Venafi/fastlane-action-csp

Venafi Apache 2.0 License Community Supported Compatible with TPP 23.x

Automate Apple Code Signing with Venafi CodeSign Protect and Fastlane

Make sure the latest Venafi CodeSign Protect client for macOS is installed and configured. See the documentation.

The venafi_codesign_auth action will automate authentication/authorization for the CodeSign Protect client.

The venafi_codesign_cert action will automate the issuance of Apple code signing certificates within Venafi CodeSign Protect. This automation leverages API access and therefore you will need an appropriate API Integration with the following minimum scopes:

restricted:manage;configuration;certificate:discover

To fetch an appropriate access_token, you can use the following API call:

POST /vedauth/authorize/oauth HTTP/1.1
Host: tpp.example.com
Content-Type: application/json
Content-Length: 147

{
   "client_id":"apple-cert",
   "password":"SuperSecretPassword!",
   "scope":"restricted:manage;configuration;certificate:discover",
   "username":"local:myaccount"
}

Or using curl:

curl --location 'https://tpp.example.com/vedauth/authorize/oauth' \
--header 'Content-Type: application/json' \
--data '{
   "client_id":"apple-cert",
   "password":"SuperSecretPassword!!",
   "scope":"restricted:manage;configuration;certificate:discover",
   "username":"local:myaccount"
}'
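
The token request above can also be made from Ruby with a check that the granted scope matches the minimum the README lists. This is an added example, not part of the project's code; the environment variable names are hypothetical, the response is assumed to carry `access_token` and `scope` fields, and scopes are compared literally (no privilege is treated as implying another).

```ruby
require "json"
require "net/http"
require "uri"

# Minimum scopes the README lists for venafi_codesign_cert.
REQUIRED_SCOPE = "restricted:manage;configuration;certificate:discover"

# Parse "a:x,y;b" into { "a" => ["x", "y"], "b" => [] } (order-insensitive).
def parse_scope(str)
  str.to_s.split(";").reject(&:empty?).to_h do |part|
    name, privs = part.strip.split(":", 2)
    [name.downcase, privs.to_s.split(",").map { |p| p.strip.downcase }.sort]
  end
end

# Build the token request from environment variables (names are assumptions)
# and refuse plain-http URLs so the password never travels in clear text.
def build_token_request(env)
  uri = URI.join(env.fetch("TPP_URL"), "/vedauth/authorize/oauth")
  raise ArgumentError, "TPP_URL must use https" unless uri.is_a?(URI::HTTPS)
  req = Net::HTTP::Post.new(uri, "Content-Type" => "application/json")
  req.body = JSON.generate(client_id: env.fetch("TPP_CLIENT_ID"),
                           username: env.fetch("TPP_USERNAME"),
                           password: env.fetch("TPP_PASSWORD"),
                           scope: REQUIRED_SCOPE)
  [uri, req]
end

# Compare granted and required scopes: :missing breaks the action,
# :extra means the token carries more privilege than the action needs.
def check_granted_scope(response_body, required = REQUIRED_SCOPE)
  granted = parse_scope(JSON.parse(response_body).fetch("scope"))
  needed = parse_scope(required)
  covered = ->(have, name, privs) { have.key?(name) && (privs - have[name]).empty? }
  { missing: needed.reject { |n, p| covered.(granted, n, p) }.keys,
    extra: granted.reject { |n, p| covered.(needed, n, p) }.keys }
end

# Request a token and return it only if the granted scope is sufficient.
def fetch_access_token(env = ENV)
  uri, req = build_token_request(env)
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: true) { |http| http.request(req) }
  raise "token request failed: HTTP #{res.code}" unless res.is_a?(Net::HTTPSuccess)
  result = check_granted_scope(res.body)
  raise "token lacks scope: #{result[:missing].join(';')}" unless result[:missing].empty?
  warn "token is broader than needed: #{result[:extra].join(';')}" unless result[:extra].empty?
  JSON.parse(res.body).fetch("access_token")
end
```

The value returned by `fetch_access_token` can be passed as `tpp_access_token` in the lane, so no token needs to be stored in the Fastfile.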

Issue Apple Code Signing Certificate

Here is an example lane:

lane :venafi_cert do
  # Authenticate to App Store Connect with an API key.
  app_store_connect_api_key(
    key_id: "<insert key id>",
    issuer_id: "<insert issuer id>",
    key_filepath: "/Users/developer/private_keys/AuthKey_ABC123.p8",
    duration: 1200
  )
  # Issue the Apple code signing certificate through CodeSign Protect.
  # The access token below is a sample value; keep real tokens out of the Fastfile.
  venafi_codesign_cert(
    tpp_url: "https://tpp.example.com",
    tpp_access_token: "lfhTMYQtLK+oHS6cUvOCLh==",
    tpp_policydn: "Code Signing\\Certificates",
    tpp_project: "AppleTestProject",
    tpp_environment: "Development",
    certificate_type: "APPLEDEVELOPMENT"
  )
end

Sign with CodeSign Protect:

Here is an example lane:

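lane :venafi_sign do # lane name is illustrative
  # Authenticate/authorize the CodeSign Protect client before building.
  # The credentials below are sample values; keep real ones out of the Fastfile.
  venafi_codesign_auth(
    tpp_url: "https://tpp.example.com",
    tpp_username: "sample-cs-user",
    tpp_password: "MySecret!"
  )
  # Build the app; signing uses the provisioning profile named below.
  build_app(
    project: "SampleIOSApp.xcodeproj",
    scheme: "SampleIOSApp",
    output_name: "SampleIOSApp.ipa",
    export_method: "development",
    export_options: {
      provisioningProfiles: {
        "com.example.SampleIOSApp" => "Venafi Profile"
      }
    }
  )
end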

Contributing to the FastLane actions for Venafi CodeSign Protect

Venafi welcomes contributions from the developer community.

  1. Fork it to your account (https://github.com/Venafi/fastlane-action-csp/fork)
  2. Clone your fork (git clone git@github.com:youracct/fastlane-action-csp.git)
  3. Create a feature branch (git checkout -b your-branch-name)
  4. Implement and test your changes
  5. Commit your changes (git commit -am 'Added some cool functionality')
  6. Push to the branch (git push origin your-branch-name)
  7. Create a new Pull Request (https://github.com/youracct/fastlane-action-csp/pull/new/your-branch-name)

License

Copyright © Venafi, Inc. All rights reserved.

fastlane-action-csp is licensed under the Apache License, Version 2.0. See LICENSE for the full license text.

Please direct questions/comments to opensource@venafi.com.
