Skip to content
Latchkey

fastlane match "Could not decrypt ... wrong passphrase" certificate error in CI

fastlane match stores encrypted certificates and profiles in a git repo and decrypts them with MATCH_PASSWORD. When that passphrase is missing or wrong on the runner, match cannot decrypt the repo and signing assets are unavailable.

What this error means

fastlane match fails with "Could not decrypt the repo, please make sure you use the right passphrase" or prompts for a passphrase that CI cannot answer.

fastlane
[!] Could not decrypt the repo, please make sure you use the right passphrase.

Common causes

MATCH_PASSWORD is unset or incorrect

The encryption passphrase is not provided to the job, or a different one was used, so the AES-encrypted certificates cannot be decrypted.

The match repo was re-encrypted with a new passphrase

After a match nuke or passphrase rotation, an old MATCH_PASSWORD no longer decrypts the repo.

How to fix it

Provide MATCH_PASSWORD as a secret

  1. Store the match passphrase as a CI secret.
  2. Expose it as MATCH_PASSWORD in the job environment.
  3. Run match in readonly mode so CI only fetches existing assets.
.github/workflows/ci.yml
env:
  MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}
run: fastlane match appstore --readonly

Re-sync the passphrase after rotation

If the repo was re-encrypted, update the stored secret to the new passphrase used when the certificates were created.

How to prevent it

  • Keep MATCH_PASSWORD in CI secrets and inject it for every match call.
  • Run match --readonly in CI so jobs never regenerate certificates.
  • Update the secret whenever the match passphrase is rotated.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →