A Step-by-Step Guide to Automated iOS Certificate Renewal
At Halodoc, keeping our applications running smoothly is essential: efficiency and reliability are key to delivering quality healthcare solutions. One common problem we have experienced is having to update Apple certificates manually. In this blog post, we’ll explore how automating iOS certificate renewal with Jenkins and Fastlane has transformed our build process, saving time, reducing errors and enhancing security. We’ll dive into the inefficiencies of manual methods, the capabilities of Fastlane Match and the tangible benefits of implementing automation.
Understanding Apple Certificates
Apple certificates are a must in the iOS app development and distribution process. They are used for authentication: they verify that iOS apps originate from authorized developers and have not been compromised, so that users can trust them.
There are two primary types of Apple certificates:
Development Certificates: These are used for testing apps on physical devices during the development phase.
Distribution Certificates: These are used for signing apps for production release, such as App Store submission.
The Problem with Manual Renewal
Apple certificates must be renewed annually to maintain app development and distribution capabilities. The manual certificate creation process is labor-intensive, requiring multiple complex steps to be performed accurately. It requires a thorough understanding of the entire process, from generating new certificates to updating provisioning profiles. Mistakes in any step, such as incorrect profiles or certificates, can lead to app build failures. Hence the manual renewal process requires significant time and effort.
Introducing Fastlane Match
Fastlane is an open-source platform designed to simplify and automate the process of building and releasing mobile applications. It is highly configurable and integrates well with continuous integration (CI) systems, making it a powerful tool for mobile developers.
To streamline and automate the certificate renewal process, we used the Fastlane Match tool. Match is one of the tools provided by Fastlane and allows you to securely and efficiently manage and share iOS code signing credentials with your team. Additionally, Match centralizes certificate management, reducing the risk of mismatched credentials and ensuring consistency across the team.
Benefits of Fastlane Match
- Automation: Automatically handles certificate and profile generation, significantly reducing manual effort and the potential for human error.
- Consistency: Ensures that all team members are using the same, up-to-date profiles and certificates, avoiding mismatches that can lead to build issues.
- Security: Credentials are encrypted before being stored in Git, making them accessible only to authorized users with decryption keys. This setup keeps credentials secure and traceable while allowing controlled access for the team.
Configuring Fastlane Match
Install Fastlane
Begin by installing Fastlane on your machine or in your CI environment:
Initialize Fastlane in Your Project
Navigate to your iOS project directory and run:
This will initialise Fastlane within the project and create the necessary files, such as Fastfile and Appfile.
- Fastfile: Defines the lanes (automated workflows) for tasks like building, testing and distributing your app. Each lane in the Fastfile specifies a sequence of steps that Fastlane can run on demand.
- Appfile: Stores essential app metadata, such as your Apple ID, app identifier and team information, which Fastlane uses across different lanes for consistency.
Configure Fastlane Match
To configure Fastlane Match, run the following command:
You'll be asked if you want to store your certificates and profiles inside a Git repo, Google Cloud or Amazon S3. Use Git Storage to store all certificates and profiles in a private git repo, owned and operated by you. Fastlane will securely store your certificates and provisioning profiles in the Git repository. Be sure to:
- Create a private Git repository (e.g., on GitHub or GitLab) to store encrypted certificates and profiles.
- Set up a passphrase to encrypt and decrypt the certificates.
This will create a Matchfile in your current directory. It is a configuration file used by the fastlane match tool to manage certificates and provisioning profiles.
Automating Renewal by Integrating Fastlane with Jenkins
To fully automate the iOS certificate renewal process using Jenkins and Fastlane, we have created a Jenkins job which handles all necessary steps of generating certificates and syncing profiles automatically. Here's how the job automates the creation and syncing of certificates for both development and distribution:
Development certificates:
When renewing development certificates, we utilize the development_renew_certificates lane in our Fastfile, which includes the match command with the generate_apple_certs parameter set to true. This configuration enables the automatic generation of a new development certificate.
Steps involved in the Process:
- Generate New Certificate: A new development certificate is generated.
- Sync Existing Profiles: All existing provisioning profiles are automatically synced with the newly generated certificate, ensuring that no manual intervention is required to update profiles.
This ensures that a new certificate is created and provisioning profiles are synced with the certificate, guaranteeing the use of the correct certificate for code signing and app installation on authorised devices.
Distribution certificates:
Renewing distribution certificates involves a slightly more complex process due to limitations within Fastlane’s default behaviour. While we can generate a new distribution certificate within a lane, Fastlane typically picks the old distribution certificate ID when syncing the profiles, preventing automatic association with the newly generated certificate.
To overcome this limitation, we follow a multi-step approach for generating the certificate and syncing provisioning profiles separately. This ensures that the newly generated certificate is correctly associated with the profiles, avoiding any issues during app distribution.
Generate New Certificate:
The distribution_cert_creation lane generates a new distribution certificate, but it does not automatically update the provisioning profiles.
Set Certificate ID in Environment:
After generating the certificate, we export the SIGH_CERTIFICATE_ID environment variable with the newly generated certificate's ID. This step is crucial as Fastlane requires the new certificateId to sync distribution provisioning profiles.
Sync Distribution Profiles:
Once the certificate ID is set, the distribution_profile_update lane is triggered to sync the new certificate with the distribution provisioning profiles. Fastlane uses the SIGH_CERTIFICATE_ID that was exported to associate the profiles with the new certificate.
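The three distribution steps above can be wired into a single Jenkins shell step that fails closed. The script below is an added example, not Halodoc's job script. It assumes the distribution_cert_creation lane writes the new certificate ID to the file named by CERT_ID_FILE (a hypothetical hand-off), that the job supplies the previous certificate ID, and that FASTLANE names the fastlane executable.

```shell
#!/bin/sh
# Added example: two-stage distribution renewal as one Jenkins shell step.
# Assumptions (not from the original post): the distribution_cert_creation
# lane writes the new certificate ID to $CERT_ID_FILE, and the job passes in
# the previous certificate ID so an unchanged ID can be rejected.

FASTLANE="${FASTLANE:-fastlane}"
CERT_ID_FILE="${CERT_ID_FILE:-fastlane/new_cert_id.txt}"   # hypothetical path

# Accept only a non-empty, purely alphanumeric ID that differs from the old one.
check_cert_id() {
  case "$1" in
    ""|*[!A-Za-z0-9]*) echo "invalid certificate ID" >&2; return 1 ;;
  esac
  if [ "$1" = "$2" ]; then
    echo "certificate ID unchanged; refusing to sync profiles" >&2
    return 1
  fi
}

renew_distribution() {
  prev_id="$1"
  rm -f "$CERT_ID_FILE"                        # never reuse a stale ID file
  "$FASTLANE" distribution_cert_creation || return 1
  [ -r "$CERT_ID_FILE" ] || { echo "no certificate ID produced" >&2; return 1; }
  fresh_id=$(tr -d '[:space:]' < "$CERT_ID_FILE")
  # Stop here rather than let the profiles be synced against the old certificate.
  check_cert_id "$fresh_id" "$prev_id" || return 1
  export SIGH_CERTIFICATE_ID="$fresh_id"       # read by the profile sync lane
  "$FASTLANE" distribution_profile_update
}

# Run only when invoked as: renew.sh --run <previous-cert-id>
if [ "${1:-}" = "--run" ]; then
  renew_distribution "${2:-}"
fi
```

Because the profile lane only runs after the ID check passes, a failed or partial certificate creation leaves the existing profiles untouched.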
Real-World Benefits
Implementing an automated solution for Fastlane and Match using Jenkins has brought significant improvements to our workflow, including:
- Time Savings: With the automated pipeline, the entire process which used to take up to 3 hours is currently completed within 5 minutes, resulting in a savings of 97% of the build time. This drastic reduction in time allows developers to focus more on coding and less on administrative tasks, thereby increasing overall productivity.
- Reduced Errors: Automation minimizes the risk of human error by ensuring that each step is performed consistently and correctly every time. This helps eliminate common mistakes, such as failing to update a provisioning profile with a new certificate. With automation in place, these errors are prevented, leading to a more reliable and predictable workflow, reducing downtime and the need for manual intervention.
- Enhanced Security: Previously, certificates and provisioning profiles were stored in a Git repository without encryption, which not only exposed sensitive data to unauthorized access but also violated best practices. With the implementation of Fastlane and Match in Jenkins, certificates and profiles are now securely stored and encrypted in a centralized Git repository. This encryption ensures that only authorized users with the proper credentials can access sensitive information, significantly reducing the risk of data breaches.
Conclusion
By automating the Fastlane and Match processes using Jenkins, we have been able to save a great deal of time, prevent errors and improve security. This solution makes our work more efficient and reliable, allowing our team to focus on what they do best—developing great software.