Skip to content
Latchkey

How to Set Up an App Store Connect API Key in GitHub Actions

An App Store Connect API key replaces Apple ID passwords in CI; store the .p8 as a base64 secret alongside its key id and issuer id.

Generate an API key in App Store Connect (Users and Access to Integrations). Store the .p8 contents base64-encoded plus the key id and issuer id as secrets, then write the key back to disk on the runner for notarytool, altool, or fastlane.

Steps

  • Create an API key in App Store Connect and download the .p8 once.
  • Store base64 of the .p8, the Key ID, and the Issuer ID as repo secrets.
  • Decode the key to disk on the runner and pass --key/--key-id/--issuer.

Workflow

.github/workflows/ci.yml
steps:
  - name: Write API key
    env:
      ASC_KEY_B64: ${{ secrets.ASC_API_KEY_BASE64 }}
    run: |
      mkdir -p ~/private_keys
      echo "$ASC_KEY_B64" | base64 --decode > ~/private_keys/AuthKey.p8
  - name: Use with notarytool
    run: |
      xcrun notarytool history \
        --key ~/private_keys/AuthKey.p8 \
        --key-id "${{ secrets.ASC_KEY_ID }}" \
        --issuer "${{ secrets.ASC_ISSUER_ID }}"

Gotchas

  • The .p8 is downloadable only once; if lost, revoke and generate a new key.
  • fastlane expects the key under ~/.appstoreconnect/private_keys/AuthKey_<KEYID>.p8 for auto-discovery.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →