Sign release build with distribution certificate

.rubocop.yml

@@ -17,7 +17,7 @@ AllCops:
   SuggestExtensions: false
 
 Metrics/MethodLength:
-  Max: 16
+  Max: 30
 
 Style/HashSyntax:
   EnforcedShorthandSyntax: never

Gemfile.lock

@@ -10,31 +10,35 @@ GEM
     artifactory (3.0.17)
     ast (2.4.2)
     atomos (0.1.3)
-    aws-eventstream (1.3.0)
-    aws-partitions (1.1001.0)
-    aws-sdk-core (3.211.0)
+    aws-eventstream (1.4.0)
+    aws-partitions (1.1180.0)
+    aws-sdk-core (3.236.0)
       aws-eventstream (~> 1, >= 1.3.0)
       aws-partitions (~> 1, >= 1.992.0)
       aws-sigv4 (~> 1.9)
+      base64
+      bigdecimal
       jmespath (~> 1, >= 1.6.1)
-    aws-sdk-kms (1.95.0)
-      aws-sdk-core (~> 3, >= 3.210.0)
+      logger
+    aws-sdk-kms (1.116.0)
+      aws-sdk-core (~> 3, >= 3.234.0)
       aws-sigv4 (~> 1.5)
-    aws-sdk-s3 (1.169.0)
-      aws-sdk-core (~> 3, >= 3.210.0)
+    aws-sdk-s3 (1.202.0)
+      aws-sdk-core (~> 3, >= 3.234.0)
       aws-sdk-kms (~> 1)
       aws-sigv4 (~> 1.5)
-    aws-sigv4 (1.10.1)
+    aws-sigv4 (1.12.1)
       aws-eventstream (~> 1, >= 1.0.2)
     babosa (1.0.4)
-    base64 (0.2.0)
+    base64 (0.3.0)
+    bigdecimal (3.3.1)
     claide (1.1.0)
     colored (1.2)
     colored2 (3.1.2)
     commander (4.6.0)
       highline (~> 2.0.0)
     declarative (0.0.20)
-    digest-crc (0.6.5)
+    digest-crc (0.7.0)
       rake (>= 12.0.0, < 14.0.0)
     domain_name (0.6.20240107)
     dotenv (2.8.1)
@@ -56,20 +60,20 @@ GEM
       faraday (>= 0.8.0)
       http-cookie (~> 1.0.0)
     faraday-em_http (1.0.0)
-    faraday-em_synchrony (1.0.0)
+    faraday-em_synchrony (1.0.1)
     faraday-excon (1.1.0)
     faraday-httpclient (1.0.1)
-    faraday-multipart (1.0.4)
-      multipart-post (~> 2)
+    faraday-multipart (1.1.1)
+      multipart-post (~> 2.0)
     faraday-net_http (1.0.2)
     faraday-net_http_persistent (1.2.0)
     faraday-patron (1.0.0)
     faraday-rack (1.0.0)
     faraday-retry (1.0.3)
     faraday_middleware (1.2.1)
       faraday (~> 1.0)
-    fastimage (2.3.1)
-    fastlane (2.225.0)
+    fastimage (2.4.0)
+    fastlane (2.228.0)
       CFPropertyList (>= 2.3, < 4.0.0)
       addressable (>= 2.8, < 3.0.0)
       artifactory (~> 3.0)
@@ -109,7 +113,7 @@ GEM
       tty-spinner (>= 0.8.0, < 1.0.0)
       word_wrap (~> 1.0.0)
       xcodeproj (>= 1.13.0, < 2.0.0)
-      xcpretty (~> 0.3.0)
+      xcpretty (~> 0.4.1)
       xcpretty-travis-formatter (>= 0.0.3, < 2.0.0)
     fastlane-sirp (1.0.0)
       sysrandom (~> 1.0)
@@ -130,12 +134,12 @@ GEM
       google-apis-core (>= 0.11.0, < 2.a)
     google-apis-storage_v1 (0.31.0)
       google-apis-core (>= 0.11.0, < 2.a)
-    google-cloud-core (1.7.1)
+    google-cloud-core (1.8.0)
       google-cloud-env (>= 1.0, < 3.a)
       google-cloud-errors (~> 1.0)
     google-cloud-env (1.6.0)
       faraday (>= 0.17.3, < 3.0)
-    google-cloud-errors (1.4.0)
+    google-cloud-errors (1.5.0)
     google-cloud-storage (1.47.0)
       addressable (~> 2.8)
       digest-crc (~> 0.4)
@@ -151,40 +155,43 @@ GEM
       os (>= 0.9, < 2.0)
       signet (>= 0.16, < 2.a)
     highline (2.0.3)
-    http-cookie (1.0.7)
+    http-cookie (1.0.8)
       domain_name (~> 0.5)
-    httpclient (2.8.3)
+    httpclient (2.9.0)
+      mutex_m
     jmespath (1.6.2)
-    json (2.7.5)
-    jwt (2.9.3)
+    json (2.15.2)
+    jwt (2.10.2)
       base64
     language_server-protocol (3.17.0.3)
+    logger (1.7.0)
     mini_magick (4.13.2)
     mini_mime (1.1.5)
-    multi_json (1.15.0)
+    multi_json (1.17.0)
     multipart-post (2.4.1)
+    mutex_m (0.3.0)
     nanaimo (0.4.0)
-    naturally (2.2.1)
+    naturally (2.3.0)
     nkf (0.2.0)
-    optparse (0.5.0)
+    optparse (0.8.0)
     os (1.1.4)
     parallel (1.26.3)
     parser (3.3.5.1)
       ast (~> 2.4.1)
       racc
-    plist (3.7.1)
-    public_suffix (6.0.1)
+    plist (3.7.2)
+    public_suffix (6.0.2)
     racc (1.8.1)
     rainbow (3.1.1)
-    rake (13.2.1)
+    rake (13.3.1)
     regexp_parser (2.9.2)
     representable (3.2.0)
       declarative (< 0.1.0)
       trailblazer-option (>= 0.1.1, < 0.2.0)
       uber (< 0.2.0)
     retriable (3.1.2)
-    rexml (3.3.9)
-    rouge (2.0.7)
+    rexml (3.4.4)
+    rouge (3.28.0)
     rubocop (1.68.0)
       json (~> 2.3)
       language_server-protocol (>= 3.17.0)
@@ -199,12 +206,12 @@ GEM
       parser (>= 3.3.1.0)
     ruby-progressbar (1.13.0)
     ruby2_keywords (0.0.5)
-    rubyzip (2.3.2)
+    rubyzip (2.4.1)
     security (0.1.5)
-    signet (0.19.0)
+    signet (0.21.0)
       addressable (~> 2.8)
       faraday (>= 0.17.5, < 3.a)
-      jwt (>= 1.5, < 3.0)
+      jwt (>= 1.5, < 4.0)
       multi_json (~> 1.10)
     simctl (1.6.10)
       CFPropertyList
@@ -228,8 +235,8 @@ GEM
       colored2 (~> 3.1)
       nanaimo (~> 0.4.0)
       rexml (>= 3.3.6, < 4.0)
-    xcpretty (0.3.0)
-      rouge (~> 2.0.7)
+    xcpretty (0.4.1)
+      rouge (~> 3.28.0)
     xcpretty-travis-formatter (1.0.1)
       xcpretty (~> 0.2, >= 0.0.7)
 

