ios: install ci profiles for xcode signing

.gitea/workflows/testflight-release.yml

@@ -84,25 +84,59 @@ jobs:
           : "${APPSTORE_PROVISIONING_PROFILE_BASE64:?APPSTORE_PROVISIONING_PROFILE_BASE64 secret is required}"
 
           keychain_password="$(uuidgen)"
-          keychain_path="${HOME}/Library/Keychains/${SIGNING_KEYCHAIN}.keychain-db"
+          keychain_name="${SIGNING_KEYCHAIN}.keychain"
-          mkdir -p "${HOME}/Library/Keychains" "${HOME}/Library/MobileDevice/Provisioning Profiles" ios/build/secrets
+          previous_default_keychain="$(security default-keychain -d user | sed 's/[ "]//g' || true)"
+          developer_dir="$(xcode-select -p)"
+          signing_dir="$(mktemp -d "${RUNNER_TEMP:-${TMPDIR:-/tmp}}/sybil-signing.XXXXXX")"
+          certificate_path="${signing_dir}/appstore-signing.p12"
+          profile_path="${signing_dir}/Sybil_AppStore_CI.mobileprovision"
+          profile_plist="${signing_dir}/profile.plist"
+          old_profile_dir="${HOME}/Library/MobileDevice/Provisioning Profiles"
+          xcode_profile_dir="${HOME}/Library/Developer/Xcode/UserData/Provisioning Profiles"
+          mkdir -p "${old_profile_dir}" "${xcode_profile_dir}"
 
-          printf '%s' "${APPSTORE_CERTIFICATES_FILE_BASE64}" | base64 --decode > ios/build/secrets/appstore-signing.p12
+          printf '%s' "${APPSTORE_CERTIFICATES_FILE_BASE64}" | base64 --decode > "${certificate_path}"
-          printf '%s' "${APPSTORE_PROVISIONING_PROFILE_BASE64}" | base64 --decode > "${HOME}/Library/MobileDevice/Provisioning Profiles/Sybil_AppStore_CI.mobileprovision"
+          printf '%s' "${APPSTORE_PROVISIONING_PROFILE_BASE64}" | base64 --decode > "${profile_path}"
+          security cms -D -i "${profile_path}" > "${profile_plist}"
+          profile_uuid="$(/usr/libexec/PlistBuddy -c 'Print UUID' "${profile_plist}")"
+          profile_name="$(/usr/libexec/PlistBuddy -c 'Print Name' "${profile_plist}")"
+          old_profile_path="${old_profile_dir}/${profile_uuid}.mobileprovision"
+          xcode_profile_path="${xcode_profile_dir}/${profile_uuid}.mobileprovision"
+          old_named_profile_path="${old_profile_dir}/Sybil_AppStore_CI.mobileprovision"
+          xcode_named_profile_path="${xcode_profile_dir}/Sybil_AppStore_CI.mobileprovision"
+          cp "${profile_path}" "${old_profile_path}"
+          cp "${profile_path}" "${xcode_profile_path}"
+          cp "${profile_path}" "${old_named_profile_path}"
+          cp "${profile_path}" "${xcode_named_profile_path}"
 
