From 97d8ffd09181233fb1a203d3f78e6efd64f2fd5e Mon Sep 17 00:00:00 2001 From: Gio Lodi Date: Wed, 5 Nov 2025 14:01:18 +1100 Subject: [PATCH 01/13] =?UTF-8?q?Update=20Fastlane=20=E2=80=93=20Routine?= =?UTF-8?q?=20before=20further=20work?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- Gemfile.lock | 77 ++++++++++++++++++++++++++++------------------------ 1 file changed, 42 insertions(+), 35 deletions(-) diff --git a/Gemfile.lock b/Gemfile.lock index b4378acb..1326a59c 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -10,31 +10,35 @@ GEM artifactory (3.0.17) ast (2.4.2) atomos (0.1.3) - aws-eventstream (1.3.0) - aws-partitions (1.1001.0) - aws-sdk-core (3.211.0) + aws-eventstream (1.4.0) + aws-partitions (1.1180.0) + aws-sdk-core (3.236.0) aws-eventstream (~> 1, >= 1.3.0) aws-partitions (~> 1, >= 1.992.0) aws-sigv4 (~> 1.9) + base64 + bigdecimal jmespath (~> 1, >= 1.6.1) - aws-sdk-kms (1.95.0) - aws-sdk-core (~> 3, >= 3.210.0) + logger + aws-sdk-kms (1.116.0) + aws-sdk-core (~> 3, >= 3.234.0) aws-sigv4 (~> 1.5) - aws-sdk-s3 (1.169.0) - aws-sdk-core (~> 3, >= 3.210.0) + aws-sdk-s3 (1.202.0) + aws-sdk-core (~> 3, >= 3.234.0) aws-sdk-kms (~> 1) aws-sigv4 (~> 1.5) - aws-sigv4 (1.10.1) + aws-sigv4 (1.12.1) aws-eventstream (~> 1, >= 1.0.2) babosa (1.0.4) - base64 (0.2.0) + base64 (0.3.0) + bigdecimal (3.3.1) claide (1.1.0) colored (1.2) colored2 (3.1.2) commander (4.6.0) highline (~> 2.0.0) declarative (0.0.20) - digest-crc (0.6.5) + digest-crc (0.7.0) rake (>= 12.0.0, < 14.0.0) domain_name (0.6.20240107) dotenv (2.8.1) @@ -56,11 +60,11 @@ GEM faraday (>= 0.8.0) http-cookie (~> 1.0.0) faraday-em_http (1.0.0) - faraday-em_synchrony (1.0.0) + faraday-em_synchrony (1.0.1) faraday-excon (1.1.0) faraday-httpclient (1.0.1) - faraday-multipart (1.0.4) - multipart-post (~> 2) + faraday-multipart (1.1.1) + multipart-post (~> 2.0) faraday-net_http (1.0.2) faraday-net_http_persistent (1.2.0) faraday-patron (1.0.0) 
@@ -68,8 +72,8 @@ GEM faraday-retry (1.0.3) faraday_middleware (1.2.1) faraday (~> 1.0) - fastimage (2.3.1) - fastlane (2.225.0) + fastimage (2.4.0) + fastlane (2.228.0) CFPropertyList (>= 2.3, < 4.0.0) addressable (>= 2.8, < 3.0.0) artifactory (~> 3.0) @@ -109,7 +113,7 @@ GEM tty-spinner (>= 0.8.0, < 1.0.0) word_wrap (~> 1.0.0) xcodeproj (>= 1.13.0, < 2.0.0) - xcpretty (~> 0.3.0) + xcpretty (~> 0.4.1) xcpretty-travis-formatter (>= 0.0.3, < 2.0.0) fastlane-sirp (1.0.0) sysrandom (~> 1.0) @@ -130,12 +134,12 @@ GEM google-apis-core (>= 0.11.0, < 2.a) google-apis-storage_v1 (0.31.0) google-apis-core (>= 0.11.0, < 2.a) - google-cloud-core (1.7.1) + google-cloud-core (1.8.0) google-cloud-env (>= 1.0, < 3.a) google-cloud-errors (~> 1.0) google-cloud-env (1.6.0) faraday (>= 0.17.3, < 3.0) - google-cloud-errors (1.4.0) + google-cloud-errors (1.5.0) google-cloud-storage (1.47.0) addressable (~> 2.8) digest-crc (~> 0.4) @@ -151,40 +155,43 @@ GEM os (>= 0.9, < 2.0) signet (>= 0.16, < 2.a) highline (2.0.3) - http-cookie (1.0.7) + http-cookie (1.0.8) domain_name (~> 0.5) - httpclient (2.8.3) + httpclient (2.9.0) + mutex_m jmespath (1.6.2) - json (2.7.5) - jwt (2.9.3) + json (2.15.2) + jwt (2.10.2) base64 language_server-protocol (3.17.0.3) + logger (1.7.0) mini_magick (4.13.2) mini_mime (1.1.5) - multi_json (1.15.0) + multi_json (1.17.0) multipart-post (2.4.1) + mutex_m (0.3.0) nanaimo (0.4.0) - naturally (2.2.1) + naturally (2.3.0) nkf (0.2.0) - optparse (0.5.0) + optparse (0.8.0) os (1.1.4) parallel (1.26.3) parser (3.3.5.1) ast (~> 2.4.1) racc - plist (3.7.1) - public_suffix (6.0.1) + plist (3.7.2) + public_suffix (6.0.2) racc (1.8.1) rainbow (3.1.1) - rake (13.2.1) + rake (13.3.1) regexp_parser (2.9.2) representable (3.2.0) declarative (< 0.1.0) trailblazer-option (>= 0.1.1, < 0.2.0) uber (< 0.2.0) retriable (3.1.2) - rexml (3.3.9) - rouge (2.0.7) + rexml (3.4.4) + rouge (3.28.0) rubocop (1.68.0) json (~> 2.3) language_server-protocol (>= 3.17.0) 
@@ -199,12 +206,12 @@ GEM parser (>= 3.3.1.0) ruby-progressbar (1.13.0) ruby2_keywords (0.0.5) - rubyzip (2.3.2) + rubyzip (2.4.1) security (0.1.5) - signet (0.19.0) + signet (0.21.0) addressable (~> 2.8) faraday (>= 0.17.5, < 3.a) - jwt (>= 1.5, < 3.0) + jwt (>= 1.5, < 4.0) multi_json (~> 1.10) simctl (1.6.10) CFPropertyList @@ -228,8 +235,8 @@ GEM colored2 (~> 3.1) nanaimo (~> 0.4.0) rexml (>= 3.3.6, < 4.0) - xcpretty (0.3.0) - rouge (~> 2.0.7) + xcpretty (0.4.1) + rouge (~> 3.28.0) xcpretty-travis-formatter (1.0.1) xcpretty (~> 0.2, >= 0.0.7) From bd3f81232220d22728253a83dab3ea13a031f282 Mon Sep 17 00:00:00 2001 From: Gio Lodi Date: Wed, 5 Nov 2025 13:25:59 +1100 Subject: [PATCH 02/13] Extract logic for dev code signing fetch in dedicated lane --- fastlane/Fastfile | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/fastlane/Fastfile b/fastlane/Fastfile index e34dbd5b..81cd78c3 100644 --- a/fastlane/Fastfile +++ b/fastlane/Fastfile @@ -53,8 +53,13 @@ lane :upload_release do ) end -desc 'Download the development signing certificates to this machine' +desc 'Download all certificates and provisioning profiles for code signing' lane :set_up_signing do |readonly: true| + set_up_signing_development(readonly: readonly) +end + +desc 'Download the development signing certificates to this machine' +lane :set_up_signing_development do |readonly: true| require_env_vars!(*ASC_API_KEY_ENV_VARS, *CODE_SIGNING_STORAGE_ENV_VARS) sync_code_signing( From 93f6c6e204fbbea4cbb6ccdea25360bbbe95a197 Mon Sep 17 00:00:00 2001 From: Gio Lodi Date: Wed, 5 Nov 2025 14:01:44 +1100 Subject: [PATCH 03/13] Add lane to fetch distribution certificate --- fastlane/Fastfile | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/fastlane/Fastfile b/fastlane/Fastfile index 81cd78c3..d0120ae5 100644 --- a/fastlane/Fastfile +++ b/fastlane/Fastfile 
@@ -56,6 +56,7 @@ end desc 'Download all certificates and provisioning profiles for code signing' lane :set_up_signing do |readonly: true| set_up_signing_development(readonly: readonly) + set_up_signing_release(readonly: readonly) end desc 'Download the development signing certificates to this machine' @@ -78,6 +79,33 @@ lane :set_up_signing_development do |readonly: true| ) end +desc 'Download the release signing certificates to this machine' +lane :set_up_signing_release do |readonly: true| + require_env_vars!(*ASC_API_KEY_ENV_VARS, *CODE_SIGNING_STORAGE_ENV_VARS) + + get_certificates( + development: false, + team_id: APPLE_TEAM_ID, + api_key: app_store_connect_api_key + ) + + UI.message "Path #{lane_context[SharedValues::CERT_FILE_PATH]}" + UI.message "ID #{lane_context[SharedValues::CERT_CERTIFICATE_ID]}" + # sync_code_signing( + # platform: 'macos', + # app_identifier: APPLE_BUNDLE_IDENTIFIER, + # team_id: APPLE_TEAM_ID, + # api_key: app_store_connect_api_key, + # type: '', + + # storage_mode: 's3', + # s3_region: 'us-east-2', + # s3_bucket: 'a8c-fastlane-match', + + # readonly: readonly + # ) +end + def create_release_zip File.delete(ZIP_FILE_PATH) if File.file? ZIP_FILE_PATH From f146bc0293ff9719552a1be0bf108886d0b0c4ea Mon Sep 17 00:00:00 2001 From: Gio Lodi Date: Wed, 5 Nov 2025 14:10:01 +1100 Subject: [PATCH 04/13] Remove unused `readonly` option --- fastlane/Fastfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fastlane/Fastfile b/fastlane/Fastfile index d0120ae5..9f620ba1 100644 --- a/fastlane/Fastfile +++ b/fastlane/Fastfile @@ -80,7 +80,7 @@ lane :set_up_signing_development do |readonly: true| end desc 'Download the release signing certificates to this machine' -lane :set_up_signing_release do |readonly: true| +lane :set_up_signing_release do require_env_vars!(*ASC_API_KEY_ENV_VARS, *CODE_SIGNING_STORAGE_ENV_VARS) get_certificates( From 70d9a68b80aae49fdbb984ae9c0b255ea6553bad Mon Sep 17 00:00:00 2001 
From: Gio Lodi Date: Wed, 5 Nov 2025 14:10:11 +1100 Subject: [PATCH 05/13] Do not attempt to create new certificate --- fastlane/Fastfile | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/fastlane/Fastfile b/fastlane/Fastfile index 9f620ba1..b8e50b07 100644 --- a/fastlane/Fastfile +++ b/fastlane/Fastfile @@ -85,6 +85,12 @@ lane :set_up_signing_release do get_certificates( development: false, + + # Do not create a new certificate. + # Always and only attempt to acquire existing one. + generate_apple_certs: false, + force: false, + team_id: APPLE_TEAM_ID, api_key: app_store_connect_api_key ) From 7cc53b0c7f2453aa5168bcf075d492ea474c06a0 Mon Sep 17 00:00:00 2001 From: Gio Lodi Date: Wed, 5 Nov 2025 14:31:24 +1100 Subject: [PATCH 06/13] Differentiate between development and release certificates --- Makefile | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/Makefile b/Makefile index f478c8b3..f41fe915 100644 --- a/Makefile +++ b/Makefile @@ -4,6 +4,9 @@ RELEASE_VERSION = $(shell .build/release/hostmgr --version) SWIFTLINT_VERSION=$(shell awk '/^swiftlint_version:/ {print $$2}' .swiftlint.yml) RUBY_VERSION = $(shell cat .ruby-version) +CERTIFICATE_NAME_DEBUG = Apple Development: Created via API (886NX39KP6) +CERTIFICATE_NAME_RELEASE = Apple Distribution: Automattic, Inc. (PZYM8XX95Q) + clean: rm -rf .build 
@@ -16,8 +19,8 @@ build: cp .build/arm64-apple-macosx/release/hostmgr .build/artifacts/release/hostmgr cp .build/arm64-apple-macosx/release/hostmgr-helper .build/artifacts/release/hostmgr-helper - codesign --entitlements Sources/hostmgr/hostmgr.entitlements -s "Apple Development: Created via API (886NX39KP6)" .build/artifacts/release/hostmgr --force --verbose - codesign --entitlements Sources/hostmgr/hostmgr.entitlements -s "Apple Development: Created via API (886NX39KP6)" .build/artifacts/release/hostmgr-helper --force --verbose + codesign --entitlements Sources/hostmgr/hostmgr.entitlements -s "${CERTIFICATE_NAME_RELEASE}" .build/artifacts/release/hostmgr --force --verbose + codesign --entitlements Sources/hostmgr/hostmgr.entitlements -s "${CERTIFICATE_NAME_RELEASE}" .build/artifacts/release/hostmgr-helper --force --verbose verify-signing: build @echo "--- Checking Code Signing" 
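Review bot: The two `codesign` lines in the `build` recipe now sign with `${CERTIFICATE_NAME_RELEASE}`, but the `verify-signing` target that follows is not touched by this commit and its body lies outside the hunk. If it asserts the signing authority or team, it presumably needs to expect the distribution identity now. It would also help to check the result right after signing, for example `codesign --verify --strict --verbose=2 .build/artifacts/release/hostmgr` and the same for `hostmgr-helper`. Separately, `hostmgr-helper` is still signed with `Sources/hostmgr/hostmgr.entitlements`; if the helper needs fewer entitlements than the main binary, it should get its own file.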
@@ -42,19 +45,19 @@ release: build create-vm-debug: @echo "--- Building and Signing hostmgr for Local Development" swift build - codesign --entitlements Sources/hostmgr/hostmgr.entitlements -s "Apple Development: Created via API" .build/arm64-apple-macosx/debug/hostmgr -v + codesign --entitlements Sources/hostmgr/hostmgr.entitlements -s "${CERTIFICATE_NAME_DEBUG}" .build/arm64-apple-macosx/debug/hostmgr -v ./.build/arm64-apple-macosx/debug/hostmgr vm create xcode-143 --disk-size 92 build-debug: @echo "--- Building and Signing for Local Development" swift build - codesign --entitlements Sources/hostmgr/hostmgr.entitlements -s "Apple Development: Created via API" .build/arm64-apple-macosx/debug/hostmgr -v + codesign --entitlements Sources/hostmgr/hostmgr.entitlements -s "${CERTIFICATE_NAME_DEBUG}" .build/arm64-apple-macosx/debug/hostmgr -v build-helper-debug: @echo "--- Building and Signing helper for Local Development" swift build - codesign --entitlements Sources/hostmgr/hostmgr.entitlements -s "Apple Development: Created via API" .build/arm64-apple-macosx/debug/hostmgr-helper -v + codesign --entitlements Sources/hostmgr/hostmgr.entitlements -s "${CERTIFICATE_NAME_DEBUG}" .build/arm64-apple-macosx/debug/hostmgr-helper -v run-helper-debug: build-debug build-helper-debug ./.build/arm64-apple-macosx/debug/hostmgr-helper --debug true From 934dd1d57e0aab9725aafd301c606b96c52342c7 Mon Sep 17 00:00:00 2001 From: Gio Lodi Date: Wed, 5 Nov 2025 14:31:42 +1100 Subject: [PATCH 07/13] Give up using `cert` for distribution certificate --- fastlane/Fastfile | 39 ++++++++++++++------------------------- 1 file changed, 14 insertions(+), 25 deletions(-) diff --git a/fastlane/Fastfile b/fastlane/Fastfile index b8e50b07..1d9a585d 100644 --- a/fastlane/Fastfile +++ b/fastlane/Fastfile 
@@ -80,36 +80,25 @@ lane :set_up_signing_development do |readonly: true| end desc 'Download the release signing certificates to this machine' -lane :set_up_signing_release do +lane :set_up_signing_release do |readonly: true| require_env_vars!(*ASC_API_KEY_ENV_VARS, *CODE_SIGNING_STORAGE_ENV_VARS) - get_certificates( - development: false, + # This will downaload a provisioning profile which we don't use. + # The purpose of the lane is to setup the distribution certificate in the machine's keychain. + # This will make it accessible by the rest the rest of the automation later on. + sync_code_signing( + platform: 'macos', + app_identifier: APPLE_BUNDLE_IDENTIFIER, + team_id: APPLE_TEAM_ID, + api_key: app_store_connect_api_key, + type: 'appstore', - # Do not create a new certificate. - # Always and only attempt to acquire existing one. - generate_apple_certs: false, - force: false, + storage_mode: 's3', + s3_region: 'us-east-2', + s3_bucket: 'a8c-fastlane-match', - team_id: APPLE_TEAM_ID, - api_key: app_store_connect_api_key + readonly: readonly ) - - UI.message "Path #{lane_context[SharedValues::CERT_FILE_PATH]}" - UI.message "ID #{lane_context[SharedValues::CERT_CERTIFICATE_ID]}" - # sync_code_signing( - # platform: 'macos', - # app_identifier: APPLE_BUNDLE_IDENTIFIER, - # team_id: APPLE_TEAM_ID, - # api_key: app_store_connect_api_key, - # type: '', - - # storage_mode: 's3', - # s3_region: 'us-east-2', - # s3_bucket: 'a8c-fastlane-match', - - # readonly: readonly - # ) end def create_release_zip From 9e351842e32b7ee014722b81f75be784d6c3eea3 Mon Sep 17 00:00:00 2001 From: Gio Lodi Date: Wed, 5 Nov 2025 14:41:37 +1100 Subject: [PATCH 08/13] DRY call to `sync_code_singing` for documentation purposes --- fastlane/Fastfile | 58 ++++++++++++++++++++--------------------------- 1 file changed, 24 insertions(+), 34 deletions(-) diff --git a/fastlane/Fastfile b/fastlane/Fastfile index 1d9a585d..f485c6e9 100644 --- a/fastlane/Fastfile +++ b/fastlane/Fastfile 
@@ -61,44 +61,12 @@ end desc 'Download the development signing certificates to this machine' lane :set_up_signing_development do |readonly: true| - require_env_vars!(*ASC_API_KEY_ENV_VARS, *CODE_SIGNING_STORAGE_ENV_VARS) - - sync_code_signing( - platform: 'macos', - app_identifier: APPLE_BUNDLE_IDENTIFIER, - team_id: APPLE_TEAM_ID, - api_key: app_store_connect_api_key, - type: 'development', - certificate_id: 'Apple Development: Created via API (886NX39KP6)', - - storage_mode: 's3', - s3_region: 'us-east-2', - s3_bucket: 'a8c-fastlane-match', - - readonly: readonly - ) + set_up_certificate_in_keychain(type: 'development', readonly: readonly) end desc 'Download the release signing certificates to this machine' lane :set_up_signing_release do |readonly: true| - require_env_vars!(*ASC_API_KEY_ENV_VARS, *CODE_SIGNING_STORAGE_ENV_VARS) - - # This will downaload a provisioning profile which we don't use. - # The purpose of the lane is to setup the distribution certificate in the machine's keychain. - # This will make it accessible by the rest the rest of the automation later on. - sync_code_signing( - platform: 'macos', - app_identifier: APPLE_BUNDLE_IDENTIFIER, - team_id: APPLE_TEAM_ID, - api_key: app_store_connect_api_key, - type: 'appstore', - - storage_mode: 's3', - s3_region: 'us-east-2', - s3_bucket: 'a8c-fastlane-match', - - readonly: readonly - ) + set_up_certificate_in_keychain(type: 'appstore', readonly: readonly) end def create_release_zip 
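Review bot: The new `set_up_signing_development` body calls `set_up_certificate_in_keychain(type: 'development', readonly: readonly)` and so no longer passes `certificate_id: 'Apple Development: Created via API (886NX39KP6)'`, which the removed `sync_code_signing` call pinned. If the storage holds more than one development certificate, the identity that gets imported may not be the one the Makefile signs debug builds with. If the pin is still wanted, the helper added in the next hunk of this commit could accept an optional `certificate_id: nil` keyword and forward it as `certificate_id: certificate_id`, with this call site supplying the value. Whether `sync_code_signing` tolerates an explicit nil for that option should be confirmed.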
@@ -126,3 +94,25 @@ def get_required_env!(key) UI.user_error!("Environment variable `#{key}` is not set.") end + +def set_up_certificate_in_keychain(type:, readonly:) + require_env_vars!(*ASC_API_KEY_ENV_VARS, *CODE_SIGNING_STORAGE_ENV_VARS) + + # This will fetch the certificate and provisioning profile for the given type from remote storage. + # It will then set them up in the local keychain, where 'codesign' looks for identities. + # + # Notice we do not need the provisioning profile because we sign with 'codesign' elsewhere. + # However, there is no other way to set up the certificate in the keychain. + # Fastlane offers a tool called cert, but it only downloads certificates. + sync_code_signing( + platform: 'macos', + app_identifier: APPLE_BUNDLE_IDENTIFIER, + team_id: APPLE_TEAM_ID, + api_key: app_store_connect_api_key, + type: type, + storage_mode: 's3', + s3_region: 'us-east-2', + s3_bucket: 'a8c-fastlane-match', + readonly: readonly + ) +end From 4d09be62319457ac051f32230b695b5407213be1 Mon Sep 17 00:00:00 2001 From: Olivier Halligon Date: Wed, 5 Nov 2025 13:43:44 +0100 Subject: [PATCH 09/13] Add `--force` to `codesign` for debug too --- Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Makefile b/Makefile index f41fe915..ee52b8da 100644 --- a/Makefile +++ b/Makefile 
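Review bot: The comment above `sync_code_signing` in `set_up_certificate_in_keychain` says the certificate is set up in "the local keychain", but the call does not name one, so the private key lands in whichever keychain the action defaults to. On a shared or long-lived build host it is worth either naming the keychain explicitly (the action exposes `keychain_name` and `keychain_password`) or stating in the comment that the default keychain is intended. This matters most for the distribution identity fetched with `type: 'appstore'`.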
@@ -45,19 +45,19 @@ release: build create-vm-debug: @echo "--- Building and Signing hostmgr for Local Development" swift build - codesign --entitlements Sources/hostmgr/hostmgr.entitlements -s "${CERTIFICATE_NAME_DEBUG}" .build/arm64-apple-macosx/debug/hostmgr -v + codesign --entitlements Sources/hostmgr/hostmgr.entitlements -s "${CERTIFICATE_NAME_DEBUG}" .build/arm64-apple-macosx/debug/hostmgr --force --verbose ./.build/arm64-apple-macosx/debug/hostmgr vm create xcode-143 --disk-size 92 build-debug: @echo "--- Building and Signing for Local Development" swift build - codesign --entitlements Sources/hostmgr/hostmgr.entitlements -s "${CERTIFICATE_NAME_DEBUG}" .build/arm64-apple-macosx/debug/hostmgr -v + codesign --entitlements Sources/hostmgr/hostmgr.entitlements -s "${CERTIFICATE_NAME_DEBUG}" .build/arm64-apple-macosx/debug/hostmgr --force --verbose build-helper-debug: @echo "--- Building and Signing helper for Local Development" swift build - codesign --entitlements Sources/hostmgr/hostmgr.entitlements -s "${CERTIFICATE_NAME_DEBUG}" .build/arm64-apple-macosx/debug/hostmgr-helper -v + codesign --entitlements Sources/hostmgr/hostmgr.entitlements -s "${CERTIFICATE_NAME_DEBUG}" .build/arm64-apple-macosx/debug/hostmgr-helper --force --verbose run-helper-debug: build-debug build-helper-debug ./.build/arm64-apple-macosx/debug/hostmgr-helper --debug true From 5d8e249209ba54a95050007a23cd9e70a8e1c109 Mon Sep 17 00:00:00 2001 
From: Olivier Halligon Date: Wed, 5 Nov 2025 13:48:13 +0100 Subject: [PATCH 10/13] Remove useless Make target MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The name of that target was not super clear, and looking at the implementation we can see it has some `xcode-143` hardcoded value not up-to-date and confusing (as it will not match what's in the VM at the end of this command nowadays…). Given this feels like a target that is a bit too-specific (i.e. if we go that route why wouldn't we create Make targets for every single `hostmgr` command to test too?) and in practice it's easier to just run `make build-debug` then run the command we want to test manually afterwards so we can adjust it to what we want to test, it made more sense to me to remove it to avoid adding confusion in the Makefile. --- Makefile | 7 ------- 1 file changed, 7 deletions(-) diff --git a/Makefile b/Makefile index ee52b8da..c130fd35 100644 --- a/Makefile +++ b/Makefile @@ -42,13 +42,6 @@ release: build git tag $(RELEASE_VERSION) git push origin $(RELEASE_VERSION) -create-vm-debug: - @echo "--- Building and Signing hostmgr for Local Development" - swift build - codesign --entitlements Sources/hostmgr/hostmgr.entitlements -s "${CERTIFICATE_NAME_DEBUG}" .build/arm64-apple-macosx/debug/hostmgr --force --verbose - - ./.build/arm64-apple-macosx/debug/hostmgr vm create xcode-143 --disk-size 92 - build-debug: @echo "--- Building and Signing for Local Development" swift build From 3bbeea21791cecdc89acc0c3a736d548b216264e Mon Sep 17 00:00:00 2001 From: Olivier Halligon Date: Wed, 5 Nov 2025 14:33:17 +0100 Subject: [PATCH 11/13] Fix `set_up_certificate_in_keychain` To not require the ASC API Key when in `readonly` mode --- fastlane/Fastfile | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/fastlane/Fastfile b/fastlane/Fastfile index f485c6e9..ba99d7e3 100644 --- a/fastlane/Fastfile +++ b/fastlane/Fastfile 
@@ -96,7 +96,13 @@ def get_required_env!(key) end def set_up_certificate_in_keychain(type:, readonly:) - require_env_vars!(*ASC_API_KEY_ENV_VARS, *CODE_SIGNING_STORAGE_ENV_VARS) + require_env_vars!(*CODE_SIGNING_STORAGE_ENV_VARS) + if readonly + api_key = nil + else + require_env_vars!(*ASC_API_KEY_ENV_VARS) + api_key = app_store_connect_api_key + end # This will fetch the certificate and provisioning profile for the given type from remote storage. # It will then set them up in the local keychain, where 'codesign' looks for identities. @@ -108,7 +114,7 @@ def set_up_certificate_in_keychain(type:, readonly:) platform: 'macos', app_identifier: APPLE_BUNDLE_IDENTIFIER, team_id: APPLE_TEAM_ID, - api_key: app_store_connect_api_key, + api_key: api_key, type: type, storage_mode: 's3', s3_region: 'us-east-2', From daecdaaf23f7de7ec05d768210807a5cc8cf3913 Mon Sep 17 00:00:00 2001 From: Olivier Halligon Date: Wed, 5 Nov 2025 14:42:03 +0100 Subject: [PATCH 12/13] Add `fetch-codesigning*` recipes to `Makefile` Those only call the corresponding fastlane lanes and nothing esle; but it helps discoverability Note that I deliberately didn't add those recipes as dependency to the `build:`/`build-debug:`/`build-helper-debug:` recipes, despite those recipes indeed needing the code signing identities to have been fetched and be present in the keychain for `codesign` to work as expected. This is because those fastlane lanes require the `MATCH_S3_ACCESS_KEY` and `MATCH_S3_SECRET_ACCESS_KEY` env vars to be declared locally for them to run, but we don't usually have those set in all our shell sessions unless we `export` them explicitly first. Conversely, we usually already have the necessary certificates in our keychain already when we're working on `hostmgr` so there's no need to re-fetch them systematically from S3 every single time we want to `build` or `build-debug`. --- Makefile | 12 ++++++++++++ 1 file changed, 12 insertions(+) 
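Review bot: The `if readonly` branch that sets `api_key = nil` has no comment explaining why the App Store Connect key can be skipped, and the reason is not obvious from the `sync_code_signing` call below it. A line such as `# readonly only reads existing certificates from storage, so no App Store Connect API key is needed` above the branch would record it, with the wording confirmed against how the action behaves in readonly mode. The branch also relies on plain truthiness, so any value of `readonly` other than `false` or `nil` skips the key check. `set_up_certificate_in_keychain` continues past the end of the second hunk.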
diff --git a/Makefile b/Makefile index c130fd35..56645d4e 100644 --- a/Makefile +++ b/Makefile @@ -10,6 +10,18 @@ CERTIFICATE_NAME_RELEASE = Apple Distribution: Automattic, Inc. (PZYM8XX95Q) clean: rm -rf .build +fetch-codesignging: + bundle install + bundle exec fastlane set_up_signing + +fetch-codesignging-debug: + bundle install + bundle exec fastlane set_up_signing_development + +fetch-codesignging-release: + bundle install + bundle exec fastlane set_up_signing_release + build: @echo "--- Building Release" swift build -c release --arch arm64 From 6441b37874c86d98745f6ac672584901eaee9697 Mon Sep 17 00:00:00 2001 From: Olivier Halligon Date: Wed, 5 Nov 2025 14:44:56 +0100 Subject: [PATCH 13/13] Make Rubocop more lenient on method length --- .rubocop.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.rubocop.yml b/.rubocop.yml index 10d36b09..c20a0319 100644 --- a/.rubocop.yml +++ b/.rubocop.yml @@ -17,7 +17,7 @@ AllCops: SuggestExtensions: false Metrics/MethodLength: - Max: 16 + Max: 30 Style/HashSyntax: EnforcedShorthandSyntax: never
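Review bot: The three new targets are spelled `fetch-codesignging`, `fetch-codesignging-debug` and `fetch-codesignging-release`, while the commit title announces `fetch-codesigning*`. Since the stated goal is discoverability, they should be renamed to `fetch-codesigning`, `fetch-codesigning-debug` and `fetch-codesigning-release`. None of them produces a file, so they should also be listed under `.PHONY` if the Makefile declares one, which is not visible in this hunk.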