
Jenkins on OS X: xcodebuild -sdk iphoneos5.0 code sign error


I've set up a "jenkins" user in OS X 10.7.3 and set the Jenkins CI web application archive to run as this user - Activity Monitor confirms a process named java running as user jenkins.

I can run "xcodebuild -sdk iphoneos5.0" in terminal when logged in as the jenkins user without failure. The first time I ran xcodebuild I got the usual Keychain access dialog prompting "Always Allow" and then never got that dialog window again.

However, when the CI server tries the exact same command, it always fails with a code sign error.

Code Sign error: The identity 'iPhone Developer' doesn't match any valid certificate/private key pair in the default keychain

Any clue where I can go to figure out what I've done wrong?

Everything that I can find online says it should just work after you've run xcodebuild once from the command line.

EDIT: Adding "security list-keychains" before the xcodebuild statement outputs

"/Library/Keychains/System.keychain"

"/Library/Keychains/System.keychain"

So, does this mean the Jenkins CI server process is not running as the jenkins OS X user?


Solution

  • Keychains need to be unlocked before they can be used. You can use security unlock-keychain to unlock. You can do that interactively (safer) or by specifying the password on the command line (unsafe), e.g.:

    security unlock-keychain -p mySecretPassword...
    

    Obviously, putting this into a script compromises the security of that keychain, so often people set up an individual keychain with only the signing credentials to minimize such damage.

    Typically in Terminal the keychain is already unlocked by your session, since the default keychain is unlocked on login, so you don't need to do that. However, any process not run in your session won't have an unlocked keychain even if it has you as the user (most commonly this affects ssh, but also any other process).
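
A pre-build check that ties the question's `security list-keychains` output to the unlock step in the answer, as an added example that is not part of the original post. `KEYCHAIN_PATH` and `KEYCHAIN_PASSWORD` are assumed variable names supplied by the CI job, and the sample output is constructed from the question's EDIT.

```shell
#!/bin/sh
# Added example, not from the original post. KEYCHAIN_PATH and KEYCHAIN_PASSWORD
# are assumed names for values the CI job provides.

# Constructed sample: the `security list-keychains` output from the question's EDIT.
SAMPLE_CI_OUTPUT='    "/Library/Keychains/System.keychain"
    "/Library/Keychains/System.keychain"'

# Return 0 if keychain path $2 is an entry in list-keychains output $1.
# Each output line is a double-quoted path with leading whitespace.
keychain_listed() {
    printf '%s\n' "$1" |
        sed -e 's/^[[:space:]]*"//' -e 's/"[[:space:]]*$//' |
        grep -Fxq -- "$2"
}

# Check the search list, unlock the keychain, and confirm a signing identity.
prepare_signing_keychain() {
    kc=$1
    current=$(security list-keychains) || return 1
    if ! keychain_listed "$current" "$kc"; then
        echo "error: $kc is not in this process's keychain search list:" >&2
        printf '%s\n' "$current" >&2
        return 1
    fi
    # -p puts the password in the process arguments (the answer calls this
    # unsafe), so point KEYCHAIN_PATH at a keychain holding only signing credentials.
    security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$kc" || return 1
    # 'iPhone Developer' is the identity named in the question's error message.
    if ! security find-identity -v -p codesigning "$kc" | grep -q 'iPhone Developer'; then
        echo "error: no valid 'iPhone Developer' identity in $kc" >&2
        return 1
    fi
}

# Runs only when the CI job sets KEYCHAIN_PATH.
if [ -n "${KEYCHAIN_PATH:-}" ]; then
    prepare_signing_keychain "$KEYCHAIN_PATH" || exit 1
fi
```

Run it as a build step before `xcodebuild`; a failure on the first check means the job's process does not see the keychain at all, which is a different problem from a locked keychain.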