iOS Code Signing & Provisioning

Hi,

What is the correct way to handle code signing for an iOS project using GitHub Actions? Are there some examples?

Greetings,

Johannes

2 Likes

We recommend using https://docs.fastlane.tools/ for building and signing iOS applications. We don’t have any specific guides today but it is something we are working on adding to the docs.

2 Likes

Great to hear, I would like to configure my CI without 3rd-party tools. 👍

2 Likes

Here is my working code sample with fastlane. It’s not vanilla GitHub Actions, but it may be a reference.

Fastlane Setting:

default_platform(:ios)

def build_release
  cocoapods()
  if is_ci
    create_keychain(
      name: "CI",
      password: ENV["MATCH_PASSWORD"],
      default_keychain: true,
      unlock: true,
      timeout: 3600,
      lock_when_sleeps: false
    )
    match(
      type: "appstore",
      readonly: true,
      keychain_name: "CI",
      keychain_password: ENV["MATCH_PASSWORD"]
    )
    sh("security list-keychains -d user")
    sh("security default-keychain -d user")
    sh("security find-identity -v -p codesigning CI")
    disable_automatic_code_signing(
      path: "Runner.xcodeproj",
      team_id: "MYTEAMID"
    )
    update_project_provisioning(
      xcodeproj: "Runner.xcodeproj",
      target_filter: "Runner",
      profile: ENV["sigh_myappid_appstore_profile-path"],
      code_signing_identity: "Apple Distribution: MY Corp. (MYTEAMID)",
    )
  else
    match(
      type: "appstore",
      readonly: true
    )
  end
  gym(
    workspace: "Runner.xcworkspace",
    scheme: "Runner",
    export_method: "app-store",
  )
end

platform :ios do
  desc "Build release"
  lane :build_release do
    build_release
  end

  desc "Push a new beta build to TestFlight"
  lane :appstore_testflight do
    build_release
    pilot
  end

  desc "Push a new release build to the App Store"
  lane :appstore_release do
    build_release
    deliver
  end
end

Github Actions Setting:

name: App-iOS

on:
  push:
    branches:
      - master

jobs:
  ios-testflight:
    name: iOS Testflight
    runs-on: macOS-latest
    steps:
      - name: Force xcode 11
        run: sudo xcode-select -switch /Applications/Xcode_11.1.app

      - uses: actions/checkout@v1

      - uses: actions/setup-java@v1
        with:
          java-version: '12.x'

      - uses: subosito/flutter-action@v1
        with:
          channel: 'stable'

      - name: flutter pub get
        run: flutter pub get

      # https://github.com/hashicorp/terraform-github-actions/issues/39
      - name: Setup SSH Keys and known_hosts for fastlane match
        env:
          PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
        # Copied from https://github.com/maddox/actions/blob/master/ssh/entrypoint.sh
        run: |
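          SSH_PATH="$HOME/.ssh"

          # Make ~/.ssh owner-only before anything sensitive is written into it
          mkdir -p "$SSH_PATH"
          chmod 700 "$SSH_PATH"
          touch "$SSH_PATH/known_hosts"

          # umask 077 so the private key file is created owner-only from the start
          (umask 077; echo "$PRIVATE_KEY" > "$SSH_PATH/id_rsa")

          # ssh-keyscan records whichever host key is returned at scan time (trust on first use)
          ssh-keyscan github.com >> "$SSH_PATH/known_hosts"
          chmod 600 "$SSH_PATH/known_hosts"
          chmod 600 "$SSH_PATH/id_rsa"

          eval $(ssh-agent)
          ssh-add "$SSH_PATH/id_rsa"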

      - name: fastlane build and testflight deploy
        if: "!startsWith(github.event.head_commit.message, 'build') || !contains(github.event.head_commit.message, ' ***NO_CI***')"
        uses: maierj/fastlane-action@v0.10.0
        with:
          lane: 'appstore_testflight'
          subdirectory: 'ios'
        env:
          MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}
          FASTLANE_PASSWORD: ${{ secrets.FASTLANE_PASSWORD }}

6 Likes

We’re using match and Google Cloud Service to manage our certificates and profiles. We use secrets to pass the credentials and convert them to a file.

- name: Create keys from secrets
  run: echo "$KEYS" > ./gc_keys.json
  env:
    KEYS: ${{ secrets.KEYS }}

Then combine both automatic and manual signing as per fastlane doc here.

First specify the release’s provisioning profile in the build settings, then use this lane:

lane :release do
  sync_code_signing
  disable_automatic_code_signing(path: "my_project.xcodeproj")
  build_app
  enable_automatic_code_signing(path: "my_project.xcodeproj")
  upload_to_testflight
end

1 Like

True, I was also thinking in a similar way a couple of years back, but scaling to different flavors, channels of deployment, uploading symbols, automatic testing, screenshots, … so many things that are pack and parcel of a scalable deployment eventually turned out to be complicated for me. I was using XcodeBuild, Xcbuild etc. before, but Fastlane has a huge wealth of knowledge, especially on the iOS side of things. The community backing is also excellent. I still suggest you give it a try, and snapback to your methods.

@ikhsan I am also using Google Cloud Service to manage certificates and profiles. But I am unable to authenticate it when I run GitHub Actions.

Looks like you don’t have a Google Cloud gc_keys.json file yet. If you have one, make sure to put it into the ‘/Users/runner/runners/2.168.0/work/ios/ios’ directory and call it ‘gc_keys.json’.

And I am getting this error. How can I set Secrets in GitHub? Or how can I set env. variables in a workflow? Kindly let me know. Thanks!

This is doable on GH Actions (or any CI) without fastlane.

First, base64-encode your .p12 and provisioning profile, and add them as Secrets to your app’s repo.

Then follow the steps in this script:
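
The script this post points to is not included on this page. As an added example (not the poster's script, and not GitHub's or fastlane's own code), here is one way to carry out the approach described on a macOS runner: decode the base64 secrets into owner-only files, import the .p12 into a throwaway keychain, and install the provisioning profile. The variable names `P12_BASE64`, `PROFILE_BASE64`, `P12_PASSWORD` and `KEYCHAIN_PASSWORD` are assumptions for secrets mapped into the step's `env:`; `RUNNER_TEMP` is set by GitHub Actions.

```shell
#!/usr/bin/env bash
# Added example: install a signing identity on a macOS CI runner from secrets.
# Assumed env: P12_BASE64, PROFILE_BASE64, P12_PASSWORD, KEYCHAIN_PASSWORD.
set -euo pipefail

# Decode a base64 secret into a file that is created owner-only (mode 0600).
decode_secret() {  # usage: decode_secret <base64-text> <dest-path>
  ( umask 077; printf '%s' "$1" | base64 --decode > "$2" )
}

install_signing_assets() {
  local work="${RUNNER_TEMP:?RUNNER_TEMP is not set}"
  local p12="$work/cert.p12" profile="$work/app.mobileprovision"
  local keychain="$work/ci-signing.keychain-db"

  decode_secret "$P12_BASE64" "$p12"
  decode_secret "$PROFILE_BASE64" "$profile"

  # Throwaway keychain: the identity never touches the login keychain.
  security create-keychain -p "$KEYCHAIN_PASSWORD" "$keychain"
  security set-keychain-settings -lut 3600 "$keychain"  # lock on sleep / after 1 h
  security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$keychain"
  security import "$p12" -P "$P12_PASSWORD" -f pkcs12 \
    -T /usr/bin/codesign -k "$keychain"
  # Allow Apple's signing tools to use the key without a GUI prompt.
  security set-key-partition-list -S apple-tool:,apple: \
    -s -k "$KEYCHAIN_PASSWORD" "$keychain" >/dev/null
  security list-keychains -d user -s "$keychain"
  rm -f "$p12"  # the exported key file is not needed once imported

  mkdir -p "$HOME/Library/MobileDevice/Provisioning Profiles"
  mv "$profile" "$HOME/Library/MobileDevice/Provisioning Profiles/"
  security find-identity -v -p codesigning "$keychain"
}

# Call from a final step guarded by `if: always()` so the key does not outlive the job.
remove_signing_assets() {
  security delete-keychain "${RUNNER_TEMP:?}/ci-signing.keychain-db"
}

# Only act on a macOS runner that actually has the secrets in its environment.
if [ "$(uname)" = "Darwin" ] && [ -n "${P12_BASE64:-}" ]; then
  install_signing_assets
fi
```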