From 53e3f1e4e665d52799636ca50dc74342d3db8581 Mon Sep 17 00:00:00 2001
From: enricobuehler
Date: Sat, 13 Jun 2026 21:52:50 +0000
Subject: [PATCH] fix(ci/release): iOS manual App Store signing (App-Manager key can't cloud-sign)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

macOS Developer ID + notarize + DMG now works with the clean login-keychain workflow. iOS export failed with 'Cloud signing permission error' — with -allowProvisioningUpdates Xcode forces cloud-managed signing, which the App-Manager-role ASC key can't authorize. Switch iOS to MANUAL signing with the local (valid) Apple Distribution identity + the 'Punktfunk App Store Distribution' provisioning profile; ASC key stays only for the upload. Profile must be installed via Xcode -> Accounts -> Download Manual Profiles.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .gitea/workflows/release.yml | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)
diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index ed436da..b4d95ea 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -152,19 +152,21 @@ jobs: # Best-effort until the App Store Connect app record for io.unom.punktfunk exists. continue-on-error: true run: | - # Standard App Store flow: automatic signing now works because the runner is in the - # logged-in session with the login keychain (Apple Distribution valid) and Xcode is - # signed into the team — so -allowProvisioningUpdates manages the cert + App Store - # profile, exactly like a local Archive. + # MANUAL App Store signing: the local (valid) Apple Distribution identity + the App + # Store provisioning profile. NOT -allowProvisioningUpdates — with an App-Manager-role + # ASC key that forces Xcode's CLOUD-managed signing, which the role can't do ("Cloud + # signing permission error"). The profile must be installed on the runner: Xcode -> + # Settings -> Accounts -> Download Manual Profiles. + PROFILE="Punktfunk App Store Distribution" DEVELOPER_DIR="$XCODE_DEV_DIR" xcodebuild archive \ -project "$PROJECT" -scheme Punktfunk-iOS \ -destination 'generic/platform=iOS' \ -archivePath "$RUNNER_TEMP/Punktfunk-ios.xcarchive" \ MARKETING_VERSION="$VERSION" CURRENT_PROJECT_VERSION="$BUILD_NUM" \ - -allowProvisioningUpdates \ - -authenticationKeyPath "$RUNNER_TEMP/asc.p8" \ - -authenticationKeyID "${{ secrets.ASC_API_KEY_ID }}" \ - -authenticationKeyIssuerID "${{ secrets.ASC_API_ISSUER_ID }}" + CODE_SIGN_STYLE=Manual \ + CODE_SIGN_IDENTITY="Apple Distribution" \ + DEVELOPMENT_TEAM="$TEAM_ID" \ + PROVISIONING_PROFILE_SPECIFIER="$PROFILE" cat > "$RUNNER_TEMP/export-appstore.plist" < @@ -173,6 +175,10 @@ jobs: methodapp-store-connect destinationupload teamID$TEAM_ID + signingStylemanual + signingCertificateApple Distribution + provisioningProfiles + io.unom.punktfunk$PROFILE EOF 
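Review bot: Nothing in this step checks the two pieces of runner state that manual signing now depends on — an Apple Distribution identity in the login keychain and the hand-installed `Punktfunk App Store Distribution` profile — and the step still runs under `continue-on-error: true`, so an expired certificate or profile would show up only as an iOS release that quietly did not ship. A short preflight ahead of `xcodebuild archive` that names the missing piece makes that failure readable in the log; the identity check is sketched below, and a matching check for the profile's presence and expiry date would belong next to it. Whether `continue-on-error` should stay once the App Store Connect record exists is worth revisiting. The `run:` script starts before this hunk and continues past it.

```yaml
          # Preflight: manual signing relies on runner state, so say clearly when it is missing.
          if ! security find-identity -v -p codesigning | grep -q 'Apple Distribution'; then
            echo "error: no valid Apple Distribution identity in the runner keychain" >&2
            exit 1
          fi
          PROFILE="Punktfunk App Store Distribution"
          # … unchanged: xcodebuild archive with the manual signing settings …
```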
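Review bot: `signingCertificate` is set to the bare `Apple Distribution`, which xcodebuild treats as an automatic selector (the newest installed certificate of that type) rather than as one specific identity, and the same loose name is used for `CODE_SIGN_IDENTITY` in the archive call above. On a runner whose login keychain could come to hold more than one distribution certificate, pinning the certificate's SHA-1 fingerprint or its full common name makes the signer deterministic and turns an unexpected keychain change into an error, e.g. `<string>$SIGNING_CERT_SHA1</string>`, where `SIGNING_CERT_SHA1` is a placeholder for a value the workflow would define. The plist markup is stripped in this view and the heredoc opens outside the hunk, so the exact key layout is inferred. If the app ever gains an extension, `provisioningProfiles` will need one entry per bundle identifier.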
@@ -180,7 +186,6 @@ jobs:
 -archivePath "$RUNNER_TEMP/Punktfunk-ios.xcarchive" \
 -exportOptionsPlist "$RUNNER_TEMP/export-appstore.plist" \
 -exportPath "$RUNNER_TEMP/export-appstore" \
- -allowProvisioningUpdates \
 -authenticationKeyPath "$RUNNER_TEMP/asc.p8" \
 -authenticationKeyID "${{ secrets.ASC_API_KEY_ID }}" \
 -authenticationKeyIssuerID "${{ secrets.ASC_API_ISSUER_ID }}"
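Review bot: `$RUNNER_TEMP/asc.p8` is still passed to the export call, but where that key file is written and removed lies outside this hunk; if the cleanup sits later in the same `run:` script, a failed export (likely for now, since the step presumably still carries `continue-on-error: true`) would leave the App Store Connect private key on a runner that lives in a logged-in user session. Confirm the file is created with mode 0600 and deleted in a separate step marked `if: always()`, e.g. `run: rm -f "$RUNNER_TEMP/asc.p8"`. Separately, the two `${{ secrets.* }}` expressions are expanded into the script text itself; mapping them through the step's `env:` and passing `-authenticationKeyID "$ASC_API_KEY_ID"` keeps the values out of the rendered script file.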