Thursday, June 8, 2017

Working Around Xcode Server CI Manual Profile Issues

There are a few problems to deal with when getting Xcode Server to work, and most of them have been dealt with well in other blog posts.

The dreaded error you get with a manually provisioned profile is harder to get rid of:

Provisioning profile "MyApp Development iOS" doesn't include signing certificate "iPhone Developer: OS X Server (VQJ479QQTU)"

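It occurs because Xcode Server, running in the context of OS X Server, has its own keychain called "Portal". In that keychain it creates its own new certificates, which are accessible by the server process. Those server-generated certificates are not among the ones your manually provisioned profile was created with, so signing fails.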

First get your CI server up and running and create a bot as described in the Apple macOS Server documentation for CI services, or a recent blog post.

If you've got a manually provisioned profile you'll get the error above. On your local development machine (e.g. your laptop), open Xcode and use the credentials export feature. It will ask for a password, which you'll need to carefully record.

This will create an archive of the credentials, including your certificates, keys, profiles and so on. Copy it onto your macOS Server machine (e.g. using scp or a USB key). Then, logged in as the xcodeserver user that you created for the purpose, open Xcode and import that archive, supplying the password created above.

Now open the Keychain Access program. I find it's easiest to do this by invoking Spotlight with <cmd>-<space> and then typing "Key...". Here you need to do the following:

  • Click on "Portal" top left to open the "Portal" keychain
  • Select all the automatically created certificates that are complained of in the error e.g. 
    • iPhone Developer: OS X Server (VQJ479QQTU) 
  • Set these aside for safe keeping & then delete them.
    • Archive these off by choosing "File" > "Export Items...".
    • This is in case something goes wrong and you need to re-install them
    • Now choose "Edit" > "Delete"
  • Now click on "login" to open the "login" keychain.  
    • This is where Xcode's import developer accounts tool will have placed the certificates.
    • Select all of the certificates and drag them into the "Portal" keychain.
    • At the end your "Keychain Access" should look like this:

You should now be able to run an integration and Xcode server will find and use the correct certificates to support your manually assigned profiles.
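To confirm the result without relying on the Keychain Access view, the following added example (not part of the original post) compares the certificates embedded in a provisioning profile against the signing identities a keychain reports. It assumes you pass it the bytes of the .mobileprovision file and the text printed by `security find-identity -v -p codesigning <keychain>` for the Portal keychain; the function names, the "Jane Dev" identity and the certificate blobs are constructed for illustration.

```python
import hashlib
import plistlib
import re

# Matches lines such as:  1) <40 hex digits> "iPhone Developer: Name (TEAMID)"
IDENTITY_RE = re.compile(r'^\s*\d+\)\s+([0-9A-F]{40})\s+"(.+)"', re.M)

def profile_cert_fingerprints(profile_bytes):
    """SHA-1 fingerprints of the certificates a .mobileprovision allows."""
    # The profile is a CMS envelope around an XML plist held in the clear, so
    # the plist can be sliced out. This does not verify the CMS signature.
    start = profile_bytes.find(b"<?xml")
    end = profile_bytes.find(b"</plist>")
    if start < 0 or end < start:
        raise ValueError("no embedded plist found in profile")
    plist = plistlib.loads(profile_bytes[start:end + len(b"</plist>")])
    certs = plist.get("DeveloperCertificates", [])
    return {hashlib.sha1(der).hexdigest().upper() for der in certs}

def check_keychain(profile_bytes, find_identity_output):
    """Split keychain signing identities into (in profile, not in profile)."""
    allowed = profile_cert_fingerprints(profile_bytes)
    usable, stray = [], []
    for fingerprint, name in IDENTITY_RE.findall(find_identity_output):
        (usable if fingerprint in allowed else stray).append(name)
    return sorted(usable), sorted(stray)

def constructed_sample():
    """Constructed stand-ins: fake DER blobs, a fake profile, fake tool output."""
    dev_der, server_der = b"constructed developer cert", b"constructed server cert"
    plist = plistlib.dumps({"Name": "MyApp Development iOS",
                            "DeveloperCertificates": [dev_der]})
    profile = b"\x30\x82CMS-header" + plist + b"CMS-signature-bytes"
    fp = lambda der: hashlib.sha1(der).hexdigest().upper()
    output = (f'  1) {fp(server_der)} "iPhone Developer: OS X Server (VQJ479QQTU)"\n'
              f'  2) {fp(dev_der)} "iPhone Developer: Jane Dev (ABCDE12345)"\n'
              "     2 valid identities found\n")
    return profile, output

if __name__ == "__main__":
    usable, stray = check_keychain(*constructed_sample())
    print("in profile:    ", usable)
    print("not in profile:", stray)
```

Any identity reported as not in the profile is one that can trigger the "doesn't include signing certificate" error if Xcode Server picks it; after the steps above, the Portal keychain should report none.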