Menu
Before you get mad at my question, I know there is not one best way to setup Fastlane, but I would like to understand better the different approaches that you can take when you start using it.
I am setting up Fastlane for a project. Now I only have it on my local machine but I would like to set it up on a CI environment (in my case GitLab-CI, but I guess it is not that important).
Disclosure, I am not only newbie on setting up Fastlane but also on setting up by myself a CI (I have used both of them though, π )
After reading the documentation for code sign (https://docs.fastlane.tools/codesigning/getting-started/) I can see the different alternatives but I am not sure what are the limitations of each of them on a CI environment. In summary, what would be good practice to sign the builds when: submitting to Testflight, running unit tests, submitting to the AppStore, and so on.
The options are:
matchcert and sigh My dissertation so far:
match:
match to have a working development profile. Not sure about the benefit to release to Testflight/Appstore.cert and sigh:
To use it just requires a couple of lines before build_app:
get_certificates # cert
get_provisioning_profile # sigh
build_app
It downloads the certificate and profile in the root of the project.
Xcode codesigning feature:
Give to the build_app extra parameter:
build_app(workspace: "Chordify.xcworkspace", scheme: "Chordify", export_xcargs: "-allowProvisioningUpdates")
This is equivalent as having Automatically Manage Signing on Xcode (but on command line is disabled by default)
Manually:
Fastlane has a set of real examples so you can see their Fastfile, Appfile, Gymfile, Metadata, ... (https://github.com/fastlane/examples). This is awesome, however, there is no common pattern and I cannot see the reasons they went for this or that approach.
Other general questions I have regarding code signing with Fastlane:
Do we need the Appfile with apple ID to be there? In that case it would make sense to create a specific ID just for this purpose, right? A developer role, for example?
Security vs practicality vs ease of use/setup. Are these concepts tight to one method or the other?
What is best in what context? (think of big vs small teams; everybody should be able to use it vs there should be some security constraints; need of CI integration; ...)
Last but not least... Are there any special considerations for a CI environment regarding code signing?
279
fastlane works very well in Continuous Integration setups. It for example automatically generates a JUnit report for you that allows Continuous Integration systems, like Jenkins , access the results of your deployment.
Automatic code signing means automatically managing the provisioning profiles that are available on your Apple Developer Portal account. If you set up some form of authentication to your Apple account, Bitrise can download and install the provisioning profile for your app during the build process.
Use the match_nuke action to revoke your certificates and provisioning profiles. Don't worry, apps that are already available in the App Store / TestFlight will still work. Builds distributed via Ad Hoc or Enterprise will be disabled after nuking your account, so you'll have to re-upload a new build.
The concept of match is described in the codesigning guide. With match you store your private keys and certificates in a git repo to sync them across machines. This makes it easy to onboard new team-members and set up new Mac machines. This approach is secure and uses technology you already use.
Even though this was asked a long time ago and the question is very broad, I suggest reading this article I've written that cover most of your questions: https://medium.com/revelo-tech/setting-up-automatic-ios-release-with-fastlane-and-match-on-ci-cd-server-16c3f1d79bc5
But let me highlight a few of the questions and answers:
I know that with existing project it revokes the current certificates. Does it mean only the first time?
Usually yes, but you can regenerate them anytime you want or need (such as when, for example, your certificates are leaked).
What are the pitfalls of current certificates being revoked if Fastlane already uses the new ones?
This is not a big deal. These certificates don't work the same as the Android signing Keystore, and they can be easily swapped.
When I was discussing this with my Android colleague he was very surprised to use a versioning system to store certificates.
It seemed weird for me as well, but the above answer helps to explain it. The android signing config doesn't change often and it's not easy to replace it in case it leaks. Besides that the iOS certificates work differently because they need to be regenerated if a new device is added to the list of allowed devices to install the app.
I guess there should be a way to specify where to put them instead of there, maybe? We should ignore this files or clean the repository after that. I don't think they should be commited to the repository.
"The provisioning profiles are installed in ~/Library/MobileDevice/Provisioning Profiles while the certificates and private keys are installed in your Keychain." (from the fastlane docs) Hence there's no need to clear the repo or worry about it.
Xcode codesigning feature:
The best way when using fastlane match is to use manually configured signing and refer to the article above. Basically after getting the certificates from the repo, you can select them on the Xcode. It usually starts with match ...
146
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
