
Commit d02fa12

katipallyCopilot
andcommitted
ci: skip revoked distribution cert, let API key create fresh one
If the imported .p12 is revoked (Xcode rotated certs locally), security import fails non-fatally and we let -allowProvisioningUpdates + the App Manager API key create a fresh distribution cert + profiles. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
1 parent 8536b1c commit d02fa12

1 file changed

Lines changed: 23 additions & 10 deletions


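--- a/.github/workflows/ios-testflight.yml
+++ b/.github/workflows/ios-testflight.yml
@@ -94,16 +94,29 @@ jobs:
 security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
 security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | tr -d '"')
 
-echo "$DIST_CERT_B64" | base64 -D > "$RUNNER_TEMP/dist.p12"
-security import "$RUNNER_TEMP/dist.p12" \
--k "$KEYCHAIN_PATH" \
--P "$DIST_CERT_PASSWORD" \
--T /usr/bin/codesign \
--T /usr/bin/security
-security set-key-partition-list \
--S apple-tool:,apple:,codesign: \
--s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
-rm "$RUNNER_TEMP/dist.p12"
+# Import the distribution certificate if provided.
+# If the cert is revoked, skip import — allowProvisioningUpdates will
+# create a fresh distribution certificate via the App Manager API key.
+if [[ -n "$DIST_CERT_B64" ]]; then
+echo "$DIST_CERT_B64" | base64 -D > "$RUNNER_TEMP/dist.p12"
+IMPORT_RC=0
+security import "$RUNNER_TEMP/dist.p12" \
+-k "$KEYCHAIN_PATH" \
+-P "$DIST_CERT_PASSWORD" \
+-T /usr/bin/codesign \
+-T /usr/bin/security 2>&1 || IMPORT_RC=$?
+rm -f "$RUNNER_TEMP/dist.p12"
+if [ $IMPORT_RC -ne 0 ]; then
+echo "::warning::Distribution cert import failed (rc=${IMPORT_RC}) — may be revoked. allowProvisioningUpdates will create a fresh cert."
+else
+security set-key-partition-list \
+-S apple-tool:,apple:,codesign: \
+-s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+echo "Distribution certificate imported successfully."
+fi
+else
+echo "::warning::IOS_DISTRIBUTION_CERTIFICATE not set — relying on allowProvisioningUpdates."
+fi
 
 - name: Write App Store Connect API key
 id: write-api-key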
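Review bot: The new `|| IMPORT_RC=$?` branch treats every `security import` failure as a revoked certificate and carries on, so a wrong `DIST_CERT_PASSWORD` or a truncated `DIST_CERT_B64` secret now produces only a warning, and the build is signed with whatever identity `-allowProvisioningUpdates` obtains instead of the intended one. For a release-signing step that is a fail-open default; I would keep the failure fatal unless the fallback is explicitly enabled, e.g. `if [ "$IMPORT_RC" -ne 0 ] && [ "${ALLOW_CERT_FALLBACK:-}" != "true" ]; then exit "$IMPORT_RC"; fi` (`ALLOW_CERT_FALLBACK` is a placeholder name, not something defined in this workflow). The same concern applies to the outer `else` branch for an empty `DIST_CERT_B64`, which is presumably a misconfigured secret more often than a deliberate choice. Each fallback run may also create a new distribution certificate from an ephemeral runner, which is worth checking against the account's certificate limit and against who is expected to hold the signing key. The step's `run:` block starts above the hunk, so the shell options in effect (`-e`, `pipefail`) are not visible here.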
