ios: install ci profiles for xcode signing

ios/.env.example

@@ -5,6 +5,7 @@ FASTLANE_HIDE_CHANGELOG=1
 SYBIL_APP_STORE_APPLE_ID=6759442828
 SYBIL_PROVIDER_PUBLIC_ID=c043d167-ad88-4036-84ea-76c223f1b1b2
 SYBIL_PROVISIONING_PROFILE_SPECIFIER=Sybil AppStore CI
+SYBIL_PROVISIONING_PROFILE_UUID=
 SYBIL_CODE_SIGN_IDENTITY=Apple Distribution: James Magahern (DQQH5H6GBD)
 SYBIL_XCODE_CODE_SIGN_IDENTITY=Apple Distribution
 SYBIL_SIGNING_CERTIFICATE_ID=

ios/Apps/Sybil/project.yml

@@ -32,6 +32,12 @@ targets:
         INFOPLIST_KEY_UILaunchScreen_Generation: YES
         INFOPLIST_KEY_UISupportedInterfaceOrientations_iPhone: UIInterfaceOrientationPortrait
         INFOPLIST_KEY_UISupportedInterfaceOrientations_iPad: UIInterfaceOrientationPortrait UIInterfaceOrientationPortraitUpsideDown UIInterfaceOrientationLandscapeLeft UIInterfaceOrientationLandscapeRight
+      configs:
+        Release:
+          CODE_SIGN_STYLE: Manual
+          CODE_SIGN_IDENTITY: Apple Distribution
+          "CODE_SIGN_IDENTITY[sdk=iphoneos*]": Apple Distribution
+          PROVISIONING_PROFILE_SPECIFIER: Sybil AppStore CI
 
 schemes:
   Sybil:

ios/fastlane/CI.md

@@ -15,11 +15,12 @@ git push origin release/v1.10.0
 
 The release job runs on the `xcode` runner label, imports the signing p12 into
 a temporary per-user keychain, makes that keychain the user default for the
-duration of the job, installs the App Store provisioning profile, builds and
-uploads the app with fastlane, then creates or updates the matching Gitea
-release with the generated IPA as an asset. The job restores the previous user
-default keychain and deletes the temporary signing keychain in an `always()`
-cleanup step.
+duration of the job, installs the App Store provisioning profile in both the
+legacy MobileDevice directory and the Xcode UserData directory used by newer
+Xcode releases, builds and uploads the app with fastlane, then creates or
+updates the matching Gitea release with the generated IPA as an asset. The job
+restores the previous user default keychain and deletes the temporary signing
+keychain and installed profiles in an `always()` cleanup step.
 
 Required repository secrets:
 
@@ -49,6 +50,12 @@ exact certificate common name used when exporting a local p12 for secrets, while
 `SYBIL_XCODE_CODE_SIGN_IDENTITY` defaults to the generic `Apple Distribution`
 selector that Xcode uses during archive/export.
 
+The Release signing settings are also present in `Apps/Sybil/project.yml` so
+XcodeGen emits a manually signed App Store archive configuration. CI passes the
+installed provisioning profile UUID to Fastlane as
+`SYBIL_PROVISIONING_PROFILE_UUID`; Fastlane writes that UUID into the generated
+project before archiving.
+
 If the Apple team has reached the Distribution certificate limit, set
 `SYBIL_SIGNING_CERTIFICATE_ID` to the portal id for a certificate whose private
 key exists in the local login keychain before running `create_ci_signing`. The

ios/fastlane/Fastfile

@@ -71,6 +71,10 @@ def apply_release_signing_settings
     settings["PROVISIONING_PROFILE_SPECIFIER"] = PROFILE_SPECIFIER
     settings["CODE_SIGN_IDENTITY"] = XCODE_CODE_SIGN_IDENTITY
     settings["CODE_SIGN_IDENTITY[sdk=iphoneos*]"] = XCODE_CODE_SIGN_IDENTITY
+    if present?(ENV["SYBIL_PROVISIONING_PROFILE_UUID"])
+      settings["PROVISIONING_PROFILE"] = ENV["SYBIL_PROVISIONING_PROFILE_UUID"]
+      settings["PROVISIONING_PROFILE[sdk=iphoneos*]"] = ENV["SYBIL_PROVISIONING_PROFILE_UUID"]
+    end
   end
   project.save
 end
@@ -428,11 +432,7 @@ platform :ios do
 
     xcode_args = [
       xcode_build_setting("MARKETING_VERSION", version),
-      xcode_build_setting("CURRENT_PROJECT_VERSION", build_number),
-      xcode_build_setting("CODE_SIGN_STYLE", "Manual"),
-      xcode_build_setting("DEVELOPMENT_TEAM", TEAM_ID),
-      xcode_build_setting("PROVISIONING_PROFILE_SPECIFIER", PROFILE_SPECIFIER),
-      xcode_build_setting("CODE_SIGN_IDENTITY", XCODE_CODE_SIGN_IDENTITY)
+      xcode_build_setting("CURRENT_PROJECT_VERSION", build_number)
     ]
     if present?(ENV["SYBIL_SIGNING_KEYCHAIN_PATH"])
       xcode_args << xcode_build_setting("OTHER_CODE_SIGN_FLAGS", "--keychain #{ENV.fetch("SYBIL_SIGNING_KEYCHAIN_PATH")}")