1) We build an over-the-air (OTA) product on Mac OS X 10.8. The OTA build must be signed with the certificate. The certificate is fully installed under the 'qbuser' login, which is a Standard User (not Administrator).
2) The build agent is started in service mode automatically upon reboot via /Library/LaunchDaemons/org.tanukisoftware.wrappers.quickbuild.plist with the following content:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>org.tanukisoftware.wrapper.quickbuild</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Builds/QuickBuild/buildagent/bin/./agent.sh</string>
        <string>launchdinternal</string>
    </array>
    <key>OnDemand</key>
    <true/>
    <key>RunAtLoad</key>
    <true/>
    <key>UserName</key>
    <string>qbuser</string>
</dict>
</plist>
The bin/agent.sh script has this entry:
RUN_AS_USER=qbuser
3) The first step in the build is to run the 'security unlock-keychain' command. The command fails with the error:
12:04:02,152 INFO - [echo] ****************************
12:04:02,152 INFO - [echo] ** Accessing the KeyChain **
12:04:02,152 INFO - [echo] ****************************
12:04:02,159 DEBUG - [exec] Current OS is Mac OS X
12:04:02,161 DEBUG - [exec] Executing 'security' with arguments:
12:04:02,161 DEBUG - [exec] 'unlock-keychain'
12:04:02,161 DEBUG - [exec] '-p'
12:04:02,161 DEBUG - [exec] 'KEYCHAIN_PWD'
12:04:02,161 DEBUG - [exec] '/Users/svcbuildm/Library/Keychains/login.keychain'
12:04:02,161 DEBUG - [exec]
12:04:02,161 DEBUG - [exec] The ' characters around the executable and arguments are
12:04:02,161 DEBUG - [exec] not part of the command.
12:04:02,273 INFO - [exec] security: SecKeychainUnlock /Users/svcbuildm/Library/Keychains/login.keychain: The user name or passphrase you entered is not correct.
12:04:02,594 ERROR - [exec] Result: 51
Because the 'security unlock-keychain' command fails, the build cannot proceed further.
--------------------------------------------
Now I stop the build agent, open a terminal window, and start the build agent manually in console mode with this command:
cd /Builds/QuickBuild/buildagent/bin
. agent.sh console
I run the build and the 'security unlock-keychain' command succeeds:
12:05:04,358 INFO - [echo] ****************************
12:05:04,358 INFO - [echo] ** Accessing the KeyChain **
12:05:04,358 INFO - [echo] ****************************
12:05:04,365 DEBUG - [exec] Current OS is Mac OS X
12:05:04,367 DEBUG - [exec] Executing 'security' with arguments:
12:05:04,367 DEBUG - [exec] 'unlock-keychain'
12:05:04,367 DEBUG - [exec] '-p'
12:05:04,367 DEBUG - [exec] 'KEYCHAIN_PWD'
12:05:04,367 DEBUG - [exec] '/Users/svcbuildm/Library/Keychains/login.keychain'
12:05:04,367 DEBUG - [exec]
12:05:04,367 DEBUG - [exec] The ' characters around the executable and arguments are
12:05:04,367 DEBUG - [exec] not part of the command.
----------------------------------
A quick investigation shows that these 3 environment variables are present on the System Attributes tab in console mode and are absent in service mode:
Apple_PubSub_Socket_Render /tmp/launch-imw7UO/Render
Apple_Ubiquity_Message /tmp/launch-itv7yI/Apple_Ubiquity_Message
SECURITYSESSIONID 186a6
It seems like SECURITYSESSIONID is what is needed for 'security unlock-keychain' to succeed.
---------------------------------
The bottom line is that:
- the build agent in service mode does not have the full shell environment that console mode has;
- the only workaround to be able to build the OTA product is to start the build agent in console mode, which can only be done manually; upon an accidental reboot, the build agent console can be restarted only manually.
Any official Apple product requires code signing, so a succeeding 'security unlock-keychain' is the essential part of the build; the step currently fails in build agent service mode.
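
A preflight check for the keychain step described above, as an added example that is not part of the original post: run as the first build step, it logs which precondition differs between service mode and console mode before 'security unlock-keychain' is attempted. The function name keychain_preflight is hypothetical, and the ownership and readability checks are assumptions about what to verify; the ownership check is included because the logged keychain path is under /Users/svcbuildm while the agent is configured to run as qbuser.

```shell
#!/bin/sh
# Added example, not from the original post.
#
# keychain_preflight KEYCHAIN_PATH
# Prints one line per finding. Returns 0 if nothing was found, 1 if the
# environment or file ownership looks wrong, 2 if the keychain file is missing.
keychain_preflight() {
    kc=$1
    rc=0
    echo "INFO: running as $(id -un), keychain $kc"

    # The post lists this variable as present in console mode and absent in
    # service mode (launchd daemon).
    if [ -z "${SECURITYSESSIONID:-}" ]; then
        echo "WARN: SECURITYSESSIONID is not set"
        rc=1
    fi

    if [ ! -e "$kc" ]; then
        echo "FAIL: keychain file does not exist"
        return 2
    fi

    # -O is true when the file is owned by the effective user of this process.
    if [ ! -O "$kc" ]; then
        echo "FAIL: keychain is not owned by $(id -un)"
        rc=1
    fi

    if [ ! -r "$kc" ]; then
        echo "FAIL: keychain is not readable by $(id -un)"
        rc=1
    fi

    return $rc
}

# Example call from a build step (path is a placeholder):
#   keychain_preflight "/Users/<agent-user>/Library/Keychains/login.keychain"
```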