ios: source TestFlight build number from CI run number

App Store Connect requires CFBundleVersion to be unique and strictly increasing app-wide. latest_testflight_build_number could return a stale value (it missed an existing build 13) and produced colliding build numbers, 409-ing every upload. Use the monotonic Gitea run number (github.run_number -> SYBIL_BUILD_NUMBER) instead. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
ios: get TestFlight CI signing working
2026-06-26 00:41:37 -07:00 · 2026-06-26 00:28:27 -07:00
11 changed files with 237 additions and 650 deletions
--- a/.gitea/workflows/testflight-release.yml
+++ b/.gitea/workflows/testflight-release.yml
@@ -1,208 +0,0 @@
 name: TestFlight Release
 on:
  push:
    tags:
      - "release/v*.*.*"
 permissions:
  contents: write
 jobs:
  testflight:
    runs-on: xcode
    env:
      SIGNING_KEYCHAIN: sybil_signing_temp
    defaults:
      run:
        shell: bash
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Validate release tag
        run: |
          set -euo pipefail
          tag_name="${GITHUB_REF#refs/tags/}"
          if [[ ! "$tag_name" =~ ^release/v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "Release tag must match release/vN.N.N; got ${tag_name}" >&2
            exit 1
          fi
          release_version="${tag_name#release/v}"
          {
            echo "TAG_NAME=${tag_name}"
            echo "RELEASE_VERSION=${release_version}"
          } >> "${GITHUB_ENV}"
      - name: Set up Ruby
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: "3.3"
      - name: Install Ruby gems
        working-directory: ios
        run: bundle install
      - name: Install release tools
        run: |
          set -euo pipefail
          missing_tools=()
          for tool in xcodegen jq; do
            if ! command -v "${tool}" >/dev/null 2>&1; then
              missing_tools+=("${tool}")
            fi
          done
          if [[ "${#missing_tools[@]}" -eq 0 ]]; then
            exit 0
          fi
          if ! command -v brew >/dev/null 2>&1; then
            echo "Missing required tools: ${missing_tools[*]}; Homebrew is not available to install them" >&2
            exit 1
          fi
          brew install "${missing_tools[@]}"
      - name: Install signing secrets
        env:
          APPSTORE_CERTIFICATES_FILE_BASE64: ${{ secrets.APPSTORE_CERTIFICATES_FILE_BASE64 }}
          APPSTORE_CERTIFICATES_PASSWORD: ${{ secrets.APPSTORE_CERTIFICATES_PASSWORD }}
          APPSTORE_PROVISIONING_PROFILE_BASE64: ${{ secrets.APPSTORE_PROVISIONING_PROFILE_BASE64 }}
        run: |
          set -euo pipefail
          : "${APPSTORE_CERTIFICATES_FILE_BASE64:?APPSTORE_CERTIFICATES_FILE_BASE64 secret is required}"
          : "${APPSTORE_CERTIFICATES_PASSWORD:?APPSTORE_CERTIFICATES_PASSWORD secret is required}"
          : "${APPSTORE_PROVISIONING_PROFILE_BASE64:?APPSTORE_PROVISIONING_PROFILE_BASE64 secret is required}"
          keychain_password="$(uuidgen)"
          keychain_path="${HOME}/Library/Keychains/${SIGNING_KEYCHAIN}.keychain-db"
          mkdir -p "${HOME}/Library/Keychains" "${HOME}/Library/MobileDevice/Provisioning Profiles" ios/build/secrets
          printf '%s' "${APPSTORE_CERTIFICATES_FILE_BASE64}" | base64 --decode > ios/build/secrets/appstore-signing.p12
          printf '%s' "${APPSTORE_PROVISIONING_PROFILE_BASE64}" | base64 --decode > "${HOME}/Library/MobileDevice/Provisioning Profiles/Sybil_AppStore_CI.mobileprovision"
          security create-keychain -p "${keychain_password}" "${keychain_path}"
          security set-keychain-settings -lut 21600 "${keychain_path}"
          security unlock-keychain -p "${keychain_password}" "${keychain_path}"
          security list-keychains -d user -s "${keychain_path}" $(security list-keychains -d user | sed 's/[ "]//g')
          security import ios/build/secrets/appstore-signing.p12 \
            -k "${keychain_path}" \
            -P "${APPSTORE_CERTIFICATES_PASSWORD}" \
            -T /usr/bin/codesign \
            -T /usr/bin/security \
            -T /usr/bin/xcodebuild
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${keychain_password}" "${keychain_path}"
      - name: Build and upload to TestFlight
        working-directory: ios
        env:
          APP_STORE_CONNECT_API_KEY_ID: ${{ secrets.APP_STORE_CONNECT_API_KEY_ID }}
          APP_STORE_CONNECT_API_ISSUER_ID: ${{ secrets.APP_STORE_CONNECT_API_ISSUER_ID }}
          APP_STORE_CONNECT_API_KEY_CONTENT: ${{ secrets.APP_STORE_CONNECT_API_KEY_CONTENT }}
          APP_STORE_CONNECT_API_KEY_CONTENT_BASE64: "true"
          FASTLANE_DONT_STORE_PASSWORD: "1"
          FASTLANE_HIDE_CHANGELOG: "1"
          FASTLANE_SKIP_UPDATE_CHECK: "1"
          SYBIL_PROVISIONING_PROFILE_SPECIFIER: Sybil AppStore CI
        run: |
          set -euo pipefail
          SYBIL_VERSION_TAG="${TAG_NAME}" bundle exec fastlane ios beta
      - name: Locate IPA
        run: |
          set -euo pipefail
          ipa_path="$(find ios/build/fastlane -maxdepth 1 -type f -name '*.ipa' -print | sort | tail -n 1)"
          if [[ -z "${ipa_path}" ]]; then
            echo "No IPA found under ios/build/fastlane" >&2
            exit 1
          fi
          {
            echo "IPA_PATH=${ipa_path}"
            echo "IPA_NAME=$(basename "${ipa_path}")"
          } >> "${GITHUB_ENV}"
      - name: Publish Gitea release asset
        env:
          GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }}
          RELEASE_API_URL: ${{ github.api_url }}
          RELEASE_REPOSITORY: ${{ github.repository }}
          RELEASE_SHA: ${{ github.sha }}
        run: |
          set -euo pipefail
          : "${GITEA_TOKEN:?GITEA_TOKEN is required}"
          api_url="${RELEASE_API_URL:-https://code.buzzert.dev/api/v1}"
          repository="${RELEASE_REPOSITORY:-buzzert/Sybil-2}"
          sha="${RELEASE_SHA:-${GITHUB_SHA:-}}"
          release_name="Sybil v${RELEASE_VERSION}"
          release_body="Automated TestFlight release for ${TAG_NAME}."
