Skip to main content

CI/CD Pipelines and Signing Tools

This guide explains how to configure your CI/CD pipeline or signing tools to work with AppInChina's managed iOS distribution system.

The core constraint

No Apple Developer account access

Your CI/CD pipeline or signing tools must not rely on direct access to the Apple Developer account.

Since certificates, provisioning profiles, identifiers, and APNs credentials are centrally managed by AppInChina, your build/signing process must use the files we provide—without requiring Apple Developer account credentials or API access.

This means you cannot use tools or workflows that dynamically fetch, create, or modify signing resources from Apple's systems.

What won't work

The following tools and approaches will not work in this setup:

❌ Fastlane automatic provisioning tools

  • fastlane match - requires read/write access to the Apple Developer Portal
  • fastlane sigh - attempts to download or create provisioning profiles from Apple
  • fastlane cert - tries to create or download certificates from Apple
  • fastlane pem - generates APNs certificates (we provide these)

❌ Xcode automatic signing

  • "Automatically manage signing" in Xcode - requires Apple Developer account access
  • Xcode cloud builds with automatic signing

❌ Scripts or tools that modify Apple resources

  • Scripts that register devices via Apple's APIs
  • Tools that create App IDs, capabilities, or App Groups programmatically
  • Automated APNs certificate generation
  • Any tool that requires App Store Connect API keys for signing/provisioning operations

❌ Third-party services with Apple portal integration

  • CI/CD services configured to auto-fetch provisioning profiles from Apple
  • Build services that require Apple Developer Portal credentials

What will work: manual signing with provided assets

Your build process should use manual signing with the certificates and provisioning profiles we provide.

✅ Supported approaches

  • Manual signing in Xcode with our provisioning profiles
  • xcodebuild with signing options pointing to our files
  • fastlane gym (build only, not provisioning management)
  • CI/CD pipelines that reference stored signing assets
  • Local builds with manually configured signing

Your build and signing process should use manual signing with the certificates and provisioning profiles we provide via 1Password.

General principles:

  1. Receive signing assets - We'll deliver certificates (.p12, .cer) and provisioning profiles (.mobileprovision) via 1Password
  2. Install locally - Import certificates into your keychain and install provisioning profiles for local development
  3. Configure manual signing - In Xcode, disable "Automatically manage signing" and select our provisioning profiles
  4. Store securely in CI/CD - Add signing assets as encrypted secrets in your CI/CD platform (often base64-encoded)
  5. Reference in builds - Configure your build commands to use the provided signing assets
Need detailed setup instructions?

We can provide specific guidance for your CI/CD platform and build tools. Contact your AppInChina Engineering team member with details about your setup (GitHub Actions, GitLab CI, Fastlane, etc.) and we'll help you configure it correctly.

Best practices

  1. Store signing assets securely:

    • Use your CI/CD platform's encrypted secrets
    • Never commit .p12 or .mobileprovision files to version control
    • Use base64 encoding for storing binary files as secrets

  2. Use temporary keychains in CI/CD:

    • Create a new keychain for each build
    • Clean up after the build completes
    • Don't use the default keychain

  3. Verify signing before archiving:

    # Check which certificate will be used
    security find-identity -v -p codesigning

  4. Keep ExportOptions.plist in version control:

    • This file contains export configuration
    • Safe to commit (no secrets)
    • Update when provisioning profiles change

  5. Document your signing configuration:

    • Team ID
    • Bundle IDs
    • Provisioning profile names
    • Certificate common name

Troubleshooting

"No valid code signing certificates found"

  • Certificate not installed in keychain
  • Certificate password incorrect
  • Keychain locked or not accessible

Solution: Verify certificate import and keychain unlock steps.

"No provisioning profile matches"

  • Bundle ID mismatch
  • Provisioning profile not installed
  • Wrong profile selected in Xcode

Solution: Ensure Bundle ID exactly matches provisioning profile, verify profile is installed.

"User interaction is not allowed" (in CI/CD)

  • Keychain requires user interaction
  • security command needs partition list access

Solution: Use security set-key-partition-list command shown above.

Build succeeds but IPA export fails

  • ExportOptions.plist misconfigured
  • Wrong export method
  • Provisioning profile doesn't support export method

Solution: Verify ExportOptions.plist matches your provisioning profile type.

When assets are renewed

Certificates and provisioning profiles have expiration dates. When we renew them:

  1. You'll receive new files via 1Password
  2. Update the files in your CI/CD secrets (re-encode to base64)
  3. Update local installations
  4. No code changes needed—just replace the files

We'll notify you before expiration and provide updated assets with sufficient lead time.

Summary

Do:

  • Use manual signing with provided certificates and provisioning profiles
  • Store signing assets securely in CI/CD secrets
  • Reference local signing files in your build process
  • Use fastlane for building (not provisioning management)

Don't:

  • Use automatic signing in Xcode or CI/CD
  • Use tools that fetch/create provisioning profiles from Apple
  • Require Apple Developer account credentials in your pipeline
  • Attempt to modify Apple resources programmatically