今天帮忙处理一个 electron mac app 的签名问题,过程中发现搜索到的中文文档都不大靠谱,所以记录如下。
已从开发那导入了 p12 开发者证书,打包时也设定了用这个证书,但实际打包报错
signing file=release/build/mac-arm64/xxx.app identityName=Developer ID Application: Guangzhou Lizhi Network Technology Company Limited (xxx) identityHash=D305770249AD009874A683DC5616E7105E67858D provisioningProfile=none
⨯ Command failed: codesign --sign D305770249AD009874A683DC5616E7105E67858D --force --keychain /var/folders/2t/hzb086x5425b5f8zzdr_bjrr0000gp/T/0c881042b187e7f5d405e1734973970f9a588b3d902053ae147d8dbded685994.keychain --timestamp --options runtime --entitlements assets/entitlements.mac.plist /Users/jenkins/workspace/workspace/LiveAssistantLizhiFM-pcClient/release/build/mac-arm64/荔枝直播助手.app/Contents/Resources/app.asar.unpacked/node_modules/agora-electron-sdk/build/Release/AgoraAIDenoiseExtension.framework/Versions/A/Resources/Info.plist
Warning: unable to build chain to self-signed root for signer "Developer ID Application: Guangzhou Lizhi Network Technology Company Limited (xxx)"
/Users/jenkins/workspace/workspace/LiveAssistantLizhiFM-pcClient/release/build/mac-arm64/xxx.app/Contents/Resources/app.asar.unpacked/node_modules/agora-electron-sdk/build/Release/AgoraAIDenoiseExtension.framework/Versions/A/Resources/Info.plist: errSecInternalComponent
failedTask=build stackTrace=Error: Command failed: codesign --sign D305770249AD009874A683DC5616E7105E67858D --force --keychain /var/folders/2t/hzb086x5425b5f8zzdr_bjrr0000gp/T/0c881042b187e7f5d405e1734973970f9a588b3d902053ae147d8dbded685994.keychain --timestamp --options runtime --entitlements assets/entitlements.mac.plist /Users/jenkins/workspace/workspace/LiveAssistantLizhiFM-pcClient/release/build/mac-arm64/xxx.app/Contents/Resources/app.asar.unpacked/node_modules/agora-electron-sdk/build/Release/AgoraAIDenoiseExtension.framework/Versions/A/Resources/Info.plist
Warning: unable to build chain to self-signed root for signer "Developer ID Application: Guangzhou Lizhi Network Technology Company Limited (xxx)"
/Users/jenkins/workspace/workspace/LiveAssistantLizhiFM-pcClient/release/build/mac-arm64/xxx.app/Contents/Resources/app.asar.unpacked/node_modules/agora-electron-sdk/build/Release/AgoraAIDenoiseExtension.framework/Versions/A/Resources/Info.plist: errSecInternalComponent
关键字:unable to build chain to self-signed root for signer
恩,没时间的可以直接看这里
这个报错的大致意思是,无法建立的证书链中的 root 证书。
双击报错信息对应的证书,其实会看到里面带有其颁发机构(即 root 证书)相关信息:
然后根据这个信息,到苹果存放所有根证书的页面 https://www.apple.com/certificateauthority/ 找到对应的证书,下载导入即可。
首先,万能思维:是不是钥匙串没解锁?
然后加了解锁语句,发现还是有一样的报错。
然后,顺着这个日志去看看钥匙串里的证书,发现 Developer ID Application: Guangzhou Lizhi Network Technology Company Limited (xxx) 证书在钥匙串里有,也没过期,但钥匙串界面上写着 不受信任
嗯嗯,然后直觉思维,不受信任,那我手动信任不就好了?然后双击证书,把信任设置改为始终信任
再试了一下,问题依旧。OK,配置先改回来默认。
好,google 走起,关键字 unable to build chain to self-signed root for signer :
https://stackoverflow.com/questions/48911289/warning-unable-to-build-chain-to-self-signed-root-for-signer-warning-in-xcode
https://blog.csdn.net/pre_eminent/article/details/114756030
找到两篇看起来关系比较大的,都说是 apple 根证书的锅,然后上机器看了下,根证书没过期呀:
陷入僵局。。。。
换个思路,我不找直接错误原因了,我找找为啥 keychain 不信任我这个证书,然后改关键字为 certificate is not trusted keychain
找到了另一个 stackoverflow 的
里面提到的一个地址:https://developer.apple.com/de/support/expiration/
然后我进去看了下,里面有个 TakeAction ,大意是说不管你是啥开发者计划,签名时都得用到某些指定的证书,然后说 xcode 11.4.1 会自动管理这些,也可以手动到 Certificate Authority page 下载。
于是打开了 Certificate Authority page ,样子如下:
泥马,原来有这么多根证书。。。那该选哪个呢?
这时候,聪明的我想到(实际我是先搞了好几个试了没效果,然后才突发奇想),既然 keychain 说不信任,那应该 keychain 里有线索,于是再次双击打开了下,看到如下信息:
刚好前面的苹果页面看到有个 G2 ,所以这里也有个 G2 ,引起了我的注意。会不会是缺了这个呢?好,我下载试试。
于是下载并双击导入了这个根证书:
Yeah,证书有效了。
再次执行 job ,签名也终于不报错了,问题解决!