-          security create-keychain -p "${keychain_password}" "${keychain_path}"
+          security create-keychain -p "${keychain_password}" "${keychain_name}"
-          security set-keychain-settings -lut 21600 "${keychain_path}"
+          security set-keychain-settings -lut 21600 "${keychain_name}"
-          security unlock-keychain -p "${keychain_password}" "${keychain_path}"
+          security unlock-keychain -p "${keychain_password}" "${keychain_name}"
-          security list-keychains -d user -s "${keychain_path}" $(security list-keychains -d user | sed 's/[ "]//g')
+          security import "${certificate_path}" \
-          security import ios/build/secrets/appstore-signing.p12 \
+            -k "${keychain_name}" \
-            -k "${keychain_path}" \
+            -f pkcs12 \
             -P "${APPSTORE_CERTIFICATES_PASSWORD}" \
             -T /usr/bin/codesign \
             -T /usr/bin/security \
-            -T /usr/bin/xcodebuild
+            -T /usr/bin/xcodebuild \
-          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${keychain_password}" "${keychain_path}"
+            -T "${developer_dir}/usr/bin/xcodebuild"
-          security find-identity -v -p codesigning "${keychain_path}"
+          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${keychain_password}" "${keychain_name}"
-          echo "SYBIL_SIGNING_KEYCHAIN_PATH=${keychain_path}" >> "${GITHUB_ENV}"
+          security list-keychains -d user -s "${keychain_name}" $(security list-keychains -d user | sed 's/[ "]//g')
+          security default-keychain -d user -s "${keychain_name}"
+          security find-identity -v -p codesigning "${keychain_name}"
+          security find-identity -v -p codesigning
+          echo "Installed ${profile_name} (${profile_uuid}) provisioning profile"
+          {
+            echo "SYBIL_SIGNING_KEYCHAIN_PATH=${keychain_name}"
+            echo "SYBIL_SIGNING_KEYCHAIN_PASSWORD=${keychain_password}"
+            echo "SYBIL_PREVIOUS_DEFAULT_KEYCHAIN=${previous_default_keychain}"
+            echo "SYBIL_PROVISIONING_PROFILE_UUID=${profile_uuid}"
+            echo "SYBIL_SIGNING_DIR=${signing_dir}"
+            echo "SYBIL_OLD_PROFILE_PATH=${old_profile_path}"
+            echo "SYBIL_XCODE_PROFILE_PATH=${xcode_profile_path}"
+            echo "SYBIL_OLD_NAMED_PROFILE_PATH=${old_named_profile_path}"
+            echo "SYBIL_XCODE_NAMED_PROFILE_PATH=${xcode_named_profile_path}"
+          } >> "${GITHUB_ENV}"
 
       - name: Build and upload to TestFlight
         working-directory: ios
@@ -118,6 +152,12 @@ jobs:
         run: |
           set -euo pipefail
 
+          security unlock-keychain -p "${SYBIL_SIGNING_KEYCHAIN_PASSWORD}" "${SYBIL_SIGNING_KEYCHAIN_PATH}"
+          security list-keychains -d user -s "${SYBIL_SIGNING_KEYCHAIN_PATH}" $(security list-keychains -d user | sed 's/[ "]//g')
+          security default-keychain -d user -s "${SYBIL_SIGNING_KEYCHAIN_PATH}"
+          security find-identity -v -p codesigning "${SYBIL_SIGNING_KEYCHAIN_PATH}"
+          security find-identity -v -p codesigning
+
           SYBIL_VERSION_TAG="${TAG_NAME}" bundle exec fastlane ios beta
 
       - name: Locate IPA
@@ -207,4 +247,13 @@ jobs:
       - name: Clean up temporary keychain
         if: always()
         run: |
-          security delete-keychain "${HOME}/Library/Keychains/${SIGNING_KEYCHAIN}.keychain-db" || true
+          if [[ -n "${SYBIL_PREVIOUS_DEFAULT_KEYCHAIN:-}" ]]; then
+            security default-keychain -d user -s "${SYBIL_PREVIOUS_DEFAULT_KEYCHAIN}" || true
+          fi
+          rm -f \
+            "${SYBIL_OLD_PROFILE_PATH:-}" \
+            "${SYBIL_XCODE_PROFILE_PATH:-}" \
+            "${SYBIL_OLD_NAMED_PROFILE_PATH:-}" \
+            "${SYBIL_XCODE_NAMED_PROFILE_PATH:-}"
+          rm -rf "${SYBIL_SIGNING_DIR:-}"
+          security delete-keychain "${SIGNING_KEYCHAIN}.keychain" || true

ios/.env.example

@@ -5,7 +5,9 @@ FASTLANE_HIDE_CHANGELOG=1
 SYBIL_APP_STORE_APPLE_ID=6759442828
 SYBIL_PROVIDER_PUBLIC_ID=c043d167-ad88-4036-84ea-76c223f1b1b2
 SYBIL_PROVISIONING_PROFILE_SPECIFIER=Sybil AppStore CI
+SYBIL_PROVISIONING_PROFILE_UUID=
 SYBIL_CODE_SIGN_IDENTITY=Apple Distribution: James Magahern (DQQH5H6GBD)
+SYBIL_XCODE_CODE_SIGN_IDENTITY=Apple Distribution
 SYBIL_SIGNING_CERTIFICATE_ID=
 SYBIL_SIGNING_KEYCHAIN=
 

