利用终端远程导入p12证书

摘要：

最近受疫情影响，在家里办公。公司用来持续集成的苹果垃圾桶上的证书过期了，又不能去公司操作，所以研究了一下利用ssh和命令行工具远程导入p12证书的方法。
keywords：证书过期、远程、命令行、导入p12

1.常规UI操作

Xcode利用codesign进行签名的时候，可能需要用户进行授权。这时会有一个弹窗，让用户输入Mac开机密码并选择一次/总是可以访问。

codesign的keychain访问权限

1.1 问题

要是选择了"Deny"怎么办？
1. 打开钥匙串App
2. 点登录和我的证书
3. 找到iPhone Developer:XXX@XXX(XXX)的证书，右击删除
4. 重新打开Xcode编译并运行Command+R，会再次弹出codesign的权限弹框，输入Mac开机密码并点始终允许即可。
现在是远程控制没有图形界面怎么办？
这时就需要我们的终端出马了。

2. 终端操作

远程登录

//user_name:用户名
//ip:设备公网ip地址
ssh user_name@ip

security命令

现在的需求就是/usr/bin/codesign在执行的时候能访问钥匙串中p12的私钥。目前有两种解决办法，都需要用到security命令。输入security -h即可参看帮助文档。

help                                 Show all commands, or show usage for a command.
list-keychains                       Display or manipulate the keychain search list.
list-smartcards                      Display available smartcards.
default-keychain                     Display or set the default keychain.
login-keychain                       Display or set the login keychain.
create-keychain                      Create keychains and add them to the search list.
delete-keychain                      Delete keychains and remove them from the search list.
lock-keychain                        Lock the specified keychain.
unlock-keychain                      Unlock the specified keychain.
set-keychain-settings                Set settings for a keychain.
set-keychain-password                Set password for a keychain.
show-keychain-info                   Show the settings for keychain.
dump-keychain                        Dump the contents of one or more keychains.
create-keypair                       Create an asymmetric key pair.
add-generic-password                 Add a generic password item.
add-internet-password                Add an internet password item.
add-certificates                     Add certificates to a keychain.
find-generic-password                Find a generic password item.
delete-generic-password              Delete a generic password item.
set-generic-password-partition-list  Set the partition list of a generic password item.
find-internet-password               Find an internet password item.
delete-internet-password             Delete an internet password item.
set-internet-password-partition-list Set the partition list of a internet password item.
find-key                             Find keys in the keychain
set-key-partition-list               Set the partition list of a key.
find-certificate                     Find a certificate item.
find-identity                        Find an identity (certificate + private key).
delete-certificate                   Delete a certificate from a keychain.
delete-identity                      Delete an identity (certificate + private key) from a keychain.
set-identity-preference              Set the preferred identity to use for a service.
get-identity-preference              Get the preferred identity to use for a service.
create-db                            Create a db using the DL.
export                               Export items from a keychain.
import                               Import items into a keychain.
export-smartcard                     Export items from a smartcard.
cms                                  Encode or decode CMS messages.
install-mds                          Install (or re-install) the MDS database.
add-trusted-cert                     Add trusted certificate(s).
remove-trusted-cert                  Remove trusted certificate(s).
dump-trust-settings                  Display contents of trust settings.
user-trust-settings-enable           Display or manipulate user-level trust settings.
trust-settings-export                Export trust settings.
trust-settings-import                Import trust settings.
verify-cert                          Verify certificate(s).
authorize                            Perform authorization operations.
authorizationdb                      Make changes to the authorization policy database.
execute-with-privileges              Execute tool with privileges.
leaks                                Run /usr/bin/leaks on this process.
error                                Display a descriptive message for the given error code(s).
create-filevaultmaster-keychain      Create a keychain containing a key pair for FileVault recovery use.
smartcards                           Enable, disable or list disabled smartcard tokens.
translocate-create                   Create a translocation point for the provided path
translocate-policy-check             Check whether a path would be translocated.
translocate-status-check             Check whether a path is translocated.
translocate-original-path            Find the original path for a translocated path.
requirement-evaluate                 Evaluate a requirement against a cert chain.

