settings can also be provided as parameters to xcodebuild
and they will override the code signing identity and/or provisioning profile set in the project.
EDIT: with Xcode 9,
xcodebuild
has a new build settings parameterCODE_SIGN_STYLE
to select betweenAutomatic
andManual
so there's no need to find and replace instances of automatic with manual in the project file, more info in WWDC 2017 Session 403 What's New in Signing for Xcode and Xcode Server
Switch to manual signing
Manual signing will provide total control over the code signing identities and provisioning profiles being used. It's probably the cleanest solution, but with the downside of losing all the benefits of Automatic signing.
To learn more about code signing with Xcode 8 I really recommend this article as well as the WWDC2016 session 401 - What's new in Xcode app signing
I'm considering another option I've not seen mentioned here yet. Setup two identical targets, that only differ in their signing settings.
- Development Target uses automatic signing to get all of those benefits when new devices / developers are added
- CI Target uses manual signing
Downside is that you would have to manage two identical targets. Upside is that get the benefits of automatic signing for development, and don't have to maintain potentially brittle scripts that modify your project just before build time.