Created
February 16, 2016 17:52
-
-
Save semireg/6a780347c4037ea47ac9 to your computer and use it in GitHub Desktop.
Fastfile script for unlocking the Portal keychain for Xcode bots
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| # Author: Caylan Larson, @caylan, Semireg Industries, LLC | |
| # This is the only command in this script. The remainder is notes. | |
| security unlock-keychain -p "`cat /Library/Developer/XcodeServer/SharedSecrets/PortalKeychainSharedSecret`" "/Library/Developer/XcodeServer/Keychains/Portal.keychain" | |
| # FastFile usage: | |
| # desc "Xcode Bot Prebuild" | |
| # lane :botprebuild do | |
| # sh("scripts/unlock-portal-keychain.sh") | |
| # match(type: "appstore", readonly: true) | |
| # end | |
| # The match repo certs are encrypted with a passphrase. This passphrase is stored in the keychain as an "Internet password" item. The _xcsbuildd user's Portal keychain is difficult to modify. I had luck by copying the Portal keychain to another user's homedir, setting permissions, and changing the password to something simple. Then, copy/paste the keychain item from your login to the Portal keychain. Lock the keychain, replace the simple password with the PortalKeychainSharedSecret, and then copy back to the original location with proper permissions. The last step, which has to happen at least once, is to unlock the keychain for use. This is the only command in this script and is above. | |
| # Move Keychain to logged in user's desktop: | |
| # sudo cp /Library/Developer/XcodeServer/Keychains/Portal.keychain ~/Desktop/; sudo chown `whoami`:staff ~/Desktop/Portal.keychain | |
| # Change keychain password to 123: | |
| # security set-keychain-password -o "`sudo cat /Library/Developer/XcodeServer/SharedSecrets/PortalKeychainSharedSecret`" -p 123 ~/Desktop/Portal.keychain | |
| # Open Keychain Access and copy/paste the match_git entry from login --> Portal. Note: This will not work via Remote Desktop. Lock Portal and quit. | |
| # Restore keychain password to shared secret: | |
| # security set-keychain-password -p "`sudo cat /Library/Developer/XcodeServer/SharedSecrets/PortalKeychainSharedSecret`" -o 123 ~/Desktop/Portal.keychain | |
| # Restore keychain: | |
| # sudo chown _xcsbuildd:_xcs ~/Desktop/Portal.keychain; sudo cp ~/Desktop/Portal.keychain /Library/Developer/XcodeServer/Keychains/Portal.keychain |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Good stuff, but why can't you also inject the
matchpassword into thePortal.keychainin the script? It could be something you run once as superuser and from then the fastlane lane alone will be enough to get match working?Also, if you do figure out a way to make it work, feel free to PR an amendment to my article: https://github.com/czechboy0/hdcom-site/blob/master/contents/articles/2015-08-17-17-30-xcode_server_tutorials_3_prebuild__postbuild_scripts/index.md