ios/Apps/Sybil/project.yml

@@ -32,6 +32,12 @@ targets:
         INFOPLIST_KEY_UILaunchScreen_Generation: YES
         INFOPLIST_KEY_UISupportedInterfaceOrientations_iPhone: UIInterfaceOrientationPortrait
         INFOPLIST_KEY_UISupportedInterfaceOrientations_iPad: UIInterfaceOrientationPortrait UIInterfaceOrientationPortraitUpsideDown UIInterfaceOrientationLandscapeLeft UIInterfaceOrientationLandscapeRight
+      configs:
+        Release:
+          CODE_SIGN_STYLE: Manual
+          CODE_SIGN_IDENTITY: Apple Distribution
+          "CODE_SIGN_IDENTITY[sdk=iphoneos*]": Apple Distribution
+          PROVISIONING_PROFILE_SPECIFIER: Sybil AppStore CI
 
 schemes:
   Sybil:

ios/fastlane/CI.md

@@ -14,10 +14,13 @@ git push origin release/v1.10.0
 ```
 
 The release job runs on the `xcode` runner label, imports the signing p12 into
-a temporary keychain, installs the App Store provisioning profile, builds and
+a temporary per-user keychain, makes that keychain the user default for the
-uploads the app with fastlane, then creates or updates the matching Gitea
+duration of the job, installs the App Store provisioning profile in both the
-release with the generated IPA as an asset. The job deletes the temporary
+legacy MobileDevice directory and the Xcode UserData directory used by newer
-signing keychain in an `always()` cleanup step.
+Xcode releases, builds and uploads the app with fastlane, then creates or
+updates the matching Gitea release with the generated IPA as an asset. The job
+restores the previous user default keychain and deletes the temporary signing
+keychain and installed profiles in an `always()` cleanup step.
 
 Required repository secrets:
 
@@ -42,6 +45,17 @@ certificate and provisioning profile values into the repository secrets listed
 above. The workflow uses the `Sybil AppStore CI` provisioning profile name by
 default.
 
+Fastlane keeps two signing names separate. `SYBIL_CODE_SIGN_IDENTITY` is the
+exact certificate common name used when exporting a local p12 for secrets, while
+`SYBIL_XCODE_CODE_SIGN_IDENTITY` defaults to the generic `Apple Distribution`
+selector that Xcode uses during archive/export.
+
+The Release signing settings are also present in `Apps/Sybil/project.yml` so
+XcodeGen emits a manually signed App Store archive configuration. CI passes the
+installed provisioning profile UUID to Fastlane as
+`SYBIL_PROVISIONING_PROFILE_UUID`; Fastlane writes that UUID into the generated
+project before archiving.
+
 If the Apple team has reached the Distribution certificate limit, set
 `SYBIL_SIGNING_CERTIFICATE_ID` to the portal id for a certificate whose private
 key exists in the local login keychain before running `create_ci_signing`. The

ios/fastlane/Fastfile

@@ -20,6 +20,7 @@ APP_STORE_APPLE_ID = ENV.fetch("SYBIL_APP_STORE_APPLE_ID", "6759442828")
 PROVIDER_PUBLIC_ID = ENV.fetch("SYBIL_PROVIDER_PUBLIC_ID", "c043d167-ad88-4036-84ea-76c223f1b1b2")
 PROFILE_SPECIFIER = ENV["SYBIL_PROVISIONING_PROFILE_SPECIFIER"].to_s.strip.empty? ? "Sybil AppStore CI" : ENV["SYBIL_PROVISIONING_PROFILE_SPECIFIER"]
 SIGNING_CERTIFICATE_NAME = ENV["SYBIL_CODE_SIGN_IDENTITY"].to_s.strip.empty? ? "Apple Distribution: James Magahern (DQQH5H6GBD)" : ENV["SYBIL_CODE_SIGN_IDENTITY"]
