ios: override iphoneos signing identity

ios: use disposable keychain as ci default
ios: use generic xcode signing selector
2026-06-25 21:29:35 -07:00 · 2026-06-25 21:27:19 -07:00 · 2026-06-25 21:25:13 -07:00 · 2026-06-25 21:20:31 -07:00
4 changed files with 31 additions and 7 deletions
--- a/.gitea/workflows/testflight-release.yml
+++ b/.gitea/workflows/testflight-release.yml
@@ -85,6 +85,7 @@ jobs:

          keychain_password="$(uuidgen)"
          keychain_path="${HOME}/Library/Keychains/${SIGNING_KEYCHAIN}.keychain-db"
+          previous_default_keychain="$(security default-keychain -d user | sed 's/[ "]//g' || true)"
          mkdir -p "${HOME}/Library/Keychains" "${HOME}/Library/MobileDevice/Provisioning Profiles" ios/build/secrets

          printf '%s' "${APPSTORE_CERTIFICATES_FILE_BASE64}" | base64 --decode > ios/build/secrets/appstore-signing.p12
@@ -95,6 +96,7 @@ jobs:
          security set-keychain-settings -lut 21600 "${keychain_path}"
          security unlock-keychain -p "${keychain_password}" "${keychain_path}"
          security list-keychains -d user -s "${keychain_path}" $(security list-keychains -d user | sed 's/[ "]//g')
+          security default-keychain -d user -s "${keychain_path}"
          security import ios/build/secrets/AppleWWDRCAG3.cer \
            -k "${keychain_path}" \
            -T /usr/bin/codesign \
@@ -108,7 +110,11 @@ jobs:
            -T /usr/bin/xcodebuild
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${keychain_password}" "${keychain_path}"
          security find-identity -v -p codesigning "${keychain_path}"
-          echo "SYBIL_SIGNING_KEYCHAIN_PATH=${keychain_path}" >> "${GITHUB_ENV}"
+          {
+            echo "SYBIL_SIGNING_KEYCHAIN_PATH=${keychain_path}"
+            echo "SYBIL_SIGNING_KEYCHAIN_PASSWORD=${keychain_password}"
+            echo "SYBIL_PREVIOUS_DEFAULT_KEYCHAIN=${previous_default_keychain}"
+          } >> "${GITHUB_ENV}"

      - name: Build and upload to TestFlight
        working-directory: ios
@@ -124,6 +130,11 @@ jobs:
        run: |
          set -euo pipefail

+          security unlock-keychain -p "${SYBIL_SIGNING_KEYCHAIN_PASSWORD}" "${SYBIL_SIGNING_KEYCHAIN_PATH}"
+          security list-keychains -d user -s "${SYBIL_SIGNING_KEYCHAIN_PATH}" $(security list-keychains -d user | sed 's/[ "]//g')
+          security default-keychain -d user -s "${SYBIL_SIGNING_KEYCHAIN_PATH}"
+          security find-identity -v -p codesigning "${SYBIL_SIGNING_KEYCHAIN_PATH}"
+
          SYBIL_VERSION_TAG="${TAG_NAME}" bundle exec fastlane ios beta

      - name: Locate IPA
@@ -213,4 +224,7 @@ jobs:
      - name: Clean up temporary keychain
        if: always()
        run: |
+          if [[ -n "${SYBIL_PREVIOUS_DEFAULT_KEYCHAIN:-}" ]]; then
+            security default-keychain -d user -s "${SYBIL_PREVIOUS_DEFAULT_KEYCHAIN}" || true
+          fi
          security delete-keychain "${HOME}/Library/Keychains/${SIGNING_KEYCHAIN}.keychain-db" || true
--- a/ios/.env.example
+++ b/ios/.env.example
@@ -6,6 +6,7 @@ SYBIL_APP_STORE_APPLE_ID=6759442828
 SYBIL_PROVIDER_PUBLIC_ID=c043d167-ad88-4036-84ea-76c223f1b1b2
 SYBIL_PROVISIONING_PROFILE_SPECIFIER=Sybil AppStore CI
 SYBIL_CODE_SIGN_IDENTITY=Apple Distribution: James Magahern (DQQH5H6GBD)
+SYBIL_XCODE_CODE_SIGN_IDENTITY=Apple Distribution
 SYBIL_SIGNING_CERTIFICATE_ID=
 SYBIL_SIGNING_KEYCHAIN=

