ios: sign with disposable login keychain

.gitea/workflows/testflight-release.yml

@@ -90,19 +90,20 @@ jobs:
           fi
           developer_dir="$(xcode-select -p)"
           signing_dir="$(mktemp -d "${RUNNER_TEMP:-${TMPDIR:-/tmp}}/sybil-signing.XXXXXX")"
-          keychain_path="${HOME}/Library/Keychains/${SIGNING_KEYCHAIN}-${GITHUB_RUN_ID:-$(uuidgen)}.keychain-db"
+          mkdir -p "${HOME}/Library/Keychains"
+          keychain_name="${HOME}/Library/Keychains/login.keychain"
           certificate_path="${signing_dir}/appstore-signing.p12"
           wwdr_certificate_path="${signing_dir}/AppleWWDRCAG3.cer"
           profile_path="${signing_dir}/Sybil_AppStore_CI.mobileprovision"
           profile_plist="${signing_dir}/profile.plist"
           old_profile_dir="${HOME}/Library/MobileDevice/Provisioning Profiles"
           xcode_profile_dir="${HOME}/Library/Developer/Xcode/UserData/Provisioning Profiles"
-          mkdir -p "${HOME}/Library/Keychains" "${old_profile_dir}" "${xcode_profile_dir}"
+          mkdir -p "${old_profile_dir}" "${xcode_profile_dir}"
 
           printf '%s' "${APPSTORE_CERTIFICATES_FILE_BASE64}" | base64 --decode > "${certificate_path}"
           printf '%s' "${APPSTORE_PROVISIONING_PROFILE_BASE64}" | base64 --decode > "${profile_path}"
           curl -fsSL https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer -o "${wwdr_certificate_path}"
-          security cms -D -i "${profile_path}" > "${profile_plist}"
+          openssl smime -inform DER -verify -noverify -in "${profile_path}" -out "${profile_plist}" >/dev/null
           profile_uuid="$(/usr/libexec/PlistBuddy -c 'Print UUID' "${profile_plist}")"
           profile_name="$(/usr/libexec/PlistBuddy -c 'Print Name' "${profile_plist}")"
           old_profile_path="${old_profile_dir}/${profile_uuid}.mobileprovision"
@@ -122,31 +123,37 @@ jobs:
             base_keychains+=("${existing_keychain}")
           done < <(security list-keychains -d user | sed 's/[ "]//g')
 
-          security delete-keychain "${keychain_path}" >/dev/null 2>&1 || true
-          rm -f "${keychain_path}"
-          security create-keychain -p "${keychain_password}" "${keychain_path}"
-          security set-keychain-settings -lut 21600 "${keychain_path}"
-          security unlock-keychain -p "${keychain_password}" "${keychain_path}"
+          security delete-keychain "${keychain_name}" >/dev/null 2>&1 || true
+          rm -f "${HOME}/Library/Keychains/${keychain_name}-db"
+          security create-keychain -p "${keychain_password}" "${keychain_name}"
+          security set-keychain-settings -lut 21600 "${keychain_name}"
+          security unlock-keychain -p "${keychain_password}" "${keychain_name}"
           security import "${wwdr_certificate_path}" \
-            -k "${keychain_path}" \
+            -k "${keychain_name}" \
             -T /usr/bin/codesign \
             -T /usr/bin/security \
             -T /usr/bin/xcodebuild
           security import "${certificate_path}" \
-            -k "${keychain_path}" \
+            -k "${keychain_name}" \
             -P "${APPSTORE_CERTIFICATES_PASSWORD}" \
             -T /usr/bin/codesign \
             -T /usr/bin/security \
             -T /usr/bin/xcodebuild \
             -T "${developer_dir}/usr/bin/xcodebuild"
-          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${keychain_password}" "${keychain_path}"
-          security list-keychains -d user -s "${keychain_path}" "${base_keychains[@]}"
-          security default-keychain -d user -s "${keychain_path}"
+          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${keychain_password}" "${keychain_name}"
+          if [[ "${#base_keychains[@]}" -gt 0 ]]; then
+            security list-keychains -d user -s "${keychain_name}" "${base_keychains[@]}"
+          else
+            security list-keychains -d user -s "${keychain_name}"
+          fi
+          security default-keychain -d user -s "${keychain_name}"
+          keychain_path="$(security list-keychains -d user | sed 's/[ "]//g' | head -n 1)"
           security find-identity -v -p codesigning "${keychain_path}"
           security find-identity -v -p codesigning
           echo "Installed ${profile_name} (${profile_uuid}) provisioning profile"
           {
             echo "SYBIL_SIGNING_KEYCHAIN_PATH=${keychain_path}"
+            echo "SYBIL_SIGNING_KEYCHAIN_NAME=${keychain_name}"
             echo "SYBIL_SIGNING_KEYCHAIN_PASSWORD=${keychain_password}"
             echo "SYBIL_PREVIOUS_DEFAULT_KEYCHAIN=${previous_default_keychain}"
             echo "SYBIL_PROVISIONING_PROFILE_UUID=${profile_uuid}"

