Use xcodebuild (Xcode 8) and automatic signing in CI (Travis/Jenkins) environments

I basically run into the same issue using Jenkins CI and the Xcode Plugin.I ended up doing the build and codesigning stuff myself using xcodebuild.

0. Prerequisites

In order to get the following steps done successfully, you need to have installed the necessary provisioning profiles and certificates. That means your code signing should already be working in general.

1. Building an .xcarchive

xcodebuild -project <path/to/project.xcproj> -scheme <scheme-name> -configuration <config-name> clean archive -archivePath <output-path> DEVELOPMENT_TEAM=<dev-team-id>

• DEVELOPMENT_TEAM: your 10 digit developer team id (something like A1B2C3D4E5)

2. Exporting to .ipa

xcodebuild -exportArchive -archivePath <path/to/your.xcarchive> -exportOptionsPlist <path/to/exportOptions.plist> -exportPath <output-path>

Example of an exportOptions.plist:

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict>    <key>method</key>    <string>development</string>    <key>teamID</key>    <string> A1B2C3D4E5 </string></dict></plist>

• method: is one of development, app-store, ad-hoc, enterprise
• teamID: your 10 digit developer team id (something like A1B2C3D4E5)

This process is anyway closer to what you would do with Xcode manually, than what for example the Jenkins Xcode Plugin does.

Note: The .xcarchive file will always be develpment signed, but selecting "app-store" as method in the 2nd step will do the correct distribution signing and also include the distribution profile as "embedded.mobileprovision".

Hope this helps.

After trying a few options, these are the solutions that I was able to use on my CI server:

• Include the Developer certificate and private key as well as the auto generated provisioning profiles in the CI environment:

Using Automatic signing forces you to use a Developer certificate and auto-generated provisioning profiles. One option is to export your development certificate and private key (Application -> Utilities -> Keychain Access) and the auto-generated provisioning profiles to the CI machine. A way to locate the auto-generated provisioning profiles is to navigate to ~/Library/MobileDevice/Provisioning\ Profiles/, move all files to a backup folder, open Xcode and archive the project. Xcode will create auto-generated development provisioning profiles and will copy them to the Provisioning Profiles folder.

xcodebuild archive ... will create a .xcarchive signed for Development. xcodebuild -exportArchive ... can then resign the build for Distribution

• Replace 'Automatic' with 'Manual' when building on a CI environment

Before calling xcodebuild a workaround is to replace all instances of ProvisioningStyle = Automatic with ProvisioningStyle = Manual in the project file. sed can be used for a simple find an replace in the pbxproj file:

sed -i '' 's/ProvisioningStyle = Automatic;/ProvisioningStyle = Manual;/' <ProjectName>.xcodeproj/project.pbxproj

@thelvis also created a Ruby script to do this using the xcodeproj gem. The script gives you a better control over what is changed.

xcodebuild will then use the code signing identity (CODE_SIGN_IDENTITY) set in the project, as well as the provisioning profiles (PROVISIONING_PROFILE_SPECIFIER). Those settings can also be provided as parameters to xcodebuild and they will override the code signing identity and/or provisioning profile set in the project.

EDIT: with Xcode 9, xcodebuild has a new build settings parameter CODE_SIGN_STYLE to select between Automatic and Manual so there's no need to find and replace instances of automatic with manual in the project file, more info in WWDC 2017 Session 403 What's New in Signing for Xcode and Xcode Server

• Switch to manual signing

Manual signing will provide total control over the code signing identities and provisioning profiles being used. It's probably the cleanest solution, but with the downside of losing all the benefits of Automatic signing.

To learn more about code signing with Xcode 8 I really recommend this article as well as the WWDC2016 session 401 - What's new in Xcode app signing

I'm considering another option I've not seen mentioned here yet. Setup two identical targets, that only differ in their signing settings.

• Development Target uses automatic signing to get all of those benefits when new devices / developers are added
• CI Target uses manual signing

Downside is that you would have to manage two identical targets. Upside is that get the benefits of automatic signing for development, and don't have to maintain potentially brittle scripts that modify your project just before build time.