How to make CI build with Xcode project with automatic signing?

Code Signing Entitlements
Nicolai-Miracle OP
Created May ’24
Replies 2
Boosts 0
Views 1.2k
Participants 3

We have an iOS project that is configured with automatically managed signing. We cannot get automatic signing to work on our CI (GitHub Actions). To even get xcodebuild to archive we have to force it to not sign at all:

xcrun xcodebuild \
  -workspace app.xcworkspace \
  -scheme prod \
  -configuration 'Release'  \
  -destination generic/platform=iOS \
  -archivePath ./build/prod.xcarchive \
  CODE_SIGN_IDENTITY="" \
  CODE_SIGNING_REQUIRED=NO \
  CODE_SIGNING_ALLOWED=NO \
  clean archive

All our attempts to make xcodebuild archive do manual signing have failed.

In order to have the app properly signed with the right entitlements we then call codesign:

codesign -f \
  -s Distribution \
  --entitlements prod.entitlements \
  ./build/prod.xcarchive/Products/Applications/prod.app

Then we export the ipa:

xcrun xcodebuild \
  -exportArchive \
  -archivePath ./build \
  -exportOptionsPlist exportOptions.plist \
  -exportPath ./build

This seems to work so my question is: Is it supported to do manual signing this way? Is there a better way?

If we omit the codesign step, the app will still be signed - by exportArchive we assume, but then the entitlements are missing.

Replies  2
Boosts  0
Views  1.2k
Participants  3
DTS Engineer OP
Apple
May ’24
We cannot get automatic signing to work on our CI (GitHub Actions).

Can you get it working in Xcode Cloud?

If so, my advice is that you research this via the support resources for your CI provider. It’s likely that they’ve seen this before.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

1
Nicolai-Miracle OP
May ’24

Thank you for your answer. It helped a lot.

While it is not possible for us to go with Xcode Cloud, your comment did nudge me into look into what Xcode Cloud does for other apps where we do use Xcode Cloud. I got the problems with automatic signing resolved by using some of the same parameters as Xcode Cloud does.

I am quite puzzled as to why it required your comment for me to look at Xcode Cloud but that is one of the ways your work is so invaluable.

The result is

xcrun xcodebuild \
  -workspace app.xcworkspace \
  -scheme prod \
  -configuration 'Release'  \
  -destination generic/platform=iOS \
  -archivePath ./build/prod.xcarchive \
  CODE_SIGN_IDENTITY=- \
  AD_HOC_CODE_SIGNING_ALLOWED=YES \
  CODE_SIGN_STYLE=Automatic \
  DEVELOPMENT_TEAM=ZZZZZZZZZZ \
  clean archive

and no call to codesign is necessary

2
How to make CI build with Xcode project with automatic signing?
First post date Last post date
 
 
Q