macOS keychain access

I’m trying to move our iOS CI over to GitHub Actions but I’m running into some issues building. These issues (fastlane just hangs when gym runs) seem to arise when using match.

Here’s the log that makes me think it’s keychain related

WARN [2019-09-26 13:46:14.52]: Could not configure imported keychain item (certificate) to prevent UI permission popup when code signing
Check if you supplied the correct keychain_password for keychain: /Users/runner/Library/Keychains/login.keychain-db
security: SecKeychainItemSetAccessWithPassword: The user name or passphrase you entered is not correct.

The docs say sudo is passwordless so I assumed the same for keychain. I seem to be wrong but I can’t find anything in the docs for it. Any help would be great.


Having the same issue - it seems there’s no way to access the login/system keychain. Creating a new keychain - while it helps with certificate/profile installs - still doesn’t allow it to access the system keychain which houses the WWDR root cert.

Make sure you are running Fastlane 2.131+ and simply add the setup_ci action before your match one like this:

# We have to specify `travis` here for now to have this action do something
# See: https://github.com/fastlane/fastlane/issues/15445
setup_ci(
  provider: "travis"
)

> https://docs.fastlane.tools/actions/setup_ci/

Unfortunately this did not resolve the issue. While the profiles/certs say they install correctly they cannot be found when trying to build an archive. Running the lane locally is fine. Note this is with Xcode 11 and a project w/Swift Packages but that doesn’t seem to be an issue when just building for tests.

No profiles for ‘<redacted>’ were found: Xcode couldn’t find any iOS App Development provisioning profiles matching ‘<redacted>’. Automatic signing is disabled and unable to generate a profile. To enable automatic signing, pass -allowProvisioningUpdates to xcodebuild. (in target ‘<redacted>’ from project ‘<redacted>’)

Fastfile for reference:

# Documentation: https://docs.fastlane.tools
# Available actions: https://docs.fastlane.tools/actions
# Plugins: https://docs.fastlane.tools/plugins/available-plugins

update_fastlane

# Runs unit tests
lane :test do
  setup_ci(provider: "travis")

  match(type: "development")

  cocoapods

  scan(devices: ["iPhone 11 Pro"], scheme: "REDACTED (Production)")
end

# Makes App Store compatible binary
lane :archive_and_export do
  setup_ci(provider: "travis")

  match(type: "development")
  match(type: "appstore")

  cocoapods

  increment_build_number(
    build_number: latest_testflight_build_number + 1,
    xcodeproj: "REDACTED.xcodeproj"
  )
  build_app(scheme: "REDACTED (Production)", export_options: { method: "app-store" }, clean: true)
  upload_to_testflight
end

Here is my workaround. You should create a new keychain and install the cert and provisioning file.

Fastlane setting:

platform :ios do
  desc "Build release"
  lane :build_release do
    cocoapods()
    if is_ci
      # Create a dedicated, unlocked keychain for this CI run
      create_keychain(
        name: "CI",
        password: ENV["MATCH_PASSWORD"],
        default_keychain: true,
        unlock: true,
        timeout: 3600,
        lock_when_sleeps: false
      )
      # Install the certificate and profile into that keychain
      match(
        type: "appstore",
        readonly: true,
        keychain_name: "CI",
        keychain_password: ENV["MATCH_PASSWORD"]
      )
      # Print the keychain search list and signing identities to the build log
      sh("security list-keychains -d user")
      sh("security default-keychain -d user")
      sh("security find-identity -v -p codesigning CI")
      disable_automatic_code_signing(
        path: "Runner.xcodeproj",
        # Pass the value of the variable, not a quoted string
        team_id: ENV["TEAM_ID"]
      )
      update_project_provisioning(
        xcodeproj: "Runner.xcodeproj",
        target_filter: "Runner",
        profile: ENV["sigh_myappid_appstore_profile-path"],
        code_signing_identity: "Apple Distribution: MY Corp. (TEAMI)",
      )
    else
      match(
        type: "appstore",
        readonly: true
      )
    end
    gym(
      workspace: "Runner.xcworkspace",
      scheme: "Runner",
      export_method: "app-store",
    )
  end
end

GitHub Actions setting:

name: App-iOS

on:
  push:
    branches:
      - master

jobs:
  ios-testflight:
    name: iOS Testflight
    runs-on: macOS-latest
    steps:
      - name: Force xcode 11
        run: sudo xcode-select -switch /Applications/Xcode_11.1.app

      - uses: actions/checkout@v1

      - uses: actions/setup-java@v1
        with:
          java-version: '12.x'

      - uses: subosito/flutter-action@v1
        with:
          channel: 'stable'

      - name: flutter pub get
        run: flutter pub get

      # https://github.com/hashicorp/terraform-github-actions/issues/39
      - name: Setup SSH Keys and known_hosts for fastlane match
        env:
          PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
        # Copied from https://github.com/maddox/actions/blob/master/ssh/entrypoint.sh
        run: |
          SSH_PATH="$HOME/.ssh"

          mkdir -p "$SSH_PATH"
          touch "$SSH_PATH/known_hosts"

          echo "$PRIVATE_KEY" > "$SSH_PATH/id_rsa"

          chmod 700 "$SSH_PATH"
          ssh-keyscan github.com >> ~/.ssh/known_hosts
          chmod 600 "$SSH_PATH/known_hosts"
          chmod 600 "$SSH_PATH/id_rsa"

          eval $(ssh-agent)
          ssh-add "$SSH_PATH/id_rsa"

      - name: fastlane build and testflight deploy
        if: "!startsWith(github.event.head_commit.message, 'build') || !contains(github.event.head_commit.message, ' ***NO_CI***')"
        uses: maierj/fastlane-action@v0.10.0
        with:
          lane: 'appstore_testflight'
          subdirectory: 'ios'
        env:
          MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}
          FASTLANE_PASSWORD: ${{ secrets.FASTLANE_PASSWORD }}

I was able to get it to work - I missed a step and didn’t have the provisioning profile explicitly set in the project.
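
The same approach as the workaround above (a dedicated keychain instead of `login.keychain-db`), written as plain `security` commands; this is an added example, not code from any poster in this thread or from fastlane. It goes beyond the thread by generating a random per-job keychain password instead of reusing `MATCH_PASSWORD` and by deleting the keychain afterwards. The keychain name, the `.p12` path and its passphrase are placeholders, and `DRY_RUN=1` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (constructed): per-job signing keychain on a macOS CI runner.
# KEYCHAIN, the .p12 path and its passphrase are placeholders, not values
# taken from the thread.

KEYCHAIN="${KEYCHAIN:-$HOME/Library/Keychains/ci-signing.keychain-db}"
LOGIN_KEYCHAIN="$HOME/Library/Keychains/login.keychain-db"

# Run one `security` subcommand, or only print it when DRY_RUN=1.
# Dry-run output includes every argument, so use dummy values with it.
sec() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "security $*"
  else
    security "$@"
  fi
}

# 128 random bits as hex: a throwaway password that exists only for this job.
new_keychain_password() {
  od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# $1 = keychain password, $2 = path to .p12, $3 = .p12 passphrase
setup_ci_keychain() {
  sec create-keychain -p "$1" "$KEYCHAIN" &&
  # Relock after one hour of inactivity; do not lock on sleep.
  sec set-keychain-settings -t 3600 -u "$KEYCHAIN" &&
  sec unlock-keychain -p "$1" "$KEYCHAIN" &&
  # Only codesign is added to the imported key's access list.
  sec import "$2" -k "$KEYCHAIN" -P "$3" -T /usr/bin/codesign &&
  # Allow Apple tools to use the key without a UI prompt. This needs the
  # keychain's own password, which is why a keychain we created is used.
  sec set-key-partition-list -S apple-tool:,apple: -s -k "$1" "$KEYCHAIN" &&
  # Add the new keychain to the search list and keep the login keychain.
  sec list-keychains -d user -s "$KEYCHAIN" "$LOGIN_KEYCHAIN" &&
  # Verify that a valid code signing identity is visible.
  sec find-identity -v -p codesigning "$KEYCHAIN"
}

# Remove the keychain, and the private key inside it, when the job ends.
teardown_ci_keychain() {
  sec delete-keychain "$KEYCHAIN"
}
```

Source the file in the signing step, and run `teardown_ci_keychain` in a final step with `if: always()` so the keychain is removed even when the build fails.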