+XCODE_CODE_SIGN_IDENTITY = ENV["SYBIL_XCODE_CODE_SIGN_IDENTITY"].to_s.strip.empty? ? "Apple Distribution" : ENV["SYBIL_XCODE_CODE_SIGN_IDENTITY"]
 IOS_ROOT = File.expand_path("..", __dir__)
 PROJECT_FILE = File.join(IOS_ROOT, "Sybil.xcodeproj")
 PROJECT_SPEC = File.join(IOS_ROOT, "project.yml")
@@ -54,6 +55,30 @@ def app_project_settings
   YAML.safe_load(File.read(APP_SPEC)).fetch("targets").fetch(TARGET).fetch("settings").fetch("base")
 end
 
+def apply_release_signing_settings
+  require "xcodeproj"
+
+  project = Xcodeproj::Project.open(PROJECT_FILE)
+  target = project.targets.find { |candidate| candidate.name == TARGET }
+  UI.user_error!("Could not find target #{TARGET} in #{PROJECT_FILE}") unless target
+
+  target.build_configurations.each do |configuration|
+    next unless configuration.name == "Release"
+
+    settings = configuration.build_settings
+    settings["CODE_SIGN_STYLE"] = "Manual"
+    settings["DEVELOPMENT_TEAM"] = TEAM_ID
+    settings["PROVISIONING_PROFILE_SPECIFIER"] = PROFILE_SPECIFIER
+    settings["CODE_SIGN_IDENTITY"] = XCODE_CODE_SIGN_IDENTITY
+    settings["CODE_SIGN_IDENTITY[sdk=iphoneos*]"] = XCODE_CODE_SIGN_IDENTITY
+    if present?(ENV["SYBIL_PROVISIONING_PROFILE_UUID"])
+      settings["PROVISIONING_PROFILE"] = ENV["SYBIL_PROVISIONING_PROFILE_UUID"]
+      settings["PROVISIONING_PROFILE[sdk=iphoneos*]"] = ENV["SYBIL_PROVISIONING_PROFILE_UUID"]
+    end
+  end
+  project.save
+end
+
 def local_marketing_version
   app_project_settings.fetch("MARKETING_VERSION").to_s
 end
@@ -77,7 +102,7 @@ def release_version
 end
 
 def xcode_build_setting(key, value)
-  "#{key}=#{value.to_s.shellescape}"
+  "#{key.to_s.shellescape}=#{value.to_s.shellescape}"
 end
 
 def env_line(key, value)
@@ -188,6 +213,67 @@ def recreate_app_store_profile(certificate_id)
   profile_path
 end
 
+def signing_identity_p12(p12_path, p12_password)
+  work_dir = File.join(SIGNING_OUTPUT_DIR, "single-identity")
+  FileUtils.rm_rf(work_dir)
+  FileUtils.mkdir_p(work_dir)
+
+  all_pem = File.join(work_dir, "all.pem")
+  stdout, stderr, status = Open3.capture3(
+    "openssl", "pkcs12",
+    "-in", p12_path,
+    "-nodes",
+    "-passin", "pass:#{p12_password}",
+    "-out", all_pem
+  )
+  UI.user_error!("Could not inspect exported p12\n#{stderr}\n#{stdout}") unless status.success?
+
+  records = File.read(all_pem).split(/(?=Bag Attributes\n)/)
+  cert_record = records.find do |record|
+    record.include?("friendlyName: #{SIGNING_CERTIFICATE_NAME}") && record.include?("-----BEGIN CERTIFICATE-----")
+  end
+  UI.user_error!("Could not find #{SIGNING_CERTIFICATE_NAME} certificate in exported p12") unless cert_record
+
+  local_key_id = cert_record[/localKeyID: (.+)/, 1].to_s.strip
+  UI.user_error!("Could not resolve localKeyID for #{SIGNING_CERTIFICATE_NAME}") unless present?(local_key_id)
+
+  key_record = records.find do |record|
+    record.include?("localKeyID: #{local_key_id}") && record.include?("-----BEGIN PRIVATE KEY-----")
+  end
+  UI.user_error!("Could not find private key for #{SIGNING_CERTIFICATE_NAME}") unless key_record
+
+  cert_path = File.join(work_dir, "identity.cer.pem")
+  key_path = File.join(work_dir, "identity.key.pem")
+  File.write(cert_path, cert_record[/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m])
+  File.write(key_path, key_record[/-----BEGIN PRIVATE KEY-----.*?-----END PRIVATE KEY-----/m])
