ios: use generic xcode signing selector

ios: unlock signing keychain before build
2026-06-25 21:25:13 -07:00 · 2026-06-25 21:20:31 -07:00
4 changed files with 18 additions and 4 deletions
--- a/.gitea/workflows/testflight-release.yml
+++ b/.gitea/workflows/testflight-release.yml
@@ -108,7 +108,10 @@ jobs:
            -T /usr/bin/xcodebuild
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${keychain_password}" "${keychain_path}"
          security find-identity -v -p codesigning "${keychain_path}"
-          echo "SYBIL_SIGNING_KEYCHAIN_PATH=${keychain_path}" >> "${GITHUB_ENV}"
+          {
            echo "SYBIL_SIGNING_KEYCHAIN_PATH=${keychain_path}"
            echo "SYBIL_SIGNING_KEYCHAIN_PASSWORD=${keychain_password}"
          } >> "${GITHUB_ENV}"
      - name: Build and upload to TestFlight
        working-directory: ios
@@ -124,6 +127,10 @@ jobs:
        run: |
          set -euo pipefail
          security unlock-keychain -p "${SYBIL_SIGNING_KEYCHAIN_PASSWORD}" "${SYBIL_SIGNING_KEYCHAIN_PATH}"
          security list-keychains -d user -s "${SYBIL_SIGNING_KEYCHAIN_PATH}" $(security list-keychains -d user | sed 's/[ "]//g')
          security find-identity -v -p codesigning "${SYBIL_SIGNING_KEYCHAIN_PATH}"
          SYBIL_VERSION_TAG="${TAG_NAME}" bundle exec fastlane ios beta
      - name: Locate IPA
--- a/ios/.env.example
+++ b/ios/.env.example
@@ -6,6 +6,7 @@ SYBIL_APP_STORE_APPLE_ID=6759442828
 SYBIL_PROVIDER_PUBLIC_ID=c043d167-ad88-4036-84ea-76c223f1b1b2
 SYBIL_PROVISIONING_PROFILE_SPECIFIER=Sybil AppStore CI
 SYBIL_CODE_SIGN_IDENTITY=Apple Distribution: James Magahern (DQQH5H6GBD)
 SYBIL_XCODE_CODE_SIGN_IDENTITY=Apple Distribution
 SYBIL_SIGNING_CERTIFICATE_ID=
 SYBIL_SIGNING_KEYCHAIN=
--- a/ios/fastlane/CI.md
+++ b/ios/fastlane/CI.md
@@ -42,6 +42,11 @@ certificate and provisioning profile values into the repository secrets listed
 above. The workflow uses the `Sybil AppStore CI` provisioning profile name by
 default.
 Fastlane keeps two signing names separate. `SYBIL_CODE_SIGN_IDENTITY` is the
 exact certificate common name used when exporting a local p12 for secrets, while
 `SYBIL_XCODE_CODE_SIGN_IDENTITY` defaults to the generic `Apple Distribution`
 selector that Xcode uses during archive/export.
 If the Apple team has reached the Distribution certificate limit, set
 `SYBIL_SIGNING_CERTIFICATE_ID` to the portal id for a certificate whose private
 key exists in the local login keychain before running `create_ci_signing`. The
--- a/ios/fastlane/Fastfile
+++ b/ios/fastlane/Fastfile
@@ -20,6 +20,7 @@ APP_STORE_APPLE_ID = ENV.fetch("SYBIL_APP_STORE_APPLE_ID", "6759442828")
 PROVIDER_PUBLIC_ID = ENV.fetch("SYBIL_PROVIDER_PUBLIC_ID", "c043d167-ad88-4036-84ea-76c223f1b1b2")
 PROFILE_SPECIFIER = ENV["SYBIL_PROVISIONING_PROFILE_SPECIFIER"].to_s.strip.empty? ? "Sybil AppStore CI" : ENV["SYBIL_PROVISIONING_PROFILE_SPECIFIER"]
 SIGNING_CERTIFICATE_NAME = ENV["SYBIL_CODE_SIGN_IDENTITY"].to_s.strip.empty? ? "Apple Distribution: James Magahern (DQQH5H6GBD)" : ENV["SYBIL_CODE_SIGN_IDENTITY"]
 XCODE_CODE_SIGN_IDENTITY = ENV["SYBIL_XCODE_CODE_SIGN_IDENTITY"].to_s.strip.empty? ? "Apple Distribution" : ENV["SYBIL_XCODE_CODE_SIGN_IDENTITY"]
 IOS_ROOT = File.expand_path("..", __dir__)
 PROJECT_FILE = File.join(IOS_ROOT, "Sybil.xcodeproj")
 PROJECT_SPEC = File.join(IOS_ROOT, "project.yml")
@@ -77,7 +78,7 @@ def release_version
 end
 def xcode_build_setting(key, value)
-  "#{key}=#{value.to_s.shellescape}"
+  "#{key.to_s.shellescape}=#{value.to_s.shellescape}"
 end
 def env_line(key, value)
@@ -410,7 +411,7 @@ platform :ios do
      xcode_build_setting("CODE_SIGN_STYLE", "Manual"),
      xcode_build_setting("DEVELOPMENT_TEAM", TEAM_ID),
      xcode_build_setting("PROVISIONING_PROFILE_SPECIFIER", PROFILE_SPECIFIER),
-      xcode_build_setting("CODE_SIGN_IDENTITY", SIGNING_CERTIFICATE_NAME)
+      xcode_build_setting("CODE_SIGN_IDENTITY", XCODE_CODE_SIGN_IDENTITY)
    ]
    if present?(ENV["SYBIL_SIGNING_KEYCHAIN_PATH"])
      xcode_args << xcode_build_setting("OTHER_CODE_SIGN_FLAGS", "--keychain #{ENV.fetch("SYBIL_SIGNING_KEYCHAIN_PATH")}")
@@ -433,7 +434,7 @@ platform :ios do
        provisioningProfiles: {
          APP_IDENTIFIER => PROFILE_SPECIFIER
        },
-        signingCertificate: SIGNING_CERTIFICATE_NAME,
+        signingCertificate: XCODE_CODE_SIGN_IDENTITY,
        teamID: TEAM_ID,
        manageAppVersionAndBuildNumber: false,
        uploadSymbols: true,
Author	SHA1	Message	Date
James Magahern	e167bd983f	ios: use generic xcode signing selector Some checks failed TestFlight Release / testflight (push) Failing after 19s Details	2026-06-25 21:25:13 -07:00
James Magahern	e4dd91564f	ios: unlock signing keychain before build Some checks failed TestFlight Release / testflight (push) Failing after 17s Details	2026-06-25 21:20:31 -07:00