
Why does Gym Fail at `[CP] Embed Pods Frameworks`

Shane Qi • 2019-03-07 20:48

If you use Match and Gym on a CI/CD machine and Gym fails at `[CP] Embed Pods Frameworks`, you may have run into the issue this post is about.

TL;DR

  1. If Match has already installed the certs and private keys, delete them from the keychain. (Match's keychain fix-up does not happen when the certs and private keys already exist.)
  2. Make sure you give Match the keychain password. (Via the parameter or the environment variable.)
  3. Run Match again. If you see a log line like 'Setting key partition list...', the problem is likely solved.

Why did Gym fail?

Match downloads and installs the certs with their private keys and the provisioning profiles for you. The certs and keys are stored in the keychain and protected by it.

At that point, Gym invoked codesign to sign the Pod frameworks. codesign needed the cert and private key, but macOS will not release the private key to codesign without your consent.

So if you were doing this on your local machine, macOS would prompt for your password to ask for consent before giving out the key:

[Screenshot: macOS password prompt asking for permission to access the key]

But when a CI/CD machine is running Gym, there is no UI in which to show a permission popup, and codesign does not ask for the password on the command line either. So it failed.

How to prevent the UI permission popup?

Before Sierra, you could give codesign permission to access the key when importing it:

security import {{certPath}} -k {{keychainPath}} -P {{certPass}} -T /usr/bin/codesign -T /usr/bin/security

Starting with Sierra (and still the case as of Mojave 10.14.3), -T alone is no longer enough: the access control entry it records is ignored until the key's partition list allows Apple's tools. You need to run this command after importing the cert and before running codesign:

security set-key-partition-list -S apple-tool:,apple: -k {{keychainPass}} {{keychainName}}

More details: security / codesign in Sierra: Keychain ignores access control settings and UI-prompts for permission

Isn't Match supposed to take care of this?

The answer is yes. Match takes care of it in its keychain importer:

[Screenshot of fastlane's keychain_importer source]

Why did Gym still fail if Match handled it?

Probably because the machine runs Sierra or a newer OS (so the partition list has to be set), but Match failed to set the partition list.

[Screenshot of fastlane's keychain_importer source, partition-list step]

Looking at fastlane's source code, Match only sets the partition list if the cert import succeeds.

  1. So one possible reason Match does not set the partition list is that the cert import failed because the cert already exists.
  2. In my case, Match didn't set the partition list for me because the keychain was locked and I didn't give the keychain password to Match. After I gave Match the keychain password (by setting the env var MATCH_KEYCHAIN_PASSWORD="123abc"), I also needed to delete the imported certs and private keys first, then run Match again to set the partition list. (If I didn't delete the certs and private keys, Match wasn't going to set the partition list for me, because of reason 1.)
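The whole procedure, done by hand with the `security` tool, as an added example (this is not fastlane's code, and it is not from the original post). It performs the same steps Match does, but handles the two failure modes above explicitly: an identity that is already in the keychain is deleted and re-imported instead of silently skipping the partition-list step, and the keychain is unlocked with its password before `set-key-partition-list` runs. The environment variable names, the default keychain file name `ci.keychain-db` and the helper names `import_status`, `p12_sha1` and `import_identity` are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not fastlane's own code: the keychain steps Match performs on
# a CI machine, written out by hand so that the two failure modes described in
# this post (identity already imported; keychain locked) are visible and handled.
# Assumed inputs, all taken from the environment (names are assumptions):
#   CERT_P12       path to the .p12 holding the signing cert and private key
#   CERT_PASS      password of the .p12 (may be empty)
#   KEYCHAIN_PASS  password of the keychain (the role MATCH_KEYCHAIN_PASSWORD plays)
#   KEYCHAIN       keychain file; the default name below is an assumption
set -eu

# Classify the stderr of a failed `security import`. The "already exists" text is
# what macOS prints when the same identity was imported earlier; that failure is
# what makes Match skip the partition-list step (reason 1 above).
import_status() {
  case "$1" in
    *"already exists"*) echo exists ;;
    *)                  echo failed ;;
  esac
}

# SHA-1 fingerprint of the certificate inside a .p12, as upper-case hex without
# colons, which is the form `security delete-identity -Z` takes.
# Caveat: .p12 files exported by older Keychain Access versions use RC2/3DES and
# need `-legacy` added to the first openssl call when OpenSSL 3 is in use.
p12_sha1() {
  openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$2" 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha1 \
    | sed -e 's/^.*=//' -e 's/://g'
}

# Import the identity into keychain $1. -T records codesign and security as
# allowed callers; since Sierra that ACL only takes effect once the partition
# list is set (done in main), so both steps are needed.
import_identity() {
  out=$(security import "$CERT_P12" -k "$1" -P "$CERT_PASS" \
          -T /usr/bin/codesign -T /usr/bin/security 2>&1) && return 0
  case "$(import_status "$out")" in
    exists)
      # Already there from an earlier run: delete it and import again, otherwise
      # the import fails and the partition list never gets set.
      security delete-identity -Z "$(p12_sha1 "$CERT_P12" "$CERT_PASS")" "$1"
      security import "$CERT_P12" -k "$1" -P "$CERT_PASS" \
          -T /usr/bin/codesign -T /usr/bin/security
      ;;
    *)
      printf '%s\n' "$out" >&2
      return 1
      ;;
  esac
}

main() {
  kc="${KEYCHAIN:-$HOME/Library/Keychains/ci.keychain-db}"

  # Reason 2 above: set-key-partition-list fails on a locked keychain, so unlock
  # it with the password first. This is why Match needs the keychain password.
  security unlock-keychain -p "$KEYCHAIN_PASS" "$kc"

  # codesign only searches keychains on the user search list; add ours while
  # keeping the existing entries (and without listing ours twice).
  security list-keychains -d user -s "$kc" \
    $(security list-keychains -d user | tr -d '"' | grep -Fv "$kc")

  import_identity "$kc"

  # Sierra and later: let Apple's tools (apple-tool:, apple:) use the private key
  # without a UI prompt. -s restricts the change to signing keys, as Match does.
  security set-key-partition-list -S apple-tool:,apple: -s \
      -k "$KEYCHAIN_PASS" "$kc" >/dev/null

  # Check before running Gym: the identity must show up as valid for codesigning.
  if security find-identity -v -p codesigning "$kc" | grep -q ' 0 valid identities found'; then
    echo "no valid codesigning identity in $kc" >&2
    return 1
  fi
  security find-identity -v -p codesigning "$kc"
}

# `security` exists only on macOS; elsewhere this file just defines the helpers.
if command -v security >/dev/null 2>&1; then
  : "${CERT_P12:?}" "${KEYCHAIN_PASS:?}"
  CERT_PASS="${CERT_PASS:-}"
  main
fi
```

Run it on the CI machine with `CERT_P12`, `CERT_PASS` and `KEYCHAIN_PASS` exported before Gym starts; the final `find-identity -v -p codesigning` listing is the check worth keeping in the CI log, because an identity that is imported but not yet usable without a prompt is exactly what makes `[CP] Embed Pods Frameworks` hang or fail later.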