ios: pass signing keychain to xcode

ios: handle empty ci keychain list
ios: parse ci profile without keychain
2026-06-25 22:02:19 -07:00 · 2026-06-25 21:58:01 -07:00 · 2026-06-25 21:56:19 -07:00 · 2026-06-25 21:52:17 -07:00 · 2026-06-25 21:48:19 -07:00
3 changed files with 36 additions and 6 deletions
--- a/.gitea/workflows/testflight-release.yml
+++ b/.gitea/workflows/testflight-release.yml
@@ -85,10 +85,16 @@ jobs:

          keychain_password="$(uuidgen)"
          previous_default_keychain="$(security default-keychain -d user | sed 's/[ "]//g' || true)"
+          if [[ "${previous_default_keychain}" == *"/${SIGNING_KEYCHAIN}"* || ! -e "${previous_default_keychain}" ]]; then
+            previous_default_keychain=""
+          fi
          developer_dir="$(xcode-select -p)"
          signing_dir="$(mktemp -d "${RUNNER_TEMP:-${TMPDIR:-/tmp}}/sybil-signing.XXXXXX")"
-          keychain_path="${signing_dir}/${SIGNING_KEYCHAIN}.keychain-db"
+          mkdir -p "${HOME}/Library/Keychains"
+          keychain_dir="$(cd "${HOME}/Library/Keychains" && pwd -P)"
+          keychain_path="${keychain_dir}/${SIGNING_KEYCHAIN}-${GITHUB_RUN_ID:-$(uuidgen)}.keychain-db"
          certificate_path="${signing_dir}/appstore-signing.p12"
+          wwdr_certificate_path="${signing_dir}/AppleWWDRCAG3.cer"
          profile_path="${signing_dir}/Sybil_AppStore_CI.mobileprovision"
          profile_plist="${signing_dir}/profile.plist"
          old_profile_dir="${HOME}/Library/MobileDevice/Provisioning Profiles"
@@ -97,7 +103,8 @@ jobs:

          printf '%s' "${APPSTORE_CERTIFICATES_FILE_BASE64}" | base64 --decode > "${certificate_path}"
          printf '%s' "${APPSTORE_PROVISIONING_PROFILE_BASE64}" | base64 --decode > "${profile_path}"
-          security cms -D -i "${profile_path}" > "${profile_plist}"
+          curl -fsSL https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer -o "${wwdr_certificate_path}"
+          openssl smime -inform DER -verify -noverify -in "${profile_path}" -out "${profile_plist}" >/dev/null
          profile_uuid="$(/usr/libexec/PlistBuddy -c 'Print UUID' "${profile_plist}")"
          profile_name="$(/usr/libexec/PlistBuddy -c 'Print Name' "${profile_plist}")"
          old_profile_path="${old_profile_dir}/${profile_uuid}.mobileprovision"
@@ -109,19 +116,37 @@ jobs:
          cp "${profile_path}" "${old_named_profile_path}"
          cp "${profile_path}" "${xcode_named_profile_path}"