          release_payload="$(jq -nc \
            --arg tag "${TAG_NAME}" \
            --arg name "${release_name}" \
            --arg body "${release_body}" \
            --arg target "${sha}" \
            '{tag_name: $tag, name: $name, body: $body, draft: false, prerelease: false} +
            (if $target == "" then {} else {target_commitish: $target} end)')"
          response_file="$(mktemp)"
          status="$(curl -sS -o "${response_file}" -w "%{http_code}" \
            -X POST "${api_url}/repos/${repository}/releases" \
            -H "Authorization: token ${GITEA_TOKEN}" \
            -H "Content-Type: application/json" \
            --data "${release_payload}")"
          if [[ "${status}" == "201" ]]; then
            release_id="$(jq -r '.id' "${response_file}")"
          elif [[ "${status}" == "409" ]]; then
            release_id="$(curl -fsS \
              -H "Authorization: token ${GITEA_TOKEN}" \
              "${api_url}/repos/${repository}/releases?limit=100" |
              jq -r --arg tag "${TAG_NAME}" '.[] | select(.tag_name == $tag) | .id' |
              head -n 1)"
          else
            cat "${response_file}" >&2
            exit 1
          fi
          if [[ -z "${release_id}" || "${release_id}" == "null" ]]; then
            echo "Could not resolve Gitea release id for ${TAG_NAME}" >&2
            exit 1
          fi
          existing_asset_id="$(curl -fsS \
            -H "Authorization: token ${GITEA_TOKEN}" \
            "${api_url}/repos/${repository}/releases/${release_id}/assets" |
            jq -r --arg name "${IPA_NAME}" '.[] | select(.name == $name) | .id' |
            head -n 1)"
          if [[ -n "${existing_asset_id}" && "${existing_asset_id}" != "null" ]]; then
            curl -fsS -X DELETE \
              -H "Authorization: token ${GITEA_TOKEN}" \
              "${api_url}/repos/${repository}/releases/${release_id}/assets/${existing_asset_id}"
          fi
          asset_name="$(jq -rn --arg value "${IPA_NAME}" '$value | @uri')"
          curl -fsS -X POST \
            -H "Authorization: token ${GITEA_TOKEN}" \
            -F "attachment=@${IPA_PATH}" \
            "${api_url}/repos/${repository}/releases/${release_id}/assets?name=${asset_name}" >/dev/null
          echo "Published ${IPA_NAME} to ${release_name}"
      - name: Clean up temporary keychain
        if: always()
        run: |
          security delete-keychain "${HOME}/Library/Keychains/${SIGNING_KEYCHAIN}.keychain-db" || true
--- a/.gitea/workflows/testflight.yml
+++ b/.gitea/workflows/testflight.yml
@@ -0,0 +1,71 @@
 name: TestFlight
 on:
  workflow_dispatch:
  push:
    tags:
      - "v*"
 jobs:
  testflight:
    runs-on: xcode
    defaults:
      run:
        shell: bash
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Setup Ruby
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: "3.1.7"
          bundler-cache: true
          working-directory: ios
      - name: Install XcodeGen
        run: |
          set -euo pipefail
          if ! command -v xcodegen >/dev/null 2>&1; then
            brew install xcodegen
          fi
      - name: Prepare Runner Keychain
        env:
          HOME: /var/lib/act_runner
        run: |
          set -euo pipefail
          mkdir -p "${HOME}/Library/Keychains"
          login_keychain="${HOME}/Library/Keychains/login.keychain"
          if [ ! -f "${login_keychain}-db" ]; then
            security create-keychain -p "" "${login_keychain}"
          fi
          security unlock-keychain -p "" "${login_keychain}" 2>/dev/null || \
            security unlock-keychain -p "sybil-ci-keychain-password" "${login_keychain}" 2>/dev/null || true
          security default-keychain -d user -s "${login_keychain}"
          security list-keychains -d user -s "${login_keychain}-db"
