Compare commits
5 Commits
release/v1
...
release/v1
| Author | SHA1 | Date | |
|---|---|---|---|
| 88bef50ae7 | |||
| 0d069b4233 | |||
| 60bbe077e8 | |||
| 0b09d5425b | |||
| c9a3015e35 |
@@ -90,19 +90,20 @@ jobs:
|
|||||||
fi
|
fi
|
||||||
developer_dir="$(xcode-select -p)"
|
developer_dir="$(xcode-select -p)"
|
||||||
signing_dir="$(mktemp -d "${RUNNER_TEMP:-${TMPDIR:-/tmp}}/sybil-signing.XXXXXX")"
|
signing_dir="$(mktemp -d "${RUNNER_TEMP:-${TMPDIR:-/tmp}}/sybil-signing.XXXXXX")"
|
||||||
keychain_path="${HOME}/Library/Keychains/${SIGNING_KEYCHAIN}-${GITHUB_RUN_ID:-$(uuidgen)}.keychain-db"
|
mkdir -p "${HOME}/Library/Keychains"
|
||||||
|
keychain_name="${HOME}/Library/Keychains/${SIGNING_KEYCHAIN}-${GITHUB_RUN_ID:-$(uuidgen)}.keychain"
|
||||||
certificate_path="${signing_dir}/appstore-signing.p12"
|
certificate_path="${signing_dir}/appstore-signing.p12"
|
||||||
wwdr_certificate_path="${signing_dir}/AppleWWDRCAG3.cer"
|
wwdr_certificate_path="${signing_dir}/AppleWWDRCAG3.cer"
|
||||||
profile_path="${signing_dir}/Sybil_AppStore_CI.mobileprovision"
|
profile_path="${signing_dir}/Sybil_AppStore_CI.mobileprovision"
|
||||||
profile_plist="${signing_dir}/profile.plist"
|
profile_plist="${signing_dir}/profile.plist"
|
||||||
old_profile_dir="${HOME}/Library/MobileDevice/Provisioning Profiles"
|
old_profile_dir="${HOME}/Library/MobileDevice/Provisioning Profiles"
|
||||||
xcode_profile_dir="${HOME}/Library/Developer/Xcode/UserData/Provisioning Profiles"
|
xcode_profile_dir="${HOME}/Library/Developer/Xcode/UserData/Provisioning Profiles"
|
||||||
mkdir -p "${HOME}/Library/Keychains" "${old_profile_dir}" "${xcode_profile_dir}"
|
mkdir -p "${old_profile_dir}" "${xcode_profile_dir}"
|
||||||
|
|
||||||
printf '%s' "${APPSTORE_CERTIFICATES_FILE_BASE64}" | base64 --decode > "${certificate_path}"
|
printf '%s' "${APPSTORE_CERTIFICATES_FILE_BASE64}" | base64 --decode > "${certificate_path}"
|
||||||
printf '%s' "${APPSTORE_PROVISIONING_PROFILE_BASE64}" | base64 --decode > "${profile_path}"
|
printf '%s' "${APPSTORE_PROVISIONING_PROFILE_BASE64}" | base64 --decode > "${profile_path}"
|
||||||
curl -fsSL https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer -o "${wwdr_certificate_path}"
|
curl -fsSL https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer -o "${wwdr_certificate_path}"
|
||||||
security cms -D -i "${profile_path}" > "${profile_plist}"
|
openssl smime -inform DER -verify -noverify -in "${profile_path}" -out "${profile_plist}" >/dev/null
|
||||||
profile_uuid="$(/usr/libexec/PlistBuddy -c 'Print UUID' "${profile_plist}")"
|
profile_uuid="$(/usr/libexec/PlistBuddy -c 'Print UUID' "${profile_plist}")"
|
||||||
profile_name="$(/usr/libexec/PlistBuddy -c 'Print Name' "${profile_plist}")"
|
profile_name="$(/usr/libexec/PlistBuddy -c 'Print Name' "${profile_plist}")"
|
||||||
old_profile_path="${old_profile_dir}/${profile_uuid}.mobileprovision"
|
old_profile_path="${old_profile_dir}/${profile_uuid}.mobileprovision"
|
||||||
@@ -122,31 +123,37 @@ jobs:
|
|||||||
base_keychains+=("${existing_keychain}")
|
base_keychains+=("${existing_keychain}")
|
||||||
done < <(security list-keychains -d user | sed 's/[ "]//g')
|
done < <(security list-keychains -d user | sed 's/[ "]//g')
|
||||||
|
|
||||||
security delete-keychain "${keychain_path}" >/dev/null 2>&1 || true
|
security delete-keychain "${keychain_name}" >/dev/null 2>&1 || true
|
||||||
rm -f "${keychain_path}"
|
rm -f "${HOME}/Library/Keychains/${keychain_name}-db"
|
||||||
security create-keychain -p "${keychain_password}" "${keychain_path}"
