fastlane: Create temporary Keychain for iOS signing

This is a new approach to signing the iOS app by using a temporary Keychain created only for that specific build and unlocked in advance. By doing it this way we can avoid issues with `errSecInternalComponent` appearing when there is no UI to open a Keychain password prompt when running build in CI. I've described this problem in details in: https://github.com/fastlane/fastlane/issues/15185 Thanks to `codesign:` partition ID being added to key partition list by Fastlane `match` when importing a Keychain this approach now works: https://github.com/fastlane/fastlane/pull/17456 Signed-off-by: Jakub Sokołowski <jakub@status.im>
2025-02-22 23:58:30 +00:00 · 2020-10-27 13:18:10 +01:00 · 2020-10-27 13:18:10 +01:00 · 3b780f4ff2
commit 3b780f4ff2
parent d8eb33e330
7 changed files with 117 additions and 91 deletions
--- a/ci/Jenkinsfile.android
+++ b/ci/Jenkinsfile.android
@ -1,4 +1,4 @@
-library 'status-react-jenkins@v1.2.5'
+library 'status-react-jenkins@v1.2.6'
 pipeline {
  agent { label 'linux' }
--- a/ci/Jenkinsfile.combined
+++ b/ci/Jenkinsfile.combined
@ -1,4 +1,4 @@
-library 'status-react-jenkins@v1.2.5'
+library 'status-react-jenkins@v1.2.6'
 pipeline {
  agent { label 'linux' }
--- a/ci/Jenkinsfile.ios
+++ b/ci/Jenkinsfile.ios
@ -1,4 +1,4 @@
-library 'status-react-jenkins@v1.2.5'
+library 'status-react-jenkins@v1.2.6'
 pipeline {
  agent { label 'macos-xcode-11.5' }
--- a/ci/Jenkinsfile.nix-cache
+++ b/ci/Jenkinsfile.nix-cache
@ -1,4 +1,4 @@
-library 'status-react-jenkins@v1.2.5'
+library 'status-react-jenkins@v1.2.6'
 pipeline {
  agent { label params.AGENT_LABEL }
--- a/ci/tools/Jenkinsfile.fastlane-clean
+++ b/ci/tools/Jenkinsfile.fastlane-clean
@ -1,4 +1,4 @@
-library 'status-react-jenkins@v1.2.5'
+library 'status-react-jenkins@v1.2.6'
 pipeline {
  agent { label 'macos' }
--- a/ci/tools/Jenkinsfile.playstore-meta
+++ b/ci/tools/Jenkinsfile.playstore-meta
@ -1,4 +1,4 @@
-library 'status-react-jenkins@v1.2.5'
+library 'status-react-jenkins@v1.2.6'
 pipeline {
  agent { label 'linux' }
--- a/fastlane/Fastfile
+++ b/fastlane/Fastfile
@ -11,18 +11,6 @@
 # There are a few env variables defined in the .env file in
 # this directory (fastlane/.env)
 # unlocks keychain if KEYCHAIN_PASSWORD variable is present
 # (to be used on CI machines)
 def unlock_keychain_if_needed
  return unless ENV['KEYCHAIN_PASSWORD']
  unlock_keychain(
    path: 'login.keychain',
    password: ENV['KEYCHAIN_PASSWORD'],
    set_default: true
  )
 end
 def curl_upload(url, file, auth, conn_timeout = 5, timeout = 60, retries = 3)
  rval = sh(
    'curl',
@ -81,6 +69,38 @@ def upload_to_saucelabs(file)
  end
 end
 # Helper which acts like a Python context manager
 def with(ctx)
    yield ctx.setup
 ensure
    ctx.teardown
 end
 # Creates temporary keychain for build duration
 class Keychain
  attr_accessor :name, :path, :pass
  def initialize(name)
    # We use epoch time to void clashes with CI builds
    @name = "#{name}_#{Time.now.to_f}.keychain-db"
    @path = "~/Library/Keychains/#{@name}"
