ios: pass signing settings to archive

ios: avoid system default keychain writes
ios: set ci keychain in default domain
2026-06-25 22:19:25 -07:00 · 2026-06-25 22:16:24 -07:00 · 2026-06-25 22:14:25 -07:00 · 2026-06-25 22:12:17 -07:00 · 2026-06-25 22:10:06 -07:00 · 2026-06-25 22:07:12 -07:00
4 changed files with 38 additions and 23 deletions
--- a/.gitea/workflows/testflight-release.yml
+++ b/.gitea/workflows/testflight-release.yml
@@ -91,8 +91,7 @@ jobs:
          developer_dir="$(xcode-select -p)"
          signing_dir="$(mktemp -d "${RUNNER_TEMP:-${TMPDIR:-/tmp}}/sybil-signing.XXXXXX")"
          mkdir -p "${HOME}/Library/Keychains"
-          keychain_dir="$(cd "${HOME}/Library/Keychains" && pwd -P)"
+          keychain_name="${HOME}/Library/Keychains/login.keychain"
          keychain_path="${keychain_dir}/${SIGNING_KEYCHAIN}-${GITHUB_RUN_ID:-$(uuidgen)}.keychain-db"
          certificate_path="${signing_dir}/appstore-signing.p12"
          wwdr_certificate_path="${signing_dir}/AppleWWDRCAG3.cer"
          profile_path="${signing_dir}/Sybil_AppStore_CI.mobileprovision"
@@ -124,35 +123,39 @@ jobs:
            base_keychains+=("${existing_keychain}")
          done < <(security list-keychains -d user | sed 's/[ "]//g')
-          security delete-keychain "${keychain_path}" >/dev/null 2>&1 || true
+          security delete-keychain "${keychain_name}" >/dev/null 2>&1 || true
-          rm -f "${keychain_path}"
+          rm -f "${HOME}/Library/Keychains/${keychain_name}-db"
-          security create-keychain -p "${keychain_password}" "${keychain_path}"
+          security create-keychain -p "${keychain_password}" "${keychain_name}"
-          security set-keychain-settings -lut 21600 "${keychain_path}"
+          security set-keychain-settings -lut 21600 "${keychain_name}"
-          security unlock-keychain -p "${keychain_password}" "${keychain_path}"
+          security unlock-keychain -p "${keychain_password}" "${keychain_name}"
          security import "${wwdr_certificate_path}" \
-            -k "${keychain_path}" \
+            -k "${keychain_name}" \
            -T /usr/bin/codesign \
            -T /usr/bin/security \
            -T /usr/bin/xcodebuild
          security import "${certificate_path}" \
-            -k "${keychain_path}" \
+            -k "${keychain_name}" \
            -P "${APPSTORE_CERTIFICATES_PASSWORD}" \
            -T /usr/bin/codesign \
            -T /usr/bin/security \
            -T /usr/bin/xcodebuild \
            -T "${developer_dir}/usr/bin/xcodebuild"
-          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${keychain_password}" "${keychain_path}"
+          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${keychain_password}" "${keychain_name}"
          if [[ "${#base_keychains[@]}" -gt 0 ]]; then
-            security list-keychains -d user -s "${keychain_path}" "${base_keychains[@]}"
+            security list-keychains -d user -s "${keychain_name}" "${base_keychains[@]}"
            security list-keychains -s "${keychain_name}" "${base_keychains[@]}"
          else
-            security list-keychains -d user -s "${keychain_path}"
+            security list-keychains -d user -s "${keychain_name}"
            security list-keychains -s "${keychain_name}"
          fi
-          security default-keychain -d user -s "${keychain_path}"
+          security default-keychain -d user -s "${keychain_name}"
