fastlane match installs an expired WWDRC certificate #21269

Closed
4 tasks done
thehale opened this issue May 12, 2023 · 6 comments · Fixed by #21271 · May be fixed by #21273

@thehale

thehale commented May 12, 2023

New Issue Checklist

Issue Description

When running fastlane match to install certs/profiles from a private repo OR create new ones after nuking, an expired WWDRC cert is added to my local keychain, causing issues as cited in https://stackoverflow.com/questions/45050902/no-signing-certificate-ios-distribution-found

This occurs for match development and match appstore, whether or not the private git repo storing the encrypted certs/profiles has anything in it.

I would expect match to only install valid WWDRC certificates...

Screenshot from BEFORE running fastlane match appstore
[image: msedge_FQsXR4CFnv]

Screenshot from IMMEDIATELY AFTER running fastlane match appstore
[image: msedge_mKKTLt1Kba]

Command executed

fastlane match appstore

Complete output when running fastlane, including the stack trace and command used
 Command Output 
% fastlane match appstore                 

[✔] 🚀 
[18:29:51]: fastlane detected a Gemfile in the current directory
[18:29:51]: However, it seems like you didn't use `bundle exec`
[18:29:51]: To launch fastlane faster, please use
[18:29:51]: 
[18:29:51]: $ bundle exec fastlane match appstore
[18:29:51]: 
[18:29:51]: Get started using a Gemfile for fastlane https://docs.fastlane.tools/getting-started/ios/setup/#use-a-gemfile
[18:29:52]: Successfully loaded '/Users/jhale/git/BinaryClock/fastlane/Matchfile' 📄

+-------------------+--------------------------------------+
|       Detected Values from './fastlane/Matchfile'        |
+-------------------+--------------------------------------+
| git_url           | REDACTED                             |
| storage_mode      | git                                  |
| type              | development                          |
| app_identifier    | dev.jhale.BinaryClock                |
| keychain_password | REDACTED                             |
+-------------------+--------------------------------------+


+--------------------------------------+--------------------------------------+
|                          Summary for match 2.212.2                          |
+--------------------------------------+--------------------------------------+
| type                                 | appstore                             |
| readonly                             | false                                |
| generate_apple_certs                 | true                                 |
| skip_provisioning_profiles           | false                                |
| app_identifier                       | ["dev.jhale.BinaryClock"]            |
| username                             | REDACTED                             |
| team_id                              | REDACTED                             |
| storage_mode                         | git                                  |
| git_url                              | REDACTED                             |
| git_branch                           | master                               |
| shallow_clone                        | false                                |
| clone_branch_directly                | false                                |
| skip_google_cloud_account_confirmat  | false                                |
| ion                                  |                                      |
| keychain_name                        | login.keychain                       |
| keychain_password                    | ********                             |
| force                                | false                                |
| force_for_new_devices                | false                                |
| include_mac_in_profiles              | false                                |
| include_all_certificates             | false                                |
| force_for_new_certificates           | false                                |
| skip_confirmation                    | false                                |
| safe_remove_certs                    | false                                |
| skip_docs                            | false                                |
| platform                             | ios                                  |
| derive_catalyst_app_identifier       | false                                |
| fail_on_name_taken                   | false                                |
| skip_certificate_matching            | false                                |
| skip_set_partition_list              | false                                |
| verbose                              | false                                |
+--------------------------------------+--------------------------------------+

[18:29:52]: Cloning remote git repo...
[18:29:52]: If cloning the repo takes too long, you can use the `clone_branch_directly` option in match.
[18:29:53]: Checking out branch master...
[18:29:53]: 🔓  Successfully decrypted certificates repo
[18:29:53]: Verifying that the certificate and profile are still valid on the Dev Portal...
Available session is not valid any more. Continuing with normal login.
[18:29:56]: Installing certificate...
[18:29:56]: $ security find-certificate -a -c 'Apple Worldwide Developer Relations' -p /Users/jhale/Library/Keychains/login.keychain-db
[18:29:56]: ▸ -----BEGIN CERTIFICATE-----
[18:29:56]: ▸ REDACTED
[18:29:56]: ▸ -----END CERTIFICATE-----
[18:29:56]: ▸ -----BEGIN CERTIFICATE-----
[18:29:56]: ▸ REDACTED
[18:29:56]: ▸ -----END CERTIFICATE-----
[18:29:56]: ▸ -----BEGIN CERTIFICATE-----
[18:29:56]: ▸ REDACTED
[18:29:56]: ▸ -----END CERTIFICATE-----
[18:29:56]: ▸ -----BEGIN CERTIFICATE-----
[18:29:56]: ▸ REDACTED
[18:29:56]: ▸ -----END CERTIFICATE-----
[18:29:56]: ▸ -----BEGIN CERTIFICATE-----
[18:29:56]: ▸ REDACTED
[18:29:56]: ▸ -----END CERTIFICATE-----

+-------------------+----------------------------------------------+
|                      Installed Certificate                       |
+-------------------+----------------------------------------------+
| User ID           | REDACTED                                     |
| Common Name       | Apple Distribution: Joseph Hale (REDACTED)   |
| Organisation Unit | REDACTED                                     |
| Organisation      | Joseph Hale                                  |
| Country           | US                                           |
| Start Datetime    | 2023-05-12 01:08:15 UTC                      |
| End Datetime      | 2024-05-11 01:08:14 UTC                      |
+-------------------+----------------------------------------------+

[18:29:56]: Installing provisioning profile...

+---------------------+------------------------+------------------------+
|                    Installed Provisioning Profile                     |
+---------------------+------------------------+------------------------+
| Parameter           | Environment Variable   | Value                  |
+---------------------+------------------------+------------------------+
| App Identifier      |                        | dev.jhale.BinaryClock  |
| Type                |                        | appstore               |
| Platform            |                        | ios                    |
| Profile UUID        | sigh_dev.jhale.Binary  | REDACTED               |
|                     | Clock_appstore         |                        |
| Profile Name        | sigh_dev.jhale.Binary  | match AppStore         |
|                     | Clock_appstore_profil  | dev.jhale.BinaryClock  |
|                     | e-name                 |                        |
| Profile Path        | sigh_dev.jhale.Binary  | /Users/jhale/Library/  |
|                     | Clock_appstore_profil  | MobileDevice/Provisio  |
|                     | e-path                 | ning                   |
|                     |                        | Profiles/REDACTED      |
|                     |                        | .mobileprovision       |
| Development Team ID | sigh_dev.jhale.Binary  | REDACTED               |
|                     | Clock_appstore_team-i  |                        |
|                     | d                      |                        |
| Certificate Name    | sigh_dev.jhale.Binary  | Apple Distribution:    |
|                     | Clock_appstore_certif  | Joseph Hale            |
|                     | icate-name             | (REDACTED)             |
+---------------------+------------------------+------------------------+

[18:29:57]: All required keys, certificates and provisioning profiles are installed 🙌

Environment

✅ fastlane environment ✅

Stack

| Key | Value |
| --- | --- |
| OS | 13.3.1 |
| Ruby | 3.1.4 |
| Bundler? | false |
| Git | git version 2.39.2 (Apple Git-143) |
| Installation Source | /usr/local/Cellar/fastlane/2.212.2/libexec/bin/fastlane |
| Host | macOS 13.3.1 ((a)) |
| Ruby Lib Dir | /usr/local/Cellar/ruby@3.1/3.1.4/lib |
| OpenSSL Version | OpenSSL 3.1.0 14 Mar 2023 |
| Is contained | false |
| Is homebrew | true |
| Is installed via Fabric.app | false |
| Xcode Path | /Applications/Xcode.app/Contents/Developer/ |
| Xcode Version | 14.3 |
| Swift Version | 5.8 |

System Locale

| Variable | Value |
| --- | --- |
| LANG | en_US.UTF-8 |
| LC_ALL | |
| LANGUAGE | |

fastlane files:

`./fastlane/Fastfile`
# This file contains the fastlane.tools configuration
# You can find the documentation at https://docs.fastlane.tools
#
# For a list of all available actions, check out
#
#     https://docs.fastlane.tools/actions
#
# For a list of all available plugins, check out
#
#     https://docs.fastlane.tools/plugins/available-plugins
#

# Uncomment the line if you want fastlane to automatically update itself
# update_fastlane

default_platform(:ios)

desc "Make sure to copy the `.env.dist` to `.env` and fill all values before running any lanes"

platform :ios do
  
  desc 'Fetch certificates and provisioning profiles'
  lane :certificates do
    match(type: 'development', keychain_password: ENV['MATCH_PASSWORD'])
    match(type: 'appstore', keychain_password: ENV['MATCH_PASSWORD'])
  end

  desc 'Build the iOS application.'
  lane :build do
    # certificates
    increment_build_number(xcodeproj: "ios/BinaryClock.xcodeproj")
    gym
  end

  desc "Publish a beta release to the App Store"
  lane :beta do
    build
    app_store_connect_api_key(
      key_id: ENV["IOS_APP_STORE_CONNECT_KEY_ID"],
      issuer_id: ENV["IOS_APP_STORE_CONNECT_ISSUER_ID"],
      key_filepath: ENV["IOS_APP_STORE_CONNECT_KEY_FILE_PATH"],
    )
    pilot
  end

end

platform :android do

  desc "Build the Android application."
  lane :build do
    gradle(task: 'clean', project_dir: 'android/')
    gradle(task: 'bundle', build_type: 'Release', project_dir: 'android/')
  end

  desc "Publish an internal release to the Play Store"
  lane :internal do
    build
    supply(track: 'internal', track_promote_to: 'internal')
  end

  desc "Publish a alpha release to the Play Store"
  lane :alpha do
    build
    supply(track: 'alpha', track_promote_to: 'alpha')
  end

  desc "Publish a beta release to the Play Store"
  lane :beta do
    build
    supply(track: 'beta', track_promote_to: 'beta')
  end

  desc "Publish a production release to the Play Store"
  lane :production do
    build
    supply(track: 'production', track_promote_to: 'production')
  end

end
`./fastlane/Appfile`
# iOS
app_identifier("dev.jhale.BinaryClock") # The bundle identifier of your app
apple_id(ENV["IOS_APPLE_ID"]) # Your Apple Developer Portal username

itc_team_id(ENV["IOS_ITC_TEAM_ID"]) # App Store Connect Team ID
team_id(ENV["IOS_TEAM_ID"]) # Developer Portal Team ID

# Android
json_key_file(ENV["ANDROID_GOOGLE_PLAY_JSON_KEY_FILE_PATH"]) # Google Play Console Credentials
package_name("dev.jhale.binaryclock") # Google Play App Identifier

# For more information about the Appfile, see:
#     https://docs.fastlane.tools/advanced/#appfile

fastlane gems

| Gem | Version | Update-Status |
| --- | --- | --- |
| fastlane | 2.212.2 | ✅ Up-To-Date |

Loaded fastlane plugins:

No plugins Loaded

Loaded gems
Gem Version
error_highlight 0.3.0
did_you_mean 1.6.1
atomos 0.1.3
rexml 3.2.5
CFPropertyList 3.0.6
claide 1.1.0
colored2 3.1.2
nanaimo 0.3.0
xcodeproj 1.22.0
rouge 2.0.7
xcpretty 0.3.0
terminal-notifier 2.0.0
unicode-display_width 1.8.0
terminal-table 1.8.0
plist 3.7.0
public_suffix 5.0.1
addressable 2.8.4
multipart-post 2.0.0
word_wrap 1.0.0
optparse 0.1.1
tty-screen 0.8.1
tty-cursor 0.7.1
tty-spinner 0.9.3
artifactory 3.0.15
babosa 1.0.4
colored 1.2
highline 2.0.3
commander 4.6.0
excon 0.99.0
faraday-em_http 1.0.0
faraday-em_synchrony 1.0.0
faraday-excon 1.1.0
faraday-httpclient 1.0.1
faraday-multipart 1.0.4
faraday-net_http 1.0.1
faraday-net_http_persistent 1.2.0
faraday-patron 1.0.0
faraday-rack 1.0.0
faraday-retry 1.0.3
ruby2_keywords 0.0.5
faraday 1.10.3
unf_ext 0.0.8.2
unf 0.1.4
domain_name 0.5.20190701
http-cookie 1.0.5
faraday-cookie_jar 0.0.7
faraday_middleware 1.2.0
fastimage 2.2.6
gh_inspector 1.1.3
mini_magick 4.12.0
naturally 2.2.1
rubyzip 2.3.2
security 0.1.3
xcpretty-travis-formatter 1.0.1
dotenv 2.8.1
bundler 2.4.10
simctl 1.6.10
jwt 2.7.0
uber 0.1.0
declarative 0.0.20
trailblazer-option 0.1.2
representable 3.2.0
retriable 3.1.2
mini_mime 1.1.2
memoist 0.16.2
multi_json 1.15.0
os 1.1.4
signet 0.17.0
googleauth 1.5.2
httpclient 2.8.3
webrick 1.8.1
google-apis-core 0.11.0
google-apis-playcustomapp_v1 0.13.0
google-cloud-env 1.6.0
google-cloud-errors 1.3.1
google-cloud-core 1.6.0
google-apis-iamcredentials_v1 0.17.0
google-apis-storage_v1 0.19.0
rake 13.0.6
digest-crc 0.6.4
google-cloud-storage 1.44.0
emoji_regex 3.2.3
set 1.0.2
json 2.6.3
google-apis-androidpublisher_v3 0.41.0
aws-eventstream 1.2.0
aws-sigv4 1.5.2
aws-partitions 1.760.0
jmespath 1.6.2
aws-sdk-core 3.171.1
aws-sdk-kms 1.64.0
aws-sdk-s3 1.122.0
forwardable 1.3.2
logger 1.5.0
pathname 0.2.0
shellwords 0.1.0
cgi 0.3.6
date 3.2.2
timeout 0.2.0
stringio 3.0.1
securerandom 0.2.0
uri 0.12.1
openssl 3.0.1
digest 3.1.0
io-nonblock 0.1.0
ipaddr 1.2.4
io-wait 0.2.1
zlib 2.1.1
resolv 0.2.1
time 0.2.2
open-uri 0.2.0
mutex_m 0.1.1
net-http 0.3.0
net-protocol 0.1.2
ostruct 0.5.2
english 0.7.1
erb 2.2.3
strscan 3.0.1
abbrev 0.1.0
io-console 0.5.11
tempfile 0.1.2
delegate 0.2.0
fileutils 1.6.0
tmpdir 0.1.2
base64 0.1.1
singleton 0.1.1
open3 0.1.1
nkf 0.1.1
prettyprint 0.1.1
pp 0.3.0
find 0.1.1
yaml 0.2.0
psych 4.0.4

generated on: 2023-05-11

@iOSGeekster
Contributor

iOSGeekster commented May 12, 2023

We're having the same issues. (At least I think so). It seems to me that this certificate is the culprit:
{ alias: 'G1', sha256: 'ce057691d730f89ca25e916f7335f4c8a15713dcd273a658c024023f8eb809c2', url: 'https://developer.apple.com/certificationauthority/AppleWWDRCA.cer' },

Also it is no longer listed on the Apple PKI site

The quick'n'dirty solution would be to remove the G1 from fastlane_core/lib/fastlane_core/cert_checker.rb
The correct and more robust solution would probably be to have the cert_checker check the validity of the certificates before installing?
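The check proposed in the comment above, sketched as an added example (not part of the comment and not fastlane's code): a pinned SHA-256 only proves the bytes are the expected certificate, so the validity window is checked as well before anything is installed. `vet_certificate` and `build_sample_cert` are hypothetical names, and the certificates and dates are constructed samples so the block runs offline.

```ruby
require 'openssl'
require 'digest'

# Hypothetical helper: decide whether a downloaded intermediate certificate
# (DER bytes) should be installed. Returns [verdict, reason].
def vet_certificate(der, expected_sha256, now: Time.now)
  # 1. Pin check: the bytes must be exactly the certificate we expect.
  actual = Digest::SHA256.hexdigest(der)
  return [:reject, "sha256 mismatch (got #{actual})"] unless actual == expected_sha256.downcase

  # 2. Validity window: a correctly pinned certificate can still be expired.
  cert = OpenSSL::X509::Certificate.new(der)
  return [:reject, "not valid until #{cert.not_before.utc}"] if now < cert.not_before
  return [:reject, "expired on #{cert.not_after.utc}"] if now > cert.not_after

  [:install, "valid until #{cert.not_after.utc}"]
end

# Constructed sample input: a throwaway self-signed certificate.
def build_sample_cert(not_before, not_after)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=Constructed Sample CA')
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_der
end

# Constructed dates, chosen so one sample is expired and one is valid at NOW.
NOW = Time.utc(2023, 5, 12)
EXPIRED_DER = build_sample_cert(Time.utc(2013, 1, 1), Time.utc(2023, 1, 1))
VALID_DER = build_sample_cert(Time.utc(2020, 1, 1), Time.utc(2030, 1, 1))

[EXPIRED_DER, VALID_DER].each do |der|
  verdict, reason = vet_certificate(der, Digest::SHA256.hexdigest(der), now: NOW)
  puts "#{verdict}: #{reason}"
end
```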

@triplef
Contributor

triplef commented May 12, 2023

We’re having the same issue. Looks like the SHA-256 of the expired certificate as shown in Keychain Access matches the one listed here:

{
alias: 'G1',
sha256: 'ce057691d730f89ca25e916f7335f4c8a15713dcd273a658c024023f8eb809c2',
url: 'https://developer.apple.com/certificationauthority/AppleWWDRCA.cer'
},

[image]

@triplef
Contributor

triplef commented May 12, 2023

I’ve opened a PR #21271 to remove the certificate.

I originally found this issue looking for a solution for our expired App Store certificates not getting updated by Match, and I thought this might somehow be related. Unfortunately removing the G1 certificate did not fix this issue, but we worked around it by just deleting the "appstore" folder from the Match repo and running Match again. I just wanted to leave this here in case someone else is seeing the same.

@iOSGeekster
Contributor

Ok, good job.
I'm finishing up a PR that'll have the cert-checker validate the expiry, and only install the certificate if it passes.

@triplef
Contributor

triplef commented May 12, 2023

Nice, thank you.

@iOSGeekster
Contributor

I've added a PR with a check. Any help with re-writing/adding specs is really appreciated.
