diff --git a/.github/workflows/build-mobile.yml b/.github/workflows/build-mobile.yml
index 6308587602..93e77c1ab0 100644
--- a/.github/workflows/build-mobile.yml
+++ b/.github/workflows/build-mobile.yml
@@ -251,7 +251,7 @@ jobs:
 security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
 security default-keychain -s build.keychain
 security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
- security set-keychain-settings -t 3600 -u build.keychain
+ security set-keychain-settings -t 3600 -l -u build.keychain

 # Add keychain to search list (required for codesign to find certificates)
 security list-keychains -d user -s build.keychain login.keychain
@@ -259,20 +259,23 @@ jobs:
 # Download and install Apple WWDR certificates (required for code signing)
 curl -sL https://developer.apple.com/certificationauthority/AppleWWDRCA.cer -o AppleWWDRCA.cer
 curl -sL https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer -o AppleWWDRCAG3.cer
- security import AppleWWDRCA.cer -k build.keychain -T /usr/bin/codesign
- security import AppleWWDRCAG3.cer -k build.keychain -T /usr/bin/codesign
-
- # Set key partition list to allow codesign access
- security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" build.keychain
+ curl -sL https://www.apple.com/certificateauthority/AppleWWDRCAG4.cer -o AppleWWDRCAG4.cer
+ curl -sL https://www.apple.com/certificateauthority/AppleWWDRCAG5.cer -o AppleWWDRCAG5.cer
+ curl -sL https://www.apple.com/certificateauthority/AppleWWDRCAG6.cer -o AppleWWDRCAG6.cer
+ security import AppleWWDRCA.cer -k build.keychain -T /usr/bin/codesign || true
+ security import AppleWWDRCAG3.cer -k build.keychain -T /usr/bin/codesign || true
+ security import AppleWWDRCAG4.cer -k build.keychain -T /usr/bin/codesign || true
+ security import AppleWWDRCAG5.cer -k build.keychain -T /usr/bin/codesign || true
+ security import AppleWWDRCAG6.cer -k build.keychain -T /usr/bin/codesign || true

 - name: Build and deploy to TestFlight
 env:
 FASTLANE_TEAM_ID: ${{ secrets.FASTLANE_TEAM_ID }}
 MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}
 MATCH_GIT_BASIC_AUTHORIZATION: ${{ steps.match-auth.outputs.base64_token }}
- KEYCHAIN_NAME: build.keychain-db
+ KEYCHAIN_NAME: build.keychain
 KEYCHAIN_PASSWORD: ${{ github.run_id }}
- MATCH_KEYCHAIN_NAME: build.keychain-db
+ MATCH_KEYCHAIN_NAME: build.keychain
 MATCH_KEYCHAIN_PASSWORD: ${{ github.run_id }}
 APP_STORE_CONNECT_API_KEY_ID: ${{ secrets.APP_STORE_CONNECT_API_KEY_ID }}
 APP_STORE_CONNECT_API_KEY_ISSUER_ID: ${{ secrets.APP_STORE_CONNECT_API_KEY_ISSUER_ID }}
diff --git a/mobile/ios/fastlane/Fastfile b/mobile/ios/fastlane/Fastfile
index 2d5f6972ef..d550ca4351 100644
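Review bot: The `|| true` appended to every `security import` line swallows all import failures, and the `curl -sL` downloads above them have no `-f`, so an HTTP error page or truncated file saved as `AppleWWDRCAG4.cer` is skipped silently and only shows up later as a signing failure that is hard to trace. Prefer failing the download itself, e.g. `curl -fsSL --retry 3 https://www.apple.com/certificateauthority/AppleWWDRCAG4.cer -o AppleWWDRCAG4.cer`, and replace the blanket `|| true` with handling that tolerates only the duplicate-item case or at least logs which import failed. Because these intermediates are fetched at build time, comparing each file's SHA-256 with a value pinned in the repository before importing would also make a stale or substituted certificate visible. The `run:` block these lines belong to starts outside the hunk.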
--- a/mobile/ios/fastlane/Fastfile
+++ b/mobile/ios/fastlane/Fastfile
@@ -48,13 +48,21 @@ platform :ios do
 # Helper method to sync certificates and profiles using match
 def sync_code_signing(app_identifiers:, readonly: true)
+ keychain = ENV["KEYCHAIN_NAME"] || "login.keychain"
+ keychain_password = ENV["KEYCHAIN_PASSWORD"] || ""
+
 match(
 type: "appstore",
 app_identifier: app_identifiers,
 readonly: readonly,
- keychain_name: ENV["KEYCHAIN_NAME"] || "login.keychain",
- keychain_password: ENV["KEYCHAIN_PASSWORD"] || ""
+ keychain_name: keychain,
+ keychain_password: keychain_password
 )
+
+ # Set key partition list after match imports certificates (required for CI)
+ if ENV["CI"] && !keychain_password.empty?
+ sh("security set-key-partition-list -S apple-tool:,apple: -s -k \"#{keychain_password}\" #{keychain} 2>/dev/null || true")
+ end
 end

 # Helper method to get version from pubspec.yaml
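Review bot: The new `sh(...)` call in `sync_code_signing` builds a shell string from `ENV["KEYCHAIN_PASSWORD"]` and `ENV["KEYCHAIN_NAME"]`: the keychain name is unquoted and the password sits inside double quotes, so a value containing `$`, a backtick, a quote or a space is interpreted by the shell instead of being passed through as-is. fastlane's `sh` also echoes the command it runs by default, which would write the keychain password into the build log. Passing the arguments separately and turning logging off addresses both: `sh("security", "set-key-partition-list", "-S", "apple-tool:,apple:", "-s", "-k", keychain_password, keychain, log: false)`. The `2>/dev/null || true` also hides a failed partition-list update, which would then appear only as codesign being unable to use the key; an `error_callback:` that calls `UI.important(...)` would keep the step non-fatal but visible.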