I'm trying to automate the process of building iPhone apps with a particular certificate. So imagine if different users uploaded their cert into the system and it was immediately available to code sign against. I want to do this without any interaction. I also don't want to clutter up the system or login keychain with different user certificates. To this end I have:
- turned off the requirement in Xcode to require code signing for a build.
- developed a ruby script to build an application via the xcodebuild command line tool
- created a script to automatically create a new keychain for a user of my system
- written a script to code sign a built iPhone app.
Everything works, but I need to manually hit enter when the codesign program tries to exercise the sign permission. My keychains are all unlocked. Oddly enough it works if I make the keychain the default keychain, but that isn't scalable, i.e. I could only have one build process going at any given time.
When I manually click always allow for that process, I get an entry in my keychain dump that looks like this:
entry 1:
authorizations (6): decrypt derive export_clear export_wrapped mac sign
don't-require-password
description: privateKey
applications (2):
0: /usr/bin/codesign (OK)
So I'm thinking that I need to use the authorize command in security to pre-authorize codesign for those permissions. The security man page is pretty poor. I can't seem to get it to work using commands like this:
security -v authorize -uew sign | /usr/bin/codesign [code sign vars pointing to app and a specific keychain]
Does anyone have any ideas?
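An added example, not from the question or any answer, of how the per-user keychain flow above can be scripted so that codesign never prompts: the ACL entry for /usr/bin/codesign shown in the dump is granted at import time with `security import -T`, and on macOS 10.12 and later the key additionally needs a partition-list entry from `security set-key-partition-list`. It assumes the macOS `security` and `codesign` tools are present; keychain paths, passwords and the signing identity are placeholders, and the `runner:` hook exists only so the command sequence can be inspected without touching a real keychain.

```ruby
require 'open3'

CODESIGN = '/usr/bin/codesign'

# One throwaway keychain per uploaded certificate, so the system and login
# keychains are never touched and several builds can run side by side.
class BuildKeychain
  attr_reader :path, :commands

  # runner: callable receiving an argv array; defaults to executing it.
  def initialize(path, password, runner: nil)
    @path = path
    @password = password
    @commands = []
    @runner = runner || method(:exec_argv)
  end

  def create
    run('security', 'create-keychain', '-p', @password, @path)
    run('security', 'set-keychain-settings', @path) # no auto-lock timeout
    run('security', 'unlock-keychain', '-p', @password, @path)
  end

  # -T adds codesign to the private key's ACL at import time, which is what
  # clicking "Always Allow" did by hand. The partition-list step is required
  # on macOS 10.12+ (assumption: omit it on older releases where it is absent).
  def import_p12(p12_path, p12_password)
    run('security', 'import', p12_path, '-k', @path, '-P', p12_password,
        '-T', CODESIGN)
    run('security', 'set-key-partition-list', '-S', 'apple-tool:,apple:',
        '-s', '-k', @password, @path)
  end

  # --keychain restricts the identity search to this user's keychain only.
  def sign(app_path, identity)
    run(CODESIGN, '-f', '-s', identity, '--keychain', @path, app_path)
  end

  def delete
    run('security', 'delete-keychain', @path)
  end

  private

  def run(*argv)
    @commands << argv
    @runner.call(argv)
  end

  def exec_argv(argv)
    out, err, status = Open3.capture3(*argv)
    raise "#{argv.first} failed: #{err}" unless status.success?
    out
  end
end
```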