From 23ee30a53ae843f62f1466a24222fe1e48cac2f8 Mon Sep 17 00:00:00 2001
From: James Magahern <james@magahern.com>
Date: Thu, 25 Jun 2026 23:44:13 -0700
Subject: [PATCH] Simplify TestFlight CI signing

---
 .gitea/workflows/testflight.yml |   1 +
 ios/Apps/Sybil/project.yml      |   4 +-
 ios/fastlane/Fastfile           | 168 +++++++++++++-------------------
 3 files changed, 71 insertions(+), 102 deletions(-)

diff --git a/.gitea/workflows/testflight.yml b/.gitea/workflows/testflight.yml
index 4e5397c..e5aaf44 100644
--- a/.gitea/workflows/testflight.yml
+++ b/.gitea/workflows/testflight.yml
@@ -36,6 +36,7 @@ jobs:
       - name: Upload to TestFlight
         working-directory: ios
         env:
+          HOME: /var/lib/act_runner
           APP_STORE_CONNECT_KEY_ID: ${{ secrets.APP_STORE_CONNECT_KEY_ID }}
           APP_STORE_CONNECT_ISSUER_ID: ${{ secrets.APP_STORE_CONNECT_ISSUER_ID }}
           APP_STORE_CONNECT_KEY_CONTENT: ${{ secrets.APP_STORE_CONNECT_KEY_CONTENT }}
diff --git a/ios/Apps/Sybil/project.yml b/ios/Apps/Sybil/project.yml
index 9c19df9..dc2a101 100644
--- a/ios/Apps/Sybil/project.yml
+++ b/ios/Apps/Sybil/project.yml
@@ -35,8 +35,8 @@ targets:
       configs:
         Release:
           CODE_SIGN_STYLE: Manual
-          CODE_SIGN_IDENTITY: Apple Distribution
-          "CODE_SIGN_IDENTITY[sdk=iphoneos*]": Apple Distribution
+          CODE_SIGN_IDENTITY: "Apple Distribution: James Magahern (DQQH5H6GBD)"
+          "CODE_SIGN_IDENTITY[sdk=iphoneos*]": "Apple Distribution: James Magahern (DQQH5H6GBD)"
           PROVISIONING_PROFILE_SPECIFIER: Sybil AppStore CI
 
 schemes:
diff --git a/ios/fastlane/Fastfile b/ios/fastlane/Fastfile
index 282899a..58ed55c 100644
--- a/ios/fastlane/Fastfile
+++ b/ios/fastlane/Fastfile
@@ -1,4 +1,3 @@
-require "fileutils"
 require "shellwords"
 
 default_platform(:ios)
@@ -7,13 +6,8 @@ APP_IDENTIFIER = "net.buzzert.sybil2"
 SCHEME = "Sybil"
 TEAM_ID = "DQQH5H6GBD"
 PROFILE_NAME = "Sybil AppStore CI"
-SIGNING_IDENTITY_NAME = "Apple Distribution: James Magahern (DQQH5H6GBD)"
-SIGNING_IDENTITY_SHA1 = "6B74B268C4761720FB2051D01D8BB3E47B55D9F5"
-CI_KEYCHAIN_DIR = "/private/var/lib/act_runner/Library/Keychains"
-CI_LOGIN_KEYCHAIN = File.join(CI_KEYCHAIN_DIR, "login.keychain")
-CI_LOGIN_KEYCHAIN_DB = "#{CI_LOGIN_KEYCHAIN}-db"
-CI_KEYCHAIN_PASSWORD = "sybil-ci-keychain-password"
-MATCH_BRANCH = "master"
+SIGNING_IDENTITY = "Apple Distribution: James Magahern (DQQH5H6GBD)"
+CI_KEYCHAIN_NAME = "sybil_ci_keychain"
 IOS_ROOT = File.expand_path("..", __dir__)
 PROJECT_FILE = File.join(IOS_ROOT, "Sybil.xcodeproj")
 PROJECT_SPEC = File.join(IOS_ROOT, "project.yml")
@@ -36,67 +30,15 @@ def release_version
   version
 end
 
-def ci_login_keychain_path
-  return CI_LOGIN_KEYCHAIN_DB if ENV["CI"]
+def ci?
+  present?(ENV["CI"])
+end
 
