
Certificates renewal

rgaudin edited this page Nov 26, 2024 · 1 revision

The CI and CD workflows require several Apple-provided certificates and info to work.

| Secret Name | Name | Origin | Expiry | Requires Account Holder? | Used in External CI? |
|---|---|---|---|---|---|
| APPLE_STORE_AUTH_KEY | App Store Connect API Key | https://appstoreconnect.apple.com/access/integrations/api | Never expires | Yes | Yes |
| APPLE_STORE_AUTH_KEY_ID | App Store Connect API Key ID | https://appstoreconnect.apple.com/access/integrations/api | - | - | Yes |
| APPLE_STORE_AUTH_KEY_ISSUER_ID | App Store Connect API Key Issuer ID | https://appstoreconnect.apple.com/access/integrations/api | - | - | Yes |
| APPLE_DEVELOPMENT_SIGNING_CERTIFICATE | Apple Development Certificate | https://developer.apple.com/account/resources/certificates/list | 1 year | No | Yes |
| APPLE_DEVELOPMENT_SIGNING_P12_PASSWORD | Apple Development Certificate Password | | - | - | Yes |
| APPLE_DEVELOPMENT_SIGNING_IDENTITY | Apple Development Signing Identity | Certificate (based on creator) | - | - | No |
| APPLE_DISTRIBUTION_SIGNING_CERTIFICATE | Apple Distribution Certificate | https://developer.apple.com/account/resources/certificates/list | 1 year | - | No |
| APPLE_DISTRIBUTION_SIGNING_P12_PASSWORD | Apple Distribution Certificate Password | | - | - | No |
| APPLE_DISTRIBUTION_SIGNING_IDENTITY | Apple Distribution Signing Identity | Certificate (based on Team ID) | - | - | No |
| APPLE_DEVELOPER_ID_SIGNING_CERTIFICATE | Apple Developer ID Application Certificate | https://developer.apple.com/account/resources/certificates/list | 5 years | Yes | No |
| APPLE_DEVELOPER_ID_SIGNING_P12_PASSWORD | Apple Developer ID Certificate Password | | - | - | No |
| APPLE_DEVELOPER_ID_SIGNING_IDENTITY | Apple Developer ID Signing Identity | Certificate (based on Team ID) | - | - | No |
| APPLE_SIGNING_ALTOOL_USERNAME | Apple Account (Developer in Team) | | - | - | No |
| APPLE_SIGNING_ALTOOL_PASSWORD | App-specific password for account | https://account.apple.com/account/manage (app-specific passwords) | - | - | No |
| APPLE_SIGNING_TEAM | Apple Team ID (not secret) | https://developer.apple.com/account | - | - | No |
  • The *_SIGNING_CERTIFICATE secrets are base64 encoded in GH.
  • The signing certificates are usually limited in number (5 I think for Development).
  • The Distribution certificate is used for App Store distribution.
  • The Developer ID certificate is used for off-store (i.e. .app/.dmg) distribution. It is limited to one and can only be created by the Account Holder, but it lasts longer.

Creating a Certificate (GUI way)

  • Open Keychain Access
  • (Menubar) Keychain Access -> Certificate Assistant -> Request a Certificate from a Certificate Authority…
    • User Email Address: your email address
    • Common Name: a short descriptive name for the certificate. It is used in Keychain Access and has no other consequence.
    • Pick "Saved to disk"
    • Continue and choose an appropriate filename.
  • In the Apple Developer Certificates page, choose Create, select the correct type, then attach the CSR created above.
  • Apple will offer to download the certificate (.cer extension).
  • Double-click the downloaded certificate to open it in Keychain Access.
  • Right-click -> Get Info
    • The Common Name is your _SIGNING_IDENTITY value.
  • Select both the private key and the downloaded certificate (1)
  • Right-click -> Export 2 items
    • Select the P12 file format
    • Set a password (this will be the _P12_PASSWORD value)
  • Now retrieve the _CERTIFICATE value with `base64 -i /path/to/xxx.p12 | pbcopy`.

⚠️ The private key is created by Keychain Access at CSR creation and stored under the Common Name you chose then. In the Certificates tab the private key may be displayed as a subitem of the certificate. If not, selecting both the certificate and the private key for export requires finding both in the same list, where they have different names.
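As an added check for the export step above and for the Expiry column of the table (an example script written for this page, not the project's own tooling), the following reads an exported .p12 with the openssl CLI, prints the Common Name that becomes the *_SIGNING_IDENTITY value, reports the expiry date, flags a certificate that will expire within a given number of days, and produces the single-line base64 that goes into the *_SIGNING_CERTIFICATE secret. The certificate it runs on is a constructed self-signed stand-in with a placeholder team ID; the function names (make_demo_p12, p12_identity, p12_not_after, cert_valid_for_days, p12_to_secret) and the demo password are my own choices.

```shell
#!/bin/sh
# Added example (not the project's own tooling): sanity-check an exported
# Keychain .p12 before pasting it into GitHub secrets, and flag certificates
# that are close to expiry. Requires the openssl CLI. The certificate used by
# the demo at the bottom is a constructed self-signed stand-in, not an
# Apple-issued one.
set -eu

# Print the certificate's Common Name, i.e. the *_SIGNING_IDENTITY value.
# Arguments: path to .p12, P12 password (the *_P12_PASSWORD value).
# -clcerts selects the certificate that matches the private key, so a
# bundled chain does not get in the way.
p12_identity() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject -nameopt multiline \
        | sed -n 's/^[[:space:]]*commonName[[:space:]]*=[[:space:]]*//p'
}

# Print the certificate's notAfter date, for keeping the renewal table honest.
p12_not_after() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# Exit 0 if the certificate is still valid $3 days from now, 1 if it expires
# before then. openssl's -checkend does the date arithmetic, which avoids the
# GNU vs BSD/macOS differences in the date(1) command.
cert_valid_for_days() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -checkend $(( $3 * 86400 )) >/dev/null
}

# Base64-encode the .p12 as a single line, the form the *_SIGNING_CERTIFICATE
# secrets take. tr strips the line wrapping GNU base64 adds by default, so the
# output is the same on Linux and macOS.
p12_to_secret() {
    base64 < "$1" | tr -d '\n'
}

# Constructed stand-in for a Keychain Access export: a 30-day self-signed
# certificate packed into demo.p12 with password "demo-p12-password".
# The CN mimics the "Apple Development: Name (TEAMID)" naming; TEAMID0000
# is a placeholder, not a real team ID.
make_demo_p12() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -subj "/CN=Example Development: Jane Doe (TEAMID0000)" 2>/dev/null
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -out "$dir/demo.p12" -passout pass:demo-p12-password
}

# Demo run on the constructed certificate.
demo_dir=$(mktemp -d)
make_demo_p12 "$demo_dir"
p12="$demo_dir/demo.p12"
pw="demo-p12-password"

echo "identity : $(p12_identity "$p12" "$pw")"
echo "expires  : $(p12_not_after "$p12" "$pw")"
for days in 10 60; do
    if cert_valid_for_days "$p12" "$pw" "$days"; then
        echo "still valid in $days days"
    else
        echo "RENEW: expires within $days days"
    fi
done
echo "secret length: $(p12_to_secret "$p12" | wc -c | tr -d ' ') base64 chars"
rm -rf "$demo_dir"
```

For a real export, point the functions at the .p12 from Keychain Access and its password instead of the demo file. On OpenSSL 3, Keychain-exported .p12 files may need `-legacy` added to the `openssl pkcs12` commands, because the certificate bag is encrypted with a legacy RC2 cipher that the default provider no longer loads. The check is cheap enough to run on a schedule against the stored secrets so a one-year Development or Distribution certificate is renewed before CI starts failing.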
