Could not find a matching code signing identity for type 'AdHoc'. You can use cert to generate one

[dlxxl06]

New Issue Checklist

• Updated fastlane to the latest version
• I read the Contribution Guidelines
• I read docs.fastlane.tools
• I searched for existing GitHub issues

Issue Description

Complete output when running fastlane, including the stack trace and command used

No existing profiles found, that match the certificates you have installed locally! Creating a new provisioning profile for you
WARN [2017-12-07 18:10:40.07]: No certificates for filter: Certificate ID: 'NGMBD6E3T8'
ERROR [2017-12-07 18:11:40.09]: Unable to send the crash report.
ERROR [2017-12-07 18:11:40.09]: Please open an issue on GitHub if you need help!

Environment

fastlane --version 2.68.0 match 2.68.0 sigh 2.68.0

this is a enterprise account

match(type: "#{type}",
verbose: true,
force: true,
app_identifier: "#{app_identifier}",
git_branch: ENV['MATCH_INHOUSE_BRANCH'],
clone_branch_directly: true,
force_for_new_devices: true,
provisioning_name: "#{provisioning_name}",
username: "dlxdell@hotmail.com",
team_id: "SHDWRXPG6N")

[fastlane-bot]

It seems like this issue might be related to code signing 🚫

Have you seen our new Code Signing Troubleshooting Guide? It will help you resolve the most common code signing issues 👍

[fastlane-bot]

It seems like you have not included the output of fastlane env

To make it easier for us help you resolve this issue, please update the issue to include the output of fastlane env 👍

[dlxxl06]

i found this bug in match/runner.rb file

in line 170

def certificates_for_profile_and_platform
      case Sigh.config[:platform].to_s
      when 'ios', 'tvos'
        if profile_type == Spaceship.provisioning_profile.Development
          certificates = Spaceship.certificate.development.all
        elsif profile_type == Spaceship.provisioning_profile.InHouse
          certificates = Spaceship.certificate.in_house.all
        else
          certificates = Spaceship.certificate.production.all # Ad hoc or App Store
          **certificates = certificates | Spaceship.certificate.in_house.all #I add this line** 
        end

[ohayon]

Thanks for finding the code @dlxxl06 ! Could you point to which line it is exactly? I'm seeing a different line 70 on master than this code snippet you shared. 🚀

[akamud]

Is this fixed and released? I'm having the same issue with an enterprise account generating AdHoc profile.

[WennderSantos]

Hey!
Same here. Any update?

[akamud]

Feedback please?

[polmum]

Hey! I'm also having the same issue (an enterprise account trying to generate an AdHoc profile). The problem seems to be the one mentioned by @dlxxl06, and adding the code line he is proposing after line 180 in the following snippet should fix the issue.

fastlane/sigh/lib/sigh/runner.rb

Lines 174 to 181 in 181a4c1

	when 'ios', 'tvos'
	if profile_type == Spaceship.provisioning_profile.Development
	certificates = Spaceship.certificate.development.all
	elsif profile_type == Spaceship.provisioning_profile.InHouse
	certificates = Spaceship.certificate.in_house.all
	else
	certificates = Spaceship.certificate.production.all # Ad hoc or App Store
	end

[joshdholtz]

@polmum Thanks for linking that! Will look into 👀

[fastlane-bot]

There hasn't been any activity on this issue recently. Due to the high number of incoming GitHub notifications, we have to clean some of the old issues, as many of them have already been resolved with the latest updates.

Please make sure to update to the latest fastlane version and check if that solves the issue. Let us know if that works for you by adding a comment 👍

[akamud]

This has not been fixed and there is a code proposed as fix. It looks to me that a maintainer has to decide if it makes sense to add that code.

[joshdholtz]

Hey all 👋 I made what I think is a fix for how match will handle enterprise adhoc-ness ^ If you want to check it out that would be ❤️

[thebarndog]

Hmmm I'm still running into this issue @joshdholtz. I haven't seen this before, it definitely has to do with match and enterprise accounts creating adhoc certs. I'm on version 2.94.0. I ran bundle exec fastlane match nuke distribution and got the message that says there's nothing to nuke and then tried running bundle exec fastlane match adhoc and got the above message. It looks like cert generates and installs the certificate but then sigh can't find it later.