|
security create-keychain -p "${keychain_password}" "${keychain_name}"
|
||||||
security set-keychain-settings -lut 21600 "${keychain_path}"
|
security set-keychain-settings -lut 21600 "${keychain_name}"
|
||||||
security unlock-keychain -p "${keychain_password}" "${keychain_path}"
|
security unlock-keychain -p "${keychain_password}" "${keychain_name}"
|
||||||
security import "${wwdr_certificate_path}" \
|
security import "${wwdr_certificate_path}" \
|
||||||
-k "${keychain_path}" \
|
-k "${keychain_name}" \
|
||||||
-T /usr/bin/codesign \
|
-T /usr/bin/codesign \
|
||||||
-T /usr/bin/security \
|
-T /usr/bin/security \
|
||||||
-T /usr/bin/xcodebuild
|
-T /usr/bin/xcodebuild
|
||||||
security import "${certificate_path}" \
|
security import "${certificate_path}" \
|
||||||
-k "${keychain_path}" \
|
-k "${keychain_name}" \
|
||||||
-P "${APPSTORE_CERTIFICATES_PASSWORD}" \
|
-P "${APPSTORE_CERTIFICATES_PASSWORD}" \
|
||||||
-T /usr/bin/codesign \
|
-T /usr/bin/codesign \
|
||||||
-T /usr/bin/security \
|
-T /usr/bin/security \
|
||||||
-T /usr/bin/xcodebuild \
|
-T /usr/bin/xcodebuild \
|
||||||
-T "${developer_dir}/usr/bin/xcodebuild"
|
-T "${developer_dir}/usr/bin/xcodebuild"
|
||||||
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${keychain_password}" "${keychain_path}"
|
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${keychain_password}" "${keychain_name}"
|
||||||
security list-keychains -d user -s "${keychain_path}" "${base_keychains[@]}"
|
if [[ "${#base_keychains[@]}" -gt 0 ]]; then
|
||||||
security default-keychain -d user -s "${keychain_path}"
|
security list-keychains -d user -s "${keychain_name}" "${base_keychains[@]}"
|
||||||
|
else
|
||||||
|
security list-keychains -d user -s "${keychain_name}"
|
||||||
|
fi
|
||||||
|
security default-keychain -d user -s "${keychain_name}"
|
||||||
|
keychain_path="$(security list-keychains -d user | sed 's/[ "]//g' | head -n 1)"
|
||||||
security find-identity -v -p codesigning "${keychain_path}"
|
security find-identity -v -p codesigning "${keychain_path}"
|
||||||
security find-identity -v -p codesigning
|
security find-identity -v -p codesigning
|
||||||
echo "Installed ${profile_name} (${profile_uuid}) provisioning profile"
|
echo "Installed ${profile_name} (${profile_uuid}) provisioning profile"
|
||||||
{
|
{
|
||||||
echo "SYBIL_SIGNING_KEYCHAIN_PATH=${keychain_path}"
|
echo "SYBIL_SIGNING_KEYCHAIN_PATH=${keychain_path}"
|
||||||
|
echo "SYBIL_SIGNING_KEYCHAIN_NAME=${keychain_name}"
|
||||||
echo "SYBIL_SIGNING_KEYCHAIN_PASSWORD=${keychain_password}"
|
echo "SYBIL_SIGNING_KEYCHAIN_PASSWORD=${keychain_password}"
|
||||||
echo "SYBIL_PREVIOUS_DEFAULT_KEYCHAIN=${previous_default_keychain}"
|
echo "SYBIL_PREVIOUS_DEFAULT_KEYCHAIN=${previous_default_keychain}"
|
||||||
echo "SYBIL_PROVISIONING_PROFILE_UUID=${profile_uuid}"
|
echo "SYBIL_PROVISIONING_PROFILE_UUID=${profile_uuid}"
|
||||||
|
|||||||
@@ -54,7 +54,9 @@ The Release signing settings are also present in `Apps/Sybil/project.yml` so
|
|||||||
XcodeGen emits a manually signed App Store archive configuration. CI passes the
|
XcodeGen emits a manually signed App Store archive configuration. CI passes the
|
||||||
installed provisioning profile UUID to Fastlane as
|
installed provisioning profile UUID to Fastlane as
|
||||||
`SYBIL_PROVISIONING_PROFILE_UUID`; Fastlane writes that UUID into the generated
|
`SYBIL_PROVISIONING_PROFILE_UUID`; Fastlane writes that UUID into the generated
|
||||||
project before archiving.
