Hide find-certificate output when using cert #21351

Open
RaedShari opened this issue Jun 21, 2023 Discussed in #21350 · 2 comments

Comments

@RaedShari

Discussed in #21350

Originally posted by RaedShari June 21, 2023

My current lane looks like:

lane :beta do
  api_key = app_store_connect_api_key()
  increment_build_number()
  get_certificates(api_key: api_key)
  get_provisioning_profile(api_key: api_key)
  build_app(xcargs: "-allowProvisioningUpdates")
  upload_to_testflight(api_key: api_key)
end

When my GitLab CI/CD job runs, I can see it logs some sensitive contents "my certificates".

[08:52:33]: Creating authorization token for App Store Connect API
[08:52:33]: Fetching profiles...
[08:52:34]: Verifying certificates...
[08:52:34]: $ security find-certificate -a -c 'Apple Worldwide Developer Relations' -p /Users/ec2-user/Library/Keychains/login.keychain-db
[08:52:34]: ▸ -----BEGIN CERTIFICATE-----
[08:52:34]: ▸ ################################
[08:52:34]: ▸ ################################

These logs are accessible by any user having access to the repo. Is there any option to silence these logs and prevent them from being logged?

@AnubisFUp

@RaedShari Hi! I found a temporary solution on my local setup. I just edited the $HOME/.gem/gems/fastlane-2.214.0/fastlane_core/lib/fastlane_core/cert_checker.rb file on line 119 and passed the print argument to the backticks function.

From this
Helper.backticks("security find-certificate -a -c '#{certificate_name}' -p #{wwdr_keychain.shellescape}")
to this
Helper.backticks("security find-certificate -a -c '#{certificate_name}' -p #{wwdr_keychain.shellescape}", print: false)

It looks like it now shows all command output to the console by default. You can remove this by correcting the main function in this file: set print to false.
https://github.com/fastlane/fastlane/blob/master/fastlane_core/lib/fastlane_core/helper.rb#L301C45-L301C45

@tiankaima

> @RaedShari Hi! I found a temporary solution on my local setup. I just edited the $HOME/.gem/gems/fastlane-2.214.0/fastlane_core/lib/fastlane_core/cert_checker.rb file on line 119 and passed the print argument to the backticks function.
>
> From this
> Helper.backticks("security find-certificate -a -c '#{certificate_name}' -p #{wwdr_keychain.shellescape}")
> to this
> Helper.backticks("security find-certificate -a -c '#{certificate_name}' -p #{wwdr_keychain.shellescape}", print: false)
>
> It looks like it now shows all command output to the console by default. You can remove this by correcting the main function in this file: set print to false.
> https://github.com/fastlane/fastlane/blob/master/fastlane_core/lib/fastlane_core/helper.rb#L301C45-L301C45

Sounds cool, but this doesn't seem so much a solution as a temporary fix. In that sense you could just output the result to a file to hide the key, something like this

I'd prefer an option to just silence the output, rather than tricks that hack the project itself. After all, it's CI/CD; nobody can expect tricks like changing some line in source code to work forever.
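
Added example, not part of the thread and not fastlane code: a log filter that collapses PEM blocks in fastlane output before it reaches the CI job log, without patching the gem. It assumes the `[HH:MM:SS]: ▸ ` line prefix seen in the log above; `redact_pem` and the sample lines are constructed for illustration.

```ruby
# Added example, not fastlane code. Assumes the "[HH:MM:SS]: ▸ " line prefix
# seen in the log above; the certificate body below is constructed, not real.
PREFIX    = /\A\[\d{2}:\d{2}:\d{2}\]: (?:▸ )?/
PEM_BEGIN = /-----BEGIN ([A-Z0-9 ]+)-----/
PEM_END   = /-----END [A-Z0-9 ]+-----/
BASE64    = %r{\A[A-Za-z0-9+/=]+\z}

# Returns the log lines with every PEM block collapsed into one marker line.
def redact_pem(lines)
  out = []
  inside = false
  lines.each do |raw|
    line = raw.chomp
    payload = line.sub(PREFIX, "")
    if inside
      if payload =~ PEM_END
        inside = false
        next
      end
      next if payload =~ BASE64
      # Not base64: the block was cut short. Stop redacting so a truncated
      # certificate cannot swallow the rest of the job log.
      inside = false
    end
    if (m = payload.match(PEM_BEGIN))
      out << "#{line[PREFIX]}[REDACTED #{m[1]}]"
      inside = payload !~ PEM_END # single-line blocks close immediately
      next
    end
    out << line
  end
  out
end

# Constructed sample in the shape of the job log quoted in the issue.
SAMPLE = <<~LOG
  [08:52:34]: Verifying certificates...
  [08:52:34]: ▸ -----BEGIN CERTIFICATE-----
  [08:52:34]: ▸ Q09OU1RSVUNURURfU0FNUExFX05PVF9BX1JFQUxfQ0VSVA==
  [08:52:34]: ▸ -----END CERTIFICATE-----
  [08:52:35]: Building app...
LOG

puts redact_pem(SAMPLE.lines)
```

The filter only changes what is written to the job log; fastlane still runs the same `security find-certificate` command.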