ios/.env.example

@@ -7,7 +7,8 @@ SYBIL_PROVIDER_PUBLIC_ID=c043d167-ad88-4036-84ea-76c223f1b1b2
 SYBIL_PROVISIONING_PROFILE_SPECIFIER=Sybil AppStore CI
 SYBIL_PROVISIONING_PROFILE_UUID=
 SYBIL_CODE_SIGN_IDENTITY=Apple Distribution: James Magahern (DQQH5H6GBD)
-SYBIL_XCODE_CODE_SIGN_IDENTITY=Apple Distribution
+SYBIL_XCODE_CODE_SIGN_IDENTITY=6B74B268C4761720FB2051D01D8BB3E47B55D9F5
+SYBIL_EXPORT_SIGNING_CERTIFICATE=Apple Distribution
 SYBIL_SIGNING_CERTIFICATE_ID=
 SYBIL_SIGNING_KEYCHAIN=
 

ios/fastlane/CI.md

@@ -13,14 +13,15 @@ git tag release/v1.10.0
 git push origin release/v1.10.0
 ```
 
-The release job runs on the `xcode` runner label, imports the signing p12 into
-a temporary per-user keychain, makes that keychain the user default for the
+The release job runs on the `xcode` runner label, creates the runner user's
+login keychain from Gitea secrets, makes that keychain the user default for the
 duration of the job, installs the App Store provisioning profile in both the
 legacy MobileDevice directory and the Xcode UserData directory used by newer
 Xcode releases, builds and uploads the app with fastlane, then creates or
 updates the matching Gitea release with the generated IPA as an asset. The job
-restores the previous user default keychain and deletes the temporary signing
-keychain and installed profiles in an `always()` cleanup step.
+restores the previous user default keychain and deletes the user login keychain
+and installed profiles in an `always()` cleanup step. No signing material is
+installed into the system keychain.
 
 Required repository secrets:
 
@@ -47,14 +48,17 @@ default.
 
 Fastlane keeps two signing names separate. `SYBIL_CODE_SIGN_IDENTITY` is the
 exact certificate common name used when exporting a local p12 for secrets, while
-`SYBIL_XCODE_CODE_SIGN_IDENTITY` defaults to the generic `Apple Distribution`
-selector that Xcode uses during archive/export.
+`SYBIL_XCODE_CODE_SIGN_IDENTITY` defaults to the certificate SHA-1 fingerprint
+that Xcode uses during archive. `SYBIL_EXPORT_SIGNING_CERTIFICATE` defaults to
+the generic `Apple Distribution` selector used in the export options.
 
 The Release signing settings are also present in `Apps/Sybil/project.yml` so
 XcodeGen emits a manually signed App Store archive configuration. CI passes the
 installed provisioning profile UUID to Fastlane as
 `SYBIL_PROVISIONING_PROFILE_UUID`; Fastlane writes that UUID into the generated
-project before archiving.
+project before archiving. CI also passes the temporary keychain path as
+`CODE_SIGN_KEYCHAIN` so Xcode searches the disposable keychain for the imported
+Distribution identity.
 