Here's the output when I run it:

[17:32:04]: Successfully loaded '/Users/brendan/Github/MY_PROJECT/fastlane/Matchfile' 📄
+----------------+------------------------------------------+

|        Detected Values from './fastlane/Matchfile'        |

+----------------+------------------------------------------+

| git_url        | https://github.com/somecompany/mobile-certs |

| git_branch     | ios-repo                               |

| type           | enterprise                               |

| app_identifier | [BUNDLE_IDENTIFIER]           |

| username       | admin@somecompany.com                       |

| team_id        | TEAM_ID                               |

| readonly       | false                                    |

| platform       | ios                                      |

+----------------+------------------------------------------+
+-----------------------+------------------------------------------+

|                     Summary for match 2.94.0                     |

+-----------------------+------------------------------------------+

| type                  | adhoc                                    |

| git_url               | https://github.com/somecompany/mobile-certs |

| git_branch            | ios-repo                              |

| app_identifier        | [BUNDLE_ID]           |

| username              | admin@somecompany.com                       |

| keychain_name         | login.keychain                           |

| readonly              | false                                    |

| team_id               | TEAM_ID                               |

| verbose               | false                                    |

| force                 | false                                    |

| skip_confirmation     | false                                    |

| shallow_clone         | false                                    |

| clone_branch_directly | false                                    |

| force_for_new_devices | false                                    |

| skip_docs             | false                                    |

| platform              | ios                                      |

+-----------------------+------------------------------------------+
[17:32:04]: Cloning remote git repo...

[17:32:04]: If cloning the repo takes too long, you can use the clone_branch_directly option in match.

[17:32:05]: Checking out branch ios-repo...

[17:32:05]: 🔓  Successfully decrypted certificates repo

[17:32:05]: Verifying that the certificate and profile are still valid on the Dev Portal...

[17:32:06]: Couldn't find a valid code signing identity in the git repo for distribution... creating one for you now
+---------------+----------------------------------------------------+

|                      Summary for cert 2.94.0                       |

+---------------+----------------------------------------------------+

| development   | false                                              |

| force         | true                                               |

| username      | admin@somecompany.com                                 |

| team_id       | TEAM_ID                                        |

| keychain_path | /Users/brendan/Library/Keychains/login.keychain-db |

| platform      | ios                                                |

+---------------+----------------------------------------------------+
[17:32:06]: Starting login with user 'admin@somecompany.com'

[17:32:08]: Successfully logged in

[17:32:09]: Successfully generated CERT_ID which was imported to the local machine.

[17:32:10]: Verifying the certificate is properly installed locally...

[17:32:10]: Successfully installed certificate CERT_ID
+-------------------------------------+----------------------------------------+

|                           Summary for sigh 2.94.0                            |

+-------------------------------------+----------------------------------------+

| app_identifier                      | BUNDLE_IDENTIFIER             |

| username                            | admin@somecompany.com                     |

| force                               | true                                   |

| cert_id                             | CERT_ID                             |

| provisioning_name                   | match AdHoc somecompany.App |

| ignore_profiles_with_different_name | true                                   |

| team_id                             | TEAM_ID                             |

| platform                            | ios                                    |

| adhoc                               | true                                   |

| development                         | false                                  |

| skip_install                        | false                                  |

| skip_fetch_profiles                 | false                                  |

| skip_certificate_verification       | false                                  |

| readonly                            | false                                  |

+-------------------------------------+----------------------------------------+
[17:32:10]: Starting login with user 'admin@somecompany.com'

[17:32:11]: Successfully logged in

[17:32:11]: Fetching profiles...

[17:32:12]: Verifying certificates...

[17:32:12]: No existing profiles found, that match the certificates you have installed locally! Creating a new provisioning profile for you

[17:32:12]: No certificates for filter: Certificate ID: 'CERT_ID'
[!] Could not find a matching code signing identity for type 'AdHoc'. It is recommended to use match to manage code signing for you, more information on https://codesigning.guide. If you don't want to do so, you can also use cert to generate a new one: https://fastlane.tools/cert

When I run bundle exec fastlane match adhoc --verbose there's some interesting tidbits:

INFO [2018-05-04 17:38:04.49]: $ security import /var/folders/75/0wbpwdwx57n2z6xny5v54b1c0000gn/T/d20180504-43786-1m62zx/certs/distribution/TJ3TY8CM59.p12 -k '/Users/brendan/Library/Keychains/login.keychain-db' -P '' -T /usr/bin/codesign -T /usr/bin/security
INFO [2018-05-04 17:38:04.59]: ▸ 1 key imported.
INFO [2018-05-04 17:38:04.61]: $ security set-key-partition-list -S apple-tool:,apple: -k '' /Users/brendan/Library/Keychains/login.keychain-db
security: SecKeychainItemSetAccessWithPassword: The user name or passphrase you entered is not correct.

