fix(mobile): fix keychain setup - add all WWDR certs and set partition after match import

.github/workflows/build-mobile.yml

@@ -251,7 +251,7 @@ jobs:
           security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
           security default-keychain -s build.keychain
           security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
-          security set-keychain-settings -t 3600 -u build.keychain
+          security set-keychain-settings -t 3600 -l -u build.keychain
           
           # Add keychain to search list (required for codesign to find certificates)
           security list-keychains -d user -s build.keychain login.keychain
@@ -259,20 +259,23 @@ jobs:
           # Download and install Apple WWDR certificates (required for code signing)
           curl -sL https://developer.apple.com/certificationauthority/AppleWWDRCA.cer -o AppleWWDRCA.cer
           curl -sL https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer -o AppleWWDRCAG3.cer
-          security import AppleWWDRCA.cer -k build.keychain -T /usr/bin/codesign
-          security import AppleWWDRCAG3.cer -k build.keychain -T /usr/bin/codesign
-          
-          # Set key partition list to allow codesign access
-          security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" build.keychain
+          curl -sL https://www.apple.com/certificateauthority/AppleWWDRCAG4.cer -o AppleWWDRCAG4.cer
+          curl -sL https://www.apple.com/certificateauthority/AppleWWDRCAG5.cer -o AppleWWDRCAG5.cer
+          curl -sL https://www.apple.com/certificateauthority/AppleWWDRCAG6.cer -o AppleWWDRCAG6.cer
+          security import AppleWWDRCA.cer -k build.keychain -T /usr/bin/codesign || true
+          security import AppleWWDRCAG3.cer -k build.keychain -T /usr/bin/codesign || true
+          security import AppleWWDRCAG4.cer -k build.keychain -T /usr/bin/codesign || true
+          security import AppleWWDRCAG5.cer -k build.keychain -T /usr/bin/codesign || true
+          security import AppleWWDRCAG6.cer -k build.keychain -T /usr/bin/codesign || true
 
       - name: Build and deploy to TestFlight
         env:
           FASTLANE_TEAM_ID: ${{ secrets.FASTLANE_TEAM_ID }}
           MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}
           MATCH_GIT_BASIC_AUTHORIZATION: ${{ steps.match-auth.outputs.base64_token }}
-          KEYCHAIN_NAME: build.keychain-db
+          KEYCHAIN_NAME: build.keychain
           KEYCHAIN_PASSWORD: ${{ github.run_id }}
-          MATCH_KEYCHAIN_NAME: build.keychain-db
+          MATCH_KEYCHAIN_NAME: build.keychain
           MATCH_KEYCHAIN_PASSWORD: ${{ github.run_id }}
           APP_STORE_CONNECT_API_KEY_ID: ${{ secrets.APP_STORE_CONNECT_API_KEY_ID }}
           APP_STORE_CONNECT_API_KEY_ISSUER_ID: ${{ secrets.APP_STORE_CONNECT_API_KEY_ISSUER_ID }}

mobile/ios/fastlane/Fastfile

@@ -48,13 +48,21 @@ platform :ios do
   
   # Helper method to sync certificates and profiles using match
   def sync_code_signing(app_identifiers:, readonly: true)
+    keychain = ENV["KEYCHAIN_NAME"] || "login.keychain"
+    keychain_password = ENV["KEYCHAIN_PASSWORD"] || ""
+    
     match(
       type: "appstore",
       app_identifier: app_identifiers,
       readonly: readonly,
-      keychain_name: ENV["KEYCHAIN_NAME"] || "login.keychain",
-      keychain_password: ENV["KEYCHAIN_PASSWORD"] || ""
+      keychain_name: keychain,
+      keychain_password: keychain_password
     )
+    
+    # Set key partition list after match imports certificates (required for CI)
+    if ENV["CI"] && !keychain_password.empty?
+      sh("security set-key-partition-list -S apple-tool:,apple: -s -k \"#{keychain_password}\" #{keychain} 2>/dev/null || true")
+    end
   end
   
   # Helper method to get version from pubspec.yaml