Makefile

@@ -4,9 +4,24 @@ RELEASE_VERSION = $(shell .build/release/hostmgr --version)
 SWIFTLINT_VERSION=$(shell awk '/^swiftlint_version:/ {print $$2}' .swiftlint.yml)
 RUBY_VERSION = $(shell cat .ruby-version)
 
+CERTIFICATE_NAME_DEBUG = Apple Development: Created via API (886NX39KP6)
+CERTIFICATE_NAME_RELEASE = Apple Distribution: Automattic, Inc. (PZYM8XX95Q)
+
 clean:
 	rm -rf .build
 
+fetch-codesignging:
+	bundle install
+	bundle exec fastlane set_up_signing
+
+fetch-codesignging-debug:
+	bundle install
+	bundle exec fastlane set_up_signing_development
+
+fetch-codesignging-release:
+	bundle install
+	bundle exec fastlane set_up_signing_release
+
 build:
 	@echo "--- Building Release"
 	swift build -c release --arch arm64
@@ -16,8 +31,8 @@ build:
 	cp .build/arm64-apple-macosx/release/hostmgr .build/artifacts/release/hostmgr
 	cp .build/arm64-apple-macosx/release/hostmgr-helper .build/artifacts/release/hostmgr-helper
 
-	codesign --entitlements Sources/hostmgr/hostmgr.entitlements -s "Apple Development: Created via API (886NX39KP6)" .build/artifacts/release/hostmgr --force --verbose
-	codesign --entitlements Sources/hostmgr/hostmgr.entitlements -s "Apple Development: Created via API (886NX39KP6)" .build/artifacts/release/hostmgr-helper --force --verbose
+	codesign --entitlements Sources/hostmgr/hostmgr.entitlements -s "${CERTIFICATE_NAME_RELEASE}" .build/artifacts/release/hostmgr --force --verbose
+	codesign --entitlements Sources/hostmgr/hostmgr.entitlements -s "${CERTIFICATE_NAME_RELEASE}" .build/artifacts/release/hostmgr-helper --force --verbose
 
 verify-signing: build
 	@echo "--- Checking Code Signing"
@@ -39,22 +54,15 @@ release: build
 	git tag $(RELEASE_VERSION)
 	git push origin $(RELEASE_VERSION)
 
