Importing a p12 certificate remotely from the terminal

Author: 收纳箱 | Published 2020-02-27 10:10
    • Abstract:

      Because of the epidemic I have been working from home lately. The certificate on the company's "trash can" Mac Pro used for continuous integration expired, and I could not go to the office to deal with it, so I looked into how to import a p12 certificate remotely using only ssh and command-line tools.

    • Keywords: expired certificate, remote, command line, p12 import

    1. The usual GUI procedure

    When Xcode signs a build with codesign it may need the user's authorization. A dialog appears asking for the Mac login password, with the choice of allowing access once ("Allow") or permanently ("Always Allow").

    (figure: codesign's keychain access prompt)

    1.1 Problems

    • What if "Deny" was clicked?

      1. Open the Keychain Access app.
      2. Select the "login" keychain and the "My Certificates" category.
      3. Find the certificate named iPhone Developer: XXX@XXX (XXX), right-click it and delete it.
      4. Build and run again in Xcode (Command+R). The codesign access dialog appears once more; enter the Mac login password and click "Always Allow".
    • What if the machine is being controlled remotely and there is no GUI?
      Then the terminal has to do the job.

    2. Terminal procedure

    • Remote login

      # user_name: account name on the Mac
      # ip: the machine's public IP address
      ssh user_name@ip

      If the Mac's ssh port is reachable from the Internet, use key-based authentication rather than the login password.

    • The security command

      What is needed is that /usr/bin/codesign can use the private key from the p12 in the keychain when it runs. There are two ways to arrange this, and both rely on the security command. Run security -h to see the help text.

    help                                 Show all commands, or show usage for a command.
    list-keychains                       Display or manipulate the keychain search list.
    list-smartcards                      Display available smartcards.
    default-keychain                     Display or set the default keychain.
    login-keychain                       Display or set the login keychain.
    create-keychain                      Create keychains and add them to the search list.
    delete-keychain                      Delete keychains and remove them from the search list.
    lock-keychain                        Lock the specified keychain.
    unlock-keychain                      Unlock the specified keychain.
    set-keychain-settings                Set settings for a keychain.
    set-keychain-password                Set password for a keychain.
    show-keychain-info                   Show the settings for keychain.
    dump-keychain                        Dump the contents of one or more keychains.
    create-keypair                       Create an asymmetric key pair.
    add-generic-password                 Add a generic password item.
    add-internet-password                Add an internet password item.
    add-certificates                     Add certificates to a keychain.
    find-generic-password                Find a generic password item.
    delete-generic-password              Delete a generic password item.
    set-generic-password-partition-list  Set the partition list of a generic password item.
    find-internet-password               Find an internet password item.
    delete-internet-password             Delete an internet password item.
    set-internet-password-partition-list Set the partition list of a internet password item.
    find-key                             Find keys in the keychain
    set-key-partition-list               Set the partition list of a key.
    find-certificate                     Find a certificate item.
    find-identity                        Find an identity (certificate + private key).
    delete-certificate                   Delete a certificate from a keychain.
    delete-identity                      Delete an identity (certificate + private key) from a keychain.
    set-identity-preference              Set the preferred identity to use for a service.
    get-identity-preference              Get the preferred identity to use for a service.
    create-db                            Create a db using the DL.
    export                               Export items from a keychain.
    import                               Import items into a keychain.
    export-smartcard                     Export items from a smartcard.
    cms                                  Encode or decode CMS messages.
    install-mds                          Install (or re-install) the MDS database.
    add-trusted-cert                     Add trusted certificate(s).
    remove-trusted-cert                  Remove trusted certificate(s).
    dump-trust-settings                  Display contents of trust settings.
    user-trust-settings-enable           Display or manipulate user-level trust settings.
    trust-settings-export                Export trust settings.
    trust-settings-import                Import trust settings.
    verify-cert                          Verify certificate(s).
    authorize                            Perform authorization operations.
    authorizationdb                      Make changes to the authorization policy database.
    execute-with-privileges              Execute tool with privileges.
    leaks                                Run /usr/bin/leaks on this process.
    error                                Display a descriptive message for the given error code(s).
    create-filevaultmaster-keychain      Create a keychain containing a key pair for FileVault recovery use.
    smartcards                           Enable, disable or list disabled smartcard tokens.
    translocate-create                   Create a translocation point for the provided path
    translocate-policy-check             Check whether a path would be translocated.
    translocate-status-check             Check whether a path is translocated.
    translocate-original-path            Find the original path for a translocated path.
    requirement-evaluate                 Evaluate a requirement against a cert chain.
    

    2.1 Method ①

    • Find the default keychain path

      # usually ~/Library/Keychains/login.keychain-db
      security default-keychain

    • Unlock the keychain

      # $pwd is the Mac login password
      security unlock-keychain -p $pwd ~/Library/Keychains/login.keychain-db

      Passing the password with -p puts it on the command line, where it is visible in the process list and may end up in shell history, so keep such scripts and their history out of reach of other users of the machine.

    • Import the p12 certificate

      # $p12_file_path: path to the p12 file
      # $p12_pwd: passphrase of the p12
      security import $p12_file_path -k ~/Library/Keychains/login.keychain-db -P $p12_pwd

      This import only adds the identity; it says nothing about which programs may use the private key. If codesign is not on the key's access list, signing still triggers the dialog from section 1 even though the keychain is unlocked, and over ssh nobody can answer it. That is what method ② addresses.

    • In the packaging script, run security unlock-keychain before xcodebuild

      ...
      # unlock the keychain
      security unlock-keychain -p $pwd ~/Library/Keychains/login.keychain-db
      xcodebuild clean -workspace $BUILD_TARGET.xcworkspace -scheme $BUILD_SCHEME -configuration $BUILD_CONFIG
      xcodebuild archive -workspace $BUILD_TARGET.xcworkspace -scheme $BUILD_SCHEME -configuration $BUILD_CONFIG -UseModernBuildSystem=NO 2>$BUILD_ERROR_LOG DEPLOYMENT_POSTPROCESSING=YES
      ...
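The packaging step above unlocks the keychain and immediately calls xcodebuild. The following is an added example, not the post's own script: a build wrapper that unlocks the keychain the same way, then checks that the keychain really holds a valid code-signing identity and pins the build to it by SHA-1 hash, so an expired certificate (the situation that started this post) fails the job with a clear message instead of a signing error deep in the build log. The sample find-identity output is constructed (fake hashes, fake team ID ABCDE12345); IDENTITY_PATTERN, the workspace, scheme and configuration names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: before running xcodebuild,
# confirm that the keychain holds a valid code-signing identity and pin the
# build to it by SHA-1 hash. Assumptions: IDENTITY_PATTERN names the wanted
# identity, workspace/scheme/configuration are passed in, and the keychain
# password is in KEYCHAIN_PASSWORD. The sample output below is constructed
# (fake hashes, fake team ID ABCDE12345) so the parser runs without a Mac.

SAMPLE_FIND_IDENTITY='Policy: Code Signing
  Matching identities
  1) 0123456789ABCDEF0123456789ABCDEF01234567 "iPhone Distribution: Example Corp (ABCDE12345)" (CSSMERR_TP_CERT_EXPIRED)
  2) 89ABCDEF0123456789ABCDEF0123456789ABCDEF "iPhone Distribution: Example Corp (ABCDE12345)"
  3) FEDCBA9876543210FEDCBA9876543210FEDCBA98 "iPhone Developer: dev@example.com (ABCDE12345)"
     3 identities found

  Valid identities only
  1) 89ABCDEF0123456789ABCDEF0123456789ABCDEF "iPhone Distribution: Example Corp (ABCDE12345)"
  2) FEDCBA9876543210FEDCBA9876543210FEDCBA98 "iPhone Developer: dev@example.com (ABCDE12345)"
     2 valid identities found'

# pick_identity PATTERN OUTPUT
# Prints the SHA-1 of the first identity whose name contains PATTERN in the
# "Valid identities only" block of `security find-identity -p codesigning`
# output. Expired or untrusted certificates are only listed above that block,
# with their CSSMERR reason, so an expired duplicate (like entry 1 above) is
# never picked. Exit status 1 when nothing matches.
pick_identity() {
    printf '%s\n' "$2" | awk -v pat="$1" '
        /Valid identities only/ { valid = 1; next }
        valid && /^ *[0-9]+\) [0-9A-F]+ "/ && index($0, pat) { print $2; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# rejected_identities OUTPUT: the identities find-identity refused, with the
# reason, e.g. CSSMERR_TP_CERT_EXPIRED.
rejected_identities() {
    printf '%s\n' "$1" | awk '
        /Valid identities only/ { exit }
        /\(CSSMERR_[A-Z_]+\)$/ { print }'
}

# build_archive WORKSPACE SCHEME CONFIGURATION KEYCHAIN
build_archive() {
    workspace=$1; scheme=$2; config=$3; keychain=$4
    : "${KEYCHAIN_PASSWORD:?KEYCHAIN_PASSWORD is not set}"
    : "${IDENTITY_PATTERN:?IDENTITY_PATTERN is not set, e.g. 'iPhone Distribution'}"
    # The post's key step: unlock right before the build.
    security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$keychain" || return 1
    found=$(security find-identity -p codesigning "$keychain")
    ident_sha1=$(pick_identity "$IDENTITY_PATTERN" "$found") || {
        echo "no valid identity matching '$IDENTITY_PATTERN'" >&2
        echo "identities rejected by find-identity:" >&2
        rejected_identities "$found" >&2
        return 1
    }
    # Passing the hash rather than the name avoids ambiguity when an expired
    # and a renewed certificate share the same name in the keychain.
    xcodebuild archive -workspace "$workspace" -scheme "$scheme" \
        -configuration "$config" CODE_SIGN_IDENTITY="$ident_sha1" \
        DEPLOYMENT_POSTPROCESSING=YES
}
```

Usage on the build machine: `IDENTITY_PATTERN='iPhone Distribution' KEYCHAIN_PASSWORD=... sh -c '. ./build.sh; build_archive App.xcworkspace App Release ~/Library/Keychains/login.keychain-db'`. The parser works on the output of find-identity without -v on purpose: the "Matching identities" block is what tells you that a certificate with the right name exists but has expired, which -v would hide.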
      

    2.2 方式②

    security import
    Usage: import inputfile [-k keychain] [-t type] [-f format] [-w] [-P passphrase] [options...]
        -k  Target keychain to import into
        -t  Type = pub|priv|session|cert|agg
        -f  Format = openssl|openssh1|openssh2|bsafe|raw|pkcs7|pkcs8|pkcs12|netscape|pemseq
        -w  Specify that private keys are wrapped and must be unwrapped on import
        -x  Specify that private keys are non-extractable after being imported
        -P  Specify wrapping passphrase immediately (default is secure passphrase via GUI)
        -a  Specify name and value of extended attribute (can be used multiple times)
        -A  Allow any application to access the imported key without warning (insecure, not recommended!)
        -T  Specify an application which may access the imported key (multiple -T options are allowed)
    Use of the -P option is insecure
    
        Import items into a keychain.
    

    So security import can grant access to the imported key either to every application (-A) or to specific applications (-T):

    # unlock the keychain
    security unlock-keychain -p $pwd ~/Library/Keychains/login.keychain-db
    # import the certificate and let /usr/bin/codesign use the private key
    security import $p12_file_path -k ~/Library/Keychains/login.keychain-db -P $p12_pwd -T /usr/bin/codesign
    
    • The key step: the set-key-partition-list command
      Since macOS Sierra (10.12) the keychain ignores the access control list set at import time and still shows the UI prompt asking for permission (the Stack Overflow question "security / codesign in Sierra: Keychain ignores access control settings and UI-prompts for permission" describes this). A key now also carries a partition list which, as a supplement to the ACL, restricts access according to the signature of the calling program, so it has to be configured as well:
    security set-key-partition-list -S apple-tool:,apple: -s -k $pwd ~/Library/Keychains/login.keychain-db

    The parameters:

    • -S: the comma-separated list of partition IDs allowed to use the key. Apple's tools fall under apple-tool: and apple:, so these two entries cover codesign.
    • -s: restrict the operation to keys that can sign, i.e. the private key codesign uses. It is a selector (like -t private), not the name of a key.
    • -k: the keychain password; changing a partition list requires it.

    So the command above lets Apple's tools use the signing private keys in login.keychain.

    Note: set-key-partition-list overwrites the key's partition list with the -S value; it does not append to it.

    • 附上set-key-partition-list的使用说明
    set-key-partition-list
    Usage: set-key-partition-list [options...] [keychain]
        -a  Match "application label" string
        -c  Match "creator" (four-character code)
        -d  Match keys that can decrypt
        -D  Match "description" string
        -e  Match keys that can encrypt
        -j  Match "comment" string
        -l  Match "label" string
        -r  Match keys that can derive
        -s  Match keys that can sign
        -t  Type of key to find: one of "symmetric", "public", or "private"
        -u  Match keys that can unwrap
        -v  Match keys that can verify
        -w  Match keys that can wrap
        -S  Comma-separated list of allowed partition IDs
        -k  password for keychain (required)
        If no keychains are specified to search, the default search list is used.
        Set the partition list of a key.
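Methods ① and ② together form one procedure: unlock, import with an access list, set the partition list, verify. The script below is an added example, not the post's own, that runs that procedure as a single function over ssh with no GUI. It assumes the p12 path is passed as an argument, the passphrases come from the environment, and that codesign and productbuild (which signs .pkg installers) are the only programs that should use the key. With DRY_RUN=1 it prints the commands with the secrets masked instead of executing them, which is how it can be exercised on a machine that has no `security` tool.

```shell
#!/bin/sh
# Added example, not the post's own script: the whole procedure of section 2
# (unlock, import with -T, set-key-partition-list, verify) as one function
# that can be run over ssh with no GUI. Assumptions: the p12 path is $1,
# passphrases come from the environment, and codesign plus productbuild are
# the only programs that should use the key. With DRY_RUN=1 the commands are
# printed with secrets masked instead of executed.

KEYCHAIN=${KEYCHAIN:-"$HOME/Library/Keychains/login.keychain-db"}

# run CMD ARGS...: execute, or in dry-run mode print with passwords masked
# so the output is safe to put in a CI log.
run() {
    if [ -z "${DRY_RUN:-}" ]; then
        "$@"
        return
    fi
    line=
    for arg in "$@"; do
        case "$arg" in
            "$KEYCHAIN_PASSWORD"|"$P12_PASSWORD") arg='***' ;;
        esac
        line="$line $arg"
    done
    printf '%s\n' "${line# }"
}

# import_signing_identity P12_PATH
# Needs KEYCHAIN_PASSWORD (the Mac login password when KEYCHAIN is the login
# keychain) and P12_PASSWORD in the environment. Stops at the first failing
# step so a CI job fails loudly instead of hanging on a prompt nobody sees.
import_signing_identity() {
    p12=$1
    [ -r "$p12" ] || { echo "p12 file not readable: $p12" >&2; return 2; }
    : "${KEYCHAIN_PASSWORD:?KEYCHAIN_PASSWORD is not set}" \
      "${P12_PASSWORD:?P12_PASSWORD is not set}"

    # 1. Unlock. -p puts the password on the command line, visible in `ps`
    #    for the lifetime of the process; the post's commands share this.
    run security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN" || return 1

    # 2. Keep it unlocked. With no options, set-keychain-settings clears the
    #    lock timeout (300 s by default) and lock-on-sleep, so a long
    #    xcodebuild does not find the keychain locked again halfway through.
    #    The trade-off: this keychain now stays open until explicitly locked.
    run security set-keychain-settings "$KEYCHAIN" || return 1

    # 3. Import the identity and put the named tools on the private key's
    #    ACL; -A (any application) would also work but is wider than needed.
    run security import "$p12" -k "$KEYCHAIN" -f pkcs12 -P "$P12_PASSWORD" \
        -T /usr/bin/codesign -T /usr/bin/productbuild || return 1

    # 4. Partition list (macOS Sierra and later): without it the ACL from
    #    step 3 is ignored and codesign still prompts. -S replaces the whole
    #    list, so every partition that should keep access must be listed.
    run security set-key-partition-list -S apple-tool:,apple: -s \
        -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN" || return 1

    # 5. Verify from the same non-GUI session that the build will use.
    run security find-identity -v -p codesigning "$KEYCHAIN"
}
```

Usage over ssh: `KEYCHAIN_PASSWORD=... P12_PASSWORD=... sh -c '. ./import.sh; import_signing_identity ~/dist.p12'`. Step 2 is the reason this works for a build that takes longer than five minutes, but it also means the login keychain stays unlocked; if that is unacceptable, point KEYCHAIN at a dedicated keychain created with `security create-keychain` and added to the search list with `security list-keychains -d user -s`, so the login password never appears in the script and only the CI keychain stays open.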
    

Original URL: https://www.haomeiwen.com/subject/wvzzchtx.html