|
project before archiving. CI also passes the temporary keychain path as
|
||||||
|
`CODE_SIGN_KEYCHAIN` so Xcode searches the disposable keychain for the imported
|
||||||
|
Distribution identity.
|
||||||
|
|
||||||
If the Apple team has reached the Distribution certificate limit, set
|
If the Apple team has reached the Distribution certificate limit, set
|
||||||
`SYBIL_SIGNING_CERTIFICATE_ID` to the portal id for a certificate whose private
|
`SYBIL_SIGNING_CERTIFICATE_ID` to the portal id for a certificate whose private
|
||||||
|
|||||||
@@ -71,6 +71,7 @@ def apply_release_signing_settings
|
|||||||
settings["PROVISIONING_PROFILE_SPECIFIER"] = PROFILE_SPECIFIER
|
settings["PROVISIONING_PROFILE_SPECIFIER"] = PROFILE_SPECIFIER
|
||||||
settings["CODE_SIGN_IDENTITY"] = XCODE_CODE_SIGN_IDENTITY
|
settings["CODE_SIGN_IDENTITY"] = XCODE_CODE_SIGN_IDENTITY
|
||||||
settings["CODE_SIGN_IDENTITY[sdk=iphoneos*]"] = XCODE_CODE_SIGN_IDENTITY
|
settings["CODE_SIGN_IDENTITY[sdk=iphoneos*]"] = XCODE_CODE_SIGN_IDENTITY
|
||||||
|
settings["CODE_SIGN_KEYCHAIN"] = ENV["SYBIL_SIGNING_KEYCHAIN_PATH"] if present?(ENV["SYBIL_SIGNING_KEYCHAIN_PATH"])
|
||||||
if present?(ENV["SYBIL_PROVISIONING_PROFILE_UUID"])
|
if present?(ENV["SYBIL_PROVISIONING_PROFILE_UUID"])
|
||||||
settings["PROVISIONING_PROFILE"] = ENV["SYBIL_PROVISIONING_PROFILE_UUID"]
|
settings["PROVISIONING_PROFILE"] = ENV["SYBIL_PROVISIONING_PROFILE_UUID"]
|
||||||
settings["PROVISIONING_PROFILE[sdk=iphoneos*]"] = ENV["SYBIL_PROVISIONING_PROFILE_UUID"]
|
settings["PROVISIONING_PROFILE[sdk=iphoneos*]"] = ENV["SYBIL_PROVISIONING_PROFILE_UUID"]
|
||||||
@@ -435,6 +436,7 @@ platform :ios do
|
|||||||
xcode_build_setting("CURRENT_PROJECT_VERSION", build_number)
|
xcode_build_setting("CURRENT_PROJECT_VERSION", build_number)
|
||||||
]
|
]
|
||||||
if present?(ENV["SYBIL_SIGNING_KEYCHAIN_PATH"])
|
if present?(ENV["SYBIL_SIGNING_KEYCHAIN_PATH"])
|
||||||
|
xcode_args << xcode_build_setting("CODE_SIGN_KEYCHAIN", ENV.fetch("SYBIL_SIGNING_KEYCHAIN_PATH"))
|
||||||
xcode_args << xcode_build_setting("OTHER_CODE_SIGN_FLAGS", "--keychain #{ENV.fetch("SYBIL_SIGNING_KEYCHAIN_PATH")}")
|
xcode_args << xcode_build_setting("OTHER_CODE_SIGN_FLAGS", "--keychain #{ENV.fetch("SYBIL_SIGNING_KEYCHAIN_PATH")}")
|
||||||
end
|
end
|
||||||
xcode_args = xcode_args.join(" ")
|
xcode_args = xcode_args.join(" ")
|
||||||
|
|||||||
Reference in New Issue
Block a user