          keychain_path="$(security list-keychains -d user | sed 's/[ "]//g' | head -n 1)"
          security find-identity -v -p codesigning "${keychain_path}"
          security find-identity -v -p codesigning
          echo "Installed ${profile_name} (${profile_uuid}) provisioning profile"
          {
            echo "SYBIL_SIGNING_KEYCHAIN_PATH=${keychain_path}"
            echo "SYBIL_SIGNING_KEYCHAIN_NAME=${keychain_name}"
            echo "SYBIL_SIGNING_KEYCHAIN_PASSWORD=${keychain_password}"
            echo "SYBIL_PREVIOUS_DEFAULT_KEYCHAIN=${previous_default_keychain}"
            echo "SYBIL_PROVISIONING_PROFILE_UUID=${profile_uuid}"
@@ -180,6 +183,7 @@ jobs:
          security unlock-keychain -p "${SYBIL_SIGNING_KEYCHAIN_PASSWORD}" "${SYBIL_SIGNING_KEYCHAIN_PATH}"
          security list-keychains -d user -s "${SYBIL_SIGNING_KEYCHAIN_PATH}" $(security list-keychains -d user | sed 's/[ "]//g')
          security default-keychain -d user -s "${SYBIL_SIGNING_KEYCHAIN_PATH}"
          security list-keychains -s "${SYBIL_SIGNING_KEYCHAIN_PATH}" $(security list-keychains | sed 's/[ "]//g')
          security find-identity -v -p codesigning "${SYBIL_SIGNING_KEYCHAIN_PATH}"
          security find-identity -v -p codesigning
--- a/ios/.env.example
+++ b/ios/.env.example
@@ -7,7 +7,8 @@ SYBIL_PROVIDER_PUBLIC_ID=c043d167-ad88-4036-84ea-76c223f1b1b2
 SYBIL_PROVISIONING_PROFILE_SPECIFIER=Sybil AppStore CI
 SYBIL_PROVISIONING_PROFILE_UUID=
 SYBIL_CODE_SIGN_IDENTITY=Apple Distribution: James Magahern (DQQH5H6GBD)
-SYBIL_XCODE_CODE_SIGN_IDENTITY=Apple Distribution
+SYBIL_XCODE_CODE_SIGN_IDENTITY=6B74B268C4761720FB2051D01D8BB3E47B55D9F5
 SYBIL_EXPORT_SIGNING_CERTIFICATE=Apple Distribution
 SYBIL_SIGNING_CERTIFICATE_ID=
 SYBIL_SIGNING_KEYCHAIN=
--- a/ios/fastlane/CI.md
+++ b/ios/fastlane/CI.md
@@ -13,14 +13,15 @@ git tag release/v1.10.0
 git push origin release/v1.10.0
 ```
-The release job runs on the `xcode` runner label, imports the signing p12 into
+The release job runs on the `xcode` runner label, creates the runner user's
-a temporary per-user keychain, makes that keychain the user default for the
+login keychain from Gitea secrets, makes that keychain the user default for the
 duration of the job, installs the App Store provisioning profile in both the
 legacy MobileDevice directory and the Xcode UserData directory used by newer
 Xcode releases, builds and uploads the app with fastlane, then creates or
 updates the matching Gitea release with the generated IPA as an asset. The job
-restores the previous user default keychain and deletes the temporary signing
+restores the previous user default keychain and deletes the user login keychain
-keychain and installed profiles in an `always()` cleanup step.
+and installed profiles in an `always()` cleanup step. No signing material is
 installed into the system keychain.
 Required repository secrets:
@@ -47,8 +48,9 @@ default.
 Fastlane keeps two signing names separate. `SYBIL_CODE_SIGN_IDENTITY` is the
 exact certificate common name used when exporting a local p12 for secrets, while
-`SYBIL_XCODE_CODE_SIGN_IDENTITY` defaults to the generic `Apple Distribution`
+`SYBIL_XCODE_CODE_SIGN_IDENTITY` defaults to the certificate SHA-1 fingerprint
-selector that Xcode uses during archive/export.
+that Xcode uses during archive. `SYBIL_EXPORT_SIGNING_CERTIFICATE` defaults to
 the generic `Apple Distribution` selector used in the export options.
