How to Install a Provisioning Profile and p12 in CI
Store the .p12 and .mobileprovision as base64 secrets, decode them on the runner, and import into a throwaway keychain scoped to the build.
When you do not use match, decode the p12 and provisioning profile from secrets, import the cert into a temporary keychain, and copy the profile where Xcode expects it.
Steps
- Add secrets:
IOS_P12_B64,IOS_P12_PASSWORD,IOS_PROFILE_B64. - Decode both into
$RUNNER_TEMPand import the cert into a new keychain. - Copy the profile into
~/Library/MobileDevice/Provisioning Profiles/.
Workflow
.github/workflows/ci.yml
- name: Import signing material
env:
P12_B64: ${{ secrets.IOS_P12_B64 }}
P12_PASSWORD: ${{ secrets.IOS_P12_PASSWORD }}
PROFILE_B64: ${{ secrets.IOS_PROFILE_B64 }}
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
run: |
echo "$P12_B64" | base64 -d > "$RUNNER_TEMP/cert.p12"
echo "$PROFILE_B64" | base64 -d > "$RUNNER_TEMP/app.mobileprovision"
security create-keychain -p "$KEYCHAIN_PASSWORD" ci.keychain
security set-keychain-settings -lut 3600 ci.keychain
security unlock-keychain -p "$KEYCHAIN_PASSWORD" ci.keychain
security import "$RUNNER_TEMP/cert.p12" -k ci.keychain -P "$P12_PASSWORD" -T /usr/bin/codesign
security list-keychains -d user -s ci.keychain
mkdir -p "$HOME/Library/MobileDevice/Provisioning Profiles"
cp "$RUNNER_TEMP/app.mobileprovision" "$HOME/Library/MobileDevice/Provisioning Profiles/"Gotchas
- The
apple-actions/import-codesign-certsaction wraps this flow if you prefer a maintained step. - Set a keychain lock timeout and delete the keychain afterward so identities do not linger.
Related guides
How to Set Up iOS Code Signing in CI With fastlane matchSet up iOS code signing in CI with fastlane match, syncing certificates and profiles from an encrypted git re…
How to Use an App Store Connect API Key in CIAuthenticate to App Store Connect in CI with a .p8 API key, passing the key ID, issuer ID, and base64 key con…