          security delete-keychain "${HOME}/Library/Keychains/sybil_ci_keychain" >/dev/null 2>&1 || true
          rm -f "${HOME}/Library/Keychains/sybil_ci_keychain" "${HOME}/Library/Keychains/sybil_ci_keychain-db"
      - name: Upload to TestFlight
        working-directory: ios
        env:
          HOME: /var/lib/act_runner
          APP_STORE_CONNECT_KEY_ID: ${{ secrets.APP_STORE_CONNECT_KEY_ID }}
          APP_STORE_CONNECT_ISSUER_ID: ${{ secrets.APP_STORE_CONNECT_ISSUER_ID }}
          APP_STORE_CONNECT_KEY_CONTENT: ${{ secrets.APP_STORE_CONNECT_KEY_CONTENT }}
          MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}
          MATCH_GIT_URL: ${{ secrets.MATCH_GIT_URL }}
          MATCH_GIT_BASIC_AUTHORIZATION: ${{ secrets.MATCH_GIT_BASIC_AUTHORIZATION }}
          SYBIL_BUILD_NUMBER: ${{ github.run_number }}
          FASTLANE_SKIP_UPDATE_CHECK: "1"
          FASTLANE_XCODEBUILD_SETTINGS_TIMEOUT: "120"
        run: |
          export PATH="/Users/runner/hostedtoolcache/Ruby/3.1.7/arm64/bin:${PATH}"
          ruby --version
          bundle exec fastlane ios beta
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 .env
-
+ios/fastlane/README.md
 ios/fastlane/report.xml
--- a/ios/.env.example
+++ b/ios/.env.example
@@ -5,6 +5,10 @@ FASTLANE_HIDE_CHANGELOG=1
 SYBIL_APP_STORE_APPLE_ID=6759442828
 SYBIL_PROVIDER_PUBLIC_ID=c043d167-ad88-4036-84ea-76c223f1b1b2
 SYBIL_PROVISIONING_PROFILE_SPECIFIER=Sybil AppStore CI
 SYBIL_PROVISIONING_PROFILE_UUID=
 SYBIL_CODE_SIGN_IDENTITY=Apple Distribution: James Magahern (DQQH5H6GBD)
 SYBIL_XCODE_CODE_SIGN_IDENTITY=6B74B268C4761720FB2051D01D8BB3E47B55D9F5
 SYBIL_EXPORT_SIGNING_CERTIFICATE=Apple Distribution
 SYBIL_SIGNING_CERTIFICATE_ID=
 SYBIL_SIGNING_KEYCHAIN=
--- a/ios/Apps/Sybil/project.yml
+++ b/ios/Apps/Sybil/project.yml
@@ -32,6 +32,12 @@ targets:
        INFOPLIST_KEY_UILaunchScreen_Generation: YES
        INFOPLIST_KEY_UISupportedInterfaceOrientations_iPhone: UIInterfaceOrientationPortrait
        INFOPLIST_KEY_UISupportedInterfaceOrientations_iPad: UIInterfaceOrientationPortrait UIInterfaceOrientationPortraitUpsideDown UIInterfaceOrientationLandscapeLeft UIInterfaceOrientationLandscapeRight
      configs:
        Release:
          CODE_SIGN_STYLE: Manual
          CODE_SIGN_IDENTITY: Apple Distribution
          "CODE_SIGN_IDENTITY[sdk=iphoneos*]": Apple Distribution
          PROVISIONING_PROFILE_SPECIFIER: Sybil AppStore CI
 schemes:
  Sybil:
--- a/ios/Gemfile
+++ b/ios/Gemfile
@@ -1,3 +1,3 @@
 source "https://rubygems.org"
-gem "fastlane", "~> 2.227"
+gem "fastlane"
--- a/ios/Gemfile.lock
+++ b/ios/Gemfile.lock
@@ -225,7 +225,7 @@ PLATFORMS
  ruby
 DEPENDENCIES
-  fastlane (~> 2.227)
+  fastlane
 BUNDLED WITH
   2.5.23
--- a/ios/fastlane/Appfile
+++ b/ios/fastlane/Appfile
@@ -1,9 +0,0 @@
 require "dotenv"
 Dotenv.load(File.expand_path("../.env", __dir__))
 app_identifier(ENV.fetch("FASTLANE_APP_IDENTIFIER", "net.buzzert.sybil2"))
 team_id(ENV.fetch("FASTLANE_TEAM_ID", "DQQH5H6GBD"))
 apple_id(ENV["FASTLANE_USER"]) if ENV["FASTLANE_USER"].to_s.strip.length.positive?
 itc_team_id(ENV["FASTLANE_ITC_TEAM_ID"]) if ENV["FASTLANE_ITC_TEAM_ID"].to_s.strip.length.positive?
--- a/ios/fastlane/CI.md
+++ b/ios/fastlane/CI.md
@@ -1,58 +0,0 @@
 # TestFlight Release CI
 Gitea Actions publishes iOS releases from tags that match:
 ```sh
 release/vN.N.N
 ```
 For example:
 ```sh
 git tag release/v1.10.0
 git push origin release/v1.10.0
 ```
 The release job runs on the `xcode` runner label, imports the signing p12 into
 a temporary keychain, installs the App Store provisioning profile, builds and
 uploads the app with fastlane, then creates or updates the matching Gitea
 release with the generated IPA as an asset. The job deletes the temporary
 signing keychain in an `always()` cleanup step.