-  candidates = [
-    "/private/var/lib/act_runner/Library/Keychains/login.keychain-db",
-    "/var/lib/act_runner/Library/Keychains/login.keychain-db",
-    "/Users/runner/Library/Keychains/login.keychain-db",
-    File.expand_path("~/Library/Keychains/login.keychain-db"),
-    File.expand_path("~/Library/Keychains/login.keychain")
-  ]
-  existing_candidate = candidates.find { |path| File.file?(path) }
-  return existing_candidate if existing_candidate
-
-  keychains = sh("security list-keychains -d user", log: false).shellsplit
-  keychains.find { |path| File.basename(path).start_with?("login.keychain") } || keychains.first || "login.keychain"
+def ci_keychain_path
+  File.expand_path("~/Library/Keychains/#{CI_KEYCHAIN_NAME}-db")
 end
 
 platform :ios do
-  private_lane :cleanup_ci_signing_identity do
-    next unless ENV["CI"]
-
-    keychain_path = ENV["MATCH_KEYCHAIN_NAME"].to_s
-    keychain_path = ci_login_keychain_path unless present?(keychain_path)
-
-    sh("security delete-identity -Z #{SIGNING_IDENTITY_SHA1.shellescape} #{keychain_path.shellescape} || true", log: false)
-  end
-
-  private_lane :prepare_ci_keychain do
-    next unless ENV["CI"]
-
-    ENV["HOME"] = "/var/lib/act_runner"
-    FileUtils.mkdir_p(CI_KEYCHAIN_DIR)
-    unless File.file?(CI_LOGIN_KEYCHAIN_DB)
-      sh("security create-keychain -p #{CI_KEYCHAIN_PASSWORD.shellescape} #{CI_LOGIN_KEYCHAIN.shellescape}", log: false)
-    end
-
-    ENV["MATCH_KEYCHAIN_NAME"] = ci_login_keychain_path
-    ENV["MATCH_KEYCHAIN_PASSWORD"] = CI_KEYCHAIN_PASSWORD
-    sh("security unlock-keychain -p #{CI_KEYCHAIN_PASSWORD.shellescape} #{ENV.fetch("MATCH_KEYCHAIN_NAME").shellescape}", log: false)
-    sh("security set-keychain-settings -t 3600 #{ENV.fetch("MATCH_KEYCHAIN_NAME").shellescape}", log: false)
-    sh("security default-keychain -d user -s #{ENV.fetch("MATCH_KEYCHAIN_NAME").shellescape}", log: false)
-    sh("security login-keychain -d user -s #{ENV.fetch("MATCH_KEYCHAIN_NAME").shellescape} || true", log: false)
-    sh("security list-keychains -d user -s #{ENV.fetch("MATCH_KEYCHAIN_NAME").shellescape}", log: false)
-    cleanup_ci_signing_identity
-  end
-
-  private_lane :verify_ci_signing_identity do
-    next unless ENV["CI"]
-
-    keychain_path = ENV.fetch("MATCH_KEYCHAIN_NAME")
-    sh("security unlock-keychain -p #{ENV.fetch("MATCH_KEYCHAIN_PASSWORD").shellescape} #{keychain_path.shellescape}", log: false)
-    sh("security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k #{ENV.fetch("MATCH_KEYCHAIN_PASSWORD").shellescape} #{keychain_path.shellescape}", log: false)
-
-    identities = sh("security find-identity -v -p codesigning #{keychain_path.shellescape}", log: false)
-    UI.message(identities)
-
-    unless identities.include?(SIGNING_IDENTITY_NAME)
-      UI.user_error!("The runner login keychain does not contain the expected Apple Distribution signing identity")
-    end
-  end
-
   private_lane :app_store_api_key do
     app_store_connect_api_key(
       key_id: ENV.fetch("APP_STORE_CONNECT_KEY_ID"),
@@ -106,41 +48,68 @@ platform :ios do
     )
   end
 
-  private_lane :sync_match_signing do |options|
-    %w[
-      APP_STORE_CONNECT_API_KEY
-      APP_STORE_CONNECT_API_KEY_PATH
-      SIGH_API_KEY
-      SIGH_API_KEY_PATH
-    ].each { |key| ENV.delete(key) }
+  private_lane :setup_ci_signing do
+    next unless ci?
 
