1

I'm trying to automate the creation of an .ipa file for the development step. I have an enterprise licence, and I use a distribution cert. (It's a Distribution certificate for an Enterprise distribution, so I don't publish on the App Store.)

Here is my code so far; I try to do the whole signing process manually:

```bash
#!/bin/bash
PROFILE_PATH="XX/XXX/XXX.mobileprovision"
PROFILE_NAME="XXXXXXX"
KEYCHAIN="/Users/XXXX/Library/Keychains/login.keychain-db"
PASSWORD="XXXX"
CERT_PASS="XXXX"
CERT_PATH="./XXX/XXX"
ARCHIVE_PATH="./XXX/myApp.xcarchive"
IPA_PATH="./XXX/myApp.ipa"
EXPORT_PATH="./XXX/exportHouse.plist"


sleep 5

open "${PROFILE_PATH}"   # open the provisioning profile so it gets installed

sleep 5

security list-keychains
security unlock-keychain -p "${PASSWORD}" "${KEYCHAIN}"
security -q import "${CERT_PATH}.p12" -k "${KEYCHAIN}" -P "${CERT_PASS}" -T /usr/bin/codesign
security set-keychain-settings "${KEYCHAIN}"   # no -t/-l: keychain does not auto-lock
# Let Apple tools (codesign) use the imported key without a prompt
security set-key-partition-list -S apple-tool:,apple: -s -k "${PASSWORD}" "${KEYCHAIN}"

# Make the archive file
xcodebuild \
  DEVELOPMENT_TEAM="4CVDA82G9X" \
  PROVISIONING_PROFILE_SPECIFIER="${PROFILE_NAME}" \
  CODE_SIGN_IDENTITY="iPhone Distribution" \
  CODE_SIGN_STYLE="Manual" \
  OTHER_CODE_SIGN_FLAGS="--keychain ${KEYCHAIN}" \
  -scheme ispektor \
  -workspace ./platforms/ios/myApp.xcworkspace \
  -archivePath "${ARCHIVE_PATH}" \
  archive

sleep 5
# Make the IPA file
xcodebuild \
  -exportArchive \
  -archivePath "${ARCHIVE_PATH}" \
  -exportPath "${IPA_PATH}" \
  -exportOptionsPlist "${EXPORT_PATH}"
```

Problem:

I can download the ipa file; however, when I launch it on my phone, it opens and closes immediately.

When we look at the logs we have (I've selected only the related parts):


```
Executing launch request for application ...
Submitting job ...
<Error>: failed to get pid for label UIKitApplication: No such process (3)
<Error>: Failed to start job for application<com.myApp.mobileApp>: <NSError: 0x100545e20; domain: NSPOSIXErrorDomain; code: 3; reason: "No such process"> {
    userInfo = {
        RBLaunchdOperation = launch_get_running_pid_4SB;
        RBLaunchdJobLabel = UIKitApplication:com.myApp.mobileApp[7207][rb-legacy];
    }
}
<Notice>: Trust evaluate failure: [leaf AnchorApple ChainLength IssuerCommonName LeafMarkerOid MissingIntermediate SubjectCommonName]
```

Potential cause: I think this comes from my initial certificate; as I import it manually on line 21, this certificate is "not trusted". And when I do everything with Xcode and set "Automatically manage signing", it works.

When I manually force "always trusted", I can't compile:

```
note: Constructing build description
error: Invalid trust settings. Restore system default trust settings for certificate "iPhone Distribution: XXXX" in order to sign code with it. (in target 'myApp' from project 'myApp')
```

And when it says "restore" it means trust --> untrust.

So I need to do the same as "Automatically manage signing" but with the CLI.

auspicious99
LexaGC
  • _I could download the ipa file and launch it on my phone, but it opens and closes immediately_ Just to be clear: Is the ipa created with an app store cert or enterprise cert? – mfaani Dec 02 '20 at 20:31
  • Hi @Honey, as I mentioned at the beginning, it's a Distribution certificate for an Enterprise distribution. So I don't publish on the App Store, I just ftp the .ipa and manifest.plist to my company server. – LexaGC Dec 02 '20 at 21:01
  • Does [this](https://stackoverflow.com/a/62141458/5175709) solve it? – mfaani Dec 02 '20 at 22:40
  • Quick answer is no. First of all, as I said, "When I manually force "always trusted" I can't compile", and second, I want to do it by CLI. When I do this process manually without CLI, the cert isn't "not trusted" or "Always trusted", it's just trusted. This job is done by Xcode when we manage cert/team – LexaGC Dec 03 '20 at 07:48

2 Answers

1

I solved it

The root cause was: iPhone Distribution certificate was not trusted in the keychain.

If I force "always trusted" it won't work.

I needed to download the Apple Worldwide Developer Relations Certification Authority, BUT on their website (https://www.apple.com/certificateauthority/) there are two certificates: one lasts until 2023 and the other until 2030. It didn't change anything when I added the 2023 one, but the 2030 one made my Distribution certificate trusted!

So you need iPhone Distribution Certificate + this AWDRCA

auspicious99
LexaGC
  • I think at some point you accidentally either deleted a keychain item or sabotaged it, just as in the link I mentioned. Otherwise this problem doesn't happen by itself. Regardless, happy that you solved it – mfaani Dec 07 '20 at 23:41
  • I manually erased everything (factory restart of my OS); I want to be able to deploy from a completely fresh new Mac. I haven't re-tested it yet :D Thanks for your help! – LexaGC Dec 08 '20 at 11:12
1

The reason is that your distribution certificate was signed by the Apple Worldwide Developer Relations Certification Intermediate Certificate that expires in 2030, not the former one that expires on February 7, 2023. Even though it is still a few more years to 2023, the best practice for certificate renewal is to do it early, e.g., with a third of its lifetime left before expiry, and then to stop signing with the previous certificate (even though it still hasn't reached its expiry yet).

In your case, as Apple explains,

> The current Apple Worldwide Developer Relations Certification Intermediate Certificate is set to expire on February 07, 2023. The renewed certificate will be used to sign new iOS Distribution Certificates issued after September 2, 2020 for the Apple Developer Enterprise Program.

So your distribution certificate was most likely issued after September 2, 2020, and therefore signed with the Apple Worldwide Developer Relations Certification Intermediate Certificate that expires in 2030.

auspicious99
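Both answers above rest on the same mechanism: a leaf certificate validates only when the intermediate that actually signed it is available, which is what `MissingIntermediate` in the device log points at. The script below is an added example, not part of the original posts; it reproduces the situation with a throwaway PKI built with `openssl`. The root, the two intermediates and the leaf are constructed stand-ins (not Apple's certificates), and all function and file names are hypothetical.

```shell
#!/bin/bash
# Constructed demo PKI (NOT Apple's certificates): a root, an older and a
# renewed intermediate, and a leaf issued by the renewed intermediate only.
set -eu

# new_csr <dir> <name> <CN>: fresh RSA key plus certificate request
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$2.key" \
    -subj "/CN=$3" -out "$1/$2.csr" 2>/dev/null
}

# issue <dir> <name> <CN> <issuer> <days> <TRUE|FALSE: is it a CA?>
issue() {
  new_csr "$1" "$2" "$3"
  printf 'basicConstraints=critical,CA:%s\n' "$6" > "$1/$2.ext"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
    -CAcreateserial -days "$5" -extfile "$1/$2.ext" -out "$1/$2.pem" 2>/dev/null
}

build_demo_pki() {
  new_csr "$1" root "Demo Root CA"
  printf 'basicConstraints=critical,CA:TRUE\n' > "$1/root.ext"
  openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 7300 \
    -extfile "$1/root.ext" -out "$1/root.pem" 2>/dev/null
  issue "$1" inter_old "Demo Intermediate (older)"   root      30   TRUE
  issue "$1" inter_new "Demo Intermediate (renewed)" root      3650 TRUE
  issue "$1" leaf      "Demo Distribution Identity"  inter_new 365  FALSE
}

# chain_ok <dir> <intermediate>: does the leaf chain to the root through it?
chain_ok() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/$2.pem" "$1/leaf.pem" \
    >/dev/null 2>&1
}

# needed_intermediate <dir> <candidate>...: print the one that completes the chain
needed_intermediate() {
  d=$1; shift
  for c in "$@"; do
    if chain_ok "$d" "$c"; then echo "$c"; return 0; fi
  done
  return 1
}

DEMO=$(mktemp -d)   # throwaway working directory
build_demo_pki "$DEMO"
echo "intermediate required: $(needed_intermediate "$DEMO" inter_old inter_new)"
```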