ios: install ci profiles for xcode signing

ios/fastlane/CI.md

@@ -15,11 +15,12 @@ git push origin release/v1.10.0
 
 The release job runs on the `xcode` runner label, imports the signing p12 into
 a temporary per-user keychain, makes that keychain the user default for the
-duration of the job, installs the App Store provisioning profile, builds and
-uploads the app with fastlane, then creates or updates the matching Gitea
-release with the generated IPA as an asset. The job restores the previous user
-default keychain and deletes the temporary signing keychain in an `always()`
-cleanup step.
+duration of the job, installs the App Store provisioning profile in both the
+legacy MobileDevice directory and the Xcode UserData directory used by newer
+Xcode releases, builds and uploads the app with fastlane, then creates or
+updates the matching Gitea release with the generated IPA as an asset. The job
+restores the previous user default keychain and deletes the temporary signing
+keychain and installed profiles in an `always()` cleanup step.
 
 Required repository secrets:
 
@@ -49,6 +50,12 @@ exact certificate common name used when exporting a local p12 for secrets, while
 `SYBIL_XCODE_CODE_SIGN_IDENTITY` defaults to the generic `Apple Distribution`
 selector that Xcode uses during archive/export.
 
+The Release signing settings are also present in `Apps/Sybil/project.yml` so
+XcodeGen emits a manually signed App Store archive configuration. CI passes the
+installed provisioning profile UUID to Fastlane as
+`SYBIL_PROVISIONING_PROFILE_UUID`; Fastlane writes that UUID into the generated
+project before archiving.
+
 If the Apple team has reached the Distribution certificate limit, set
 `SYBIL_SIGNING_CERTIFICATE_ID` to the portal id for a certificate whose private
 key exists in the local login keychain before running `create_ci_signing`. The