--- a/ios/fastlane/CI.md
+++ b/ios/fastlane/CI.md
@@ -14,10 +14,12 @@ git push origin release/v1.10.0
 ```

 The release job runs on the `xcode` runner label, imports the signing p12 into
-a temporary keychain, installs the App Store provisioning profile, builds and
+a temporary per-user keychain, makes that keychain the user default for the
+duration of the job, installs the App Store provisioning profile, builds and
 uploads the app with fastlane, then creates or updates the matching Gitea
-release with the generated IPA as an asset. The job deletes the temporary
-signing keychain in an `always()` cleanup step.
+release with the generated IPA as an asset. The job restores the previous user
+default keychain and deletes the temporary signing keychain in an `always()`
+cleanup step.

 Required repository secrets:

@@ -42,6 +44,11 @@ certificate and provisioning profile values into the repository secrets listed
 above. The workflow uses the `Sybil AppStore CI` provisioning profile name by
 default.

+Fastlane keeps two signing names separate. `SYBIL_CODE_SIGN_IDENTITY` is the
+exact certificate common name used when exporting a local p12 for secrets, while
+`SYBIL_XCODE_CODE_SIGN_IDENTITY` defaults to the generic `Apple Distribution`
+selector that Xcode uses during archive/export.
+
 If the Apple team has reached the Distribution certificate limit, set
 `SYBIL_SIGNING_CERTIFICATE_ID` to the portal id for a certificate whose private
 key exists in the local login keychain before running `create_ci_signing`. The
--- a/ios/fastlane/Fastfile
+++ b/ios/fastlane/Fastfile
@@ -20,6 +20,7 @@ APP_STORE_APPLE_ID = ENV.fetch("SYBIL_APP_STORE_APPLE_ID", "6759442828")
 PROVIDER_PUBLIC_ID = ENV.fetch("SYBIL_PROVIDER_PUBLIC_ID", "c043d167-ad88-4036-84ea-76c223f1b1b2")
 PROFILE_SPECIFIER = ENV["SYBIL_PROVISIONING_PROFILE_SPECIFIER"].to_s.strip.empty? ? "Sybil AppStore CI" : ENV["SYBIL_PROVISIONING_PROFILE_SPECIFIER"]
 SIGNING_CERTIFICATE_NAME = ENV["SYBIL_CODE_SIGN_IDENTITY"].to_s.strip.empty? ? "Apple Distribution: James Magahern (DQQH5H6GBD)" : ENV["SYBIL_CODE_SIGN_IDENTITY"]
+XCODE_CODE_SIGN_IDENTITY = ENV["SYBIL_XCODE_CODE_SIGN_IDENTITY"].to_s.strip.empty? ? "Apple Distribution" : ENV["SYBIL_XCODE_CODE_SIGN_IDENTITY"]
 IOS_ROOT = File.expand_path("..", __dir__)
 PROJECT_FILE = File.join(IOS_ROOT, "Sybil.xcodeproj")
 PROJECT_SPEC = File.join(IOS_ROOT, "project.yml")
@@ -77,7 +78,7 @@ def release_version
 end

 def xcode_build_setting(key, value)
-  "#{key}=#{value.to_s.shellescape}"
+  "#{key.to_s.shellescape}=#{value.to_s.shellescape}"
 end

 def env_line(key, value)
@@ -410,7 +411,8 @@ platform :ios do
      xcode_build_setting("CODE_SIGN_STYLE", "Manual"),
      xcode_build_setting("DEVELOPMENT_TEAM", TEAM_ID),
      xcode_build_setting("PROVISIONING_PROFILE_SPECIFIER", PROFILE_SPECIFIER),
-      xcode_build_setting("CODE_SIGN_IDENTITY", SIGNING_CERTIFICATE_NAME)
+      xcode_build_setting("CODE_SIGN_IDENTITY", XCODE_CODE_SIGN_IDENTITY),
+      xcode_build_setting("CODE_SIGN_IDENTITY[sdk=iphoneos*]", XCODE_CODE_SIGN_IDENTITY)
    ]
    if present?(ENV["SYBIL_SIGNING_KEYCHAIN_PATH"])
      xcode_args << xcode_build_setting("OTHER_CODE_SIGN_FLAGS", "--keychain #{ENV.fetch("SYBIL_SIGNING_KEYCHAIN_PATH")}")
@@ -433,7 +435,7 @@ platform :ios do
        provisioningProfiles: {
          APP_IDENTIFIER => PROFILE_SPECIFIER
        },
-        signingCertificate: SIGNING_CERTIFICATE_NAME,
+        signingCertificate: XCODE_CODE_SIGN_IDENTITY,
        teamID: TEAM_ID,
        manageAppVersionAndBuildNumber: false,
        uploadSymbols: true,
Author	SHA1	Message	Date
James Magahern	f445730a41	ios: override iphoneos signing identity Some checks failed TestFlight Release / testflight (push) Failing after 16s Details	2026-06-25 21:29:35 -07:00
James Magahern	76cb808c33	ios: use disposable keychain as ci default Some checks failed TestFlight Release / testflight (push) Failing after 15s Details	2026-06-25 21:27:19 -07:00
James Magahern	e167bd983f	ios: use generic xcode signing selector Some checks failed TestFlight Release / testflight (push) Failing after 19s Details	2026-06-25 21:25:13 -07:00
James Magahern	e4dd91564f	ios: unlock signing keychain before build Some checks failed TestFlight Release / testflight (push) Failing after 17s Details	2026-06-25 21:20:31 -07:00