+          base_keychains=()
+          while IFS= read -r existing_keychain; do
+            [[ -z "${existing_keychain}" ]] && continue
+            [[ "${existing_keychain}" == *"/${SIGNING_KEYCHAIN}"* ]] && continue
+            [[ ! -e "${existing_keychain}" ]] && continue
+            base_keychains+=("${existing_keychain}")
+          done < <(security list-keychains -d user | sed 's/[ "]//g')
+
+          security delete-keychain "${keychain_path}" >/dev/null 2>&1 || true
+          rm -f "${keychain_path}"
          security create-keychain -p "${keychain_password}" "${keychain_path}"
          security set-keychain-settings -lut 21600 "${keychain_path}"
          security unlock-keychain -p "${keychain_password}" "${keychain_path}"
+          security import "${wwdr_certificate_path}" \
+            -k "${keychain_path}" \
+            -T /usr/bin/codesign \
+            -T /usr/bin/security \
+            -T /usr/bin/xcodebuild
          security import "${certificate_path}" \
            -k "${keychain_path}" \
-            -f pkcs12 \
            -P "${APPSTORE_CERTIFICATES_PASSWORD}" \
            -T /usr/bin/codesign \
            -T /usr/bin/security \
            -T /usr/bin/xcodebuild \
            -T "${developer_dir}/usr/bin/xcodebuild"
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${keychain_password}" "${keychain_path}"
-          security list-keychains -d user -s "${keychain_path}" $(security list-keychains -d user | sed 's/[ "]//g')
+          if [[ "${#base_keychains[@]}" -gt 0 ]]; then
+            security list-keychains -d user -s "${keychain_path}" "${base_keychains[@]}"
+          else
+            security list-keychains -d user -s "${keychain_path}"
+          fi
          security default-keychain -d user -s "${keychain_path}"
          security find-identity -v -p codesigning "${keychain_path}"
          security find-identity -v -p codesigning
@@ -255,5 +280,6 @@ jobs:
            "${SYBIL_XCODE_PROFILE_PATH:-}" \
            "${SYBIL_OLD_NAMED_PROFILE_PATH:-}" \
            "${SYBIL_XCODE_NAMED_PROFILE_PATH:-}"
-          security delete-keychain "${SYBIL_SIGNING_KEYCHAIN_PATH:-}" || true
+          security delete-keychain "${SYBIL_SIGNING_KEYCHAIN_PATH:-${HOME}/Library/Keychains/${SIGNING_KEYCHAIN}.keychain-db}" || true
+          rm -f "${HOME}/Library/Keychains/${SIGNING_KEYCHAIN}-"*.keychain-db
          rm -rf "${SYBIL_SIGNING_DIR:-}"
--- a/ios/fastlane/CI.md
+++ b/ios/fastlane/CI.md
@@ -54,7 +54,9 @@ The Release signing settings are also present in `Apps/Sybil/project.yml` so
 XcodeGen emits a manually signed App Store archive configuration. CI passes the
 installed provisioning profile UUID to Fastlane as
 `SYBIL_PROVISIONING_PROFILE_UUID`; Fastlane writes that UUID into the generated
-project before archiving.
+project before archiving. CI also passes the temporary keychain path as
+`CODE_SIGN_KEYCHAIN` so Xcode searches the disposable keychain for the imported
+Distribution identity.

 If the Apple team has reached the Distribution certificate limit, set
 `SYBIL_SIGNING_CERTIFICATE_ID` to the portal id for a certificate whose private
--- a/ios/fastlane/Fastfile
+++ b/ios/fastlane/Fastfile
@@ -71,6 +71,7 @@ def apply_release_signing_settings
    settings["PROVISIONING_PROFILE_SPECIFIER"] = PROFILE_SPECIFIER
    settings["CODE_SIGN_IDENTITY"] = XCODE_CODE_SIGN_IDENTITY
    settings["CODE_SIGN_IDENTITY[sdk=iphoneos*]"] = XCODE_CODE_SIGN_IDENTITY
+    settings["CODE_SIGN_KEYCHAIN"] = ENV["SYBIL_SIGNING_KEYCHAIN_PATH"] if present?(ENV["SYBIL_SIGNING_KEYCHAIN_PATH"])
    if present?(ENV["SYBIL_PROVISIONING_PROFILE_UUID"])
      settings["PROVISIONING_PROFILE"] = ENV["SYBIL_PROVISIONING_PROFILE_UUID"]
      settings["PROVISIONING_PROFILE[sdk=iphoneos*]"] = ENV["SYBIL_PROVISIONING_PROFILE_UUID"]
@@ -435,6 +436,7 @@ platform :ios do
      xcode_build_setting("CURRENT_PROJECT_VERSION", build_number)
    ]
    if present?(ENV["SYBIL_SIGNING_KEYCHAIN_PATH"])
+      xcode_args << xcode_build_setting("CODE_SIGN_KEYCHAIN", ENV.fetch("SYBIL_SIGNING_KEYCHAIN_PATH"))
      xcode_args << xcode_build_setting("OTHER_CODE_SIGN_FLAGS", "--keychain #{ENV.fetch("SYBIL_SIGNING_KEYCHAIN_PATH")}")
    end
    xcode_args = xcode_args.join(" ")
Author	SHA1	Message	Date
James Magahern	60bbe077e8	ios: pass signing keychain to xcode Some checks failed TestFlight Release / testflight (push) Failing after 18s Details	2026-06-25 22:02:19 -07:00
James Magahern	0b09d5425b	ios: handle empty ci keychain list Some checks failed TestFlight Release / testflight (push) Failing after 15s Details	2026-06-25 21:58:01 -07:00
James Magahern	c9a3015e35	ios: parse ci profile without keychain Some checks failed TestFlight Release / testflight (push) Failing after 9s Details	2026-06-25 21:56:19 -07:00
James Magahern	abd8a80daa	ios: isolate ci signing keychains Some checks failed TestFlight Release / testflight (push) Failing after 8s Details	2026-06-25 21:52:17 -07:00
James Magahern	0f76ef91a9	ios: restore working ci p12 import Some checks failed TestFlight Release / testflight (push) Failing after 9s Details	2026-06-25 21:48:19 -07:00