 Required repository secrets:
 ```text
 APP_STORE_CONNECT_API_KEY_ID
 APP_STORE_CONNECT_API_ISSUER_ID
 APP_STORE_CONNECT_API_KEY_CONTENT
 APPSTORE_CERTIFICATES_FILE_BASE64
 APPSTORE_CERTIFICATES_PASSWORD
 APPSTORE_PROVISIONING_PROFILE_BASE64
 ```
 Generate or refresh the signing assets locally with:
 ```sh
 cd ios
 fastlane ios create_ci_signing
 ```
 The generated `build/signing/ci-secrets.env` file is ignored by Git. Copy its
 certificate and provisioning profile values into the repository secrets listed
 above. The workflow uses the `Sybil AppStore CI` provisioning profile name by
 default.
 If the Apple team has reached the Distribution certificate limit, set
 `SYBIL_SIGNING_CERTIFICATE_ID` to the portal id for a certificate whose private
 key exists in the local login keychain before running `create_ci_signing`. The
 lane will export the local identity and create the provisioning profile against
 that existing certificate instead of creating another Distribution certificate.
 If `create_ci_signing` fails with an expired or missing agreement error, the
 Apple Developer Program account holder must accept the current agreements in
 App Store Connect before new certificates or provisioning profiles can be
 created through the API.
 The workflow uses Gitea's built-in `GITEA_TOKEN` for release creation and asset
 upload, with `contents: write` permissions. In Gitea this covers release asset
 publication.
--- a/ios/fastlane/Fastfile
+++ b/ios/fastlane/Fastfile
@@ -1,386 +1,214 @@
 require "dotenv"
 require "base64"
 require "fileutils"
 require "json"
 require "net/http"
 require "open3"
 require "openssl"
 require "securerandom"
 require "shellwords"
 require "uri"
 require "yaml"
 Dotenv.load(File.expand_path("../.env", __dir__))
 default_platform(:ios)
-APP_IDENTIFIER = ENV.fetch("FASTLANE_APP_IDENTIFIER", "net.buzzert.sybil2")
+APP_IDENTIFIER = "net.buzzert.sybil2"
-TEAM_ID = ENV.fetch("FASTLANE_TEAM_ID", "DQQH5H6GBD")
+SCHEME = "Sybil"
-APP_STORE_APPLE_ID = ENV.fetch("SYBIL_APP_STORE_APPLE_ID", "6759442828")
+TEAM_ID = "DQQH5H6GBD"
-PROVIDER_PUBLIC_ID = ENV.fetch("SYBIL_PROVIDER_PUBLIC_ID", "c043d167-ad88-4036-84ea-76c223f1b1b2")
+PROFILE_NAME = "Sybil AppStore CI"
-PROFILE_SPECIFIER = ENV["SYBIL_PROVISIONING_PROFILE_SPECIFIER"].to_s.strip.empty? ? "Sybil AppStore CI" : ENV["SYBIL_PROVISIONING_PROFILE_SPECIFIER"]
+SIGNING_IDENTITY = "Apple Distribution: James Magahern (DQQH5H6GBD)"
 CI_KEYCHAIN_NAME = "sybil_ci_keychain"
 CI_KEYCHAIN_PASSWORD = "sybil-ci-keychain-password"
 IOS_ROOT = File.expand_path("..", __dir__)
 PROJECT_FILE = File.join(IOS_ROOT, "Sybil.xcodeproj")
 PROJECT_SPEC = File.join(IOS_ROOT, "project.yml")
-APP_SPEC = File.join(IOS_ROOT, "Apps/Sybil/project.yml")
+CI_KEYCHAIN_PATH = File.join(File.expand_path("~/Library/Keychains"), CI_KEYCHAIN_NAME)
-SIGNING_OUTPUT_DIR = File.join(IOS_ROOT, "build/signing")
+CI_KEYCHAIN_DB_PATH = "#{CI_KEYCHAIN_PATH}-db"
-SCHEME = "Sybil"
+LOGIN_KEYCHAIN_PATH = File.expand_path("~/Library/Keychains/login.keychain")
-TARGET = "SybilApp"
+LOGIN_KEYCHAIN_DB_PATH = "#{LOGIN_KEYCHAIN_PATH}-db"
 def present?(value)
  !value.to_s.strip.empty?
 end
-def capture(command)
+def release_version
-  stdout, stderr, status = Open3.capture3(command)
+  tag = ENV["SYBIL_VERSION_TAG"].to_s
-  return stdout.strip if status.success?
+  tag = ENV["GITHUB_REF_NAME"].to_s if !present?(tag)
  tag = ENV["GITHUB_REF"].to_s.sub(%r{\Arefs/tags/}, "") if !present?(tag)
  tag = sh("git describe --tags --abbrev=0").strip if !present?(tag)
  version = tag.sub(%r{\Arelease/}, "").sub(/\Av/, "")
  UI.user_error!("Command failed: #{command}\n#{stderr.strip}")
 end
 def run_silent(*command, error_message:)
  _stdout, stderr, status = Open3.capture3(*command)
  return if status.success?
  UI.user_error!("#{error_message}\n#{stderr.strip}")
 end
 def user_keychains
  capture("security list-keychains -d user").lines.map { |line| line.strip.delete('"') }.reject(&:empty?)
 end
 def app_project_settings
  YAML.safe_load(File.read(APP_SPEC)).fetch("targets").fetch(TARGET).fetch("settings").fetch("base")
 end
 def local_marketing_version
  app_project_settings.fetch("MARKETING_VERSION").to_s
 end
 def local_build_number
  app_project_settings.fetch("CURRENT_PROJECT_VERSION").to_i
 end
 def normalize_version_tag(tag)
  version = tag.to_s.strip.sub(%r{\Arelease/}, "").sub(/\Av/, "")
  unless version.match?(/\A\d+\.\d+\.\d+\z/)
-    UI.user_error!("Release tag #{tag.inspect} must look like release/v1.10.0")
+    UI.user_error!("Release tag must look like v1.2.3; got #{tag.inspect}")
  end
  version
 end
-def release_version
+def ci?
