mirror of
https://github.com/outbackdingo/firezone.git
synced 2026-01-27 18:18:55 +00:00
chore(apple): Clean up certs in Swift CI (#5471)
Our provisioning profiles / distribution certs expire in a month. I've regenerated them and noted the instructions for doing so.
This commit is contained in:
Jamil
@@ -7,10 +7,10 @@
|
||||
<key>provisioningProfiles</key>
|
||||
<dict>
|
||||
<key>dev.firezone.firezone</key>
|
||||
<string>b32a5853-699d-4f19-85d3-5b13b1ac5dbb</string>
|
||||
<string>9aafa0f8-4b68-49c8-b023-0d4576142e1f</string>
|
||||
|
||||
<key>dev.firezone.firezone.network-extension</key>
|
||||
<string>23402aaa-f72c-4947-a795-23a9cf495968</string>
|
||||
<string>49b53dcc-efaf-4171-9f3b-ca8c46e41069</string>
|
||||
</dict>
|
||||
</dict>
|
||||
</plist>
|
||||
|
||||
@@ -5,7 +5,7 @@ APP_GROUP_ID[sdk=macosx*] = 47R2M6779T.group.dev.firezone.firezone
|
||||
APP_GROUP_ID[sdk=iphoneos*] = group.dev.firezone.firezone
|
||||
CODE_SIGN_STYLE = Manual
|
||||
CODE_SIGN_IDENTITY = Apple Distribution: Firezone, Inc. (47R2M6779T)
|
||||
IOS_APP_PROVISIONING_PROFILE_IDENTIFIER = b32a5853-699d-4f19-85d3-5b13b1ac5dbb
|
||||
MACOS_APP_PROVISIONING_PROFILE_IDENTIFIER = 70055d90-0252-4ee5-a60c-4d6f3840ee62
|
||||
IOS_NE_PROVISIONING_PROFILE_IDENTIFIER = 23402aaa-f72c-4947-a795-23a9cf495968
|
||||
MACOS_NE_PROVISIONING_PROFILE_IDENTIFIER = 1e965794-0b2c-46d3-a955-d96aacf25546
|
||||
IOS_APP_PROVISIONING_PROFILE_IDENTIFIER = 9aafa0f8-4b68-49c8-b023-0d4576142e1f
|
||||
MACOS_APP_PROVISIONING_PROFILE_IDENTIFIER = 5a382464-185f-456c-8e21-da43c920f958
|
||||
IOS_NE_PROVISIONING_PROFILE_IDENTIFIER = 49b53dcc-efaf-4171-9f3b-ca8c46e41069
|
||||
MACOS_NE_PROVISIONING_PROFILE_IDENTIFIER = b79986e4-4b54-43b3-9634-724e4a98ed64
|
||||
|
||||
@@ -119,3 +119,87 @@ item is missing. You can remove the keychain item with the following command:
|
||||
```bash
|
||||
security delete-generic-password -s "dev.firezone.firezone"
|
||||
```
|
||||
|
||||
## Generating new signing certificates and provisioning profiles
|
||||
|
||||
Certs are only good for a year, then you need to generate new ones. Since we use
|
||||
GitHub CI, we have to use manually-managed signing and provisioning. Here's how
|
||||
you populate the required GitHub secrets.
|
||||
|
||||
### Certificates
|
||||
|
||||
You first need two certs: The build / signing cert (Apple Distribution) and the
|
||||
installer cert (Mac Installer Distribution). You can generate these in the Apple
|
||||
Developer portal.
|
||||
|
||||
These are the secrets in GH actions:
|
||||
|
||||
```
|
||||
APPLE_BUILD_CERTIFICATE_BASE64
|
||||
APPLE_BUILD_CERTIFICATE_P12_PASSWORD
|
||||
APPLE_MAC_INSTALLER_CERTIFICATE_BASE64
|
||||
APPLE_MAC_INSTALLER_CERTIFICATE_P12_PASSWORD
|
||||
```
|
||||
|
||||
How to do it:
|
||||
|
||||
1. Go to
|
||||
[Apple Developer](https://developer.apple.com/account/resources/certificates/list)
|
||||
1. Click the "+" button to generate a new distribution certificate for App Store
|
||||
1. It will ask for a CSR. Open Keychain Access, go to Keychain Access ->
|
||||
Certificate Assistant -> Request a Certificate from a Certificate Authority
|
||||
and follow the prompts. Make sure to select "save to disk" to save the CSR.
|
||||
1. Upload the CSR to Apple Developer. Download the resulting certificate.
|
||||
Double-click to install it in Keychain Access.
|
||||
1. Right-click the cert in Keychain access. Export the certificate, choose p12
|
||||
file. Make sure to set a password -- this is the
|
||||
`APPLE_BUILD_CERTIFICATE_P12_PASSWORD`.
|
||||
1. Convert the p12 file to base64:
|
||||
```bash
|
||||
cat cert.p12 | base64
|
||||
```
|
||||
1. Save the base64 output as `APPLE_BUILD_CERTIFICATE_BASE64`.
|
||||
|
||||
Repeat the steps above but choose "Mac Installer certificate" instead of
|
||||
"distribution certificate" in step 2, and save the resulting base64 and password
|
||||
as `APPLE_MAC_INSTALLER_CERTIFICATE_BASE64` and
|
||||
`APPLE_MAC_INSTALLER_CERTIFICATE_P12_PASSWORD`.
|
||||
|
||||
### Provisioning profiles
|
||||
|
||||
```
|
||||
APPLE_IOS_APP_PROVISIONING_PROFILE
|
||||
APPLE_IOS_NE_PROVISIONING_PROFILE
|
||||
APPLE_MACOS_APP_PROVISIONING_PROFILE
|
||||
APPLE_MACOS_NE_PROVISIONING_PROFILE
|
||||
```
|
||||
|
||||
1. Go to
|
||||
[Apple Developer](https://developer.apple.com/account/resources/profiles/list)
|
||||
1. Click the "+" button to generate a new provisioning profile for App Store
|
||||
1. Select the appropriate app ID and distribution certificate you just created.
|
||||
You'll need a provisioning profile for each app and network extension, so 4
|
||||
total (mac app, mac network extension, ios app, ios network extension).
|
||||
1. Download the resulting provisioning profiles.
|
||||
1. Encode to base64 and save each using the secrets names above:
|
||||
|
||||
```bash
|
||||
cat profile.mobileprovision | base64
|
||||
```
|
||||
|
||||
1. Now, you need to update the XCConfig to use these. Edit
|
||||
Firezone/xcconfig/release.xcconfig and update the provisioning profile UUIDs.
|
||||
The UUID can be found by grepping for them in the provisioning profile files
|
||||
themselves, or just opening them in a text editor and looking halfway down
|
||||
the file.
|
||||
1. Now, for iOS only, you need to edit Firezone/ExportOptions.plist and update
|
||||
the provisioning profile UUIDs there as well.
|
||||
|
||||
### Runner keychain password
|
||||
|
||||
This can be randomly generated. It's only used ephemerally to load the secrets
|
||||
into the runner's keychain for the build.
|
||||
|
||||
```
|
||||
APPLE_RUNNER_KEYCHAIN_PASSWORD
|
||||
```
|
||||
|
||||
Reference in New Issue
Block a user