 The Release signing settings are also present in `Apps/Sybil/project.yml` so
 XcodeGen emits a manually signed App Store archive configuration. CI passes the
--- a/ios/fastlane/Fastfile
+++ b/ios/fastlane/Fastfile
@@ -20,7 +20,8 @@ APP_STORE_APPLE_ID = ENV.fetch("SYBIL_APP_STORE_APPLE_ID", "6759442828")
 PROVIDER_PUBLIC_ID = ENV.fetch("SYBIL_PROVIDER_PUBLIC_ID", "c043d167-ad88-4036-84ea-76c223f1b1b2")
 PROFILE_SPECIFIER = ENV["SYBIL_PROVISIONING_PROFILE_SPECIFIER"].to_s.strip.empty? ? "Sybil AppStore CI" : ENV["SYBIL_PROVISIONING_PROFILE_SPECIFIER"]
 SIGNING_CERTIFICATE_NAME = ENV["SYBIL_CODE_SIGN_IDENTITY"].to_s.strip.empty? ? "Apple Distribution: James Magahern (DQQH5H6GBD)" : ENV["SYBIL_CODE_SIGN_IDENTITY"]
-XCODE_CODE_SIGN_IDENTITY = ENV["SYBIL_XCODE_CODE_SIGN_IDENTITY"].to_s.strip.empty? ? "Apple Distribution" : ENV["SYBIL_XCODE_CODE_SIGN_IDENTITY"]
+XCODE_CODE_SIGN_IDENTITY = ENV["SYBIL_XCODE_CODE_SIGN_IDENTITY"].to_s.strip.empty? ? "6B74B268C4761720FB2051D01D8BB3E47B55D9F5" : ENV["SYBIL_XCODE_CODE_SIGN_IDENTITY"]
 EXPORT_SIGNING_CERTIFICATE = ENV["SYBIL_EXPORT_SIGNING_CERTIFICATE"].to_s.strip.empty? ? "Apple Distribution" : ENV["SYBIL_EXPORT_SIGNING_CERTIFICATE"]
 IOS_ROOT = File.expand_path("..", __dir__)
 PROJECT_FILE = File.join(IOS_ROOT, "Sybil.xcodeproj")
 PROJECT_SPEC = File.join(IOS_ROOT, "project.yml")
@@ -433,8 +434,15 @@ platform :ios do
    xcode_args = [
      xcode_build_setting("MARKETING_VERSION", version),
-      xcode_build_setting("CURRENT_PROJECT_VERSION", build_number)
+      xcode_build_setting("CURRENT_PROJECT_VERSION", build_number),
      xcode_build_setting("CODE_SIGN_STYLE", "Manual"),
      xcode_build_setting("DEVELOPMENT_TEAM", TEAM_ID),
      xcode_build_setting("PROVISIONING_PROFILE_SPECIFIER", PROFILE_SPECIFIER),
      xcode_build_setting("CODE_SIGN_IDENTITY", XCODE_CODE_SIGN_IDENTITY)
    ]
    if present?(ENV["SYBIL_PROVISIONING_PROFILE_UUID"])
      xcode_args << xcode_build_setting("PROVISIONING_PROFILE", ENV.fetch("SYBIL_PROVISIONING_PROFILE_UUID"))
    end
    if present?(ENV["SYBIL_SIGNING_KEYCHAIN_PATH"])
      xcode_args << xcode_build_setting("CODE_SIGN_KEYCHAIN", ENV.fetch("SYBIL_SIGNING_KEYCHAIN_PATH"))
      xcode_args << xcode_build_setting("OTHER_CODE_SIGN_FLAGS", "--keychain #{ENV.fetch("SYBIL_SIGNING_KEYCHAIN_PATH")}")
@@ -457,7 +465,7 @@ platform :ios do
        provisioningProfiles: {
          APP_IDENTIFIER => PROFILE_SPECIFIER
        },
-        signingCertificate: XCODE_CODE_SIGN_IDENTITY,
+        signingCertificate: EXPORT_SIGNING_CERTIFICATE,
        teamID: TEAM_ID,
        manageAppVersionAndBuildNumber: false,
        uploadSymbols: true,
Author	SHA1	Message	Date
James Magahern	272ad0bbf0	ios: pass signing settings to archive Some checks failed TestFlight Release / testflight (push) Failing after 17s Details	2026-06-25 22:19:25 -07:00
James Magahern	de7b448bc5	ios: avoid system default keychain writes Some checks failed TestFlight Release / testflight (push) Failing after 16s Details	2026-06-25 22:16:24 -07:00
James Magahern	3c7fc51fdb	ios: set ci keychain in default domain Some checks failed TestFlight Release / testflight (push) Failing after 10s Details	2026-06-25 22:14:25 -07:00
James Magahern	0062f37b9f	ios: sign with disposable login keychain Some checks failed TestFlight Release / testflight (push) Failing after 17s Details	2026-06-25 22:12:17 -07:00
James Magahern	0ae551615f	ios: use signing identity fingerprint in ci Some checks failed TestFlight Release / testflight (push) Failing after 16s Details	2026-06-25 22:10:06 -07:00
James Magahern	88bef50ae7	ios: create named ci keychain in home Some checks failed TestFlight Release / testflight (push) Failing after 15s Details	2026-06-25 22:07:12 -07:00
James Magahern	0d069b4233	ios: create ci keychain by name Some checks failed TestFlight Release / testflight (push) Failing after 11s Details	2026-06-25 22:05:47 -07:00