-  tag = ENV["SYBIL_VERSION_TAG"]
+  present?(ENV["CI"])
  tag = capture("git describe --tags --abbrev=0") unless present?(tag)
  normalize_version_tag(tag)
 end
-def xcode_build_setting(key, value)
+# App Store Connect requires CFBundleVersion to be unique and strictly
-  "#{key}=#{value.to_s.shellescape}"
+# increasing app-wide (not just per marketing version), so we derive it from
-end
+# the monotonic CI run number rather than querying TestFlight (that query can
 # lag behind builds still processing and hand back a colliding value).
 def build_number
  value = ENV["SYBIL_BUILD_NUMBER"].to_s
  value = ENV["GITHUB_RUN_NUMBER"].to_s if !present?(value)
-def env_line(key, value)
+  unless value.match?(/\A\d+\z/)
-  "#{key}=#{value.to_s.shellescape}"
+    UI.user_error!("Build number must come from SYBIL_BUILD_NUMBER/GITHUB_RUN_NUMBER; got #{value.inspect}")
 end
 def base64url(value)
  Base64.urlsafe_encode64(value).delete("=")
 end
 def integer_to_fixed_bytes(integer, length)
  hex = integer.to_s(16)
  hex = "0#{hex}" if hex.length.odd?
  [hex].pack("H*").rjust(length, "\0")[-length, length]
 end
 def app_store_connect_private_key
  key_path = ENV["APP_STORE_CONNECT_API_KEY_PATH"]
  key_content = ENV["APP_STORE_CONNECT_API_KEY_CONTENT"]
  pem = if present?(key_path)
          File.read(key_path)
        elsif present?(key_content)
          ENV["APP_STORE_CONNECT_API_KEY_CONTENT_BASE64"].to_s == "true" ? Base64.decode64(key_content) : key_content
        end
  UI.user_error!("App Store Connect API key content is required") unless present?(pem)
  OpenSSL::PKey::EC.new(pem)
 end
 def app_store_connect_jwt
  key_id = ENV["APP_STORE_CONNECT_API_KEY_ID"]
  issuer_id = ENV["APP_STORE_CONNECT_API_ISSUER_ID"]
  issuer_id = ENV["APP_STORE_CONNECT_API_KEY_ISSUER_ID"] unless present?(issuer_id)
  UI.user_error!("App Store Connect API key id and issuer id are required") unless present?(key_id) && present?(issuer_id)
  header = { alg: "ES256", kid: key_id, typ: "JWT" }
  payload = { iss: issuer_id, iat: Time.now.to_i, exp: Time.now.to_i + 600, aud: "appstoreconnect-v1" }
  unsigned = [base64url(header.to_json), base64url(payload.to_json)].join(".")
  asn1_signature = app_store_connect_private_key.dsa_sign_asn1(OpenSSL::Digest::SHA256.digest(unsigned))
  signature_sequence = OpenSSL::ASN1.decode(asn1_signature)
  raw_signature = signature_sequence.value.map { |part| integer_to_fixed_bytes(part.value, 32) }.join
  [unsigned, base64url(raw_signature)].join(".")
 end
 def app_store_connect_request(method, path, payload = nil)
  uri = URI("https://api.appstoreconnect.apple.com#{path}")
  request_class = Net::HTTP.const_get(method.to_s.capitalize)
  request = request_class.new(uri)
  request["Authorization"] = "Bearer #{app_store_connect_jwt}"
  if payload
    request["Content-Type"] = "application/json"
    request.body = payload.to_json
  end
-  response = Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) { |http| http.request(request) }
+  value.to_i
  return {} if response.is_a?(Net::HTTPSuccess) && response.body.to_s.empty?
