[match][sigh] add option to automatically renew expired certificates (defaults to enabled) #21691
0388ecb to e4fc47e
That's a nice feature. Seems to fix a few corner-case issues as well.
end | ||
end | ||
ensure # Always clear working_directory after save |
👍
@@ -484,7 +484,14 @@ def certificate_valid? | |||
# @return (Bool) Is the current provisioning profile valid? | |||
# To also verify the certificate call certificate_valid? | |||
def valid? | |||
return status == 'Active' | |||
# Provisioning profiles are not invalidated automatically on the dev portal when the certificate expires. |
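Review bot: the doc comment above `valid?` still tells callers "To also verify the certificate call certificate_valid?", while the new comment inside the method says profiles stay Active on the portal after their certificate expires. If `valid?` now checks more than `status == 'Active'`, update the `@return` description to say which expiration date it compares, so callers can tell whether `certificate_valid?` is still needed.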
Does this mean that this PR also fixes the fact that we were not detecting expired certificates properly before?
Yes 😅. I don't know why Apple does not revoke profiles or make them invalid.
But even in this case, we cannot sign an app since the certificate has expired.
The date is Dec 4, and the expiration date is Dec 1.
The only Expired cert is the one that I opened to see why it's not expired, and it expired immediately after opening it.
They didn't bother setting up like a cron job that goes and expires everything like once a day 😂
match/lib/match/runner.rb
Outdated
@@ -277,6 +311,10 @@ def fetch_provisioning_profile(params: nil, certificate_id: nil, app_identifier: | |||
return nil | |||
end | |||
|
|||
if Helper.mac? |
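Review bot: at `if Helper.mac?`, nothing in the visible lines says that the install step is deliberately placed after the early `return nil`. A one-line comment there, stating that only profiles that passed the validity checks reach installation, would keep a later refactor from moving the block back above them.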
Does the fact that we move this after the previous block mean that we stop installing expired profiles into the keychain?
Yes, I see no point in installing an expired profile, generating a new one, and installing a new one after.
JFYI, I did the same in my other PR: https://github.com/fastlane/fastlane/pull/21694/files#diff-8cd09d7ab3f4398e3160f603839ac2891e3cdf60e7f09930a1288ce33ab8fc1fL279
match/lib/match/runner.rb
Outdated
@@ -133,13 +136,48 @@ def update_optional_values_depending_on_storage_type(params) | |||
end | |||
end | |||
|
|||
def fetch_certificate(params: nil, working_directory: nil, specific_cert_type: nil) | |||
RENEWABLE_CERT_TYPES = [:mac_installer_distribution, :development, :distribution, :enterprise] |
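Review bot: `RENEWABLE_CERT_TYPES` is a mutable array constant; add `.freeze` so it cannot be changed at runtime, and add a comment saying why only these four types are renewable. As rendered here the assignment follows the `def fetch_certificate(...)` line; if it really sits inside the method body, Ruby rejects it as a dynamic constant assignment, so it has to live at class level.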
Maybe we should rename this to `RENEWABLE_CERT_TYPES_VIA_API`?
Yeah, it will for sure improve readability. Done in eb0db7b.
5758fa2 to 3b859ad
Rebased, fixed conflicts and updated the test to include new parameters for the |
3b859ad to 3d8a2d8
This is a great DX improvement over what we have currently 🎉 thanks for the hard work on this PR @nekrich ! 🙌
Just left some suggestions and comments, nothing blocking 😊
@@ -484,7 +484,14 @@ def certificate_valid? | |||
# @return (Bool) Is the current provisioning profile valid? | |||
# To also verify the certificate call certificate_valid? | |||
def valid? | |||
return status == 'Active' | |||
# Provisioning profiles are not invalidated automatically on the dev portal when the certificate expires. |
They didn't bother setting up like a cron job that goes and expires everything like once a day 😂
It seems this PR developed conflicts @nekrich, if you could resolve those and my comments above, this PR should be good to go then 💪
3d8a2d8 to 37bc483
Co-authored-by: Roger Oba <rogerluan.oba@gmail.com>
Thanks for addressing those changes @nekrich 🙏 I see CI is failing now, could you take a look? 🙇
Yeah, I'm looking into it. It looks like default renew certs affect all the tests.
LGTM
Checklist
- `bundle exec rspec` from the root directory to see all new and existing tests pass
- `bundle exec rubocop -a` to ensure the code style is valid
- `ci/circleci` builds in the "All checks have passed" section of my PR (connect CircleCI to GitHub if not)
Motivation and Context
Motivation: Automation 😅, and we had one of our certs expired.
Current flow on expired certificate:
New flow: do nothing, match/sync_code_signing will do all the things for you 🎉.
Description
Check the certificate expiration date for renewable certificates. Remove expired certs from storage.
This behavior is optional, and there is a new parameter `renew_expired_certs` to turn it on.
Extra profile validation
Provisioning profiles are not invalidated automatically on the dev portal when the certificate expires. They become Invalid only when opened directly in the portal 🤷. We need to do an extra check on the expiration date to ensure the profile is valid.
Git commit of removed files
Commit deletion of only listed deleted files. Encryption modifies all files in git.
Profile installation
I moved the profile installation logic a little bit lower. Now, only valid profiles are installed 🧹.
The `working_directory` parameter was not used in `fetch_certificate`, so I removed it.
Testing Steps
Tests provided: run match with an expired certificate and active provisioning profiles.
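
The extra validation described in this PR, as an added example that is not code from the PR or from fastlane: a profile the portal still reports as Active is rejected once its certificate's `not_after` has passed. `Profile`, `sample_cert`, `profile_usable?`, `action_for` and the `:report_expired` outcome are hypothetical names and assumptions, and the certificates and dates are constructed sample data.

```ruby
require 'openssl'

# Hypothetical stand-in for a portal profile record (not a fastlane/Spaceship class).
Profile = Struct.new(:status, :expires_at, :certificates)

# Certificate types the PR lists as renewable.
RENEWABLE_CERT_TYPES = %i[mac_installer_distribution development distribution enterprise].freeze

# Constructed sample data: a throwaway self-signed certificate ending at not_after.
def sample_cert(not_after)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=constructed sample')
  cert.public_key = key.public_key
  cert.not_before = not_after - 365 * 24 * 3600
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

def cert_expired?(cert, now)
  cert.not_after <= now
end

# The portal status is not trusted on its own: the profile must be Active,
# unexpired, and backed by at least one certificate still inside its validity.
def profile_usable?(profile, now)
  return false unless profile.status == 'Active'
  return false if profile.expires_at <= now
  profile.certificates.any? { |cert| !cert_expired?(cert, now) }
end

# What a sync run does with a stored certificate. :report_expired for
# non-renewable types or a disabled option is an assumption of this example.
def action_for(cert, cert_type, now, renew_expired_certs: true)
  return :keep unless cert_expired?(cert, now)
  return :report_expired unless renew_expired_certs && RENEWABLE_CERT_TYPES.include?(cert_type)
  :remove_and_renew
end

if __FILE__ == $PROGRAM_NAME
  now = Time.utc(2023, 12, 4)                     # constructed "today"
  expired = sample_cert(Time.utc(2023, 12, 1))    # constructed expiry three days earlier
  profile = Profile.new('Active', Time.utc(2024, 6, 1), [expired])
  puts "usable: #{profile_usable?(profile, now)}, action: #{action_for(expired, :distribution, now)}"
end
```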