Preface

This is a summary of a closer look at the fastlane match command.

After I learned about match last time, I found that it has many limitations. The main problem is that the certificate and configuration file must be generated again; the original certificate and configuration file cannot be used. By searching for information, I found a way to manually upload the configuration file and certificate.

Automatically generating certificates and configuration files

Let’s review the automatic generation workflow:

  1. Prepare a new remote repository to store the generated certificates and configuration files

  2. On the developer site, create the App ID for which the certificate and configuration file are to be generated. (I am not sure whether this step is required; with a high-privilege developer account, match may create the App ID automatically.)

  3. In the main project’s directory, initialize a Matchfile (fastlane must be installed first)

    fastlane match init

  4. Write the following configuration to the Matchfile

    git_url("https://gitee.com/xxxx/xxxxxxx.git") # Create a new repository and copy its address here
    type("development") # default type for match to synchronize
    app_identifier("bundle Id") # for several bundle IDs: ["bundleId1", "bundleId2"]
    username("[email protected]") # Apple Developer account

  5. After the configuration is complete, run the following in the main project’s directory:

    fastlane match development --verbose

    Running this command prompts you to enter a passphrase. Remember it, because it is needed when synchronizing certificates and configuration files on other machines. You will also run into quite a few problems along the way; most of them can be fixed by searching Baidu.

  6. After the certificate and configuration file have been generated successfully, install them on another device using the following command:

    fastlane match development --readonly --verbose

  7. If you need to update the certificate, use the following command to delete all the Development certificates under the developer account, as well as the certificates in the repository, and then rebuild the certificate and configuration file from step 2.

    fastlane match nuke development --verbose

Manually upload the certificate and configuration file

According to the reference documents [1][2], the match command combines the cert command and the sigh command to generate the certificate and configuration file. During generation it checks whether suitable certificates and configuration files already exist in the repository. We can use this mechanism: manually build a file structure like that of a match repository, prepare a suitable certificate and configuration file by hand, put them in the corresponding directories, and push them to the repository.

  1. Construct the directory structure for the certificate store

    The certificate store directory structure of match is as follows:

    [Image: certificate store directory structure] [Image: Config file directory structure]

  2. Find the Cert ID of the existing certificate

    Use the following Ruby script to list all certificates in the developer account and find the Cert ID of the certificate you need:

    require 'spaceship'

    Spaceship.login('[email protected]') # Enter the corresponding Apple account
    Spaceship.select_team                # Choose the team if the account belongs to several

    # Print one line per certificate in the account
    Spaceship.certificate.all.each do |cert|
      # Map the type id to its class and keep only the last part of the class name, e.g. "InHouse"
      cert_type = Spaceship::Portal::Certificate::CERTIFICATE_TYPE_IDS[cert.type_display_id].to_s.split("::")[-1]
      puts "Cert id: #{cert.id}, name: #{cert.name}, expires: #{cert.expires.strftime("%Y-%m-%d")}, type: #{cert_type}"
    end

    Each cert in the script is a certificate object. An InHouse certificate object has the following structure:

    <Spaceship::Portal::Certificate::InHouse 
    id="GF0ZY66W6D", 
    name="iOS Distribution", 
    status="Issued", 
    created=2017-12-19 02:52:11 UTC, 
    expires=2020-12-18 02:42:11 UTC, 
    owner_type="team", 
    owner_name="Communications Corporation Limited", 
    owner_id="12GF5VQGBX", 
    type_display_id="9RQEK7MSXA", 
    can_download=true>

    There are too many certificates in the developer account. I didn’t think about the method carefully. I just looked for the date and owner_id.

  3. Encrypt certificates and configuration files

    Download the existing certificate and mobileprovision file from Apple Developer, import the certificate into the keychain, and export a P12 file. match cannot recognize the certificate and configuration file in this form; they must be encrypted using the following commands to meet match’s verification requirements:

    • Encrypt the certificate

      • Generate the PEM file:

            openssl pkcs12 -nocerts -nodes -out key.pem -in {certificate}.p12

      • Generate the encrypted P12:

            openssl aes-256-cbc -k {password} -in key.pem -out {cert_id}.p12 -a

      • Generate the encrypted certificate, where cert_id is the certificate ID found earlier by running the Ruby script:

            openssl aes-256-cbc -k {password} -in {certificate}.cer -out {cert_id}.cer -a

    • Encrypt the configuration file

      • The name of the configuration file must follow the pattern {Development/ADHoc/AppStore/InHouse}_bundleId.mobileprovision
      • Encryption command:

            openssl aes-256-cbc -k {password} -in xxxx.mobileprovision -out Development_yyyy.mobileprovision -a

    The certificate and the configuration file must be encrypted with the same password. This password must be entered when the certificate and configuration file are synchronized on other devices.

  4. Save the encrypted certificate and configuration file to the corresponding directory and submit the certificate to the repository

    Put the encrypted cer and P12 files in the certs directory and the encrypted mobileprovision files in the profiles directory, then commit and push them to the remote certificate repository.

  5. Use commands to verify the validity of certificates

    Run the following in the corresponding project directory:

    fastlane match development --verbose

    If the command succeeds, the certificate you prepared is fine.

  6. Use certificates on other devices

    On other devices, synchronize the certificates and configuration files with this command:

    fastlane match development --readonly --verbose

    Enter the encryption password when prompted, and the synchronization succeeds.
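
For step 3 above, an added example (not from the original post and not fastlane's code) that reads and writes the file format produced by openssl aes-256-cbc -k {password} -a, so an encrypted file can be checked locally before it is pushed. The helper names and the sample data are assumptions; MD5 and SHA256 are tried because OpenSSL 1.1.0 changed the default digest of its enc command from MD5 to SHA-256, so the same command line can produce files that another machine's default cannot decrypt.

```ruby
require 'openssl'

# Added example: the format written by
#   openssl aes-256-cbc -k {password} -in FILE -out FILE.enc -a
# is base64("Salted__" + 8-byte salt + AES-256-CBC ciphertext).
MAGIC = 'Salted__'.b

# Key and IV come from EVP_BytesToKey with a single iteration, which is what
# `openssl enc -k` uses unless -pbkdf2 is given. The digest is the -md value.
def enc_cipher(mode, password, salt, digest)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  mode == :encrypt ? cipher.encrypt : cipher.decrypt
  cipher.pkcs5_keyivgen(password, salt, 1, OpenSSL::Digest.new(digest))
  cipher
end

def enc_encrypt(plain, password, digest:, salt: OpenSSL::Random.random_bytes(8))
  cipher = enc_cipher(:encrypt, password, salt, digest)
  raw = MAGIC + salt.b + cipher.update(plain) + cipher.final
  [raw].pack('m0').scan(/.{1,64}/).join("\n") + "\n" # 64-column lines like -a
end

def enc_decrypt(b64, password, digest:)
  raw = b64.unpack1('m')
  raise ArgumentError, 'no Salted__ header' unless raw.start_with?(MAGIC)
  cipher = enc_cipher(:decrypt, password, raw[8, 8], digest)
  cipher.update(raw[16..-1]) + cipher.final
end

# Returns the first digest under which the file decrypts AND the block accepts
# the plaintext, or nil. The block matters: a wrong key usually fails the
# padding check, but occasionally yields garbage instead of an error.
def detect_digest(b64, password, digests: %w[MD5 SHA256])
  digests.find do |digest|
    yield enc_decrypt(b64, password, digest: digest)
  rescue OpenSSL::Cipher::CipherError
    false
  end
end

# Constructed sample standing in for key.pem; not a real key.
SAMPLE = "-----BEGIN PRIVATE KEY-----\nconstructed-sample\n-----END PRIVATE KEY-----\n"
if __FILE__ == $PROGRAM_NAME
  file = enc_encrypt(SAMPLE, 'constructed-passphrase', digest: 'SHA256')
  puts detect_digest(file, 'constructed-passphrase') { |d| d.start_with?('-----BEGIN') }
end
```

If the digest reported is not the one the other machines decrypt with, pin it with the -md option of the openssl command when encrypting.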

Other limitations

Manual certificate synchronization with match is solved, but I noticed other limitations of match:

  • What is the point of manually synchronizing certificates with match?

    Manual synchronization is rather troublesome. It differs little from managing the certificates yourself and hardly reduces the certificate management workload. The main advantage is convenience for everyone else: they do not need to clone the repository or install the certificate and configuration files by hand; a single command installs them automatically.

    I think the original intention of match is to use match to automatically create certificates, but I really don’t understand the design intention of the nuke command, and updating certificates is also a big problem, which will be discussed later. Perhaps match is better for situations where certificates change less frequently.

  • The nuke command is dangerous

    The nuke command revokes all certificates and configuration files of the bundleId account. You might still play with it on your own developer account, but forget about it on a corporate developer account (I did not try running this command). [Image: nuke command prompt]

  • Updating certificates and configuration files is cumbersome

    Updating a certificate means using the nuke command to reset it. With the existing way of managing certificates and developers, the distribution certificates and configuration files are stable: because everyone shares one certificate, the configuration file rarely needs to change, apart from the risk of expiration. Once a device is added or unregistered, however, the certificate and configuration file need to be updated. If they were generated automatically with the match command, they must be nuked first and then re-created, or manually re-uploaded.

    A better solution we can think of is not to use the model of inviting developers. The development and distribution certificates and configuration files are generated and allocated by the same account, and devices are added by the account manager. Depending on the size of the change, either nuke or a manual update of the certificates and configuration files can be used. This solution is mainly for development, but distribution certificates and configuration files can of course also be updated this way.

Conclusion

In my opinion, match is not a perfect solution for certificate management. We need to analyze whether it is suitable and how to use it according to the actual situation. In addition, if there is anything wrong in the article, readers are welcome to point it out so that we can make progress together. Thank you!

Reference documentation

  1. Fastlane Certificate Management (1) : Cert and Sigh
  2. Fastlane Certificate Management (2) : match
  3. iOS uses Fastlane for team certificate management
  4. Fastlane Match applies to the existing certificate environment