How to Set Up an App Store Connect API Key in GitHub Actions
An App Store Connect API key replaces Apple ID passwords in CI; store the .p8 as a base64 secret alongside its key id and issuer id.
Generate an API key in App Store Connect (Users and Access to Integrations). Store the .p8 contents base64-encoded plus the key id and issuer id as secrets, then write the key back to disk on the runner for notarytool, altool, or fastlane.
Steps
- Create an API key in App Store Connect and download the
.p8once. - Store base64 of the
.p8, the Key ID, and the Issuer ID as repo secrets. - Decode the key to disk on the runner and pass
--key/--key-id/--issuer.
Workflow
.github/workflows/ci.yml
steps:
- name: Write API key
env:
ASC_KEY_B64: ${{ secrets.ASC_API_KEY_BASE64 }}
run: |
mkdir -p ~/private_keys
echo "$ASC_KEY_B64" | base64 --decode > ~/private_keys/AuthKey.p8
- name: Use with notarytool
run: |
xcrun notarytool history \
--key ~/private_keys/AuthKey.p8 \
--key-id "${{ secrets.ASC_KEY_ID }}" \
--issuer "${{ secrets.ASC_ISSUER_ID }}"Gotchas
- The
.p8is downloadable only once; if lost, revoke and generate a new key. - fastlane expects the key under
~/.appstoreconnect/private_keys/AuthKey_<KEYID>.p8for auto-discovery.
Related guides
How to Notarize a macOS App in GitHub ActionsSign and notarize a macOS app on a GitHub Actions runner with codesign, xcrun notarytool submit --wait, and x…
How to Use fastlane match for Code Signing in GitHub ActionsSync signing certificates and provisioning profiles in CI with fastlane match readonly on a GitHub Actions ma…