  return JSON.parse(response.body) if response.is_a?(Net::HTTPSuccess)
  UI.user_error!("App Store Connect API request failed: #{method.to_s.upcase} #{path}\n#{response.body}")
 end
-def bundle_id_resource_id
+def ci_keychain_path
-  response = app_store_connect_request(
+  File.file?(CI_KEYCHAIN_DB_PATH) ? CI_KEYCHAIN_DB_PATH : CI_KEYCHAIN_PATH
    :get,
    "/v1/bundleIds?filter[identifier]=#{URI.encode_www_form_component(APP_IDENTIFIER)}&limit=1"
  )
  id = response.fetch("data", []).first&.fetch("id", nil)
  UI.user_error!("Could not find App Store Connect bundle id resource for #{APP_IDENTIFIER}") unless present?(id)
  id
 end
 def recreate_app_store_profile(certificate_id)
  existing = app_store_connect_request(
    :get,
    "/v1/profiles?filter[name]=#{URI.encode_www_form_component(PROFILE_SPECIFIER)}&limit=200"
  )
  existing.fetch("data", []).each do |profile|
    app_store_connect_request(:delete, "/v1/profiles/#{profile.fetch("id")}")
  end
  payload = {
    data: {
      type: "profiles",
      attributes: {
        name: PROFILE_SPECIFIER,
        profileType: "IOS_APP_STORE"
      },
      relationships: {
        bundleId: {
          data: { type: "bundleIds", id: bundle_id_resource_id }
        },
        certificates: {
          data: [{ type: "certificates", id: certificate_id }]
        }
      }
    }
  }
  response = app_store_connect_request(:post, "/v1/profiles", payload)
  profile_content = response.dig("data", "attributes", "profileContent")
  UI.user_error!("App Store Connect profile response did not include profileContent") unless present?(profile_content)
  profile_path = File.join(SIGNING_OUTPUT_DIR, "Sybil_AppStore_CI.mobileprovision")
  File.binwrite(profile_path, Base64.decode64(profile_content))
  install_dir = File.expand_path("~/Library/MobileDevice/Provisioning Profiles")
  FileUtils.mkdir_p(install_dir)
  FileUtils.cp(profile_path, File.join(install_dir, "Sybil_AppStore_CI.mobileprovision"))
  profile_path
 end
 def app_store_connect_key_options
  key_id = ENV["APP_STORE_CONNECT_API_KEY_ID"]
  issuer_id = ENV["APP_STORE_CONNECT_API_ISSUER_ID"]
  issuer_id = ENV["APP_STORE_CONNECT_API_KEY_ISSUER_ID"] unless present?(issuer_id)
  return nil unless present?(key_id) && present?(issuer_id)
  key_path = ENV["APP_STORE_CONNECT_API_KEY_PATH"]
  key_content = ENV["APP_STORE_CONNECT_API_KEY_CONTENT"]
  if present?(key_path)
    {
      key_id: key_id,
      issuer_id: issuer_id,
      key_filepath: key_path
    }
  elsif present?(key_content)
    {
      key_id: key_id,
      issuer_id: issuer_id,
      key_content: key_content,
      is_key_content_base64: ENV["APP_STORE_CONNECT_API_KEY_CONTENT_BASE64"].to_s == "true"
    }
  end
 end
 platform :ios do
-  private_lane :load_app_store_connect_api_key do
+  private_lane :app_store_api_key do
-    options = app_store_connect_key_options
+    app_store_connect_api_key(
-    UI.user_error!("App Store Connect API key is required") unless options
+      key_id: ENV.fetch("APP_STORE_CONNECT_KEY_ID"),
-
+      issuer_id: ENV.fetch("APP_STORE_CONNECT_ISSUER_ID"),
-    app_store_connect_api_key(options)
+      key_content: ENV.fetch("APP_STORE_CONNECT_KEY_CONTENT"),
      is_key_content_base64: true
    )
  end
-  desc "Show the version Fastlane will stamp into the next TestFlight archive"
+  private_lane :setup_ci_signing do
-  lane :version do
+    next unless ci?
-    UI.message("Git tag version: #{release_version}")
+
-    UI.message("Checked-in app version: #{local_marketing_version}")
+    FileUtils.mkdir_p(File.dirname(CI_KEYCHAIN_PATH))
-    UI.message("Checked-in build number: #{local_build_number}")
+    sh("security delete-keychain #{CI_KEYCHAIN_PATH.shellescape} || true", log: false)
    FileUtils.rm_f(CI_KEYCHAIN_PATH)
    FileUtils.rm_f(CI_KEYCHAIN_DB_PATH)
    create_keychain(
      path: CI_KEYCHAIN_PATH,
      password: CI_KEYCHAIN_PASSWORD,
      default_keychain: false,
      unlock: true,
      timeout: 3600,
      lock_when_sleeps: true,
      add_to_search_list: false
    )
    sh("security default-keychain -d user -s #{CI_KEYCHAIN_PATH.shellescape}", log: false)
    sh("security list-keychains -d user -s #{ci_keychain_path.shellescape}", log: false)
    sh("security list-keychains -d dynamic -s #{ci_keychain_path.shellescape} || true", log: false)
    sh("security list-keychains -d common -s #{ci_keychain_path.shellescape} || true", log: false)
    ENV["MATCH_KEYCHAIN_NAME"] = CI_KEYCHAIN_PATH
    ENV["MATCH_KEYCHAIN_PASSWORD"] = CI_KEYCHAIN_PASSWORD
    ENV["MATCH_READONLY"] = "true"
  end
-  desc "Create CI signing certificate/profile and write ignored secret material under build/signing"
+  private_lane :cleanup_ci_signing do
-  lane :create_ci_signing do
+    next unless ci?
    api_key = load_app_store_connect_api_key
-    FileUtils.rm_rf(SIGNING_OUTPUT_DIR)
+    if File.file?(LOGIN_KEYCHAIN_DB_PATH) || File.file?(LOGIN_KEYCHAIN_PATH)
-    FileUtils.mkdir_p(SIGNING_OUTPUT_DIR)
+      sh("security default-keychain -d user -s #{LOGIN_KEYCHAIN_PATH.shellescape} || true", log: false)
      sh("security list-keychains -d user -s #{LOGIN_KEYCHAIN_DB_PATH.shellescape} || true", log: false)
    end
    sh("security delete-keychain #{ci_keychain_path.shellescape} || true", log: false)
    FileUtils.rm_f(CI_KEYCHAIN_PATH)
    FileUtils.rm_f(CI_KEYCHAIN_DB_PATH)
  rescue => error
    UI.message("Unable to delete temporary CI keychain: #{error.message}")
  ensure
    ENV.delete("MATCH_KEYCHAIN_NAME")
    ENV.delete("MATCH_KEYCHAIN_PASSWORD")
    ENV.delete("MATCH_READONLY")
  end
-    cert_id = ENV["SYBIL_SIGNING_CERTIFICATE_ID"].to_s
+  private_lane :sync_signing do |options|
-    keychain_path = nil
+    match_options = {
-    keychain_password = nil
+      type: "appstore",
-    p12_path = File.join(SIGNING_OUTPUT_DIR, "appstore-signing.p12")
+      readonly: options.fetch(:readonly),
-    p12_password = ENV["SYBIL_CI_P12_PASSWORD"].to_s
+      app_identifier: APP_IDENTIFIER,
-    if p12_password.empty?
+      team_id: TEAM_ID,
-      p12_password = SecureRandom.base64(24)
+      profile_name: PROFILE_NAME,
-      UI.important("Generated a p12 password for CI secrets.")
+      git_url: ENV.fetch("MATCH_GIT_URL"),
      git_branch: "master",
      git_full_name: "Sybil Release Bot",
      git_user_email: "james.magahern@me.com",
      api_key: options.fetch(:api_key)
    }
    match_options[:keychain_name] = ENV["MATCH_KEYCHAIN_NAME"] if present?(ENV["MATCH_KEYCHAIN_NAME"])
    match_options[:keychain_password] = ENV["MATCH_KEYCHAIN_PASSWORD"] if ENV.key?("MATCH_KEYCHAIN_PASSWORD")
    match(match_options)
  end
  private_lane :verify_ci_signing do
    next unless ci?
    if File.file?(ci_keychain_path)
      password = ENV.fetch("MATCH_KEYCHAIN_PASSWORD", "")
      sh("security unlock-keychain -p #{password.shellescape} #{ci_keychain_path.shellescape}", log: false)
      sh("security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k #{password.shellescape} #{ci_keychain_path.shellescape}", log: false)
    end
-    begin
+    identities = sh("security find-identity -v -p codesigning #{ci_keychain_path.shellescape}", log: false)
-      if present?(cert_id)
+    UI.message(identities)
        UI.message("Using existing signing certificate id #{cert_id}")
        export_keychain = ENV["SYBIL_SIGNING_KEYCHAIN"].to_s
        export_keychain = File.expand_path("~/Library/Keychains/login.keychain-db") unless present?(export_keychain)
        run_silent(
          "security", "export", "-k", export_keychain, "-t", "identities", "-f", "pkcs12", "-P", p12_password, "-o", p12_path,
          error_message: "Could not export the local CI signing identity"
        )
      else
        keychain_path = File.join(SIGNING_OUTPUT_DIR, "sybil_ci_signing.keychain-db")
        keychain_password = SecureRandom.base64(24)
        run_silent(
          "security", "create-keychain", "-p", keychain_password, keychain_path,
          error_message: "Could not create temporary signing keychain"
        )
        run_silent(
          "security", "set-keychain-settings", "-lut", "21600", keychain_path,
          error_message: "Could not configure temporary signing keychain"
        )
        run_silent(
          "security", "unlock-keychain", "-p", keychain_password, keychain_path,
          error_message: "Could not unlock temporary signing keychain"
        )
        run_silent(
          "security", "list-keychains", "-d", "user", "-s", keychain_path, *user_keychains,
          error_message: "Could not add temporary signing keychain to the user search list"
        )
-        cert(
+    unless identities.include?(SIGNING_IDENTITY)
-          api_key: api_key,
+      UI.user_error!("The CI keychain search list does not contain #{SIGNING_IDENTITY}")
          development: false,
          force: true,
          generate_apple_certs: true,
          keychain_password: keychain_password,
          keychain_path: keychain_path,
          output_path: SIGNING_OUTPUT_DIR,
          platform: "ios"
        )
        cert_id = lane_context[SharedValues::CERT_CERTIFICATE_ID]
        UI.user_error!("Could not resolve generated certificate id") unless present?(cert_id)
        run_silent(
          "security", "export", "-k", keychain_path, "-t", "identities", "-f", "pkcs12", "-P", p12_password, "-o", p12_path,
          error_message: "Could not export the generated CI signing identity"
        )
      end
      UI.user_error!("Could not find exported p12 at #{p12_path}") unless File.exist?(p12_path)
      profile_path = recreate_app_store_profile(cert_id)
      UI.user_error!("Could not resolve generated provisioning profile path") unless present?(profile_path) && File.exist?(profile_path)
      secrets_path = File.join(SIGNING_OUTPUT_DIR, "ci-secrets.env")
      File.write(
        secrets_path,
        [
          env_line("APPSTORE_CERTIFICATES_FILE_BASE64", Base64.strict_encode64(File.binread(p12_path))),
          env_line("APPSTORE_CERTIFICATES_PASSWORD", p12_password),
          env_line("APPSTORE_PROVISIONING_PROFILE_BASE64", Base64.strict_encode64(File.binread(profile_path))),
          env_line("SYBIL_PROVISIONING_PROFILE_SPECIFIER", PROFILE_SPECIFIER)
        ].join("\n") + "\n"
      )
    ensure
      system("security", "delete-keychain", keychain_path, out: File::NULL, err: File::NULL) if present?(keychain_path) && File.exist?(keychain_path)
    end
    UI.success("Created CI signing files in #{SIGNING_OUTPUT_DIR}")
    UI.important("Add the values from #{secrets_path} as repository secrets.")
