Certificates renewal
rgaudin edited this page 2024-11-26 15:08:56 +00:00

The CI and CD workflows require several Apple-provided certificates and info to work.

| Secret Name | Name | Origin | Expiry | Requires Account Holder? | Used in External CI? |
|---|---|---|---|---|---|
| APPLE_STORE_AUTH_KEY | App Store Connect API Key | https://appstoreconnect.apple.com/access/integrations/api | Never expires | Yes | Yes |
| APPLE_STORE_AUTH_KEY_ID | App Store Connect API Key ID | https://appstoreconnect.apple.com/access/integrations/api | - | - | Yes |
| APPLE_STORE_AUTH_KEY_ISSUER_ID | App Store Connect API Key Issuer ID | https://appstoreconnect.apple.com/access/integrations/api | - | - | Yes |
| APPLE_DEVELOPMENT_SIGNING_CERTIFICATE | Apple Development Certificate | https://developer.apple.com/account/resources/certificates/list | 1 year | No | Yes |
| APPLE_DEVELOPMENT_SIGNING_P12_PASSWORD | Apple Development Certificate Password | | - | - | Yes |
| APPLE_DEVELOPMENT_SIGNING_IDENTITY | Apple Development Signing Identity | Certificate (based on creator) | - | - | No |
| APPLE_DISTRIBUTION_SIGNING_CERTIFICATE | Apple Distribution Certificate | https://developer.apple.com/account/resources/certificates/list | 1 year | - | No |
| APPLE_DISTRIBUTION_SIGNING_P12_PASSWORD | Apple Distribution Certificate Password | | - | - | No |
| APPLE_DISTRIBUTION_SIGNING_IDENTITY | Apple Distribution Signing Identity | Certificate (based on Team ID) | - | - | No |
| APPLE_DEVELOPER_ID_SIGNING_CERTIFICATE | Apple Developer ID Application Certificate | https://developer.apple.com/account/resources/certificates/list | 5 years | Yes | No |
| APPLE_DEVELOPER_ID_SIGNING_P12_PASSWORD | Apple Developer ID Certificate Password | | - | - | No |
| APPLE_DEVELOPER_ID_SIGNING_IDENTITY | Apple Developer ID Signing Identity | Certificate (based on Team ID) | - | - | No |
| APPLE_SIGNING_ALTOOL_USERNAME | Apple Account (Developer in Team) | | - | - | No |
| APPLE_SIGNING_ALTOOL_PASSWORD | App-specific password for account | https://account.apple.com/account/manage (app-specific passwords) | - | - | No |
| APPLE_SIGNING_TEAM | Apple Team ID (not secret) | https://developer.apple.com/account | - | - | No |

  • The *_SIGNING_CERTIFICATE secrets are stored base64-encoded in GH.
  • The signing certificates are usually limited in number (5 I think for Development).
  • The Distribution certificate is used for App Store distribution.
  • Developer ID is used for off-store (i.e. .app/.dmg) distribution. It is limited to one and can only be created by the Account Holder, but it lasts longer.

Creating a Certificate (GUI way)

  • Open Keychain Access
  • (Menubar) Keychain Access > Certificate Assistant > Request a Certificate from a Certificate Authority…
    • User Email Address: Your email address
    • Common Name: A short descriptive name for the certificate. Used in Keychain Access. Has no other consequence.
    • Pick Saved to disk
    • Continue and choose an appropriate filename.
  • In Apple Developer's Certificates page, choose Create, select the correct type, and then attach the CSR created above.
  • Apple will offer to download the certificate (.cer extension).
  • Double-click the downloaded Certificate to open it in Keychain Access
  • Right-click -> Get info
    • The Common Name is your _SIGNING_IDENTITY value
  • Select both the private key and the downloaded certificate (1)
  • Right-click -> Export 2 items
    • Select P12 file format
    • Set a password (will be the _P12_PASSWORD value)
  • Now retrieve the _CERTIFICATE value with base64 -i /path/to/xxx.p12 | pbcopy.

⚠️ The private key is created by Keychain Access when the CSR is created and is stored under the Common Name you chose then. In the Certificates tab, the private key might be displayed as a subitem of the certificate. If it is not, selecting both the certificate and the private key for export requires finding both in the same list, where they have different names.
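
A check to run on the copied base64 value before saving it as a secret, given here as an added example that is not part of the original page or the project's code. It confirms that the value decodes, that the password opens it, that the private key was exported together with the certificate, and that the certificate is not about to expire. The function name `check_signing_p12` and the `P12_PASSWORD` environment variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the project's code). Assumed interface:
#   $1            base64 text of the .p12 (output of `base64 -i xxx.p12`)
#   $2            minimum remaining validity in days, default 30
#   P12_PASSWORD  exported environment variable with the export password
# Prints the certificate Common Name (the _SIGNING_IDENTITY value).
# Returns 0 ok, 1 expires too soon, 2 undecodable or wrong password,
# 3 certificate exported without its private key.
check_signing_p12() (
    min_days=${2:-30}
    umask 077                       # the decoded bundle holds a private key
    tmp=$(mktemp -d) || exit 2
    trap 'rm -rf "$tmp"' EXIT       # removed on every exit path
    printf '%s' "$1" | tr -d ' \r\n' |
        openssl base64 -d -A > "$tmp/id.p12" 2>/dev/null || exit 2

    # env: keeps the password out of the process list. OpenSSL 3 needs
    # -legacy for bundles encrypted with older RC2/3DES algorithms, so
    # the parse is retried with that flag when the first attempt fails.
    parse() {
        openssl pkcs12 -in "$tmp/id.p12" -passin env:P12_PASSWORD "$@" 2>/dev/null
    }
    parse -nokeys -clcerts > "$tmp/cert.pem" ||
        parse -legacy -nokeys -clcerts > "$tmp/cert.pem" || exit 2

    # The key is streamed to grep only; it is never written to disk.
    { parse -nocerts -nodes || parse -legacy -nocerts -nodes; } |
        grep 'PRIVATE KEY' > /dev/null || exit 3

    openssl x509 -in "$tmp/cert.pem" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
    openssl x509 -in "$tmp/cert.pem" -noout -checkend "$((min_days * 86400))" \
        > /dev/null || exit 1
)
```

Return code 3 corresponds to the export mistake described in the warning above: only the certificate was selected, so the bundle cannot be used for signing.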