Some background information: The distribution certificate is stored in a private Git repository. When running locally, fastlane match installs the certificate into the login Keystore, and fastlane release builds the application archive (IPA) and signs it using the distribution certificate.

However, the same process fails to find the distribution certificate when running in CircleCI:

error: No signing certificate "iOS Distribution" found: No "iOS Distribution" signing certificate matching team ID "**********" with a private key was found. (in target 'APPNAME' from project 'APPNAME')

Fastlane config:

version: 2.1

workflows:
  testing:
    jobs: 
      - ios-build

jobs:
  ios-build:
    macos:
      xcode: 14.2
    steps:
      - checkout
      - run: rbenv install 2.7.5
      - run: bundler install
      - run: yarn install
      - run: gem install fastlane 
      - run: gem install cocoapods
      - run: cd ios && pod install
      - run: cd ios && fastlane match && fastlane release

Fastlane match installs the certificate successfully, and yet the build fails to find it and the archive fails.

I connected by SSH to the running instance and found the following strange things: while the certificate is installed in the default login keystore, looking for codesigning certs returns 0:

$ security find-identity -p codesigning 

Policy: Code Signing
  Matching identities
     0 identities found

  Valid identities only
     0 valid identities found

When running the same command specifying the full path to the Keystore, it finds the certificate:

$ security find-identity -p codesigning /Users/distiller/Library/Keychains/login.keychain-db 

Policy: Code Signing
  Matching identities
  1) 006F6D751DD7B096DCD94270F0588D1D70BE1DF3 "Apple Distribution: Island Pay Group Ltd (Q2UH3KHT9C)"
     1 identities found

  Valid identities only
  1) 006F6D751DD7B096DCD94270F0588D1D70BE1DF3 "Apple Distribution: Island Pay Group Ltd (Q2UH3KHT9C)"
     1 valid identities found

I next checked that the Keystore is the default-keychain:

$ security default-keychain

"/Users/distiller/Library/Keychains/login.keychain-db"

I am at a loss as to what to do next. I found a similar issue described for Jenkins/fastlane: Jenkins/fastlane - There are no local code signing identities found

If a virtual container running in Jenkins or CircleCI is unable to access the login keystore, then I don't see how fastlane release would work for iOS apps for anyone.

I am trying to get CircleCI support as well. I will report the solution when it's finally found, because a lot of time was wasted by multiple team members on this problem. It should not be this hard.

1 Answer

OK, I found the solution to this problem: the root cause was in the Fastfile, specifically in the setup_circle_ci step. Apparently it was running just before the build, creating a tmp fastlane keychain and making it the default for the build. Since fastlane match installed the certificate and profile in login.keychain and the build was using the empty fastlane_tmp_keychain, it wasn't finding the certificate. Removing the setup_circle_ci job seems to have resolved this situation.
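A diagnostic for the mismatch described in this answer, as an added example that is not part of the original post: it parses `security` output to report whether a signing identity sits in a keychain that an unscoped `find-identity` (which uses the keychain search list) does not see. The sample outputs, the placeholder identity and the `fastlane_tmp_keychain-db` path are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original post.

# Print the "valid identities found" count from `security find-identity` output on stdin.
count_valid_identities() {
  awk '/Valid identities only/ { v = 1; next }
       v && /valid identities found/ { print $1; found = 1; exit }
       END { if (!found) print 0 }'
}

# Succeed if keychain path $1 is listed in `security list-keychains` output on stdin.
keychain_in_search_list() {
  tr -d '" \t' | grep -qxF -- "$1"
}

# diagnose SEARCH_LIST UNSCOPED_OUTPUT SCOPED_OUTPUT KEYCHAIN_PATH -> prints a verdict
diagnose() {
  _unscoped=$(printf '%s\n' "$2" | count_valid_identities)
  _scoped=$(printf '%s\n' "$3" | count_valid_identities)
  if [ "$_scoped" -eq 0 ]; then
    echo "no-identity-in-keychain"        # nothing was installed in KEYCHAIN_PATH
  elif [ "$_unscoped" -gt 0 ]; then
    echo "ok"                             # the search list already resolves an identity
  elif printf '%s\n' "$1" | keychain_in_search_list "$4"; then
    echo "listed-but-not-found"           # keychain is searched, identity still not seen
  else
    echo "identity-outside-search-list"   # identity exists, but in a keychain not searched
  fi
}

# Constructed samples modelled on the outputs quoted in the question.
SAMPLE_UNSCOPED='Policy: Code Signing
  Valid identities only
     0 valid identities found'
SAMPLE_SCOPED='Policy: Code Signing
  Valid identities only
  1) 0000000000000000000000000000000000000000 "Apple Distribution: Example (TEAMID0000)"
     1 valid identities found'
LOGIN_KC=/Users/distiller/Library/Keychains/login.keychain-db
# Assumed search list holding only a temporary CI keychain (hypothetical path).
SAMPLE_LIST='    "/Users/distiller/Library/Keychains/fastlane_tmp_keychain-db"'

diagnose "$SAMPLE_LIST" "$SAMPLE_UNSCOPED" "$SAMPLE_SCOPED" "$LOGIN_KC"

# On the macOS executor, feed it live output instead of the samples:
# diagnose "$(security list-keychains)" "$(security find-identity -p codesigning)" \
#          "$(security find-identity -p codesigning "$LOGIN_KC")" "$LOGIN_KC"
```

Running this as a CI step between `fastlane match` and the archive step shows the mismatch before Xcode reports a missing certificate.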