fix(ci/release): iOS manual App Store signing (App-Manager key can't cloud-sign)

macOS Developer ID + notarize + DMG now works with the clean login-keychain
workflow. iOS export failed with 'Cloud signing permission error' — with
-allowProvisioningUpdates Xcode forces cloud-managed signing, which the
App-Manager-role ASC key can't authorize. Switch iOS to MANUAL signing with the
local (valid) Apple Distribution identity + the 'Punktfunk App Store
Distribution' provisioning profile; ASC key stays only for the upload. Profile
must be installed via Xcode -> Accounts -> Download Manual Profiles.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-13 21:52:50 +00:00
parent 31b04a2ab8
commit 53e3f1e4e6
+14 -9
@@ -152,19 +152,21 @@ jobs:
# Best-effort until the App Store Connect app record for io.unom.punktfunk exists. # Best-effort until the App Store Connect app record for io.unom.punktfunk exists.
continue-on-error: true continue-on-error: true
run: | run: |
# Standard App Store flow: automatic signing now works because the runner is in the # MANUAL App Store signing: the local (valid) Apple Distribution identity + the App
# logged-in session with the login keychain (Apple Distribution valid) and Xcode is # Store provisioning profile. NOT -allowProvisioningUpdates — with an App-Manager-role
# signed into the team — so -allowProvisioningUpdates manages the cert + App Store # ASC key that forces Xcode's CLOUD-managed signing, which the role can't do ("Cloud
# profile, exactly like a local Archive. # signing permission error"). The profile must be installed on the runner: Xcode ->
# Settings -> Accounts -> Download Manual Profiles.
PROFILE="Punktfunk App Store Distribution"
DEVELOPER_DIR="$XCODE_DEV_DIR" xcodebuild archive \ DEVELOPER_DIR="$XCODE_DEV_DIR" xcodebuild archive \
-project "$PROJECT" -scheme Punktfunk-iOS \ -project "$PROJECT" -scheme Punktfunk-iOS \
-destination 'generic/platform=iOS' \ -destination 'generic/platform=iOS' \
-archivePath "$RUNNER_TEMP/Punktfunk-ios.xcarchive" \ -archivePath "$RUNNER_TEMP/Punktfunk-ios.xcarchive" \
MARKETING_VERSION="$VERSION" CURRENT_PROJECT_VERSION="$BUILD_NUM" \ MARKETING_VERSION="$VERSION" CURRENT_PROJECT_VERSION="$BUILD_NUM" \
-allowProvisioningUpdates \ CODE_SIGN_STYLE=Manual \
-authenticationKeyPath "$RUNNER_TEMP/asc.p8" \ CODE_SIGN_IDENTITY="Apple Distribution" \
-authenticationKeyID "${{ secrets.ASC_API_KEY_ID }}" \ DEVELOPMENT_TEAM="$TEAM_ID" \
-authenticationKeyIssuerID "${{ secrets.ASC_API_ISSUER_ID }}" PROVISIONING_PROFILE_SPECIFIER="$PROFILE"
cat > "$RUNNER_TEMP/export-appstore.plist" <<EOF cat > "$RUNNER_TEMP/export-appstore.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
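Review bot: the archive step now depends on runner state that nothing in this hunk verifies: the `Punktfunk App Store Distribution` profile has to be installed by hand through Xcode, and the `Apple Distribution` identity has to be valid in the login keychain. Because the step keeps `continue-on-error: true`, an expired profile or a rotated certificate makes the archive fail while the job carries on. Suggest a preflight before `xcodebuild archive` that runs `security find-identity -v -p codesigning`, stops with a clear message when no Apple Distribution identity is listed, and points the operator at the Download Manual Profiles step. Separately, `CODE_SIGN_STYLE`, `CODE_SIGN_IDENTITY` and `PROVISIONING_PROFILE_SPECIFIER` given on the command line apply to every target in the build, so if the Punktfunk-iOS scheme ever builds an extension or a package target, these settings belong in the app target's build configuration instead.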
@@ -173,6 +175,10 @@ jobs:
<key>method</key><string>app-store-connect</string> <key>method</key><string>app-store-connect</string>
<key>destination</key><string>upload</string> <key>destination</key><string>upload</string>
<key>teamID</key><string>$TEAM_ID</string> <key>teamID</key><string>$TEAM_ID</string>
<key>signingStyle</key><string>manual</string>
<key>signingCertificate</key><string>Apple Distribution</string>
<key>provisioningProfiles</key>
<dict><key>io.unom.punktfunk</key><string>$PROFILE</string></dict>
</dict> </dict>
</plist> </plist>
EOF EOF
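Review bot: the `provisioningProfiles` dict hard-codes `io.unom.punktfunk` while `teamID` and the profile name come from variables, and it maps only that one bundle identifier. Put the bundle id in a variable next to `PROFILE` so the pair is defined in one place, and add a comment that any additional signed bundle in the archive needs its own entry here. The heredoc delimiter is unquoted, so `$PROFILE` and `$TEAM_ID` are expanded by the shell with no XML escaping; that is fine for the current values, but a profile name containing `&` or `<` would produce an invalid plist.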
@@ -180,7 +186,6 @@ jobs:
-archivePath "$RUNNER_TEMP/Punktfunk-ios.xcarchive" \ -archivePath "$RUNNER_TEMP/Punktfunk-ios.xcarchive" \
-exportOptionsPlist "$RUNNER_TEMP/export-appstore.plist" \ -exportOptionsPlist "$RUNNER_TEMP/export-appstore.plist" \
-exportPath "$RUNNER_TEMP/export-appstore" \ -exportPath "$RUNNER_TEMP/export-appstore" \
-allowProvisioningUpdates \
-authenticationKeyPath "$RUNNER_TEMP/asc.p8" \ -authenticationKeyPath "$RUNNER_TEMP/asc.p8" \
-authenticationKeyID "${{ secrets.ASC_API_KEY_ID }}" \ -authenticationKeyID "${{ secrets.ASC_API_KEY_ID }}" \
-authenticationKeyIssuerID "${{ secrets.ASC_API_ISSUER_ID }}" -authenticationKeyIssuerID "${{ secrets.ASC_API_ISSUER_ID }}"
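Review bot: with `-allowProvisioningUpdates` removed, the three `-authenticationKey*` flags on the export are kept only for the upload, but nothing at this command says so; the only comment about the ASC key is on the archive step. Add a one-line comment above this command stating that the key is used for the upload and not for signing, so a later edit does not reintroduce the flag or drop the key. Since `$RUNNER_TEMP/asc.p8` is a private key on disk, also confirm the workflow deletes it in a step that runs even when this one fails.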