Skip to content
Latchkey

How to Install a Provisioning Profile and p12 in CI

Store the .p12 and .mobileprovision as base64 secrets, decode them on the runner, and import into a throwaway keychain scoped to the build.

When you do not use match, decode the p12 and provisioning profile from secrets, import the cert into a temporary keychain, and copy the profile where Xcode expects it.

Steps

  • Add secrets: IOS_P12_B64, IOS_P12_PASSWORD, IOS_PROFILE_B64.
  • Decode both into $RUNNER_TEMP and import the cert into a new keychain.
  • Copy the profile into ~/Library/MobileDevice/Provisioning Profiles/.

Workflow

.github/workflows/ci.yml
- name: Import signing material
  env:
    P12_B64: ${{ secrets.IOS_P12_B64 }}
    P12_PASSWORD: ${{ secrets.IOS_P12_PASSWORD }}
    PROFILE_B64: ${{ secrets.IOS_PROFILE_B64 }}
    KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
  run: |
    echo "$P12_B64" | base64 -d > "$RUNNER_TEMP/cert.p12"
    echo "$PROFILE_B64" | base64 -d > "$RUNNER_TEMP/app.mobileprovision"
    security create-keychain -p "$KEYCHAIN_PASSWORD" ci.keychain
    security set-keychain-settings -lut 3600 ci.keychain
    security unlock-keychain -p "$KEYCHAIN_PASSWORD" ci.keychain
    security import "$RUNNER_TEMP/cert.p12" -k ci.keychain -P "$P12_PASSWORD" -T /usr/bin/codesign
    security list-keychains -d user -s ci.keychain
    mkdir -p "$HOME/Library/MobileDevice/Provisioning Profiles"
    cp "$RUNNER_TEMP/app.mobileprovision" "$HOME/Library/MobileDevice/Provisioning Profiles/"

Gotchas

  • The apple-actions/import-codesign-certs action wraps this flow if you prefer a maintained step.
  • Set a keychain lock timeout and delete the keychain afterward so identities do not linger.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →