ios: use signing identity fingerprint in ci

.gitea/workflows/testflight-release.yml

@@ -84,23 +84,85 @@ jobs:
           : "${APPSTORE_PROVISIONING_PROFILE_BASE64:?APPSTORE_PROVISIONING_PROFILE_BASE64 secret is required}"
 
           keychain_password="$(uuidgen)"
-          keychain_path="${HOME}/Library/Keychains/${SIGNING_KEYCHAIN}.keychain-db"
+          previous_default_keychain="$(security default-keychain -d user | sed 's/[ "]//g' || true)"
-          mkdir -p "${HOME}/Library/Keychains" "${HOME}/Library/MobileDevice/Provisioning Profiles" ios/build/secrets
+          if [[ "${previous_default_keychain}" == *"/${SIGNING_KEYCHAIN}"* || ! -e "${previous_default_keychain}" ]]; then
+            previous_default_keychain=""
+          fi
+          developer_dir="$(xcode-select -p)"
+          signing_dir="$(mktemp -d "${RUNNER_TEMP:-${TMPDIR:-/tmp}}/sybil-signing.XXXXXX")"
+          mkdir -p "${HOME}/Library/Keychains"
+          keychain_name="${HOME}/Library/Keychains/${SIGNING_KEYCHAIN}-${GITHUB_RUN_ID:-$(uuidgen)}.keychain"
+          certificate_path="${signing_dir}/appstore-signing.p12"
+          wwdr_certificate_path="${signing_dir}/AppleWWDRCAG3.cer"
+          profile_path="${signing_dir}/Sybil_AppStore_CI.mobileprovision"
+          profile_plist="${signing_dir}/profile.plist"
+          old_profile_dir="${HOME}/Library/MobileDevice/Provisioning Profiles"
+          xcode_profile_dir="${HOME}/Library/Developer/Xcode/UserData/Provisioning Profiles"
+          mkdir -p "${old_profile_dir}" "${xcode_profile_dir}"
 
-          printf '%s' "${APPSTORE_CERTIFICATES_FILE_BASE64}" | base64 --decode > ios/build/secrets/appstore-signing.p12
+          printf '%s' "${APPSTORE_CERTIFICATES_FILE_BASE64}" | base64 --decode > "${certificate_path}"
-          printf '%s' "${APPSTORE_PROVISIONING_PROFILE_BASE64}" | base64 --decode > "${HOME}/Library/MobileDevice/Provisioning Profiles/Sybil_AppStore_CI.mobileprovision"
+          printf '%s' "${APPSTORE_PROVISIONING_PROFILE_BASE64}" | base64 --decode > "${profile_path}"
+          curl -fsSL https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer -o "${wwdr_certificate_path}"
+          openssl smime -inform DER -verify -noverify -in "${profile_path}" -out "${profile_plist}" >/dev/null
+          profile_uuid="$(/usr/libexec/PlistBuddy -c 'Print UUID' "${profile_plist}")"
+          profile_name="$(/usr/libexec/PlistBuddy -c 'Print Name' "${profile_plist}")"
+          old_profile_path="${old_profile_dir}/${profile_uuid}.mobileprovision"
+          xcode_profile_path="${xcode_profile_dir}/${profile_uuid}.mobileprovision"
+          old_named_profile_path="${old_profile_dir}/Sybil_AppStore_CI.mobileprovision"
+          xcode_named_profile_path="${xcode_profile_dir}/Sybil_AppStore_CI.mobileprovision"
+          cp "${profile_path}" "${old_profile_path}"
+          cp "${profile_path}" "${xcode_profile_path}"
+          cp "${profile_path}" "${old_named_profile_path}"
+          cp "${profile_path}" "${xcode_named_profile_path}"
 
