[match] import P12 codesigning certificate to match's repo, updated, fixed

[razum2um]

Checklist

• I've run bundle exec rspec from the root directory to see all new and existing tests pass
• I've followed the fastlane code style and run bundle exec rubocop -a to ensure the code style is valid
• I've read the Contribution Guidelines
• I've updated the documentation if necessary.

Motivation and Context

Asked here #6900 and continued here #6972

Description

In comparison to #6972 it matches certificates by issuer and serial which according to rfc identify a unique certificate, I also addressed all the comments from previous version

[googlebot]

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed, please reply here (e.g. I signed it!) and we'll verify. Thanks.

---

• If you've already signed a CLA, it's possible we don't have your GitHub username or you're using a different email address. Check your existing CLA data and verify that your email is set on your git commits.
• If your company signed a CLA, they designated a Point of Contact who decides which employees are authorized to participate. You may need to contact the Point of Contact for your company and ask to be added to the group of authorized contributors. If you don't know who your Point of Contact is, direct the project maintainer to go/cla#troubleshoot.
• In order to pass this check, please resolve this problem and have the pull request author add another comment and the bot will run again.

[razum2um]

I signed it!

[googlebot]

CLAs look good, thanks!

[razum2um]

@milch I addressed your comments on the prev PR please take a look :)

[ByKeks]

need this very much

[endocrimes]

Looking good, I have a few grammar/spelling tweaks and some feature questions.

[endocrimes]

Grammar nitpick: "please consider using match's [import]...."

[endocrimes]

couple of grammar/spelling nits:
"it is advised that"
"feature that lets you" (no apostrophe)

[endocrimes]

Is there a corresponding docs pr?

[endocrimes]

"The command will validate the certificate and associate it with the Apple Developer Portal entity. This will ensure that the certificate is correctly processed by match and imported into the repository."?

[endocrimes]

"We could not find a matching certificate in the Apple Developer Portal"?

[endocrimes]

This currently breaks in the case where you specify import_certficate as an env var, but the password on the command line. Not sure how best to handle this though

[razum2um]

@dantoml not sure what do you mean. Anyway, fixed all other comments, thanks! Let me know if you need something else :)

[endocrimes]

@razum2um Hey, so currently:

if you ran:

MATCH_IMPORT_CERTIFICATE=/path_to_cert fastlane match import $CERTIFICATE_PASSWORD

it would fail to find the password, and could be somewhat confusing. This is however, potentially fine, I was mostly interested to see what your thoughts were and if you'd considered it.

[razum2um]

@dantoml I think specifying cert & pass in a different way is a strange choice. Should we really handle it? Maybe refuse positional arguments (but I'm rather not)?

[KrauseFx]

Should probably be fastlane match and not just match, right?

[razum2um]

@KrauseFx fixed, thanks :)
let me know, what can I do to get this finally merged? ;)

[KrauseFx]

Sorry to be so negative on this, but I'm not very comfortable merging this. I can already see this feature causing lots of incoming GitHub issues from people that import invalid certificates and keys, or mismatching profiles, causing more confusion. The beauty of match is that you can be sure things work as expected.

I said the same thing a few times in the past, I know that this is a feature people wish for, but I'm not super comfortable with it, and I don't think I'm the one ready to merge it.

[razum2um]

@KrauseFx I understand your worries, features are coming with the cost of supportability :)

What can we do in order to prevent "issues from people that import invalid certificates and keys" - check CNs, expiration dates?
Maybe print more info about supplied certificate as well as found ones on devportal?

Can we turn "so negative on this" to constructive suggestions?

[seclace]

@KrauseFx @dantoml Some news about this merge request? It looks very helpful to many.

[MajinRaph]

still nothing about this feature ? :)

[KrauseFx]

This is still my position: #9752 (comment)

If someone else feels comfortable reviewing, testing, merging and maintaining the code, I'm okay, but I won't sign off, sorry again, but that's my opinion on this feature (has nothing to do with the code)

[milch]

Maybe we can find a compromise if we can understand the exact reasons for wanting this. My understanding is the following:

• Due to customers or company regulations, it is not possible to give out the credentials that would allow match to create certificates and profiles
• At the same time, it is also not possible to run match on the account owner's computer once and then use readonly: true from the developer's computer
  • Why?
• Anything else?

[razum2um]

@matthewellis no, there was no such intention and last time I used it myself I synced dev certs, right, will sort it out as soon as I can

[razum2um]

@milch my reason (maybe I've just chosen wrong approach): we have different match repos with different credentials for different projects. We were trying to separate dev certificates as well, but apple restricted the number of total possible dev certificates to 5, so in order to maintain the flow I imported one created earlier into next project's match repo

[milch]

@razum2um Yeah, that doesn't sound like how match is intended to be used. The idea is more or less to have 1 match repo per Apple account. Is there a reason why you can't have a single repo for all projects?

[MajinRaph]

As for me, I think this feature is needed to prevent legacy enterprise certificates from being revoked by match at first use, as it would disable all the existing apps (unless I'm misunderstanding somehting).

[KrauseFx]

You don't necessarily have to nuke, if you still have a free spot for a new certificate, match will just use that 👍

[MajinRaph]

@KrauseFx sure, but if we have no spots left, the feature would be useful :P (even if, when we have two certificates, we can nuke the unused (yet) one)

And thank you for your answer (and for Fastlane, which is an amazing toolsuit)

[ohayon]

Hey folks! I am going to close this PR for now as it has been inactive for quite some time. That being said, please feel free to continue conversation on here and let us know if we should reopen it at any point! 🚀

[janpio]

@milch To add to your list, I learned that revoking an Enterprise cer/profile combination (via nuke) makes the app unusable that moment. So not like with a normal app store cert that you just replace with the next update, your users can't use your app until they get one built with the new cert.

[janpio]

As KrauseFx understandable is cautious about adding this to fastlane itself, how about reworking it into a plugin with its own Github repo @razum2um @MajinRaph? Then problems using it would end up at the issues of that repository and one could make sure that all information for this "advanced usage" is collected there.