[match][sigh] add option to automatically renew expired certificates (defaults to enabled) #21691
Conversation
nekrich
force-pushed
the
feat/match-renew-expired-cert
branch
from
0388ecb
to
e4fc47e
Compare
nekrich
changed the title
nekrich
changed the title
| end | ||
| end | ||
| ensure # Always clear working_directory after save |
| @@ -484,7 +484,14 @@ def certificate_valid? | |||
| # @return (Bool) Is the current provisioning profile valid? | |||
| # To also verify the certificate call certificate_valid? | |||
| def valid? | |||
| return status == 'Active' | |||
| # Provisioning profiles are not invalidated automatically on the dev portal when the certificate expires. | |||
There was a problem hiding this comment.
Does this mean that this PR also fixes the fact that we were not detecting expired certificates properly before?
There was a problem hiding this comment.
Yes 😅. I don't know why Apple does not revoke profiles or make them invalid.
But even in this case, we cannot sign an app since the certificate has expired.
The date is Dec 4, and the expiration date is Dec 1.
The only Expired cert is that I opened it to see why it's not expired, and it expired immediately after opening it.
There was a problem hiding this comment.
They didn't bother setting up like a cron job that goes and expire everything like once a day 😂
match/lib/match/runner.rb
Outdated
| @@ -277,6 +311,10 @@ def fetch_provisioning_profile(params: nil, certificate_id: nil, app_identifier: | |||
| return nil | |||
| end | |||
|
|
|||
| if Helper.mac? | |||
There was a problem hiding this comment.
does the fact that we move this after the previous block means that we stop installing expired profiles into the keychain?
There was a problem hiding this comment.
Yes, I see no point in installing an expired profile, generating a new one, and installing a new one after.
There was a problem hiding this comment.
jfy, I did the same in my other PR: https://github.com/fastlane/fastlane/pull/21694/files#diff-8cd09d7ab3f4398e3160f603839ac2891e3cdf60e7f09930a1288ce33ab8fc1fL279
match/lib/match/runner.rb
Outdated
| @@ -133,13 +136,48 @@ def update_optional_values_depending_on_storage_type(params) | |||
| end | |||
| end | |||
|
|
|||
| def fetch_certificate(params: nil, working_directory: nil, specific_cert_type: nil) | |||
| RENEWABLE_CERT_TYPES = [:mac_installer_distribution, :development, :distribution, :enterprise] | |||
There was a problem hiding this comment.
maybe we should rename this to RENEWABLE_CERT_TYPES_VIA_API?
There was a problem hiding this comment.
Yeah, it's for sure will improve readability. Done in eb0db7b.
nekrich
force-pushed
the
feat/match-renew-expired-cert
branch
from
5758fa2
to
3b859ad
Compare
|
Rebased, fixed conflicts and updated the test to include new parameters for the |
nekrich
force-pushed
the
feat/match-renew-expired-cert
branch
from
3b859ad
to
3d8a2d8
Compare
| @@ -484,7 +484,14 @@ def certificate_valid? | |||
| # @return (Bool) Is the current provisioning profile valid? | |||
| # To also verify the certificate call certificate_valid? | |||
| def valid? | |||
| return status == 'Active' | |||
| # Provisioning profiles are not invalidated automatically on the dev portal when the certificate expires. | |||
There was a problem hiding this comment.
They didn't bother setting up like a cron job that goes and expire everything like once a day 😂
|
It seems this PR developed conflicts @nekrich, if you could resolve those and my comments above, this PR should be good to go then 💪 |
nekrich
force-pushed
the
feat/match-renew-expired-cert
branch
from
3d8a2d8
to
37bc483
Compare
Co-authored-by: Roger Oba <rogerluan.oba@gmail.com>
|
Thanks for addressing those changes @nekrich 🙏 I see CI is failing now, could you take a look? 🙇 |
|
Yeah, I'm looking into it. It looks like default renew certs affect all the tests. |
|
LGTM |
rogerluan
changed the title
Checklist
bundle exec rspecfrom the root directory to see all new and existing tests passbundle exec rubocop -ato ensure the code style is validci/circlecibuilds in the "All checks have passed" section of my PR (connect CircleCI to GitHub if not)Motivation and Context
Motivation: Automation 😅, and we had one of our certs expired.
Current flow on expired certificate:
New flow: do nothing, match/sync_code_signing will do all the things for you 🎉.
Description
Check the certificate expiration date for renewable certificates. Remove expired certs from storage.
This behavior is optional, and there is a new parameter
renew_expired_certsto turn it on.Extra profile validation
Provisioning profiles are not invalidated automatically on the dev portal when the certificate expires. They become Invalid only when opened directly in the portal 🤷. We need to do an extra check on the expiration date to ensure the profile is valid.
Git commit of removed files
Commit deletion of only listed deleted files. Encryption modifies all files in git.
Profile installation
I moved the profile installation logic a little bit lower. Now, only valid profiles are installed 🧹.
The
working_directoryparameter was not used in thefetch_certificate, so I removed it.Testing Steps
Tests provided: run match with an expired certificate and active provisioning profiles.