 If the Apple team has reached the Distribution certificate limit, set
 `SYBIL_SIGNING_CERTIFICATE_ID` to the portal id for a certificate whose private

ios/fastlane/Fastfile

@@ -20,7 +20,8 @@ APP_STORE_APPLE_ID = ENV.fetch("SYBIL_APP_STORE_APPLE_ID", "6759442828")
 PROVIDER_PUBLIC_ID = ENV.fetch("SYBIL_PROVIDER_PUBLIC_ID", "c043d167-ad88-4036-84ea-76c223f1b1b2")
 PROFILE_SPECIFIER = ENV["SYBIL_PROVISIONING_PROFILE_SPECIFIER"].to_s.strip.empty? ? "Sybil AppStore CI" : ENV["SYBIL_PROVISIONING_PROFILE_SPECIFIER"]
 SIGNING_CERTIFICATE_NAME = ENV["SYBIL_CODE_SIGN_IDENTITY"].to_s.strip.empty? ? "Apple Distribution: James Magahern (DQQH5H6GBD)" : ENV["SYBIL_CODE_SIGN_IDENTITY"]
-XCODE_CODE_SIGN_IDENTITY = ENV["SYBIL_XCODE_CODE_SIGN_IDENTITY"].to_s.strip.empty? ? "Apple Distribution" : ENV["SYBIL_XCODE_CODE_SIGN_IDENTITY"]
+XCODE_CODE_SIGN_IDENTITY = ENV["SYBIL_XCODE_CODE_SIGN_IDENTITY"].to_s.strip.empty? ? "6B74B268C4761720FB2051D01D8BB3E47B55D9F5" : ENV["SYBIL_XCODE_CODE_SIGN_IDENTITY"]
+EXPORT_SIGNING_CERTIFICATE = ENV["SYBIL_EXPORT_SIGNING_CERTIFICATE"].to_s.strip.empty? ? "Apple Distribution" : ENV["SYBIL_EXPORT_SIGNING_CERTIFICATE"]
 IOS_ROOT = File.expand_path("..", __dir__)
 PROJECT_FILE = File.join(IOS_ROOT, "Sybil.xcodeproj")
 PROJECT_SPEC = File.join(IOS_ROOT, "project.yml")
@@ -71,6 +72,7 @@ def apply_release_signing_settings
     settings["PROVISIONING_PROFILE_SPECIFIER"] = PROFILE_SPECIFIER
     settings["CODE_SIGN_IDENTITY"] = XCODE_CODE_SIGN_IDENTITY
     settings["CODE_SIGN_IDENTITY[sdk=iphoneos*]"] = XCODE_CODE_SIGN_IDENTITY
+    settings["CODE_SIGN_KEYCHAIN"] = ENV["SYBIL_SIGNING_KEYCHAIN_PATH"] if present?(ENV["SYBIL_SIGNING_KEYCHAIN_PATH"])
     if present?(ENV["SYBIL_PROVISIONING_PROFILE_UUID"])
       settings["PROVISIONING_PROFILE"] = ENV["SYBIL_PROVISIONING_PROFILE_UUID"]
       settings["PROVISIONING_PROFILE[sdk=iphoneos*]"] = ENV["SYBIL_PROVISIONING_PROFILE_UUID"]
@@ -435,6 +437,7 @@ platform :ios do
       xcode_build_setting("CURRENT_PROJECT_VERSION", build_number)
     ]
     if present?(ENV["SYBIL_SIGNING_KEYCHAIN_PATH"])
+      xcode_args << xcode_build_setting("CODE_SIGN_KEYCHAIN", ENV.fetch("SYBIL_SIGNING_KEYCHAIN_PATH"))
       xcode_args << xcode_build_setting("OTHER_CODE_SIGN_FLAGS", "--keychain #{ENV.fetch("SYBIL_SIGNING_KEYCHAIN_PATH")}")
     end
     xcode_args = xcode_args.join(" ")
@@ -455,7 +458,7 @@ platform :ios do
         provisioningProfiles: {
           APP_IDENTIFIER => PROFILE_SPECIFIER
         },
-        signingCertificate: XCODE_CODE_SIGN_IDENTITY,
+        signingCertificate: EXPORT_SIGNING_CERTIFICATE,
         teamID: TEAM_ID,
         manageAppVersionAndBuildNumber: false,
         uploadSymbols: true,