Renew iOS Fastlane match Profiles #8745
There is the
|
According to closed and unresolved Fastlane issues: Wtf, reading Fastlane match issues it seems like they are suggesting nuking profiles and re-creating them:
But then again:
|
I attempted to remove the certificate manually from the Apple Developer portal:
Which indicates to me that the https://github.com/status-im/ios-certificates repo has not been updated. |
I tried running:
On one of the |
I could manually try removing the |
I made this attempt in https://github.com/status-im/ios-certificates/commit/a822307fe08e5daa566e496b53abf9f8db39348e, let's see if this forces re-creation. |
That didn't work. Considering all our Profiles are managed by Fastlane match using |
I've done the deed:
Which seems to have worked, at least for one of the 3 profiles: |
And this seems to have created 2 commits in the
Which seems to be what we want. I assume that during a new release build a new AppStore cert will be created as well. |
Well, now we're getting some new errors at least:
From: https://ci.status.im/job/status-react/job/prs/job/ios/job/PR-8722/32/consoleFull |
There was some other stuff there:
Of which the main part is:
|
There's an issue that seems to show this error too: Apparently:
|
Interestingly if I run the suggested
Which might be part of the problem. But that error shows up on |
But then again, there's also this:
Which would indicate that the keychain at
|
I've decided to re-create the
We'll see if that does anything. |
In this build the keychain access errors do not show up: |
It states:
So I tried the password and it seems to work fine:
|
What a useless fucking error, what the FUCK does |
I opened the project in Xcode to see if it was broken and I saw an error in the Signing section. |
I'm starting to think that |
I tried adding
It still fails with the same error:
There's absolutely NOTHING useful in |
Apparently |
Yuuuuuup, without
With
Just kill me. |
This is some great Apple documentation:
|
I tried things mentioned here: |
I found something that matches what I'm thinking:
So what I need to check is one by one all the relations between the Provisioning Profile, Bundle ID, and Certs. |
I also found this which suggests checking for expired certificates: |
During the build Fastlane
|
Now, comparing those to the contents of
|
Same goes for the info on the Apple Developer portal:
|
I just noticed something! The Certificate type on the site is |
I attempted to fix this using this commit: 4222014
So that doesn't seem to be the issue. |
Based on what I found in this issue, I attempted to allow all apps on our CI hosts to access those certs. Steps:
Let's see if that does it. |
That didn't do shit... but I have another idea based on this comment:

```ruby
# helper for proper teardown of resource
def with(ctx)
  yield ctx.setup
ensure
  ctx.teardown
end

# This is a helper for match and signing to avoid having to
# approve of the keychain access through the UI dialog.
# Details: https://github.com/status-im/status-react/issues/8745
class Keychain
  attr_accessor :name, :pass
  @@pass = "temppassword"

  def initialize(name)
    # We use epoch time to avoid clashes with CI builds
    @name = "#{name}_#{Time.now.to_f}.keychain-db"
    @path = "~/Library/Keychains/#{@name}"
    Fastlane::Actions::CreateKeychainAction.run(
      name: @name,
      password: @@pass,
      timeout: false,
    )
  end

  # for use in with()
  def setup
    self
  end

  def teardown
    if not File.exist? File.expand_path(@path)
      raise "Keychain file missing: #{@path}"
    end
    Fastlane::Actions::DeleteKeychainAction.run(
      name: @name
    )
  end
end
```

So now we can run

```ruby
with Keychain.new('adhoc') do |kc|
  match()
  build_ios_app()
end
```

I'm trying this in the |
Okay, it appears the approach with the temporary keychain works, but only partially. Despite Fastlane match using it, as we can see here:
It still attempts to import the WWDR(
Which I think is what causes the need for the UI interaction prompt for the password. So when I removed the
Which might mean that Fastlane requires Links: |
This error comes from here:

```ruby
def self.wwdr_keychain
  priority = [
    "security list-keychains -d user",
    "security default-keychain -d user"
  ]
  priority.each do |command|
    keychains = Helper.backticks(command, print: FastlaneCore::Globals.verbose?).split("\n")
    unless keychains.empty?
      # Select first keychain name from returned keychains list
      return keychains[0].strip.tr('"', '')
    end
  end
  return ""
end
```

Which for Jenkins clearly is
Unless it doesn't exist:
So it seems the only way would be to temporarily set the default user keychain to the one we created for the sake of the build with
Which sounds kinda dodgy considering we run multiple builds on the same host. |
Actually, this is even simpler because
|
It does work:
But the question is how will this affect parallel builds on the same host? This might be a form of a weird race condition. |
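
The parallel-build concern raised above, as an added example that is not part of the original thread or the project's Fastfile: it serializes the default-keychain swap behind a host-wide file lock and restores the previous default even when the build fails. `with_default_keychain`, `lock_path` and the injectable `runner` are hypothetical names, and the keychain paths in the demo are constructed.

```ruby
require "tmpdir"

# Runs a real command (argv array, no shell) and returns its stdout.
REAL_RUNNER = lambda do |argv|
  out = IO.popen(argv, err: File::NULL, &:read)
  raise "command failed: #{argv.join(' ')}" unless $?.success?
  out
end

# Hypothetical helper: holds an exclusive lock while the user's default
# keychain points at `keychain`, then puts the previous default back.
def with_default_keychain(keychain, lock_path:, runner: REAL_RUNNER)
  File.open(lock_path, File::RDWR | File::CREAT, 0o600) do |lock|
    lock.flock(File::LOCK_EX) # blocks until other builds release the lock
    # Same query Fastlane's wwdr_keychain runs; the output is a quoted path.
    previous = runner.call(%w[security default-keychain -d user]).strip.tr('"', "")
    begin
      runner.call(%w[security default-keychain -d user -s] + [keychain])
      yield
    ensure
      # Restore even if the build raised, so later jobs see the old default.
      runner.call(%w[security default-keychain -d user -s] + [previous]) unless previous.empty?
    end
  end
end

# Constructed stand-in for `security`, so the example runs off macOS.
FakeSecurity = Struct.new(:default) do
  def call(argv)
    i = argv.index("-s")
    return %(    "#{default}"\n) if i.nil? # query form
    self.default = argv[i + 1]             # set form
    ""
  end
end

# Simulates a failing build and reports [default during build, default after].
def demo
  fake = FakeSecurity.new("/tmp/original.keychain-db") # constructed path
  lock = File.join(Dir.tmpdir, "default-keychain-demo.lock")
  seen = nil
  begin
    with_default_keychain("adhoc_123.keychain-db", lock_path: lock, runner: fake) do
      seen = fake.default
      raise "build failed"
    end
  rescue RuntimeError
    nil # the simulated build failure
  end
  [seen, fake.default]
end
```

The lock only protects builds that go through the same helper and lock file, and it serializes the signing step across jobs on that host.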
Looks like even despite that change I still get the same |
And despite using a temporary and unlocked from the start keychain, I still get the password prompt from I really hoped I could finally fix this prompt issue by using a temporary keychain, but apparently not. EDIT: What's even weirder is that after I click |
I've applied the manual fix to all |
Okay, so here is what I learned from this... exercise in productive and well documented madness:
I'm not sure if this weird behavior is due to how Fastlane uses |
Opened an issue with Fastlane: fastlane/fastlane#15185 |
@jakubgs i don't know how i got here, since i have no match/signing issues, or why i read this entire thread, but damn, what a masterpiece. Not only did i enjoy it, but this is kind of indexable troubleshooting is what i imagine must be like to debug software in heaven. Web searchable, insightful, entertaining, and complete. Now i want a collection of your debugging in this format, technology agnostic without any organization or additional context in coffee table book print format. I would non ironically read it cover to cover. |
@rromanchuk thanks, appreciate it. The thing is, when dealing with issues like that you HAVE to create detailed notes, otherwise you'll either accidentally stumble on a solution - highly unlikely - or you'll just go insane through an endless process of trial and error without any learning occurring. If you like this, you might like some of my other hits:
Most of my research is unfortunately hidden in various private repos, since I work with infrastructure, and that most of the time has to be kept private, even if the repos themselves do not contain any actual secrets. |
It appears our iOS Profiles created by Fastlane match are expiring today:
![expired_ios_certs](https://user-images.githubusercontent.com/2212681/62946470-bcbd6a00-bdae-11e9-97dc-0c39882a2b69.png)
This was spotted in #8722.