INFO [2018-05-04 17:38:04.70]: ▸ 1 certificate imported.
INFO [2018-05-04 17:38:04.72]: $ security set-key-partition-list -S apple-tool:,apple: -k '' /Users/brendan/Library/Keychains/login.keychain-db
security: SecKeychainItemSetAccessWithPassword: The user name or passphrase you entered is not correct.

Importing the key and cert both succeed but this message is printed out to the console. This also gets printed:

bundler: failed to load command: fastlane (/Users/brendan/Github/MY_PROJECT/vendor/ruby/2.3.0/bin/fastlane)

[thebarndog]

@joshdholtz I did a bit more digging, it looks like maybe it's a bug in Spaceship. I UI.important(Spaceship.certificate.production.all) and that was empty despite cert creating one and the filter later being derived. I'll look into it some more this weekend and see what I can find.

[thebarndog]

I was able to figure it out! Turns out the bug is in Sigh and how it uses Spaceship.

First, to get certs, there's a call to https://developer.apple.com/services-account/PLATFORM_ID/account/ios/certificate/listCertRequests.action that happens. The parameters for that request are teamId, pageSize, pageNumber, sort, and types. For enterprise accounts (note: accounts, not certificates or profiles, the entire account/team is an In-House team), when you query this endpoint after authenticating with a value of R58UK2EWSO for types, which is the certificate identifier that Spaceship has defined for Production in this mapping:

 IOS_CERTIFICATE_TYPE_IDS = {
        "5QPB9NHCEI" => Development,
        "R58UK2EWSO" => Production,
        "9RQEK7MSXA" => InHouse,
        "LA30L5BJEU" => Certificate,
        "BKLRAVXMGM" => DevelopmentPush,
        "UPV3DW712I" => ProductionPush,
        "Y3B2F3TYSI" => Passbook,
        "3T2ZP62QW8" => WebsitePush,
        "E5D663CMZW" => VoipPush,
        "4APLUP237T" => ApplePay
      }

the list returns empty so it was failing despite the certificate existing in the developer portal. I went through and tried a couple different ones and it turns out if you're trying to fetch an adhoc certificate from an enterprise account, you can get it but only if the value of types is 9RQEK7MSXA or InHouse. The fix is really easy actually, I just added this:

elsif profile_type == Spaceship.provisioning_profile.AdHoc && Spaceship.client.in_house?
     certificates = Spaceship.certificate.in_house.all
else

in this method (runner.rb: 172, the last elsif clause under ios, tvos):

def certificates_for_profile_and_platform
      case Sigh.config[:platform].to_s
      when 'ios', 'tvos'
        if profile_type == Spaceship.provisioning_profile.Development
          certificates = Spaceship.certificate.development.all
        elsif profile_type == Spaceship.provisioning_profile.InHouse
          certificates = Spaceship.certificate.in_house.all
        elsif profile_type == Spaceship.provisioning_profile.AdHoc && Spaceship.client.in_house?
          certificates = Spaceship.certificate.in_house.all
        else
          certificates = Spaceship.certificate.production.all # Ad hoc or App Store
        end

      when 'macos'
        if profile_type == Spaceship.provisioning_profile.Development
          certificates = Spaceship.certificate.mac_development.all
        elsif profile_type == Spaceship.provisioning_profile.AppStore
          certificates = Spaceship.certificate.mac_app_distribution.all
        elsif profile_type == Spaceship.provisioning_profile.Direct
          certificates = Spaceship.certificate.developer_id_application.all
        else
          certificates = Spaceship.certificate.mac_app_distribution.all
        end
      end

When that happens, both the adhoc and enterprise certificate we use returned from the API call and match was able to set up adhoc certificates successfully. I can put up a PR that fixes this if that sounds good @KrauseFx @joshdholtz

[joshdholtz]

@startupthekid Great find! If you want to put up a PR for this and mention me that would be ❤️ I would be happy to test it out 🙃

_{Sent with GitHawk}

[thebarndog]

Definitely! I'll get that up today.

[dkpalmer]

+1. Just ran into this.

[thebarndog]

Addressed in #12467