+
+  root_cer = File.join(work_dir, "AppleIncRootCertificate.cer")
+  wwdr_cer = File.join(work_dir, "AppleWWDRCAG3.cer")
+  root_pem = File.join(work_dir, "AppleIncRootCertificate.pem")
+  wwdr_pem = File.join(work_dir, "AppleWWDRCAG3.pem")
+  chain_pem = File.join(work_dir, "chain.pem")
+  run_silent("curl", "-fsSL", "https://www.apple.com/appleca/AppleIncRootCertificate.cer", "-o", root_cer, error_message: "Could not download Apple root certificate")
+  run_silent("curl", "-fsSL", "https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer", "-o", wwdr_cer, error_message: "Could not download Apple WWDR G3 certificate")
+  run_silent("openssl", "x509", "-inform", "DER", "-in", root_cer, "-out", root_pem, error_message: "Could not convert Apple root certificate")
+  run_silent("openssl", "x509", "-inform", "DER", "-in", wwdr_cer, "-out", wwdr_pem, error_message: "Could not convert Apple WWDR G3 certificate")
+  File.write(chain_pem, File.read(wwdr_pem) + File.read(root_pem))
+
+  single_p12_path = File.join(work_dir, "appstore-signing.p12")
+  run_silent(
+    "openssl", "pkcs12", "-export",
+    "-inkey", key_path,
+    "-in", cert_path,
+    "-certfile", chain_pem,
+    "-name", SIGNING_CERTIFICATE_NAME,
+    "-out", single_p12_path,
+    "-passout", "pass:#{p12_password}",
+    error_message: "Could not create single-identity p12"
+  )
+  FileUtils.cp(single_p12_path, p12_path)
+ensure
+  FileUtils.rm_rf(work_dir) if present?(work_dir)
+end
+
 def app_store_connect_key_options
   key_id = ENV["APP_STORE_CONNECT_API_KEY_ID"]
   issuer_id = ENV["APP_STORE_CONNECT_API_ISSUER_ID"]
@@ -293,6 +379,7 @@ platform :ios do
       end
 
       UI.user_error!("Could not find exported p12 at #{p12_path}") unless File.exist?(p12_path)
+      signing_identity_p12(p12_path, p12_password)
 
       profile_path = recreate_app_store_profile(cert_id)
       UI.user_error!("Could not resolve generated provisioning profile path") unless present?(profile_path) && File.exist?(profile_path)
@@ -341,14 +428,11 @@ platform :ios do
     UI.user_error!("Build number must be a positive integer") unless build_number.match?(/\A[1-9]\d*\z/)
 
     sh("xcodegen --spec #{PROJECT_SPEC.shellescape}")
+    apply_release_signing_settings
 
     xcode_args = [
       xcode_build_setting("MARKETING_VERSION", version),
-      xcode_build_setting("CURRENT_PROJECT_VERSION", build_number),
+      xcode_build_setting("CURRENT_PROJECT_VERSION", build_number)
-      xcode_build_setting("CODE_SIGN_STYLE", "Manual"),
-      xcode_build_setting("DEVELOPMENT_TEAM", TEAM_ID),
-      xcode_build_setting("PROVISIONING_PROFILE_SPECIFIER", PROFILE_SPECIFIER),
-      xcode_build_setting("CODE_SIGN_IDENTITY", SIGNING_CERTIFICATE_NAME)
     ]
     if present?(ENV["SYBIL_SIGNING_KEYCHAIN_PATH"])
       xcode_args << xcode_build_setting("OTHER_CODE_SIGN_FLAGS", "--keychain #{ENV.fetch("SYBIL_SIGNING_KEYCHAIN_PATH")}")
@@ -371,7 +455,7 @@ platform :ios do
         provisioningProfiles: {
           APP_IDENTIFIER => PROFILE_SPECIFIER
         },
-        signingCertificate: SIGNING_CERTIFICATE_NAME,
+        signingCertificate: XCODE_CODE_SIGN_IDENTITY,
         teamID: TEAM_ID,
         manageAppVersionAndBuildNumber: false,
         uploadSymbols: true,