ci: fix iOS signing, use same keychain name

Using different temporary keychains does not work if we do not set
`default_keychain=true`, because `codesign` then can't find the cert:
```
error: No signing certificate "iOS Distribution" found: No "iOS Distribution" signing certificate matching team ID
```
But if we set `default_keychain=true` then we cause a race condition
when the keychain is deleted by a parallel job while another is using it
as its default.

For this reason we have to use a static keychain name and keep it
between builds.

I tried disabling `default_keychain=true` in #11378 but it worked only
because the default user keychain already had the cert.

Signed-off-by: Jakub Sokołowski <jakub@status.im>
Signed-off-by: Andrea Maria Piana <andrea.maria.piana@gmail.com>

ci/Jenkinsfile.android

@@ -1,4 +1,4 @@
-library 'status-react-jenkins@v1.2.6'
+library 'status-react-jenkins@v1.2.5'
 
 pipeline {
   agent { label 'linux' }

ci/Jenkinsfile.combined

@@ -1,4 +1,4 @@
-library 'status-react-jenkins@v1.2.6'
+library 'status-react-jenkins@v1.2.5'
 
 pipeline {
   agent { label 'linux' }

ci/Jenkinsfile.ios

@@ -1,4 +1,4 @@
-library 'status-react-jenkins@v1.2.6'
+library 'status-react-jenkins@v1.2.5'
 
 pipeline {
   agent { label 'macos-xcode-11.5' }

ci/Jenkinsfile.nix-cache

@@ -1,4 +1,4 @@
-library 'status-react-jenkins@v1.2.6'
+library 'status-react-jenkins@v1.2.5'
 
 pipeline {
   agent { label params.AGENT_LABEL }

ci/tools/Jenkinsfile.fastlane-clean

@@ -1,4 +1,4 @@
-library 'status-react-jenkins@v1.2.6'
+library 'status-react-jenkins@v1.2.5'
 
 pipeline {
   agent { label 'macos' }

ci/tools/Jenkinsfile.playstore-meta

@@ -1,4 +1,4 @@
-library 'status-react-jenkins@v1.2.6'
+library 'status-react-jenkins@v1.2.5'
 
 pipeline {
   agent { label 'linux' }

fastlane/Fastfile

@@ -69,36 +69,30 @@ def upload_to_saucelabs(file)
   end
 end
 
-# Helper which acts like a Python context manager
+# Creates and unlocks a keychain into which Fastlane match imports signing keys and certs.
-def with(ctx)
-    yield ctx.setup
-ensure
-    ctx.teardown
-end
-
-# Creates temporary keychain for build duration
 class Keychain
-  attr_accessor :name, :path, :pass
+  attr_accessor :name, :pass
 
   def initialize(name)
-    # We use epoch time to void clashes with CI builds
+    # Local devs will not have KEYCHAIN_PASSWORD set, and will be prompted for password.
-    @name = "#{name}_#{Time.now.to_f}.keychain-db"
+    return "login.keychain-db" unless ENV['KEYCHAIN_PASSWORD']
-    @path = "~/Library/Keychains/#{@name}"
+    # We user the same keychain every time because we need to set a default.
-    @pass = rand().to_s
+    @name = "#{name}.keychain-db"
+    @pass = ENV['KEYCHAIN_PASSWORD']
     Fastlane::Actions::CreateKeychainAction.run(
       name: @name,
       password: @pass,
       unlock: true,
+      # Fastlane can't find the signing cert without setting a default.
+      default_keychain: true,
+      # Deleting the keychain would cause race condition for parallel jobs.
+      require_create: false,
       # Lock it up after 25 minutes just in case we don't delete it.
-      timeout: 1500,
+      lock_when_sleeps: true,
-      # Setting a default can cause a race condition with parallel jobs.
+      lock_after_timeout: true,
-      default_keychain: false,
+      timeout: 1500
     )
   end
-
-  # for use in with()
-  def setup; self end
-  def teardown; Fastlane::Actions::DeleteKeychainAction.run(name: @name) end
 end
 
 # builds an ios app with ad-hoc configuration and put it
@@ -115,7 +109,8 @@ def build_ios_adhoc(readonly: false, pr_build: false)
   scheme = pr_build ? 'StatusImPR' : 'StatusIm'
   app_id = pr_build ? 'im.status.ethereum.pr' : 'im.status.ethereum'
 
-  with Keychain.new('adhoc') do |kc|
+  kc = Keychain.new('fastlane')
+
   match(
     type: 'adhoc',
     readonly: readonly,
@@ -142,7 +137,6 @@ def build_ios_adhoc(readonly: false, pr_build: false)
     }
   )
 end
-end
 
 # builds an ios app with e2e configuration and put it
 # to "status-ios" output folder
@@ -151,7 +145,8 @@ def build_ios_e2e
   showsdks_output = sh('xcodebuild', '-showsdks')
   simulator_sdk = showsdks_output.scan(/iphonesimulator\d\d?\.\d\d?/).first
 
-  with Keychain.new('adhoc') do |kc|
+  kc = Keychain.new('fastlane')
+
   match(
     type: 'adhoc',
     readonly: true,
@@ -181,7 +176,6 @@ def build_ios_e2e
     # ...and we don't need an .ipa file for them, because we use .app directly
     skip_package_ipa: true
   )
-  end
 
   zip(
     path: 'status-ios/Build/Products/Release-iphonesimulator/StatusIm.app',
@@ -231,7 +225,8 @@ platform :ios do
 
   desc '`fastlane ios release` builds a release & uploads it to TestFlight'
   lane :release do
-    with Keychain.new('adhoc') do |kc|
+    kc = Keychain.new('fastlane')
+
     match(
       type: 'appstore',
       readonly: true,
@@ -254,7 +249,6 @@ platform :ios do
         "ITSAppUsesNonExemptEncryption": false
       }
     )
-    end
 
     upload_to_testflight(
       ipa: 'status-ios/StatusIm.ipa',