-create-vm-debug:
-	@echo "--- Building and Signing hostmgr for Local Development"
-	swift build
-	codesign --entitlements Sources/hostmgr/hostmgr.entitlements -s "Apple Development: Created via API" .build/arm64-apple-macosx/debug/hostmgr -v
-
-	./.build/arm64-apple-macosx/debug/hostmgr vm create xcode-143 --disk-size 92
-
 build-debug:
 	@echo "--- Building and Signing for Local Development"
 	swift build
-	codesign --entitlements Sources/hostmgr/hostmgr.entitlements -s "Apple Development: Created via API" .build/arm64-apple-macosx/debug/hostmgr -v
+	codesign --entitlements Sources/hostmgr/hostmgr.entitlements -s "${CERTIFICATE_NAME_DEBUG}" .build/arm64-apple-macosx/debug/hostmgr --force --verbose
 
 build-helper-debug:
 	@echo "--- Building and Signing helper for Local Development"
 	swift build
-	codesign --entitlements Sources/hostmgr/hostmgr.entitlements -s "Apple Development: Created via API" .build/arm64-apple-macosx/debug/hostmgr-helper -v
+	codesign --entitlements Sources/hostmgr/hostmgr.entitlements -s "${CERTIFICATE_NAME_DEBUG}" .build/arm64-apple-macosx/debug/hostmgr-helper --force --verbose
 
 run-helper-debug: build-debug build-helper-debug
 	./.build/arm64-apple-macosx/debug/hostmgr-helper --debug true

fastlane/Fastfile

@@ -53,24 +53,20 @@ lane :upload_release do
   )
 end
 
-desc 'Download the development signing certificates to this machine'
+desc 'Download all certificates and provisioning profiles for code signing'
 lane :set_up_signing do |readonly: true|
-  require_env_vars!(*ASC_API_KEY_ENV_VARS, *CODE_SIGNING_STORAGE_ENV_VARS)
-
-  sync_code_signing(
-    platform: 'macos',
-    app_identifier: APPLE_BUNDLE_IDENTIFIER,
-    team_id: APPLE_TEAM_ID,
-    api_key: app_store_connect_api_key,
-    type: 'development',
-    certificate_id: 'Apple Development: Created via API (886NX39KP6)',
+  set_up_signing_development(readonly: readonly)
+  set_up_signing_release(readonly: readonly)
+end
 
-    storage_mode: 's3',
-    s3_region: 'us-east-2',
-    s3_bucket: 'a8c-fastlane-match',
+desc 'Download the development signing certificates to this machine'
+lane :set_up_signing_development do |readonly: true|
+  set_up_certificate_in_keychain(type: 'development', readonly: readonly)
+end
 
-    readonly: readonly
-  )
+desc 'Download the release signing certificates to this machine'
+lane :set_up_signing_release do |readonly: true|
+  set_up_certificate_in_keychain(type: 'appstore', readonly: readonly)
 end
 
 def create_release_zip
@@ -98,3 +94,31 @@ def get_required_env!(key)
 
   UI.user_error!("Environment variable `#{key}` is not set.")
 end
+
+def set_up_certificate_in_keychain(type:, readonly:)
+  require_env_vars!(*CODE_SIGNING_STORAGE_ENV_VARS)
+  if readonly
+    api_key = nil
+  else
+    require_env_vars!(*ASC_API_KEY_ENV_VARS)
+    api_key = app_store_connect_api_key
+  end
+
+  # This will fetch the certificate and provisioning profile for the given type from remote storage.
+  # It will then set them up in the local keychain, where 'codesign' looks for identities.
+  #
+  # Notice we do not need the provisioning profile because we sign with 'codesign' elsewhere.
+  # However, there is no other way to set up the certificate in the keychain.
+  # Fastlane offers a tool called cert, but it only downloads certificates.
+  sync_code_signing(
+    platform: 'macos',
+    app_identifier: APPLE_BUNDLE_IDENTIFIER,
+    team_id: APPLE_TEAM_ID,
+    api_key: api_key,
+    type: type,
+    storage_mode: 's3',
+    s3_region: 'us-east-2',
+    s3_bucket: 'a8c-fastlane-match',
+    readonly: readonly
+  )
+end