轉載來自:https://testerhome.com/topics/33338
今天幫忙處理一個 electron mac app 的簽名問題,過程中發現搜索到的中文文檔都不大靠譜,所以記錄如下。
問題描述
已從開發那導入了 p12 開發者證書,打包時也設定了用這個證書,但實際打包報錯
signing file=release/build/mac-arm64/xxx.app identityName=Developer ID Application: Guangzhou Lizhi Network Technology Company Limited (xxx) identityHash=D305770249AD009874A683DC5616E7105E67858D provisioningProfile=none
⨯ Command failed: codesign --sign D305770249AD009874A683DC5616E7105E67858D --force --keychain /var/folders/2t/hzb086x5425b5f8zzdr_bjrr0000gp/T/0c881042b187e7f5d405e1734973970f9a588b3d902053ae147d8dbded685994.keychain --timestamp --options runtime --entitlements assets/entitlements.mac.plist /Users/jenkins/workspace/workspace/LiveAssistantLizhiFM-pcClient/release/build/mac-arm64/荔枝直播助手.app/Contents/Resources/app.asar.unpacked/node_modules/agora-electron-sdk/build/Release/AgoraAIDenoiseExtension.framework/Versions/A/Resources/Info.plist
Warning: unable to build chain to self-signed root for signer "Developer ID Application: Guangzhou Lizhi Network Technology Company Limited (xxx)"
/Users/jenkins/workspace/workspace/LiveAssistantLizhiFM-pcClient/release/build/mac-arm64/xxx.app/Contents/Resources/app.asar.unpacked/node_modules/agora-electron-sdk/build/Release/AgoraAIDenoiseExtension.framework/Versions/A/Resources/Info.plist: errSecInternalComponent
failedTask=build stackTrace=Error: Command failed: codesign --sign D305770249AD009874A683DC5616E7105E67858D --force --keychain /var/folders/2t/hzb086x5425b5f8zzdr_bjrr0000gp/T/0c881042b187e7f5d405e1734973970f9a588b3d902053ae147d8dbded685994.keychain --timestamp --options runtime --entitlements assets/entitlements.mac.plist /Users/jenkins/workspace/workspace/LiveAssistantLizhiFM-pcClient/release/build/mac-arm64/xxx.app/Contents/Resources/app.asar.unpacked/node_modules/agora-electron-sdk/build/Release/AgoraAIDenoiseExtension.framework/Versions/A/Resources/Info.plist
Warning: unable to build chain to self-signed root for signer "Developer ID Application: Guangzhou Lizhi Network Technology Company Limited (xxx)"
/Users/jenkins/workspace/workspace/LiveAssistantLizhiFM-pcClient/release/build/mac-arm64/xxx.app/Contents/Resources/app.asar.unpacked/node_modules/agora-electron-sdk/build/Release/AgoraAIDenoiseExtension.framework/Versions/A/Resources/Info.plist: errSecInternalComponent
關鍵字:unable to build chain to self-signed root for signer
解決方案
恩,沒時間的可以直接看這裏
這個報錯的大致意思是,無法建立的證書鏈中的 root 證書。
雙擊報錯信息對應的證書,其實會看到裏面帶有其頒發機構(即 root 證書)相關信息:
然後根據這個信息,到蘋果存放所有根證書的頁面 https://www.apple.com/certificateauthority/ 找到對應的證書,下載導入即可。
問題解析詳細過程
首先,萬能思維:是不是鑰匙串沒解鎖?
然後加了解鎖語句,發現還是有一樣的報錯。
然後,順着這個日誌去看看鑰匙串裏的證書,發現 Developer ID Application: Guangzhou Lizhi Network Technology Company Limited (xxx) 證書在鑰匙串裏有,也沒過期,但鑰匙串界面上寫着 不受信任
嗯嗯,然後直覺思維,不受信任,那我手動信任不就好了?然後雙擊證書,把信任設置改爲始終信任
再試了一下,問題依舊。OK,配置先改回來默認。
好,google 走起,關鍵字 unable to build chain to self-signed root for signer :
https://stackoverflow.com/questions/48911289/warning-unable-to-build-chain-to-self-signed-root-for-signer-warning-in-xcode
https://blog.csdn.net/pre_eminent/article/details/114756030
找到兩篇看起來關係比較大的,都說是 apple 根證書的鍋,然後上機器看了下,根證書沒過期呀:
陷入僵局。。。。
換個思路,我不找直接錯誤原因了,我找找爲啥 keychain 不信任我這個證書,然後改關鍵字爲 certificate is not trusted keychain
找到了另一個 stackoverflow 的
裏面提到的一個地址:https://developer.apple.com/de/support/expiration/
然後我進去看了下,裏面有個 TakeAction ,大意是說不管你是啥開發者計劃,簽名時都得用到某些指定的證書,然後說 xcode 11.4.1 會自動管理這些,也可以手動到 Certificate Authority page 下載。
於是打開了 Certificate Authority page ,樣子如下:
泥馬,原來有這麼多根證書。。。那該選哪個呢?
這時候,聰明的我想到(實際我是先搞了好幾個試了沒效果,然後才突發奇想),既然 keychain 說不信任,那應該 keychain 裏有線索,於是再次雙擊打開了下,看到如下信息:
剛好前面的蘋果頁面看到有個 G2 ,所以這裏也有個 G2 ,引起了我的注意。會不會是缺了這個呢?好,我下載試試。
於是下載並雙擊導入了這個根證書:
Yeah,證書有效了。
再次執行 job ,簽名也終於不報錯了,問題解決!