iOS, fastlane match & dynamic provisioning

Hi all, I wasn’t able to make bitrise work with fastlane match without preloaded provisions, so I’m interesting if such workflow possible at all, e.g. provide no provisions and cert beforehand and download them during workflow phase via match?

1 Like

Hi @elfenlaid,

Thanks for asking this question here! :wink:

If you use match (or any other non bitrise code signing management tool) and you get an error like:

Check dependencies 
No profiles for 'com.company.app' were found: Xcode couldn't find a provisioning profile matching 'com.company.app'. 
Code signing is required for product type 'Application' in SDK 'iOS 10.0'

The easiest solution is:

  1. follow this guide http://devcenter.bitrise.io/ios/code-signing/
  2. make sure that our Cerficiate and profile installer step is in the workflow
  3. run our codesigndoc tool (as advised in the guide) to collect the code signing files
  4. and upload to bitrise.io (as advised in the guide)

Other solutions and more explanation:

This error comes from Xcode, not from bitrise, and it simply means that Xcode can’t find the required code signing files.

You might ask “But I use match / tool X to manage the signing files, it should be there! It works on my Mac!”

The answer is: it works on your Mac because you have other code signing files available on your Mac, not just the ones in your match repo. match in itself does not guarantee that all required code signing files are available! It guarantees that the signing files you manage with match are available, but Xcode might require other signing files!

This is especially true if you use Xcode 8 auto code signing. That requires a special, Wildcard, Team provisioning profile for an initial signing, regardless of what the final signing is.

When you sign into Xcode.app on your Mac, it does download this wildcard team prov profile, so of course it will be available and it will work on your Mac. But when you try to build on a completely clean Mac, where you don’t sign into Xcode (e.g. in a continuous integration environment), you have to provide this/these signing files.

Fortunately our codesigndoc tool was designed exactly for this! Just run it on your Mac, as advised in the guide, and it will collect all the required code signing files for your project (codesigndoc analyzes the Xcode archive log which includes every code signing identity/profile used by Xcode during the archive - more information in codesigndoc’s readme). It will not upload those files anywhere, you’re free to do anything with those files.

Probably the easiest way is to upload them to bitrise.io as described in the guide, but if you want to rather store them in a repository, you’re free to do so. The only thing is, those file are required by Xcode to sign your project. If these files are missing from your match repo / tool, Xcode will not be able to sign the project, unless you have it from another source (e.g. by signing into Xcode.app).


More in-depth iOS code signing guide, with lots of technical details: http://devcenter.bitrise.io/ios/code-signing-technical-details/

If you have any questions, just let us know!

Happy Building! :slight_smile:

1 Like

Thanks for answer, now I’ve got the full picture.
Also I’ve used codesigndoc and it seems to provide the same certs and provisions as match.
Anyway, basically I’m interesting in if it possible to provide certs and provision profiles directly during workflow phase.
How about that, if I’ll preserve codesigndoc generated certificates and would provide provisions in runtime via match have such setup chances to work?

Sure, you’re free to use any tool you like to download and register the code signing files. You just have to make sure that all the required files are available.

As a best practice I’d suggest you to start with a simple setup, e.g. use bitrise.io and the Certificate and profile installer step, and when that works just iterate on the config (e.g. remove the signing files from bitrise.io and move them into your match repo, or similar).

One more note for codesigndoc: you should do a full clean git clone of the repository, into a new / temporary directory, and run codesigndoc after that / on that clean checkout. This can ensure that codesigndoc runs on the same state of the code what bitrise.io will get when it git clones the repo; in your regular work checkout/directory you might have uncommitted files, gitignored files etc.

Cool, thanks :slight_smile:

1 Like

Quick update here, currently with manual signing match is able to provide sign credentials during workflow :relieved:
Also, automatic signing additionally generates iOS Team Provision Profile or something like that and seems like without it one can’t sign build. This type of generated provisioning isn’t supported by match.

1 Like

Correct, this generated iOS Team Prov. Profile is required by Xcode if you use automatic code signing.

More info: http://devcenter.bitrise.io/ios/code-signing-technical-details/

And: iOS, fastlane match & dynamic provisioning