  end
-  desc "Build Sybil and upload it to TestFlight"
+  desc "Create or update match signing assets"
  lane :setup_signing do
    sync_signing(api_key: app_store_api_key, readonly: false)
  end
  desc "Build and upload to TestFlight"
  lane :beta do
-    version = release_version
+    setup_ci_signing
    build_number = ENV["SYBIL_BUILD_NUMBER"].to_s
    api_key = load_app_store_connect_api_key
-    unless present?(build_number)
+    api_key = app_store_api_key
      build_number = (local_build_number + 1).to_s
      begin
        latest = latest_testflight_build_number(
          app_identifier: APP_IDENTIFIER,
          version: version,
          api_key: api_key,
          initial_build_number: local_build_number
        ).to_i
        build_number = [latest + 1, local_build_number + 1].max.to_s
      rescue StandardError => e
        UI.important("Could not look up TestFlight build number: #{e.message}")
        UI.important("Using checked-in build number + 1: #{build_number}")
      end
    end
    UI.user_error!("Build number must be a positive integer") unless build_number.match?(/\A[1-9]\d*\z/)
    sh("xcodegen --spec #{PROJECT_SPEC.shellescape}")
-    xcode_args = [
+    increment_version_number(
-      xcode_build_setting("MARKETING_VERSION", version),
+      version_number: release_version,
-      xcode_build_setting("CURRENT_PROJECT_VERSION", build_number),
+      xcodeproj: PROJECT_FILE
-      xcode_build_setting("CODE_SIGN_STYLE", "Manual"),
+    )
      xcode_build_setting("DEVELOPMENT_TEAM", TEAM_ID),
      xcode_build_setting("PROVISIONING_PROFILE_SPECIFIER", PROFILE_SPECIFIER),
      xcode_build_setting("CODE_SIGN_IDENTITY", "Apple Distribution")
    ].join(" ")
-    ipa_path = build_app(
+    increment_build_number(
      build_number: build_number,
      xcodeproj: PROJECT_FILE
    )
    sync_signing(api_key: api_key, readonly: true)
    verify_ci_signing
    xcargs = [
      "DEVELOPMENT_TEAM=#{TEAM_ID.shellescape}",
      "CODE_SIGN_STYLE=Manual",
      "CODE_SIGN_IDENTITY=Apple\\ Distribution",
      "PROVISIONING_PROFILE_SPECIFIER=#{PROFILE_NAME.shellescape}"
    ]
    if ci?
      xcargs << "CODE_SIGN_KEYCHAIN=#{ci_keychain_path.shellescape}"
      xcargs << "OTHER_CODE_SIGN_FLAGS=#{("--keychain #{ci_keychain_path}").shellescape}"
    end
    build_app(
      project: PROJECT_FILE,
      scheme: SCHEME,
      clean: true,
      sdk: "iphoneos",
      export_method: "app-store",
-      output_directory: File.join(IOS_ROOT, "build/fastlane"),
+      codesigning_identity: "Apple Distribution",
-      output_name: "Sybil-#{version}-#{build_number}.ipa",
+      xcargs: xcargs.join(" "),
      xcargs: xcode_args,
      export_options: {
        method: "app-store",
        destination: "export",
        signingStyle: "manual",
        provisioningProfiles: {
          APP_IDENTIFIER => PROFILE_SPECIFIER
        },
        teamID: TEAM_ID,
-        manageAppVersionAndBuildNumber: false,
+        provisioningProfiles: {
-        uploadSymbols: true,
+          APP_IDENTIFIER => PROFILE_NAME
-        stripSwiftSymbols: true
+        }
      }
    )
    ipa_path ||= lane_context[SharedValues::IPA_OUTPUT_PATH]
    UI.user_error!("IPA export failed; no IPA path was returned") unless present?(ipa_path) && File.exist?(ipa_path)
    upload_to_testflight(
      api_key: api_key,
      app_identifier: APP_IDENTIFIER,
      ipa: ipa_path,
      skip_waiting_for_build_processing: true
    )
  ensure
    cleanup_ci_signing
  end
 end
--- a/ios/fastlane/README.md
+++ b/ios/fastlane/README.md
@@ -1,48 +0,0 @@
 fastlane documentation
 ----
 # Installation
 Make sure you have the latest version of the Xcode command line tools installed:
 ```sh
 xcode-select --install
 ```
 For _fastlane_ installation instructions, see [Installing _fastlane_](https://docs.fastlane.tools/#installing-fastlane)
 # Available Actions
 ## iOS
 ### ios version
 ```sh
 [bundle exec] fastlane ios version
 ```
 Show the version Fastlane will stamp into the next TestFlight archive
 ### ios create_ci_signing
 ```sh
 [bundle exec] fastlane ios create_ci_signing
 ```
 Create CI signing certificate/profile and write ignored secret material under build/signing
 ### ios beta
 ```sh
 [bundle exec] fastlane ios beta
 ```
 Build Sybil and upload it to TestFlight
 ----
 This README.md is auto-generated and will be re-generated every time [_fastlane_](https://fastlane.tools) is run.
 More information about _fastlane_ can be found on [fastlane.tools](https://fastlane.tools).
 The documentation of _fastlane_ can be found on [docs.fastlane.tools](https://docs.fastlane.tools).
`@@ -1,3 +1,3 @@`
	`source "https://rubygems.org"`	`source "https://rubygems.org"`

	`gem "fastlane", "~> 2.227"`	`gem "fastlane"`