fastlane match "Could not decrypt ... wrong passphrase" certificate error in CI
fastlane match stores encrypted certificates and profiles in a git repo and decrypts them with MATCH_PASSWORD. When that passphrase is missing or wrong on the runner, match cannot decrypt the repo and signing assets are unavailable.
What this error means
fastlane match fails with "Could not decrypt the repo, please make sure you use the right passphrase" or prompts for a passphrase that CI cannot answer.
[!] Could not decrypt the repo, please make sure you use the right passphrase.Common causes
MATCH_PASSWORD is unset or incorrect
The encryption passphrase is not provided to the job, or a different one was used, so the AES-encrypted certificates cannot be decrypted.
The match repo was re-encrypted with a new passphrase
After a match nuke or passphrase rotation, an old MATCH_PASSWORD no longer decrypts the repo.
How to fix it
Provide MATCH_PASSWORD as a secret
- Store the match passphrase as a CI secret.
- Expose it as MATCH_PASSWORD in the job environment.
- Run match in readonly mode so CI only fetches existing assets.
env:
MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}
run: fastlane match appstore --readonlyRe-sync the passphrase after rotation
If the repo was re-encrypted, update the stored secret to the new passphrase used when the certificates were created.
How to prevent it
- Keep MATCH_PASSWORD in CI secrets and inject it for every match call.
- Run match
--readonlyin CI so jobs never regenerate certificates. - Update the secret whenever the match passphrase is rotated.