Imported signing certificate can't be found

[orkoden]

I'm using different certificates for different builds. So I configure my .gradle file accordingly.
However builds have been failing

Code Sign error: No codesigning identities found: No codesigning identities (i.e. certificate and private key pairs) that match the provisioning profile specified in your build settings (“Some App AdHoc Distribution”) were found.

I think the reason for failure is here:

Run command: 'security create-keychain -p This_is_the_default_keychain_password /Users/username/Library/Keychains/gradle.keychain'
Run command: 'security unlock-keychain -p This_is_the_default_keychain_password /Users/username/Library/Keychains/gradle.keychain'
Run command: 'security -v import /Users/username/path/someapp/build/Certificates.p12 -k /Users/username/Library/Keychains/gradle.keychain -P mysecretpassword -T /usr/bin/codesign'
import "/Users/username/path/someapp/build/Certificates.p12" "-k" "/Users/username/Library/Keychains/gradle.keychain" "-P" "mysecretpassword" "-T" "/usr/bin/codesign"
1 identity imported.
Run command: 'security list'
"/Users/username/Library/Keychains/login.keychain"
"/Library/Keychains/System.keychain"
:provisioning-install

It seems like keychain creation and certificate import succeeds, but then 'security list' does not find gradle.keychain.
It used to work.

gradle 1.12
OS X 10.9.2
Xcode 5.1.1

[renep]

I'm wondering because gradle should create the keychain file in the project directory, but it was use this one: /Users/username/Library/Keychains/gradle.keychain

What does your build.gradle file look like?

[orkoden]

The weird thing is that this project used to build fine just a couple of weeks ago. If the signing certificate is imported into the login.keychain manually it works. So the certificate and provisioning profile is not the problem.

buildscript {
    repositories {
        maven {
            url('http://openbakery.org/repository/')
        }
        mavenCentral()
    }
    dependencies {
        classpath group: 'org.openbakery', name: 'xcodePlugin', version: '0.6.+'
    }
}
apply plugin: 'xcode'

xcodebuild {
    target = 'someapp'
    configuration = 'Release'
    sdk = 'iphoneos'
    signIdentity = 'iPhone Distribution: Mycomany GmbH'
}

provisioning {
    mobileprovisionUri = new File('EnterpriseDistribution/Enterprise_someapp.mobileprovision').toURI()
}

keychain {
    certificateUri = new File('EnterpriseDistribution/Certificates.p12').toURI()
    certificatePassword = '????'
}

[renep]

You are using the gradle plugin version 0.6 that is very very old. You are using Xcode 5.1.1 and only the plugin version 0.9.x supports Xcode 5.x.

Also some other configuration has changed, so you can try this config:

buildscript {
    repositories {
                maven {
                    url('http://openbakery.org/repository/')
                }
                mavenCentral()
    }
    dependencies {
        classpath group: 'org.openbakery', name: 'xcodePlugin', version: '0.9.+'
    }
}
apply plugin: 'xcode'


xcodebuild {
    target = 'someapp'
    configuration = 'Release'
  sdk = 'iphoneos'

    signing {
          certificateURI = new File('EnterpriseDistribution/Certificates.p12').toURI()
            identity = 'iPhone Distribution: Mycomany GmbH'
            mobileprovisionUri = new File('EnterpriseDistribution/Enterprise_someapp.mobileprovision').toURI()
            certificatePassword = '????'
     }

}

or see https://github.com/openbakery/gradle-xcodePlugin/blob/master/example/

[orkoden]

Thank you very much. It didn't occur to me that there would be so many changes. However it now fails differently.
First it failed on infoplist-modify.

:infoplist-modify FAILED

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':infoplist-modify'.
> 0

After adding infoPlist = 'myapp/myapp-Info.plist' to the .gradle file it fails on :build.

:assemble UP-TO-DATE
:infoplist-modify
Updating SomeApp/MyApp-Info.plist
:keychain-create
:provisioning-install
:build FAILED

FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':build'.

I also tried running the provided xcodebuild command myself. It complains xcodebuild: error: Unknown build action about the path to the keychain provided with OTHER_CODE_SIGN_FLAGS=--keychain.

Any ideas?

[renep]

I need two things to identify the error

1. your build.gradle file
2. run gradle with the "-debug" parameters, than you see more output that I need.

If you want to post this here in the issue you can send me this via mail. You find the address on my profile page.

[orkoden]

gradle file

buildscript {
    repositories {
        maven {
            url('http://openbakery.org/repository/')
        }
        mavenCentral()
    }
    dependencies {
        classpath group: 'org.openbakery', name: 'xcodePlugin', version: '0.9.+'
    }
}
apply plugin: 'xcode'

xcodebuild {
    target = 'myapptarget'
    configuration = 'Distribution'
    sdk = 'iphoneos'
    infoPlist = 'MyApp/MyApp-Info.plist'    

    signing {
        identity = 'iPhone Distribution: Companyname AG'
        mobileProvisionURI = new File('Distribution/MyApp_AdHoc_Distribution.mobileprovision').toURI()
        certificateURI = new File('Distribution/Certificates.p12').toURI()
        certificatePassword = 'XXXXXXX'
    }
}

--debug output https://gist.github.com/orkoden/48ee2c85300a4a047490

Thank you so much for taking the time.

[renep]

The xcodeproject is not found. The build.gradle file must be in the root of the xcodeproject.

Error message in the debug output is

14:43:55.167 [DEBUG] [org.openbakery.CommandRunner] xcodebuild: error: The directory /Users/username/projects/myappprojectfolder/buildscripts does not contain an Xcode project.

[orkoden]

Thank you. It now builds but singing still fails. The correct certificate and provisioning profile are correctly moved to their subfolders in the build directory.

15:45:39.377 [DEBUG] [org.openbakery.CommandRunner]     export CODESIGN_ALLOCATE=/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate
15:45:39.377 [DEBUG] [org.openbakery.CommandRunner]     export PATH="/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin:/Applications/Xcode.app/Contents/Developer/usr/bin:/Users/username/Library/Haskell/bin:/Users/username/bin:/Users/username/bin/starteam-en-11.0.0-java/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/opt/X11/bin:/Applications/Server.app/Contents/ServerRoot/usr/bin:/Applications/Server.app/Contents/ServerRoot/usr/sbin:/usr/local/MacGPG2/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin:/opt/X11/bin:/Applications/Server.app/Contents/ServerRoot/usr/bin:/Applications/Server.app/Contents/ServerRoot/usr/sbin"
15:45:39.378 [DEBUG] [org.openbakery.CommandRunner]     Using code signing identity "iPhone Developer: Developer Name (8QHJB72JPC)" and provisioning profile "MyApp Development" (AC8FA3DE-74BA-42C1-AC03-5233056F870C)
15:45:39.378 [DEBUG] [org.openbakery.CommandRunner]     /usr/bin/codesign --force --sign AD257698FB0EDDEC67EAA715135C00A5163E4771 --resource-rules=/Users/username/projects/MyApp/build/sym/Distribution-iphoneos/myapp.app/ResourceRules.plist --keychain /Users/username/projects/MyApp/build/keychain/gradle-1400593536970.keychain --entitlements /Users/username/projects/MyApp/build/obj/Secure\ Web.build/Distribution-iphoneos/myapp.build/myapp.xcent /Users/username/projects/MyApp/build/sym/Distribution-iphoneos/myapp.app
15:45:39.407 [DEBUG] [org.openbakery.CommandRunner] AD257698FB0EDDEC67EAA715135C00A5163E4771: no identity found
15:45:39.408 [DEBUG] [org.openbakery.CommandRunner] Command /usr/bin/codesign failed with exit code 1
15:45:39.409 [DEBUG] [org.openbakery.CommandRunner]
15:45:39.431 [DEBUG] [org.openbakery.CommandRunner] ** BUILD FAILED **
15:45:39.431 [DEBUG] [org.openbakery.CommandRunner]
15:45:39.432 [DEBUG] [org.openbakery.CommandRunner]
15:45:39.433 [DEBUG] [org.openbakery.CommandRunner] The following build commands failed:
15:45:39.433 [DEBUG] [org.openbakery.CommandRunner]     CodeSign build/sym/Distribution-iphoneos/myapp.app
15:45:39.434 [DEBUG] [org.openbakery.CommandRunner] (1 failure)
15:45:39.453 [DEBUG] [org.gradle.api.internal.tasks.execution.ExecuteAtMostOnceTaskExecuter] Finished executing task ':build'
15:45:39.454 [LIFECYCLE] [class org.gradle.TaskExecutionLogger] :build FAILED
15:45:39.455 [INFO] [org.gradle.execution.taskgraph.AbstractTaskPlanExecutor] :build (Thread[main,5,main]) completed. Took 1.445 secs.
15:45:39.455 [DEBUG] [org.gradle.execution.taskgraph.AbstractTaskPlanExecutor] Task worker [Thread[main,5,main]] finished, busy: 1.716 secs, idle: 0.032 secs
15:45:39.461 [ERROR] [org.gradle.BuildExceptionReporter]
15:45:39.463 [ERROR] [org.gradle.BuildExceptionReporter] FAILURE: Build failed with an exception.
15:45:39.464 [ERROR] [org.gradle.BuildExceptionReporter]
15:45:39.464 [ERROR] [org.gradle.BuildExceptionReporter] * What went wrong:
15:45:39.465 [ERROR] [org.gradle.BuildExceptionReporter] Execution failed for task ':build'.

