ios: override iphoneos signing identity

.gitea/workflows/testflight-release.yml

@@ -85,6 +85,7 @@ jobs:
 
           keychain_password="$(uuidgen)"
           keychain_path="${HOME}/Library/Keychains/${SIGNING_KEYCHAIN}.keychain-db"
+          previous_default_keychain="$(security default-keychain -d user | sed 's/[ "]//g' || true)"
           mkdir -p "${HOME}/Library/Keychains" "${HOME}/Library/MobileDevice/Provisioning Profiles" ios/build/secrets
 
           printf '%s' "${APPSTORE_CERTIFICATES_FILE_BASE64}" | base64 --decode > ios/build/secrets/appstore-signing.p12
@@ -95,6 +96,7 @@ jobs:
           security set-keychain-settings -lut 21600 "${keychain_path}"
           security unlock-keychain -p "${keychain_password}" "${keychain_path}"
           security list-keychains -d user -s "${keychain_path}" $(security list-keychains -d user | sed 's/[ "]//g')
+          security default-keychain -d user -s "${keychain_path}"
           security import ios/build/secrets/AppleWWDRCAG3.cer \
             -k "${keychain_path}" \
             -T /usr/bin/codesign \
@@ -108,7 +110,11 @@ jobs:
             -T /usr/bin/xcodebuild
           security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${keychain_password}" "${keychain_path}"
           security find-identity -v -p codesigning "${keychain_path}"
-          echo "SYBIL_SIGNING_KEYCHAIN_PATH=${keychain_path}" >> "${GITHUB_ENV}"
+          {
+            echo "SYBIL_SIGNING_KEYCHAIN_PATH=${keychain_path}"
+            echo "SYBIL_SIGNING_KEYCHAIN_PASSWORD=${keychain_password}"
+            echo "SYBIL_PREVIOUS_DEFAULT_KEYCHAIN=${previous_default_keychain}"
+          } >> "${GITHUB_ENV}"
 
       - name: Build and upload to TestFlight
         working-directory: ios
@@ -124,6 +130,11 @@ jobs:
         run: |
           set -euo pipefail
 
+          security unlock-keychain -p "${SYBIL_SIGNING_KEYCHAIN_PASSWORD}" "${SYBIL_SIGNING_KEYCHAIN_PATH}"
+          security list-keychains -d user -s "${SYBIL_SIGNING_KEYCHAIN_PATH}" $(security list-keychains -d user | sed 's/[ "]//g')
+          security default-keychain -d user -s "${SYBIL_SIGNING_KEYCHAIN_PATH}"
+          security find-identity -v -p codesigning "${SYBIL_SIGNING_KEYCHAIN_PATH}"
+
           SYBIL_VERSION_TAG="${TAG_NAME}" bundle exec fastlane ios beta
 
       - name: Locate IPA
@@ -213,4 +224,7 @@ jobs:
       - name: Clean up temporary keychain
         if: always()
         run: |
+          if [[ -n "${SYBIL_PREVIOUS_DEFAULT_KEYCHAIN:-}" ]]; then
+            security default-keychain -d user -s "${SYBIL_PREVIOUS_DEFAULT_KEYCHAIN}" || true
+          fi
           security delete-keychain "${HOME}/Library/Keychains/${SIGNING_KEYCHAIN}.keychain-db" || true

ios/.env.example

@@ -6,6 +6,7 @@ SYBIL_APP_STORE_APPLE_ID=6759442828
 SYBIL_PROVIDER_PUBLIC_ID=c043d167-ad88-4036-84ea-76c223f1b1b2
 SYBIL_PROVISIONING_PROFILE_SPECIFIER=Sybil AppStore CI
 SYBIL_CODE_SIGN_IDENTITY=Apple Distribution: James Magahern (DQQH5H6GBD)
+SYBIL_XCODE_CODE_SIGN_IDENTITY=Apple Distribution
 SYBIL_SIGNING_CERTIFICATE_ID=
 SYBIL_SIGNING_KEYCHAIN=
 