    @pass = rand().to_s
    Fastlane::Actions::CreateKeychainAction.run(
      name: @name,
      password: @pass,
      unlock: true,
      # Lock it up after 25 minutes just in case we don't delete it.
      timeout: 1500,
      # To make Fastlane import WWDR certificate into it.
      default_keychain: true,
    )
  end
  # for use in with()
  def setup; self end
  def teardown; Fastlane::Actions::DeleteKeychainAction.run(name: @name) end
 end
 # builds an ios app with ad-hoc configuration and put it
 # to "status-ios" output folder
 # `readonly`:
@ -95,30 +115,33 @@ def build_ios_adhoc(readonly: false, pr_build: false)
  scheme = pr_build ? 'StatusImPR' : 'StatusIm'
  app_id = pr_build ? 'im.status.ethereum.pr' : 'im.status.ethereum'
-  match(
+  with Keychain.new('adhoc') do |kc|
-    type: 'adhoc',
+    match(
-    force_for_new_devices: true,
+      type: 'adhoc',
-    readonly: readonly,
+      readonly: readonly,
-    app_identifier: app_id,
+      app_identifier: app_id,
-    keychain_name: 'login.keychain'
+      force_for_new_devices: true,
-  )
+      keychain_name: kc.name,
      keychain_password: kc.pass
    )
-  build_ios_app(
+    build_ios_app(
-    scheme: scheme,
+      scheme: scheme,
-    workspace: 'ios/StatusIm.xcworkspace',
+      workspace: 'ios/StatusIm.xcworkspace',
-    configuration: 'Release',
+      configuration: 'Release',
-    clean: true,
+      clean: true,
-    export_method: 'ad-hoc',
+      export_method: 'ad-hoc',
-    output_name: 'StatusIm',
+      output_name: 'StatusIm',
-    output_directory: 'status-ios',
+      output_directory: 'status-ios',
-    export_options: {
+      export_options: {
-      signingStyle: 'manual',
+        signingStyle: 'manual',
-      provisioningProfiles: {
+        provisioningProfiles: {
-        "im.status.ethereum": "match AdHoc im.status.ethereum",
+          "im.status.ethereum": "match AdHoc im.status.ethereum",
-        "im.status.ethereum.pr": "match AdHoc im.status.ethereum.pr"
+          "im.status.ethereum.pr": "match AdHoc im.status.ethereum.pr"
        }
      }
-    }
+    )
-  )
+  end
 end
 # builds an ios app with e2e configuration and put it
@ -128,34 +151,37 @@ def build_ios_e2e
  showsdks_output = sh('xcodebuild', '-showsdks')
  simulator_sdk = showsdks_output.scan(/iphonesimulator\d\d?\.\d\d?/).first
-  match(
+  with Keychain.new('adhoc') do |kc|
-    type: 'adhoc',
+    match(
-    force_for_new_devices: true,
+      type: 'adhoc',
-    readonly: true,
+      readonly: true,
-    keychain_name: 'login.keychain'
+      force_for_new_devices: true,
-  )
+      keychain_name: kc.name,
      keychain_password: kc.pass
    )
-  build_ios_app(
+    build_ios_app(
-    # Creating a build for the iOS Simulator
+      # Creating a build for the iOS Simulator
-    # 1. https://medium.com/rocket-fuel/fastlane-to-the-simulator-87549b2601b9
+      # 1. https://medium.com/rocket-fuel/fastlane-to-the-simulator-87549b2601b9
-    sdk: simulator_sdk,
+      sdk: simulator_sdk,
-    destination: 'generic/platform=iOS Simulator',
+      destination: 'generic/platform=iOS Simulator',
-    # 2. fixing compilations issues as stated in https://stackoverflow.com/a/20505258
+      # 2. fixing compilations issues as stated in https://stackoverflow.com/a/20505258
-    #    it looks like i386 isn't supported by React Native
+      #    it looks like i386 isn't supported by React Native
-    xcargs: 'ARCHS="x86_64" ONLY_ACTIVE_ARCH=NO',
+      xcargs: 'ARCHS="x86_64" ONLY_ACTIVE_ARCH=NO',
-    # 3. directory where to up StatusIm.app
+      # 3. directory where to up StatusIm.app
-    derived_data_path: 'status-ios',
+      derived_data_path: 'status-ios',
-    output_name: 'StatusIm.app',
+      output_name: 'StatusIm.app',
-    # -------------------------------------
+      # -------------------------------------
-    # Normal stuff
+      # Normal stuff
-    scheme: 'StatusIm',
+      scheme: 'StatusIm',
-    workspace: 'ios/StatusIm.xcworkspace',
+      workspace: 'ios/StatusIm.xcworkspace',
-    configuration: 'Release',
+      configuration: 'Release',
-    # Simulator apps can't be archived...