2.1 方式①

找到Keychain默认路径

//一般是：~/Library/Keychains/login.keychain-db
security default-keychain

解锁Keychain

//$pwd是Mac开机密码
security unlock-keychain -p $pwd ~/Library/Keychains/login.keychain-db

导入p12证书

//$p12_file_path:p12证书的文件地址
//$p12_pwd:证书的密码
security import $p12_file_path -k ~/Library/Keychains/login.keychain-db -P $p12_pwd

打包代码中，在执行xcodebuild前执行security unlock-keychain

...
//解锁keychain
security unlock-keychain -p $pwd ~/Library/Keychains/login.keychain-db
xcodebuild clean -workspace $BUILD_TARGET.xcworkspace -scheme $BUILD_SCHEME -configuration $BUILD_CONFIG
xcodebuild archive -workspace $BUILD_TARGET.xcworkspace -scheme $BUILD_SCHEME -configuration $BUILD_CONFIG -UseModernBuildSystem=NO 2>$BUILD_ERROR_LOG DEPLOYMENT_POSTPROCESSING=YES
...

2.2 方式②

security import
Usage: import inputfile [-k keychain] [-t type] [-f format] [-w] [-P passphrase] [options...]
    -k  Target keychain to import into
    -t  Type = pub|priv|session|cert|agg
    -f  Format = openssl|openssh1|openssh2|bsafe|raw|pkcs7|pkcs8|pkcs12|netscape|pemseq
    -w  Specify that private keys are wrapped and must be unwrapped on import
    -x  Specify that private keys are non-extractable after being imported
    -P  Specify wrapping passphrase immediately (default is secure passphrase via GUI)
    -a  Specify name and value of extended attribute (can be used multiple times)
    -A  Allow any application to access the imported key without warning (insecure, not recommended!)
    -T  Specify an application which may access the imported key (multiple -T options are allowed)
Use of the -P option is insecure

    Import items into a keychain.

我们发现security import方法中可以提供完全-A和部分应用-T的访问权限。

//解锁钥匙串
security unlock-keychain -p pwd ~/Library/Keychains/login.keychain-db
//导入证书
security import $p12_file_path -k ~/Library/Keychains/login.keychain-db -P $pwd -T /usr/bin/codesign

关键操作：set-key-partition-list命令
OS X 10.12.5 Sierra之后，苹果添加了Keychain忽略访问控制设置和UI提示以获得许可(security / codesign in Sierra: Keychain ignores access control settings and UI-prompts for permission)，所以要求配置partition list，作为 ACL(Access Control Lists)的补充，根据应用签名，对访问进行权限控制。参考资料

security set-key-partition-list -S apple-tool:,apple: -s -k $pwd ~/Library/Keychains/login.keychain-db

解释一下其中几个参数：

-S：提供的访问权限，多个 key 用逗号分隔。苹果的工具可以用 apple-tool:,apple:，如 codesign 就可以设置这两个 key。
-s：指定用于 codesign 的 private key。
-k：修改 partition list 需要提供钥匙串密码。

所以以上的命令作用为：给 login.keychain中用于codesign的 private key，写入苹果产品的权限。

注意：set-key-partition-lis 对 key 的操作是重写，不是追加。

附上set-key-partition-list的使用说明

set-key-partition-list
Usage: set-key-partition-list [options...] [keychain]
    -a  Match "application label" string
    -c  Match "creator" (four-character code)
    -d  Match keys that can decrypt
    -D  Match "description" string
    -e  Match keys that can encrypt
    -j  Match "comment" string
    -l  Match "label" string
    -r  Match keys that can derive
    -s  Match keys that can sign
    -t  Type of key to find: one of "symmetric", "public", or "private"
    -u  Match keys that can unwrap
    -v  Match keys that can verify
    -w  Match keys that can wrap
    -S  Comma-separated list of allowed partition IDs
    -k  password for keychain (required)
    If no keychains are specified to search, the default search list is used.
    Set the partition list of a key.