-          security create-keychain -p "${keychain_password}" "${keychain_path}"
+          base_keychains=()
-          security set-keychain-settings -lut 21600 "${keychain_path}"
+          while IFS= read -r existing_keychain; do
-          security unlock-keychain -p "${keychain_password}" "${keychain_path}"
+            [[ -z "${existing_keychain}" ]] && continue
-          security list-keychains -d user -s "${keychain_path}" $(security list-keychains -d user | sed 's/[ "]//g')
+            [[ "${existing_keychain}" == *"/${SIGNING_KEYCHAIN}"* ]] && continue
-          security import ios/build/secrets/appstore-signing.p12 \
+            [[ ! -e "${existing_keychain}" ]] && continue
-            -k "${keychain_path}" \
+            base_keychains+=("${existing_keychain}")
-            -P "${APPSTORE_CERTIFICATES_PASSWORD}" \
+          done < <(security list-keychains -d user | sed 's/[ "]//g')
+
+          security delete-keychain "${keychain_name}" >/dev/null 2>&1 || true
+          rm -f "${HOME}/Library/Keychains/${keychain_name}-db"
+          security create-keychain -p "${keychain_password}" "${keychain_name}"
+          security set-keychain-settings -lut 21600 "${keychain_name}"
+          security unlock-keychain -p "${keychain_password}" "${keychain_name}"
+          security import "${wwdr_certificate_path}" \
+            -k "${keychain_name}" \
             -T /usr/bin/codesign \
             -T /usr/bin/security \
             -T /usr/bin/xcodebuild
-          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${keychain_password}" "${keychain_path}"
+          security import "${certificate_path}" \
+            -k "${keychain_name}" \
+            -P "${APPSTORE_CERTIFICATES_PASSWORD}" \
+            -T /usr/bin/codesign \
+            -T /usr/bin/security \
+            -T /usr/bin/xcodebuild \
+            -T "${developer_dir}/usr/bin/xcodebuild"
+          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${keychain_password}" "${keychain_name}"
+          if [[ "${#base_keychains[@]}" -gt 0 ]]; then
+            security list-keychains -d user -s "${keychain_name}" "${base_keychains[@]}"
+          else
+            security list-keychains -d user -s "${keychain_name}"
+          fi
+          security default-keychain -d user -s "${keychain_name}"
+          keychain_path="$(security list-keychains -d user | sed 's/[ "]//g' | head -n 1)"
+          security find-identity -v -p codesigning "${keychain_path}"
+          security find-identity -v -p codesigning
+          echo "Installed ${profile_name} (${profile_uuid}) provisioning profile"
+          {
+            echo "SYBIL_SIGNING_KEYCHAIN_PATH=${keychain_path}"
+            echo "SYBIL_SIGNING_KEYCHAIN_NAME=${keychain_name}"
+            echo "SYBIL_SIGNING_KEYCHAIN_PASSWORD=${keychain_password}"
+            echo "SYBIL_PREVIOUS_DEFAULT_KEYCHAIN=${previous_default_keychain}"
+            echo "SYBIL_PROVISIONING_PROFILE_UUID=${profile_uuid}"
+            echo "SYBIL_SIGNING_DIR=${signing_dir}"
+            echo "SYBIL_OLD_PROFILE_PATH=${old_profile_path}"
+            echo "SYBIL_XCODE_PROFILE_PATH=${xcode_profile_path}"
+            echo "SYBIL_OLD_NAMED_PROFILE_PATH=${old_named_profile_path}"
+            echo "SYBIL_XCODE_NAMED_PROFILE_PATH=${xcode_named_profile_path}"
+          } >> "${GITHUB_ENV}"
 
       - name: Build and upload to TestFlight
         working-directory: ios
@@ -116,6 +178,12 @@ jobs:
         run: |
           set -euo pipefail
 
+          security unlock-keychain -p "${SYBIL_SIGNING_KEYCHAIN_PASSWORD}" "${SYBIL_SIGNING_KEYCHAIN_PATH}"
+          security list-keychains -d user -s "${SYBIL_SIGNING_KEYCHAIN_PATH}" $(security list-keychains -d user | sed 's/[ "]//g')
+          security default-keychain -d user -s "${SYBIL_SIGNING_KEYCHAIN_PATH}"
+          security find-identity -v -p codesigning "${SYBIL_SIGNING_KEYCHAIN_PATH}"
+          security find-identity -v -p codesigning
+
           SYBIL_VERSION_TAG="${TAG_NAME}" bundle exec fastlane ios beta
 
       - name: Locate IPA
@@ -205,4 +273,14 @@ jobs:
       - name: Clean up temporary keychain
         if: always()
         run: |
-          security delete-keychain "${HOME}/Library/Keychains/${SIGNING_KEYCHAIN}.keychain-db" || true
+          if [[ -n "${SYBIL_PREVIOUS_DEFAULT_KEYCHAIN:-}" ]]; then
+            security default-keychain -d user -s "${SYBIL_PREVIOUS_DEFAULT_KEYCHAIN}" || true
+          fi
+          rm -f \
+            "${SYBIL_OLD_PROFILE_PATH:-}" \
+            "${SYBIL_XCODE_PROFILE_PATH:-}" \
+            "${SYBIL_OLD_NAMED_PROFILE_PATH:-}" \
+            "${SYBIL_XCODE_NAMED_PROFILE_PATH:-}"
+          security delete-keychain "${SYBIL_SIGNING_KEYCHAIN_PATH:-${HOME}/Library/Keychains/${SIGNING_KEYCHAIN}.keychain-db}" || true
+          rm -f "${HOME}/Library/Keychains/${SIGNING_KEYCHAIN}-"*.keychain-db
+          rm -rf "${SYBIL_SIGNING_DIR:-}"

ios/.env.example

@@ -5,6 +5,12 @@ FASTLANE_HIDE_CHANGELOG=1
 SYBIL_APP_STORE_APPLE_ID=6759442828
 SYBIL_PROVIDER_PUBLIC_ID=c043d167-ad88-4036-84ea-76c223f1b1b2
 SYBIL_PROVISIONING_PROFILE_SPECIFIER=Sybil AppStore CI
+SYBIL_PROVISIONING_PROFILE_UUID=
+SYBIL_CODE_SIGN_IDENTITY=Apple Distribution: James Magahern (DQQH5H6GBD)
+SYBIL_XCODE_CODE_SIGN_IDENTITY=6B74B268C4761720FB2051D01D8BB3E47B55D9F5
+SYBIL_EXPORT_SIGNING_CERTIFICATE=Apple Distribution
+SYBIL_SIGNING_CERTIFICATE_ID=
+SYBIL_SIGNING_KEYCHAIN=
 
 # App Store Connect API key settings for TestFlight upload and signing setup.
 APP_STORE_CONNECT_API_KEY_ID=

ios/Apps/Sybil/project.yml

@@ -32,6 +32,12 @@ targets:
         INFOPLIST_KEY_UILaunchScreen_Generation: YES
         INFOPLIST_KEY_UISupportedInterfaceOrientations_iPhone: UIInterfaceOrientationPortrait
         INFOPLIST_KEY_UISupportedInterfaceOrientations_iPad: UIInterfaceOrientationPortrait UIInterfaceOrientationPortraitUpsideDown UIInterfaceOrientationLandscapeLeft UIInterfaceOrientationLandscapeRight
+      configs:
+        Release:
+          CODE_SIGN_STYLE: Manual
+          CODE_SIGN_IDENTITY: Apple Distribution
+          "CODE_SIGN_IDENTITY[sdk=iphoneos*]": Apple Distribution
+          PROVISIONING_PROFILE_SPECIFIER: Sybil AppStore CI
 
 schemes:
   Sybil:

ios/fastlane/CI.md

@@ -14,10 +14,13 @@ git push origin release/v1.10.0
 ```
 
 The release job runs on the `xcode` runner label, imports the signing p12 into
-a temporary keychain, installs the App Store provisioning profile, builds and
+a temporary per-user keychain, makes that keychain the user default for the
-uploads the app with fastlane, then creates or updates the matching Gitea
+duration of the job, installs the App Store provisioning profile in both the
-release with the generated IPA as an asset. The job deletes the temporary
+legacy MobileDevice directory and the Xcode UserData directory used by newer
-signing keychain in an `always()` cleanup step.
+Xcode releases, builds and uploads the app with fastlane, then creates or
+updates the matching Gitea release with the generated IPA as an asset. The job
+restores the previous user default keychain and deletes the temporary signing
+keychain and installed profiles in an `always()` cleanup step.
 
 Required repository secrets:
 
@@ -42,6 +45,26 @@ certificate and provisioning profile values into the repository secrets listed
 above. The workflow uses the `Sybil AppStore CI` provisioning profile name by
 default.
 
+Fastlane keeps two signing names separate. `SYBIL_CODE_SIGN_IDENTITY` is the
+exact certificate common name used when exporting a local p12 for secrets, while
+`SYBIL_XCODE_CODE_SIGN_IDENTITY` defaults to the certificate SHA-1 fingerprint
+that Xcode uses during archive. `SYBIL_EXPORT_SIGNING_CERTIFICATE` defaults to
+the generic `Apple Distribution` selector used in the export options.
+
+The Release signing settings are also present in `Apps/Sybil/project.yml` so
+XcodeGen emits a manually signed App Store archive configuration. CI passes the
+installed provisioning profile UUID to Fastlane as
+`SYBIL_PROVISIONING_PROFILE_UUID`; Fastlane writes that UUID into the generated
+project before archiving. CI also passes the temporary keychain path as
+`CODE_SIGN_KEYCHAIN` so Xcode searches the disposable keychain for the imported
+Distribution identity.
+
+If the Apple team has reached the Distribution certificate limit, set
+`SYBIL_SIGNING_CERTIFICATE_ID` to the portal id for a certificate whose private
+key exists in the local login keychain before running `create_ci_signing`. The
+lane will export the local identity and create the provisioning profile against
+that existing certificate instead of creating another Distribution certificate.
+
 If `create_ci_signing` fails with an expired or missing agreement error, the
 Apple Developer Program account holder must accept the current agreements in
 App Store Connect before new certificates or provisioning profiles can be

ios/fastlane/Fastfile

@@ -1,9 +1,13 @@
 require "dotenv"
 require "base64"
 require "fileutils"
+require "json"
+require "net/http"
 require "open3"
+require "openssl"
 require "securerandom"
 require "shellwords"
+require "uri"
 require "yaml"
 
 Dotenv.load(File.expand_path("../.env", __dir__))
@@ -15,6 +19,9 @@ TEAM_ID = ENV.fetch("FASTLANE_TEAM_ID", "DQQH5H6GBD")
 APP_STORE_APPLE_ID = ENV.fetch("SYBIL_APP_STORE_APPLE_ID", "6759442828")
 PROVIDER_PUBLIC_ID = ENV.fetch("SYBIL_PROVIDER_PUBLIC_ID", "c043d167-ad88-4036-84ea-76c223f1b1b2")
 PROFILE_SPECIFIER = ENV["SYBIL_PROVISIONING_PROFILE_SPECIFIER"].to_s.strip.empty? ? "Sybil AppStore CI" : ENV["SYBIL_PROVISIONING_PROFILE_SPECIFIER"]
+SIGNING_CERTIFICATE_NAME = ENV["SYBIL_CODE_SIGN_IDENTITY"].to_s.strip.empty? ? "Apple Distribution: James Magahern (DQQH5H6GBD)" : ENV["SYBIL_CODE_SIGN_IDENTITY"]
+XCODE_CODE_SIGN_IDENTITY = ENV["SYBIL_XCODE_CODE_SIGN_IDENTITY"].to_s.strip.empty? ? "6B74B268C4761720FB2051D01D8BB3E47B55D9F5" : ENV["SYBIL_XCODE_CODE_SIGN_IDENTITY"]
+EXPORT_SIGNING_CERTIFICATE = ENV["SYBIL_EXPORT_SIGNING_CERTIFICATE"].to_s.strip.empty? ? "Apple Distribution" : ENV["SYBIL_EXPORT_SIGNING_CERTIFICATE"]
 IOS_ROOT = File.expand_path("..", __dir__)
 PROJECT_FILE = File.join(IOS_ROOT, "Sybil.xcodeproj")
 PROJECT_SPEC = File.join(IOS_ROOT, "project.yml")
@@ -49,6 +56,31 @@ def app_project_settings
   YAML.safe_load(File.read(APP_SPEC)).fetch("targets").fetch(TARGET).fetch("settings").fetch("base")
 end
 
+def apply_release_signing_settings
+  require "xcodeproj"
+
+  project = Xcodeproj::Project.open(PROJECT_FILE)
+  target = project.targets.find { |candidate| candidate.name == TARGET }
+  UI.user_error!("Could not find target #{TARGET} in #{PROJECT_FILE}") unless target
+
+  target.build_configurations.each do |configuration|
+    next unless configuration.name == "Release"
+
+    settings = configuration.build_settings
+    settings["CODE_SIGN_STYLE"] = "Manual"
+    settings["DEVELOPMENT_TEAM"] = TEAM_ID
+    settings["PROVISIONING_PROFILE_SPECIFIER"] = PROFILE_SPECIFIER
+    settings["CODE_SIGN_IDENTITY"] = XCODE_CODE_SIGN_IDENTITY
+    settings["CODE_SIGN_IDENTITY[sdk=iphoneos*]"] = XCODE_CODE_SIGN_IDENTITY
+    settings["CODE_SIGN_KEYCHAIN"] = ENV["SYBIL_SIGNING_KEYCHAIN_PATH"] if present?(ENV["SYBIL_SIGNING_KEYCHAIN_PATH"])
+    if present?(ENV["SYBIL_PROVISIONING_PROFILE_UUID"])
+      settings["PROVISIONING_PROFILE"] = ENV["SYBIL_PROVISIONING_PROFILE_UUID"]
+      settings["PROVISIONING_PROFILE[sdk=iphoneos*]"] = ENV["SYBIL_PROVISIONING_PROFILE_UUID"]
+    end
+  end
+  project.save
+end
+
 def local_marketing_version
   app_project_settings.fetch("MARKETING_VERSION").to_s
 end
@@ -72,9 +104,178 @@ def release_version
 end
 
 def xcode_build_setting(key, value)
+  "#{key.to_s.shellescape}=#{value.to_s.shellescape}"
+end
+
+def env_line(key, value)
   "#{key}=#{value.to_s.shellescape}"
 end
 
+def base64url(value)
+  Base64.urlsafe_encode64(value).delete("=")
+end
+
+def integer_to_fixed_bytes(integer, length)
+  hex = integer.to_s(16)
+  hex = "0#{hex}" if hex.length.odd?
+  [hex].pack("H*").rjust(length, "\0")[-length, length]
+end
+
+def app_store_connect_private_key
+  key_path = ENV["APP_STORE_CONNECT_API_KEY_PATH"]
+  key_content = ENV["APP_STORE_CONNECT_API_KEY_CONTENT"]
+
+  pem = if present?(key_path)
+          File.read(key_path)
+        elsif present?(key_content)
+          ENV["APP_STORE_CONNECT_API_KEY_CONTENT_BASE64"].to_s == "true" ? Base64.decode64(key_content) : key_content
+        end
+  UI.user_error!("App Store Connect API key content is required") unless present?(pem)
+
+  OpenSSL::PKey::EC.new(pem)
+end
+
+def app_store_connect_jwt
+  key_id = ENV["APP_STORE_CONNECT_API_KEY_ID"]
+  issuer_id = ENV["APP_STORE_CONNECT_API_ISSUER_ID"]
+  issuer_id = ENV["APP_STORE_CONNECT_API_KEY_ISSUER_ID"] unless present?(issuer_id)
+  UI.user_error!("App Store Connect API key id and issuer id are required") unless present?(key_id) && present?(issuer_id)
+
+  header = { alg: "ES256", kid: key_id, typ: "JWT" }
+  payload = { iss: issuer_id, iat: Time.now.to_i, exp: Time.now.to_i + 600, aud: "appstoreconnect-v1" }
+  unsigned = [base64url(header.to_json), base64url(payload.to_json)].join(".")
+  asn1_signature = app_store_connect_private_key.dsa_sign_asn1(OpenSSL::Digest::SHA256.digest(unsigned))
+  signature_sequence = OpenSSL::ASN1.decode(asn1_signature)
+  raw_signature = signature_sequence.value.map { |part| integer_to_fixed_bytes(part.value, 32) }.join
+  [unsigned, base64url(raw_signature)].join(".")
+end
+
+def app_store_connect_request(method, path, payload = nil)
+  uri = URI("https://api.appstoreconnect.apple.com#{path}")
+  request_class = Net::HTTP.const_get(method.to_s.capitalize)
+  request = request_class.new(uri)
+  request["Authorization"] = "Bearer #{app_store_connect_jwt}"
+  if payload
+    request["Content-Type"] = "application/json"
+    request.body = payload.to_json
+  end
+
+  response = Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) { |http| http.request(request) }
+  return {} if response.is_a?(Net::HTTPSuccess) && response.body.to_s.empty?
+  return JSON.parse(response.body) if response.is_a?(Net::HTTPSuccess)
+
+  UI.user_error!("App Store Connect API request failed: #{method.to_s.upcase} #{path}\n#{response.body}")
+end
+
+def bundle_id_resource_id
+  response = app_store_connect_request(
+    :get,
+    "/v1/bundleIds?filter[identifier]=#{URI.encode_www_form_component(APP_IDENTIFIER)}&limit=1"
+  )
+  id = response.fetch("data", []).first&.fetch("id", nil)
+  UI.user_error!("Could not find App Store Connect bundle id resource for #{APP_IDENTIFIER}") unless present?(id)
+  id
+end
+
+def recreate_app_store_profile(certificate_id)
+  existing = app_store_connect_request(
+    :get,
+    "/v1/profiles?filter[name]=#{URI.encode_www_form_component(PROFILE_SPECIFIER)}&limit=200"
+  )
+  existing.fetch("data", []).each do |profile|
+    app_store_connect_request(:delete, "/v1/profiles/#{profile.fetch("id")}")
+  end
+
+  payload = {
+    data: {
+      type: "profiles",
+      attributes: {
+        name: PROFILE_SPECIFIER,
+        profileType: "IOS_APP_STORE"
+      },
+      relationships: {
+        bundleId: {
+          data: { type: "bundleIds", id: bundle_id_resource_id }
+        },
+        certificates: {
+          data: [{ type: "certificates", id: certificate_id }]
+        }
+      }
+    }
+  }
+  response = app_store_connect_request(:post, "/v1/profiles", payload)
+  profile_content = response.dig("data", "attributes", "profileContent")
+  UI.user_error!("App Store Connect profile response did not include profileContent") unless present?(profile_content)
+
+  profile_path = File.join(SIGNING_OUTPUT_DIR, "Sybil_AppStore_CI.mobileprovision")
+  File.binwrite(profile_path, Base64.decode64(profile_content))
+  install_dir = File.expand_path("~/Library/MobileDevice/Provisioning Profiles")
+  FileUtils.mkdir_p(install_dir)
+  FileUtils.cp(profile_path, File.join(install_dir, "Sybil_AppStore_CI.mobileprovision"))
+  profile_path
+end
+
+def signing_identity_p12(p12_path, p12_password)
+  work_dir = File.join(SIGNING_OUTPUT_DIR, "single-identity")
+  FileUtils.rm_rf(work_dir)
+  FileUtils.mkdir_p(work_dir)
+
+  all_pem = File.join(work_dir, "all.pem")
+  stdout, stderr, status = Open3.capture3(
+    "openssl", "pkcs12",
+    "-in", p12_path,
+    "-nodes",
+    "-passin", "pass:#{p12_password}",
+    "-out", all_pem
+  )
+  UI.user_error!("Could not inspect exported p12\n#{stderr}\n#{stdout}") unless status.success?
+
+  records = File.read(all_pem).split(/(?=Bag Attributes\n)/)
+  cert_record = records.find do |record|
+    record.include?("friendlyName: #{SIGNING_CERTIFICATE_NAME}") && record.include?("-----BEGIN CERTIFICATE-----")
+  end
+  UI.user_error!("Could not find #{SIGNING_CERTIFICATE_NAME} certificate in exported p12") unless cert_record
+
+  local_key_id = cert_record[/localKeyID: (.+)/, 1].to_s.strip
+  UI.user_error!("Could not resolve localKeyID for #{SIGNING_CERTIFICATE_NAME}") unless present?(local_key_id)
+
+  key_record = records.find do |record|
+    record.include?("localKeyID: #{local_key_id}") && record.include?("-----BEGIN PRIVATE KEY-----")
+  end
+  UI.user_error!("Could not find private key for #{SIGNING_CERTIFICATE_NAME}") unless key_record
+
+  cert_path = File.join(work_dir, "identity.cer.pem")
+  key_path = File.join(work_dir, "identity.key.pem")
+  File.write(cert_path, cert_record[/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m])
+  File.write(key_path, key_record[/-----BEGIN PRIVATE KEY-----.*?-----END PRIVATE KEY-----/m])
+
+  root_cer = File.join(work_dir, "AppleIncRootCertificate.cer")
+  wwdr_cer = File.join(work_dir, "AppleWWDRCAG3.cer")
+  root_pem = File.join(work_dir, "AppleIncRootCertificate.pem")
+  wwdr_pem = File.join(work_dir, "AppleWWDRCAG3.pem")
+  chain_pem = File.join(work_dir, "chain.pem")
+  run_silent("curl", "-fsSL", "https://www.apple.com/appleca/AppleIncRootCertificate.cer", "-o", root_cer, error_message: "Could not download Apple root certificate")
+  run_silent("curl", "-fsSL", "https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer", "-o", wwdr_cer, error_message: "Could not download Apple WWDR G3 certificate")
+  run_silent("openssl", "x509", "-inform", "DER", "-in", root_cer, "-out", root_pem, error_message: "Could not convert Apple root certificate")
+  run_silent("openssl", "x509", "-inform", "DER", "-in", wwdr_cer, "-out", wwdr_pem, error_message: "Could not convert Apple WWDR G3 certificate")
+  File.write(chain_pem, File.read(wwdr_pem) + File.read(root_pem))
+
+  single_p12_path = File.join(work_dir, "appstore-signing.p12")
+  run_silent(
+    "openssl", "pkcs12", "-export",
+    "-inkey", key_path,
+    "-in", cert_path,
+    "-certfile", chain_pem,
+    "-name", SIGNING_CERTIFICATE_NAME,
+    "-out", single_p12_path,
+    "-passout", "pass:#{p12_password}",
+    error_message: "Could not create single-identity p12"
+  )
+  FileUtils.cp(single_p12_path, p12_path)
+ensure
+  FileUtils.rm_rf(work_dir) if present?(work_dir)
+end
+
 def app_store_connect_key_options
   key_id = ENV["APP_STORE_CONNECT_API_KEY_ID"]
   issuer_id = ENV["APP_STORE_CONNECT_API_ISSUER_ID"]
@@ -121,14 +322,28 @@ platform :ios do
     FileUtils.rm_rf(SIGNING_OUTPUT_DIR)
     FileUtils.mkdir_p(SIGNING_OUTPUT_DIR)
 
-    keychain_path = File.join(SIGNING_OUTPUT_DIR, "sybil_ci_signing.keychain-db")
+    cert_id = ENV["SYBIL_SIGNING_CERTIFICATE_ID"].to_s
-    keychain_password = SecureRandom.base64(24)
+    keychain_path = nil
+    keychain_password = nil
+    p12_path = File.join(SIGNING_OUTPUT_DIR, "appstore-signing.p12")
     p12_password = ENV["SYBIL_CI_P12_PASSWORD"].to_s
     if p12_password.empty?
       p12_password = SecureRandom.base64(24)
       UI.important("Generated a p12 password for CI secrets.")
     end
 
+    begin
+      if present?(cert_id)
+        UI.message("Using existing signing certificate id #{cert_id}")
+        export_keychain = ENV["SYBIL_SIGNING_KEYCHAIN"].to_s
+        export_keychain = File.expand_path("~/Library/Keychains/login.keychain-db") unless present?(export_keychain)
+        run_silent(
+          "security", "export", "-k", export_keychain, "-t", "identities", "-f", "pkcs12", "-P", p12_password, "-o", p12_path,
+          error_message: "Could not export the local CI signing identity"
+        )
+      else
+        keychain_path = File.join(SIGNING_OUTPUT_DIR, "sybil_ci_signing.keychain-db")
+        keychain_password = SecureRandom.base64(24)
         run_silent(
           "security", "create-keychain", "-p", keychain_password, keychain_path,
           error_message: "Could not create temporary signing keychain"
@@ -146,7 +361,6 @@ platform :ios do
           error_message: "Could not add temporary signing keychain to the user search list"
         )
 
-    begin
         cert(
           api_key: api_key,
           development: false,
@@ -160,40 +374,30 @@ platform :ios do
 
         cert_id = lane_context[SharedValues::CERT_CERTIFICATE_ID]
         UI.user_error!("Could not resolve generated certificate id") unless present?(cert_id)
-
-      sigh(
-        api_key: api_key,
-        app_identifier: APP_IDENTIFIER,
-        cert_id: cert_id,
-        filename: "Sybil_AppStore_CI.mobileprovision",
-        force: true,
-        output_path: SIGNING_OUTPUT_DIR,
-        platform: "ios",
-        provisioning_name: PROFILE_SPECIFIER
-      )
-
-      profile_path = lane_context[SharedValues::SIGH_PROFILE_PATH]
-      UI.user_error!("Could not resolve generated provisioning profile path") unless present?(profile_path) && File.exist?(profile_path)
-
-      p12_path = File.join(SIGNING_OUTPUT_DIR, "appstore-signing.p12")
         run_silent(
           "security", "export", "-k", keychain_path, "-t", "identities", "-f", "pkcs12", "-P", p12_password, "-o", p12_path,
-        error_message: "Could not export the CI signing identity"
+          error_message: "Could not export the generated CI signing identity"
         )
+      end
+
       UI.user_error!("Could not find exported p12 at #{p12_path}") unless File.exist?(p12_path)
+      signing_identity_p12(p12_path, p12_password)
+
+      profile_path = recreate_app_store_profile(cert_id)
+      UI.user_error!("Could not resolve generated provisioning profile path") unless present?(profile_path) && File.exist?(profile_path)
 
       secrets_path = File.join(SIGNING_OUTPUT_DIR, "ci-secrets.env")
       File.write(
         secrets_path,
         [
-          "APPSTORE_CERTIFICATES_FILE_BASE64=#{Base64.strict_encode64(File.binread(p12_path))}",
+          env_line("APPSTORE_CERTIFICATES_FILE_BASE64", Base64.strict_encode64(File.binread(p12_path))),
-          "APPSTORE_CERTIFICATES_PASSWORD=#{p12_password}",
+          env_line("APPSTORE_CERTIFICATES_PASSWORD", p12_password),
-          "APPSTORE_PROVISIONING_PROFILE_BASE64=#{Base64.strict_encode64(File.binread(profile_path))}",
+          env_line("APPSTORE_PROVISIONING_PROFILE_BASE64", Base64.strict_encode64(File.binread(profile_path))),
-          "SYBIL_PROVISIONING_PROFILE_SPECIFIER=#{PROFILE_SPECIFIER}"
+          env_line("SYBIL_PROVISIONING_PROFILE_SPECIFIER", PROFILE_SPECIFIER)
         ].join("\n") + "\n"
       )
     ensure
-      system("security", "delete-keychain", keychain_path, out: File::NULL, err: File::NULL) if File.exist?(keychain_path)
+      system("security", "delete-keychain", keychain_path, out: File::NULL, err: File::NULL) if present?(keychain_path) && File.exist?(keychain_path)
     end
 
     UI.success("Created CI signing files in #{SIGNING_OUTPUT_DIR}")
@@ -226,15 +430,17 @@ platform :ios do
     UI.user_error!("Build number must be a positive integer") unless build_number.match?(/\A[1-9]\d*\z/)
 
     sh("xcodegen --spec #{PROJECT_SPEC.shellescape}")
+    apply_release_signing_settings
 
     xcode_args = [
       xcode_build_setting("MARKETING_VERSION", version),
-      xcode_build_setting("CURRENT_PROJECT_VERSION", build_number),
+      xcode_build_setting("CURRENT_PROJECT_VERSION", build_number)
-      xcode_build_setting("CODE_SIGN_STYLE", "Manual"),
+    ]
-      xcode_build_setting("DEVELOPMENT_TEAM", TEAM_ID),
+    if present?(ENV["SYBIL_SIGNING_KEYCHAIN_PATH"])
-      xcode_build_setting("PROVISIONING_PROFILE_SPECIFIER", PROFILE_SPECIFIER),
+      xcode_args << xcode_build_setting("CODE_SIGN_KEYCHAIN", ENV.fetch("SYBIL_SIGNING_KEYCHAIN_PATH"))
-      xcode_build_setting("CODE_SIGN_IDENTITY", "Apple Distribution")
+      xcode_args << xcode_build_setting("OTHER_CODE_SIGN_FLAGS", "--keychain #{ENV.fetch("SYBIL_SIGNING_KEYCHAIN_PATH")}")
-    ].join(" ")
+    end
+    xcode_args = xcode_args.join(" ")
 
     ipa_path = build_app(
       project: PROJECT_FILE,
@@ -252,6 +458,7 @@ platform :ios do
         provisioningProfiles: {
           APP_IDENTIFIER => PROFILE_SPECIFIER
         },
+        signingCertificate: EXPORT_SIGNING_CERTIFICATE,
         teamID: TEAM_ID,
         manageAppVersionAndBuildNumber: false,
         uploadSymbols: true,