+      # Simulator apps can't be archived...
-    skip_archive: true,
+      skip_archive: true,
-    # ...and we don't need an .ipa file for them, because we use .app directly
+      # ...and we don't need an .ipa file for them, because we use .app directly
-    skip_package_ipa: true
+      skip_package_ipa: true
-  )
+    )
  end
  zip(
    path: 'status-ios/Build/Products/Release-iphonesimulator/StatusIm.app',
@ -181,7 +207,6 @@ platform :ios do
  desc 'It creates an .ipa that can be used by a list of devices, registeded in the App Store Connect.'
  desc 'This .ipa is ready to be distibuted through diawi.com'
  lane :adhoc do
    unlock_keychain_if_needed
    build_ios_adhoc(readonly: true)
  end
@ -189,47 +214,48 @@ platform :ios do
  desc 'This lane is used for SauceLabs end-to-end testing.'
  desc 'It creates an .app that can be used inside of a iPhone simulator.'
  lane :e2e do
    unlock_keychain_if_needed
    build_ios_e2e
  end
  desc '`fastlane ios pr` - makes a new pr build'
  desc 'This lane builds a new adhoc build and leaves an .ipa that is ad-hoc signed (can be uploaded to diawi)'
  lane :pr do
    unlock_keychain_if_needed
    build_ios_adhoc(pr_build: true)
  end
  desc '`fastlane ios nightly` - makes a new nightly'
  desc 'This lane builds a new nightly and leaves an .ipa that is ad-hoc signed (can be uploaded to diawi)'
  lane :nightly do
    unlock_keychain_if_needed
    build_ios_adhoc()
  end
  desc '`fastlane ios release` builds a release & uploads it to TestFlight'
  lane :release do
-    match(
+    with Keychain.new('adhoc') do |kc|
-      type: 'appstore',
+      match(
-      readonly: true,
+        type: 'appstore',
-      app_identifier: 'im.status.ethereum',
+        readonly: true,
-      keychain_name: 'login.keychain'
+        app_identifier: 'im.status.ethereum',
-    )
+        keychain_name: kc.name,
        keychain_password: kc.pass
      )
      build_ios_app(
        scheme: 'StatusIm',
        workspace: 'ios/StatusIm.xcworkspace',
        configuration: 'Release',
        clean: true,
        export_method: 'app-store',
        output_directory: 'status-ios',
        include_symbols: false,
        export_options: {
          "combileBitcode": true,
          "uploadBitcode": false,
          "ITSAppUsesNonExemptEncryption": false
        }
      )
    end
    build_ios_app(
      scheme: 'StatusIm',
      workspace: 'ios/StatusIm.xcworkspace',
      configuration: 'Release',
      clean: true,
      export_method: 'app-store',
      output_directory: 'status-ios',
      include_symbols: false,
      export_options: {
        "combileBitcode": true,
        "uploadBitcode": false,
        "ITSAppUsesNonExemptEncryption": false
      }
    )
    upload_to_testflight(
      ipa: 'status-ios/StatusIm.ipa',
      skip_waiting_for_build_processing: true