[MacOS] Renewing Code Signing Assets

Each year your iOS code signing certificates will need renewing and when building locally this generally only takes one or two clicks - but how do you renew code signing certificates in your CI workflow?

How do I know when certificates need renewing?

In general, code signing certificates expire exactly a year after they are created. There are a couple of easy ways to double-check when the certificate is due to expire.

Firstly, on a local development Mac that has access to the same certificates, you can open the Keychain Access app and search for apple development or ios development, which will reveal your private key and certificate (with its expiration date). For example:

Secondly, you can check the output of your job on CircleCI, as Fastlane Match prints the details of each certificate it installs into the keychain as part of the job. For example:

|                       Installed Certificate                      |
| User ID           | XXXXXXXXXX                                   |
| Common Name       | iPhone Distribution: Joe Bloggs (XXXXXXXXXX) |
| Organisation Unit | XXXXXXXXXX                                   |
| Organisation      | Joe Bloggs                                   |
| Country           | US                                           |
| Start Datetime    | 2021-02-18 23:53:17 UTC                      |
| End Datetime      | 2022-02-18 23:53:17 UTC                      |

If you attempt to use an expired certificate in a job, Fastlane will fail with the following error:

Your certificate '<NAME>.cer' is not valid, please check end date and renew it if necessary

Fastlane Match makes it easy to renew

With Match, all we need to do is remove all the old code signing assets and replace them with newly generated ones. This is nice and simple as it means we start from a clean slate each time certificates need renewing!

To do this, run the commands below on your local machine (making sure you run them from the directory in which your project is located):

fastlane match nuke development
fastlane match nuke distribution

This will delete all previous code signing assets from your match repo so we can start fresh.

Next, create new certs and profiles! This depends on which signing methods you wish to use, but for this example we will choose adhoc. So, run the following:

fastlane match adhoc

New certificates and profiles will be generated and pushed to your match repo.

The next important task is to make sure your Xcode project is configured to use these new certs and profiles. So, head over to the code signing settings of your target in Xcode and choose the correct profile from the list for the type of signing you are doing. The certificate will then be chosen automatically. It should look something like this:

Once these changes have been made, simply commit and push them to your repo. Easy!

The build should now pull the new, valid assets from the match repo and use them to sign your app.

If you have any issues, please reach out to CircleCI Support Center or post below!
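As an added example (my own, not code from this post or from fastlane) of automating the "how do I know" check above: the snippet below reads the End Datetime row from a captured fastlane match log and fails the CI step when the certificate is within a threshold of expiry. The log file path, the function names and the sample log are assumptions or constructed from the table shown earlier.

```shell
#!/bin/sh
# Added example, not code from the post or from fastlane: fail a CI step early
# when the certificate `fastlane match` just installed is close to expiry.
# Assumes the job's match output was captured to a log file containing the
# "End Datetime" row shown in the post; function names are my own.

# Convert "YYYY-MM-DD HH:MM:SS UTC" to a Unix timestamp on GNU (Linux) or BSD (macOS) date.
utc_to_epoch() {
  ts=${1%" UTC"}
  date -u -d "$ts" +%s 2>/dev/null \
    || date -u -j -f "%Y-%m-%d %H:%M:%S" "$ts" +%s
}

# Print whole days from "now" ($2, same format as the log) to the End Datetime in log $1.
# Negative output means the certificate has already expired.
cert_days_left() {
  end=$(sed -n 's/^| End Datetime *| *\([0-9 :-]* UTC\).*/\1/p' "$1" | head -n 1)
  [ -n "$end" ] || { echo "no End Datetime row found in $1" >&2; return 2; }
  echo $(( ($(utc_to_epoch "$end") - $(utc_to_epoch "$2")) / 86400 ))
}

# Return 1 (failing the CI step) when fewer than $3 days remain (default 14).
check_cert_expiry() {
  days=$(cert_days_left "$1" "$2") || return 2
  if [ "$days" -lt "${3:-14}" ]; then
    echo "certificate expires in $days day(s): renew it now" >&2
    return 1
  fi
  echo "certificate OK: $days day(s) left"
}

# Constructed sample of the table match prints (dates taken from the post).
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
|                       Installed Certificate                      |
| Common Name       | iPhone Distribution: Joe Bloggs (XXXXXXXXXX) |
| Start Datetime    | 2021-02-18 23:53:17 UTC                      |
| End Datetime      | 2022-02-18 23:53:17 UTC                      |
EOF

# In a real job pass the current time: "$(date -u '+%Y-%m-%d %H:%M:%S') UTC".
# With 30 days left the default 14-day threshold passes and a 60-day threshold fails.
check_cert_expiry "$SAMPLE_LOG" "2022-01-19 23:53:17 UTC"
check_cert_expiry "$SAMPLE_LOG" "2022-01-19 23:53:17 UTC" 60 || echo "step would fail here"
```

Run it as a step right after `fastlane match` in the job, with the match output redirected to the log file, so an expiring certificate fails the build before signing does.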


I wouldn’t recommend fastlane match nuke as the “go to solution” for renewing certificates tbh.
Unless you really know what you’re doing, this might be more harmful than expected, because it invalidates ALL your certificates for that team for the specified type, i.e. development, distribution.

I like the quote from that article

Like a nuclear bomb, it is pretty destructive.

So in my opinion, it’s better to go with the other solution of really only removing the certs from your dedicated certs repo that you want to renew and then simply run fastlane match again.