My guess was gradle-xcodeplugin does no longer override the settings in the xcode project file for the provisioning profile to use. I tried changing it there.
The first thing that happened was being asked by Keychain.app to enter the password for the current gradle keychain. Which of course is no good for unattended builds. I had to force delete the build folder to
get rid of that problem.
After that and changing the provisioning profile in the Xcode project it worked.

Is my guess correct, that gradle-xcodeplugin does no longer override the settings in the xcode project file for the provisioning profile to use?
I would like to specify it only in the .gradle file.

[renep]

I think the identity is wrong: "iPhone Developer: Developer Name (8QHJB72JPC)"

Run the following command in the Terminal and you see valid values:

security find-identity | grep "iPhone Developer" 

[orkoden]

The identity is set to Automatic in Xcode and to iPhone Distribution: CompanyName in the .gradle file as you can see above. It should not be iPhone Developer when building with that .gradle file.

security find-identity | grep "iPhone Developer" outputs my one iPhone Developer identity. I want to keep the distribution identity separate and not have it hang around in the keychain all the time.

Something else I noticed. There's still a grade keychain hanging around in my Keychain.app. Should that not be cleaned up?

[renep]

In the build.gradle file you should specify the correct signIdentity with

xcodebuild {
    signIdentity = 'iPhone Distribution: ...'
}

This must match exactly the identity form the *.p12 file, and the security find-identity | grep "iPhone Developer"should show it.

The gradle build ignores the signing settings from the xcode project.

The gradle build cleans up old keychains, but when a build has failed, the cleanup is not perform, so it can be that some items remain in the keychain.
If you run gradle clean the keychains should be also clean up.

[orkoden]

The only thing that worked for me was setting the provisioning profiles in Xcode for the appropriate configurations. That means it is not related to the identity.

In any case for distribution signing I don't have to set the identity to iPhone Developer: ..., but to iPhone Distribution: .... Which is exactly what I do with the correct identity name.

security find-identity | grep "iPhone Developer" will find developer identities. What I need are distribution identities security find-identity | grep "iPhone Distribution". I do not keep them around in a keychain, so looking for them that way will not work. But yes, I imported my distribution certificate into a keychain and confirmed that the identity I set is correct.

[renep]

I do not have the distribution key in my keychain either. The plugin overrides the settings specified in the xcodeproject file, if they are specified properly.
One of the reasons I have created this plugin is to get rid of the complexity of signing and having the proper keys in the keychains. (I have my keys and provisioning profile stored on single location in my network where only build server has access.)

Take a look in the build.gradle in the example. Here you seen that multiple signing identities are specified for different targets. e.g the integration target uses the development identity, the appstore target uses the distribution target:
https://github.com/openbakery/gradle-xcodePlugin/blob/master/example/build.gradle)

This build file is nearly the same as I in all my projects (only the targets and identities must be changed)

[renep]

Here my comment for rbang1's pull request #78:

I have test your fix by changing the path of the project to have spaces and it hasn't work.
The problem is that the xcodebuild command does not escape the spaces, also when you add quotes or '\ '.
Filed a radar for this: 17987594

The only solution by now is to make sure that your path does not contain spaces!

[rbang1]

Actually in my case there are no spaces in path, the build breaks down on space between --keychain and path to keychain for the OTHER_CODE_SIGN_FLAGS argument

[renep]

I don't think this is you problem. Quotes are not needed here, because this parameters is passed as one parameter to the xcodebuild command using the java ProcessBuilder (http://docs.oracle.com/javase/7/docs/api/java/lang/ProcessBuilder.html)

A space is only a problem in the path, because the xcodebuild command parses the parameter and extracted the path of the keychain and pass it to the codesign command. Here the path is not escaped by the xcodebuild command.
This is not an issue in the gradle xcode plugin because when I try the xcodebuild command manually in the terminal, and I was not able to escape it so that it works. Therefor I filed a radar.

Nevertheless at my point of view, I think that the identity, mobile provision and certificate does not match in your case. The signing part works fine for me for quite I time.
e.g. the identity must look like this:

signing {
        identity = 'iPhone Developer: Firstname Lastname (1WDEE53JDP)' 
}