macOS cloud runner app signing

I could not find any documentation for macOS cloud runner build setup. There is no guide on how to set up or import an iOS distribution certificate or profile on a cloud runner. I have followed some GitHub guides, and those do not seem to work for GitLab.

Here is what I tried so far.

    # create temporary keychain
    - security create-keychain -p $KEYCHAIN_PASSWORD $KEYCHAIN_PATH
    - security set-keychain-settings -lu -t 216000 $KEYCHAIN_PATH
    - security unlock-keychain -p $KEYCHAIN_PASSWORD $KEYCHAIN_PATH

    # import certificate to keychain
    - security import Certificate_Profiles/Distribution_Certificate_Chr0next.p12 -P $IOS_P12_PASSWORD -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
    - security list-keychain -d user -s $KEYCHAIN_PATH

    # apply provisioning profile
    - mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
    - cp Certificate_Profiles/AppStore.mobileprovision ~/Library/MobileDevice/Provisioning\ Profiles

The archive fails with the error message below; it works fine if I run it on my local GitLab runner.

    ** ARCHIVE FAILED **
    The following build commands failed:
    	PhaseScriptExecution [CP]\ Embed\ Pods\ Frameworks /Users/gitlab/Library/Developer/Xcode/DerivedData/Chronext-fppnnvwqhitkbmevauzvohgmkssm/Build/Intermediates.noindex/ArchiveIntermediates/Chronext/IntermediateBuildFilesPath/Chronext.build/Release-iphoneos/Chronext.build/Script-6F0EE1FE5DBAEDF37214B4D7.sh

Still, the archive fails, and it seems the keychain is the issue. I am not even sure if GitLab has any kind of documentation for this; I tried and couldn’t find anything.

If anyone knows or has any idea, please feel free to share.


I’m not sure if you just used a dummy name for the provisioning profile, but when you “install” it (i.e. copy it to the right folder) it needs to be named by its UUID; you can see an example in this SO answer.

Copied here:

    # no spaces around "=" in a shell assignment, and none inside ${...}
    PROVISION_FILE="my_profile.mobileprovision"
    # decode the CMS-signed profile and pull the 36-character UUID out of the plist
    uuid=`security cms -D -i "${PROVISION_FILE}" | grep -aA1 UUID | grep -o "[-a-zA-Z0-9]\{36\}"`
    # Xcode looks the profile up by UUID, so the installed copy must carry that name
    cp "$PROVISION_FILE" ~/Library/MobileDevice/Provisioning\ Profiles/$uuid.mobileprovision

I’m confused about this too.

The GitLab docs mention Code signing for SaaS runners on macOS | GitLab, but I don’t want to use fastlane. I know what tools need to be used.

More importantly, how do I know how to unlock the keychain?

Your example shows $KEYCHAIN_PASSWORD and $KEYCHAIN_PATH.

Where are these coming from? Since the OS was set up by GitLab, how do we know what these values are? Are they set by default when we run the GitLab runners?

I’m talking about the gitlab shared runners atm.

Create a new keychain and use it?

      # create a job-specific keychain and make it the default
      - security create-keychain -p "password" "keychain/path/gitlab.keychain"
      - security default-keychain -s "keychain/path/gitlab.keychain"
      - security unlock-keychain -p "password" "keychain/path/gitlab.keychain"
      - security list-keychains
      # import the .p12 and allow codesign to use the key
      - security import "mycert.p12" -P password -A -t cert -f pkcs12 -k "keychain/path/gitlab.keychain" -T /usr/bin/codesign
      # let Apple's tools use the key without an interactive password prompt
      - |-
        security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "password" "keychain/path/gitlab.keychain"

      # install the profiles under their UUIDs
      - cp "ios-cert.mobileprovision" ~/Library/MobileDevice/Provisioning\ Profiles/${IOS_UUID}.mobileprovision
      - cp "tvos-cert.mobileprovision" ~/Library/MobileDevice/Provisioning\ Profiles/${TVOS_UUID}.mobileprovision
      # find and check valid code-signing certificates
      - security find-identity -p codesigning -v
      - export CODESIGN_ALLOCATE="$( xcrun --find codesign_allocate )"

and run your build. Alternatively, look up fastlane.
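The two replies above describe the same procedure from different ends: the UUID-named copy of the profile, and the job keychain with `set-key-partition-list` so that codesign never prompts. As an added example (this is not code from the thread, from GitLab or from Apple), here is a single POSIX shell script that joins the two. It assumes the keychain password and the .p12 password arrive as masked CI variables that the pipeline author defines (the names `KEYCHAIN_PASSWORD`, `P12_PASSWORD` and `KEYCHAIN_PATH` are hypothetical, not runner defaults), and the function names are mine. The two plist-parsing helpers are plain text processing so they can be checked on any system; the other functions call `security` and only make sense on the macOS runner.

```shell
#!/bin/sh
# Added example: ephemeral signing keychain plus UUID-named profile install.
# Variable names such as KEYCHAIN_PASSWORD / P12_PASSWORD are assumed to be
# masked CI variables defined by the pipeline author (hypothetical names).
set -eu

# Pull the UUID out of a decoded provisioning-profile plist read from stdin.
# The value is the <string> element that follows <key>UUID</key>, either on
# the same line or on the next one.
extract_profile_uuid() {
    awk '/<key>UUID<\/key>/ { if ($0 !~ /<string>/) getline;
         sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit }'
}

# Same idea for the expiry date, to fail early on a stale profile.
extract_profile_expiry() {
    awk '/<key>ExpirationDate<\/key>/ { if ($0 !~ /<date>/) getline;
         sub(/.*<date>/, ""); sub(/<\/date>.*/, ""); print; exit }'
}

# Job-specific keychain: created per build and deleted at the end, so the
# private key and its password do not outlive the job on a shared runner.
setup_keychain() {
    keychain="${1:?keychain path}"; password="${2:?keychain password}"
    security create-keychain -p "$password" "$keychain"
    security set-keychain-settings -lu -t 21600 "$keychain"   # relock after 6h
    security unlock-keychain -p "$password" "$keychain"
    # Put the job keychain first in the search list, keep the existing ones.
    # shellcheck disable=SC2046  (word splitting of the path list is intended)
    security list-keychains -d user -s "$keychain" \
        $(security list-keychains -d user | tr -d '"')
}

# Import the .p12 and let codesign use the key without a password prompt;
# without set-key-partition-list the archive step hangs waiting for input.
import_signing_identity() {
    keychain="$1"; password="$2"; p12="$3"; p12_password="$4"
    security import "$p12" -P "$p12_password" -A -t cert -f pkcs12 \
        -k "$keychain" -T /usr/bin/codesign -T /usr/bin/security
    security set-key-partition-list -S apple-tool:,apple:,codesign: \
        -s -k "$password" "$keychain" >/dev/null
    security find-identity -p codesigning -v "$keychain"
}

# Decode the CMS-signed profile, name the installed copy by its UUID.
install_profile() {
    profile="$1"
    dest="$HOME/Library/MobileDevice/Provisioning Profiles"
    decoded=$(security cms -D -i "$profile")
    uuid=$(printf '%s\n' "$decoded" | extract_profile_uuid)
    expiry=$(printf '%s\n' "$decoded" | extract_profile_expiry)
    mkdir -p "$dest"
    cp "$profile" "$dest/$uuid.mobileprovision"
    echo "installed $profile as $uuid.mobileprovision (expires $expiry)"
}

# Run from after_script so it happens even when the build fails.
teardown_keychain() {
    security delete-keychain "$1"
}

# Usage inside the job (not executed here; the runner supplies the variables):
#   setup_keychain "$KEYCHAIN_PATH" "$KEYCHAIN_PASSWORD"
#   import_signing_identity "$KEYCHAIN_PATH" "$KEYCHAIN_PASSWORD" dist.p12 "$P12_PASSWORD"
#   install_profile AppStore.mobileprovision
#   xcodebuild archive ...
#   teardown_keychain "$KEYCHAIN_PATH"
```

Keep the job-keychain password out of the log (`set +x` around these calls if the job script echoes commands) and store it, like the .p12 password, as a masked CI variable rather than a literal in `.gitlab-ci.yml`.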