[QB-1803] Build agent in service mode does not inherit full Mac user environment
Status: | Open |
Project: | QuickBuild |
Component/s: | None |
Affects Version/s: | 5.0.29 |
Fix Version/s: | None |
Type: | Bug | Priority: | Major |
Reporter: | Irina Kotlova | Assigned To: | Robin Shen |
Resolution: | Unresolved | Votes: | 0 |
Remaining Estimate: | Unknown | Time Spent: | Unknown |
Original Estimate: | Unknown | ||
Environment: | MacOSX 10.8 (Mountain Lion) |
Description |
1) We build over-the-air (OTA) product on Mac OSX 10.8. OTA build must be signed with the certificate. The certificate is fully installed under 'qbuser' login which is a Standard User (not Administrator).
2) Build Agent is started in service mode automatically upon reboot via /Library/LaunchDaemons/org.tanukisoftware.wrappers.quickbuild.plist with the following content:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>Label</key>
        <string>org.tanukisoftware.wrapper.quickbuild</string>
        <key>ProgramArguments</key>
        <array>
            <string>/Builds/QuickBuild/buildagent/bin/./agent.sh</string>
            <string>launchdinternal</string>
        </array>
        <key>OnDemand</key>
        <true/>
        <key>RunAtLoad</key>
        <true/>
        <key>UserName</key>
        <string>qbuser</string>
    </dict>
    </plist>

bin/agent.sh script has this entry:

    RUN_AS_USER=qbuser

3) The first step in the build is to run 'security unlock-keychain' command. The command fails with the error:

    12:04:02,152 INFO - [echo] ****************************
    12:04:02,152 INFO - [echo] ** Accessing the KeyChain **
    12:04:02,152 INFO - [echo] ****************************
    12:04:02,159 DEBUG - [exec] Current OS is Mac OS X
    12:04:02,161 DEBUG - [exec] Executing 'security' with arguments:
    12:04:02,161 DEBUG - [exec] 'unlock-keychain'
    12:04:02,161 DEBUG - [exec] '-p'
    12:04:02,161 DEBUG - [exec] 'KEYCHAIN_PWD'
    12:04:02,161 DEBUG - [exec] '/Users/svcbuildm/Library/Keychains/login.keychain'
    12:04:02,161 DEBUG - [exec]
    12:04:02,161 DEBUG - [exec] The ' characters around the executable and arguments are
    12:04:02,161 DEBUG - [exec] not part of the command.
    12:04:02,273 INFO - [exec] security: SecKeychainUnlock /Users/svcbuildm/Library/Keychains/login.keychain: The user name or passphrase you entered is not correct.
    12:04:02,594 ERROR - [exec] Result: 51

Because 'security unlock-keychain' command fails, the build cannot proceed further.

--------------------------------------------

Now I stop build agent. Open the terminal window. Start build agent manually in console mode with this command:

    cd /Builds/QuickBuild/buildagent/bin
    . agent.sh console

Run the build and 'security unlock-keychain' command succeeds:

    12:05:04,358 INFO - [echo] ****************************
    12:05:04,358 INFO - [echo] ** Accessing the KeyChain **
    12:05:04,358 INFO - [echo] ****************************
    12:05:04,365 DEBUG - [exec] Current OS is Mac OS X
    12:05:04,367 DEBUG - [exec] Executing 'security' with arguments:
    12:05:04,367 DEBUG - [exec] 'unlock-keychain'
    12:05:04,367 DEBUG - [exec] '-p'
    12:05:04,367 DEBUG - [exec] 'KEYCHAIN_PWD'
    12:05:04,367 DEBUG - [exec] '/Users/svcbuildm/Library/Keychains/login.keychain'
    12:05:04,367 DEBUG - [exec]
    12:05:04,367 DEBUG - [exec] The ' characters around the executable and arguments are
    12:05:04,367 DEBUG - [exec] not part of the command.

----------------------------------

Quick investigation shows that these 3 environment variables are present on System Attributes tab in the console mode and are absent in service mode:

    Apple_PubSub_Socket_Render    /tmp/launch-imw7UO/Render
    Apple_Ubiquity_Message        /tmp/launch-itv7yI/Apple_Ubiquity_Message
    SECURITYSESSIONID             186a6

Seems like SECURITYSESSIONID is what is needed for 'security unlock-keychain' to succeed.

---------------------------------

The bottom line is that:
- build agent service mode does not have full shell environment that console mode has;
- the only workaround to be able to build OTA product is to start build agent in console mode which can only be done manually; upon accidental reboot build agent console can be restarted only manually.

Any official Apple product requires code signing; so succeeding 'security unlock-keychain' is the essential part of the build; the step currently fails in build agent service mode. |
Comments |
Comment by Irina Kotlova [ 02/Oct/13 05:02 PM ] |
I discovered that it is not necessary to specify keychain password in build agent console mode - it can be any string, still 'security unlock-keychain' succeeds. Even running 'security unlock-keychain' is not needed at all in console mode! It can be easily skipped and further signing succeeds. :-) Thus, SECURITYSESSIONID environment variable is critical in the build process. It does not show up on System Attributes tab in build agent service mode. |
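
The console-versus-service environment comparison described in this report, as an added example that is not part of the original issue or of QuickBuild: it diffs two `env` dumps and guards a signing step on the variable the reporter singled out. The function names and the PATH/USER sample lines are assumptions; treating a missing SECURITYSESSIONID as the failure signal is the reporter's observation, not a documented contract.

```shell
#!/bin/sh
# Added example, not QuickBuild code; function names are hypothetical.

# Print the names of variables present in env dump $1 but absent from dump $2.
# A dump is the output of `env`, one NAME=value per line.
env_only_in() {
    awk -F= -v other="$2" '
        BEGIN {
            while ((getline line < other) > 0) {
                split(line, kv, "=")
                seen[kv[1]] = 1
            }
        }
        # Skip continuation lines of multi-line values: require NAME= at line start.
        /^[A-Za-z_][A-Za-z0-9_]*=/ && !($1 in seen) { print $1 }
    ' "$1" | LC_ALL=C sort
}

# Build-step guard. Assumption taken from the report, not from Apple
# documentation: a missing SECURITYSESSIONID predicts the keychain failure.
require_security_session() {
    [ -n "${SECURITYSESSIONID:-}" ] && return 0
    echo "SECURITYSESSIONID is not set; keychain unlock failed in this state (QB-1803)" >&2
    return 1
}

# Constructed dumps: the PATH/USER lines are invented, the three session
# variables and their values are the ones quoted in the report.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/console.env" <<'EOF'
PATH=/usr/bin:/bin:/usr/sbin:/sbin
USER=qbuser
Apple_PubSub_Socket_Render=/tmp/launch-imw7UO/Render
Apple_Ubiquity_Message=/tmp/launch-itv7yI/Apple_Ubiquity_Message
SECURITYSESSIONID=186a6
EOF
    cat > "$dir/service.env" <<'EOF'
PATH=/usr/bin:/bin:/usr/sbin:/sbin
USER=qbuser
EOF
    env_only_in "$dir/console.env" "$dir/service.env"
    rm -rf "$dir"
}

demo
```

Capturing `env` as the first build step in each mode gives real dumps to feed to `env_only_in` in place of the constructed ones.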