-    match_options = {
+    setup_ci(
+      force: true,
+      keychain_name: CI_KEYCHAIN_NAME,
+      timeout: 3600
+    )
+  end
+
+  private_lane :cleanup_ci_signing do
+    next unless ci?
+    next unless ENV["MATCH_KEYCHAIN_NAME"] == CI_KEYCHAIN_NAME
+
+    delete_keychain(name: CI_KEYCHAIN_NAME)
+  rescue => error
+    UI.message("Unable to delete temporary CI keychain: #{error.message}")
+  ensure
+    ENV.delete("MATCH_KEYCHAIN_NAME")
+    ENV.delete("MATCH_KEYCHAIN_PASSWORD")
+  end
+
+  private_lane :sync_signing do |options|
+    match(
       type: "appstore",
       readonly: options.fetch(:readonly),
       app_identifier: APP_IDENTIFIER,
       team_id: TEAM_ID,
       profile_name: PROFILE_NAME,
-      git_branch: MATCH_BRANCH,
+      git_url: ENV.fetch("MATCH_GIT_URL"),
+      git_branch: "master",
       git_full_name: "Sybil Release Bot",
       git_user_email: "james.magahern@me.com",
-      api_key: app_store_api_key
-    }
-    match_options[:git_url] = ENV.fetch("MATCH_GIT_URL")
-    match_options[:keychain_name] = ENV["MATCH_KEYCHAIN_NAME"] if present?(ENV["MATCH_KEYCHAIN_NAME"])
-    match_options[:keychain_password] = ENV["MATCH_KEYCHAIN_PASSWORD"] if present?(ENV["MATCH_KEYCHAIN_PASSWORD"])
+      api_key: options.fetch(:api_key)
+    )
+  end
 
-    match(match_options)
+  private_lane :verify_ci_signing do
+    next unless ci?
+
+    if File.file?(ci_keychain_path)
+      password = ENV.fetch("MATCH_KEYCHAIN_PASSWORD", "")
+      sh("security unlock-keychain -p #{password.shellescape} #{ci_keychain_path.shellescape}", log: false)
+      sh("security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k #{password.shellescape} #{ci_keychain_path.shellescape}", log: false)
+    end
+
+    identities = sh("security find-identity -v -p codesigning", log: false)
+    UI.message(identities)
+
+    unless identities.include?(SIGNING_IDENTITY)
+      UI.user_error!("The CI keychain search list does not contain #{SIGNING_IDENTITY}")
+    end
   end
 
   desc "Create or update match signing assets"
   lane :setup_signing do
-    prepare_ci_keychain
-    sync_match_signing(readonly: false)
+    sync_signing(api_key: app_store_api_key, readonly: false)
   end
 
   desc "Build and upload to TestFlight"
   lane :beta do
-    prepare_ci_keychain
+    setup_ci_signing
 
     api_key = app_store_api_key
 
@@ -162,35 +131,34 @@ platform :ios do
       xcodeproj: PROJECT_FILE
     )
 
-    build_options = {
+    sync_signing(api_key: api_key, readonly: true)
+    verify_ci_signing
+
+    build_app(
       project: PROJECT_FILE,
       scheme: SCHEME,
       export_method: "app-store",
+      codesigning_identity: SIGNING_IDENTITY,
+      xcargs: [
+        "DEVELOPMENT_TEAM=#{TEAM_ID.shellescape}",
+        "CODE_SIGN_STYLE=Manual",
+        "CODE_SIGN_IDENTITY=#{SIGNING_IDENTITY.shellescape}",
+        "PROVISIONING_PROFILE_SPECIFIER=#{PROFILE_NAME.shellescape}"
+      ].join(" "),
       export_options: {
+        signingStyle: "manual",
+        teamID: TEAM_ID,
         provisioningProfiles: {
           APP_IDENTIFIER => PROFILE_NAME
         }
       }
-    }
-
-    if ENV["CI"]
-      build_options[:xcargs] = [
-        "CODE_SIGN_KEYCHAIN=#{ENV.fetch("MATCH_KEYCHAIN_NAME").shellescape}",
-        "OTHER_CODE_SIGN_FLAGS=#{("--keychain #{ENV.fetch("MATCH_KEYCHAIN_NAME")}").shellescape}"
-      ].join(" ")
-    end
-
-    begin
-      sync_match_signing(readonly: true)
-      verify_ci_signing_identity
-      build_app(build_options)
-    ensure
-      cleanup_ci_signing_identity
-    end
+    )
 
     upload_to_testflight(
       api_key: api_key,
       skip_waiting_for_build_processing: true
     )
+  ensure
+    cleanup_ci_signing
   end
 end