ios: trust Apple root in CI signing keychain

ios: install Apple WWDR intermediate in CI
ios: avoid default keychain mutation in ci
2026-06-25 21:12:53 -07:00 · 2026-06-25 21:11:01 -07:00 · 2026-06-25 21:08:32 -07:00 · 2026-06-25 21:07:38 -07:00
2 changed files with 15 additions and 1 deletions
--- a/.gitea/workflows/testflight-release.yml
+++ b/.gitea/workflows/testflight-release.yml
@@ -89,11 +89,19 @@ jobs:

          printf '%s' "${APPSTORE_CERTIFICATES_FILE_BASE64}" | base64 --decode > ios/build/secrets/appstore-signing.p12
          printf '%s' "${APPSTORE_PROVISIONING_PROFILE_BASE64}" | base64 --decode > "${HOME}/Library/MobileDevice/Provisioning Profiles/Sybil_AppStore_CI.mobileprovision"
+          curl -fsSL https://www.apple.com/appleca/AppleIncRootCertificate.cer -o ios/build/secrets/AppleIncRootCertificate.cer
+          curl -fsSL https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer -o ios/build/secrets/AppleWWDRCAG3.cer

          security create-keychain -p "${keychain_password}" "${keychain_path}"
          security set-keychain-settings -lut 21600 "${keychain_path}"
          security unlock-keychain -p "${keychain_password}" "${keychain_path}"
          security list-keychains -d user -s "${keychain_path}" $(security list-keychains -d user | sed 's/[ "]//g')
+          security add-trusted-cert -r trustRoot -k "${keychain_path}" ios/build/secrets/AppleIncRootCertificate.cer
+          security import ios/build/secrets/AppleWWDRCAG3.cer \
+            -k "${keychain_path}" \
+            -T /usr/bin/codesign \
+            -T /usr/bin/security \
+            -T /usr/bin/xcodebuild
          security import ios/build/secrets/appstore-signing.p12 \
            -k "${keychain_path}" \
            -P "${APPSTORE_CERTIFICATES_PASSWORD}" \
@@ -101,6 +109,8 @@ jobs:
            -T /usr/bin/security \
            -T /usr/bin/xcodebuild
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${keychain_password}" "${keychain_path}"
+          security find-identity -v -p codesigning "${keychain_path}"
+          echo "SYBIL_SIGNING_KEYCHAIN_PATH=${keychain_path}" >> "${GITHUB_ENV}"

      - name: Build and upload to TestFlight
        working-directory: ios
--- a/ios/fastlane/Fastfile
+++ b/ios/fastlane/Fastfile
@@ -349,7 +349,11 @@ platform :ios do
      xcode_build_setting("DEVELOPMENT_TEAM", TEAM_ID),
      xcode_build_setting("PROVISIONING_PROFILE_SPECIFIER", PROFILE_SPECIFIER),
      xcode_build_setting("CODE_SIGN_IDENTITY", SIGNING_CERTIFICATE_NAME)
-    ].join(" ")
+    ]
+    if present?(ENV["SYBIL_SIGNING_KEYCHAIN_PATH"])
+      xcode_args << xcode_build_setting("OTHER_CODE_SIGN_FLAGS", "--keychain #{ENV.fetch("SYBIL_SIGNING_KEYCHAIN_PATH")}")
+    end
+    xcode_args = xcode_args.join(" ")

    ipa_path = build_app(
      project: PROJECT_FILE,
Author	SHA1	Message	Date
James Magahern	b8676027db	ios: trust Apple root in CI signing keychain Some checks failed TestFlight Release / testflight (push) Failing after 8s Details	2026-06-25 21:12:53 -07:00
James Magahern	d36d2c60a3	ios: install Apple WWDR intermediate in CI Some checks failed TestFlight Release / testflight (push) Failing after 18s Details	2026-06-25 21:11:01 -07:00
James Magahern	3d7031bb40	ios: avoid default keychain mutation in ci Some checks failed TestFlight Release / testflight (push) Failing after 17s Details	2026-06-25 21:08:32 -07:00
James Magahern	fa9b725c77	ios: expose signing keychain to xcodebuild Some checks failed TestFlight Release / testflight (push) Failing after 9s Details	2026-06-25 21:07:38 -07:00