executing xcodebuild from php website

Question

I have written the appropriate xcode build scripts and when I run them from the command line they work each and every time.

I have my apache system running as my local user/group (myuser/staff), so it SHOULD have the proper permissions (I think).

The issue that I'm having is that although the build is generating, it's not signing it.

At the very end, I get a "Program /usr/bin/codesign returned 1 : [/tmp/1u_gMG7iJU/Payload/myapp.app: code object is not signed at all" error.

Like I said, if I execute the exact same script directly from the command line it works perfectly.

I have tried relying on the xcodebuild clean build command to assign the proper provisioning profile, and that doesn't work as I actually generate two builds. One with enterprise (wild card) so that we can quickly and easily test internally, and the other with an exact profile. So I need to be able to specify which profile to use.

I've tried specifying the CODE_SIGN_IDENTITY, and PROVISIONING_PROFILE values during the signing process and that doesn't work

I've tried specifying the --sign and --embed flags as well to no avail.

My currently working xcodebuild commands are:

/usr/bin/xcodebuild -project /path/to/my.xcodeproj CODE_SIGN_IDENTITY="iPhone Distribution: My Company" PROVISIONING_PROFILE="my-provisioning-profile-uuid" clean build;

/usr/bin/xcrun -sdk iphoneos PackageApplication -v /path/to/build/Release-iphoneos/myapp.app -o /path/to/my/output/myapp.ipa --sign "iPhone Distribution: my company" --embed "/local/path/to/provisioning profiles/my-provisioning-profile-uuid.mobileprovisioningprofile";

Can anyone think of anything I haven't tried?

I'm starting to think that maybe I should set up a custom keychain that will hold all the certs and such for the automated builds, but I'm not too sure if that rabbit hole will pay off.

If I were to go that route, would I need to have special permissions on the provisioning profiles? Would I have to re-create all of my active provisioning profiles (I'd rather not have to do that). Would I have to maybe move where my provisioning profiles are housed?

Another possibility that I'm thinking MAY work (equally may not) is defaulting all my applications to sign with the enterprise cert, and only when I'm ready to release them then I specify the "production" cert... would I be able to do that via the scripts?

I'm really at a loss as to what to do, and nothing I've searched for thus far has brought me any closer.

Thanks for your help!

Answer 1

To answer my own question, what I ended up doing was creating an ANT build script. The first process is to SSH in to my own user account, and that user has all the appropriate permissions. This also allowed me to not have to futz with the apache user settings.