ios/fastlane/CI.md

@@ -14,10 +14,12 @@ git push origin release/v1.10.0
 ```
 
 The release job runs on the `xcode` runner label, imports the signing p12 into
-a temporary keychain, installs the App Store provisioning profile, builds and
+a temporary per-user keychain, makes that keychain the user default for the
+duration of the job, installs the App Store provisioning profile, builds and
 uploads the app with fastlane, then creates or updates the matching Gitea
-release with the generated IPA as an asset. The job deletes the temporary
+release with the generated IPA as an asset. The job restores the previous user
-signing keychain in an `always()` cleanup step.
+default keychain and deletes the temporary signing keychain in an `always()`
+cleanup step.
 
 Required repository secrets:
 
@@ -42,6 +44,11 @@ certificate and provisioning profile values into the repository secrets listed
 above. The workflow uses the `Sybil AppStore CI` provisioning profile name by
 default.
 
+Fastlane keeps two signing names separate. `SYBIL_CODE_SIGN_IDENTITY` is the
+exact certificate common name used when exporting a local p12 for secrets, while
+`SYBIL_XCODE_CODE_SIGN_IDENTITY` defaults to the generic `Apple Distribution`
+selector that Xcode uses during archive/export.
+
 If the Apple team has reached the Distribution certificate limit, set
 `SYBIL_SIGNING_CERTIFICATE_ID` to the portal id for a certificate whose private
 key exists in the local login keychain before running `create_ci_signing`. The

ios/fastlane/Fastfile

@@ -20,6 +20,7 @@ APP_STORE_APPLE_ID = ENV.fetch("SYBIL_APP_STORE_APPLE_ID", "6759442828")
 PROVIDER_PUBLIC_ID = ENV.fetch("SYBIL_PROVIDER_PUBLIC_ID", "c043d167-ad88-4036-84ea-76c223f1b1b2")
 PROFILE_SPECIFIER = ENV["SYBIL_PROVISIONING_PROFILE_SPECIFIER"].to_s.strip.empty? ? "Sybil AppStore CI" : ENV["SYBIL_PROVISIONING_PROFILE_SPECIFIER"]
 SIGNING_CERTIFICATE_NAME = ENV["SYBIL_CODE_SIGN_IDENTITY"].to_s.strip.empty? ? "Apple Distribution: James Magahern (DQQH5H6GBD)" : ENV["SYBIL_CODE_SIGN_IDENTITY"]
+XCODE_CODE_SIGN_IDENTITY = ENV["SYBIL_XCODE_CODE_SIGN_IDENTITY"].to_s.strip.empty? ? "Apple Distribution" : ENV["SYBIL_XCODE_CODE_SIGN_IDENTITY"]
 IOS_ROOT = File.expand_path("..", __dir__)
 PROJECT_FILE = File.join(IOS_ROOT, "Sybil.xcodeproj")
 PROJECT_SPEC = File.join(IOS_ROOT, "project.yml")
@@ -77,7 +78,7 @@ def release_version
 end
 
 def xcode_build_setting(key, value)
-  "#{key}=#{value.to_s.shellescape}"
+  "#{key.to_s.shellescape}=#{value.to_s.shellescape}"
 end
 
 def env_line(key, value)
@@ -410,7 +411,8 @@ platform :ios do
       xcode_build_setting("CODE_SIGN_STYLE", "Manual"),
       xcode_build_setting("DEVELOPMENT_TEAM", TEAM_ID),
       xcode_build_setting("PROVISIONING_PROFILE_SPECIFIER", PROFILE_SPECIFIER),
-      xcode_build_setting("CODE_SIGN_IDENTITY", SIGNING_CERTIFICATE_NAME)
+      xcode_build_setting("CODE_SIGN_IDENTITY", XCODE_CODE_SIGN_IDENTITY),
+      xcode_build_setting("CODE_SIGN_IDENTITY[sdk=iphoneos*]", XCODE_CODE_SIGN_IDENTITY)
     ]
     if present?(ENV["SYBIL_SIGNING_KEYCHAIN_PATH"])
       xcode_args << xcode_build_setting("OTHER_CODE_SIGN_FLAGS", "--keychain #{ENV.fetch("SYBIL_SIGNING_KEYCHAIN_PATH")}")
@@ -433,7 +435,7 @@ platform :ios do
         provisioningProfiles: {
           APP_IDENTIFIER => PROFILE_SPECIFIER
         },
-        signingCertificate: SIGNING_CERTIFICATE_NAME,
+        signingCertificate: XCODE_CODE_SIGN_IDENTITY,
         teamID: TEAM_ID,
         manageAppVersionAndBuildNumber: false,
         uploadSymbols: true,