Thursday, February 6, 2025

AWS CodeBuild for macOS adds support for Fastlane



I’m happy to announce the availability of Fastlane in your AWS CodeBuild for macOS environments. AWS CodeBuild is a fully managed continuous integration service that compiles source code, runs tests, and produces ready-to-deploy software packages.

Fastlane is an open source tool suite designed to automate various aspects of mobile application development. It provides mobile application developers with a centralized set of tools to manage tasks such as code signing, screenshot generation, beta distribution, and app store submissions. It integrates with popular continuous integration and continuous deployment (CI/CD) platforms and supports both iOS and Android development workflows. Although Fastlane offers significant automation capabilities, developers may encounter challenges during its setup and maintenance. Configuring Fastlane can be complex, particularly for teams unfamiliar with the syntax and package management system of Ruby. Keeping Fastlane and its dependencies up to date requires ongoing effort, because updates to mobile platforms or third-party services may necessitate adjustments to existing workflows.

When we launched CodeBuild for macOS in August 2024, we knew that one of your challenges was to install and maintain Fastlane in your build environment. Although it was possible to manually install Fastlane in a custom build environment, at AWS, we remove the undifferentiated heavy lifting from your infrastructure so you can spend more time on the aspects that matter for your business. Starting today, Fastlane is installed by default, and you can use the familiar command fastlane build in your buildspec.yaml file.

Fastlane and code signing
To distribute an application on the App Store, developers must sign their binary with a private key generated on the Apple Developer portal. This private key, along with the certificate that validates it, must be accessible during the build process. This can be a challenge for development teams because they need to share the development private key (which allows deployment on selected test devices) among team members. Additionally, the distribution private key (which enables publishing on the App Store) must be available during the signing process before uploading the binary to the App Store.

Fastlane is a versatile build system in that it also helps developers with the management of development and distribution keys and certificates. Developers can use fastlane match to share signing materials in a team and make them securely and easily accessible on individual developers’ machines and on the CI environment. match allows the storage of private keys, the certificates, and the mobile provisioning profiles on a secured shared storage. It makes sure that the local build environment, whether it’s a developer laptop or a server machine in the cloud, stays in sync with the shared storage. At build time, it securely downloads the required certificates to sign your app and configures the build machine to allow the codesign utility to pick them up.

match allows the sharing of signing secrets through GitHub, GitLab, Google Cloud Storage, Azure DevOps, and Amazon Simple Storage Service (Amazon S3).

If you already use one of these and you’re migrating your projects to CodeBuild, you don’t have much to do. You only need to make sure your CodeBuild build environment has access to the shared storage (see step 3 in the demo).

Let’s see how it works
If you’re new to Fastlane or CodeBuild, let’s see how it works.

For this demo, I start with an existing iOS project. The project is already configured to be built on CodeBuild. You can refer to my previous blog post, Add macOS to your continuous integration pipelines with AWS CodeBuild, to learn more details.

I’ll show you how to get started in three steps:

  • Import your existing signing materials to a shared private GitHub repository
  • Configure fastlane to build and sign your project
  • Use fastlane with CodeBuild

Step 1: Import your signing materials

Most of the fastlane documentation I read explains how to create a new key pair and a new certificate to get started. Although this is certainly true for new projects, in real life, you probably already have your project and your signing keys. So, the first step is to import these existing signing materials.

Apple App Store uses different keys and certificates for development and distribution (there are also ad hoc and enterprise certificates, but these are outside the scope of this post). You must have three files for each usage (that’s a total of six files):

  • A .mobileprovision file that you can create and download from the Apple developer console. The provisioning profile links your identity, the app identity, and the entitlements the app might have.
  • A .cer file, which is the certificate emitted by Apple to validate your private key. You can download this from the Apple Developer portal. Select the certificate, then select Download.
  • A .p12 file, which contains your private key. You can download the key when you create it in the Apple Developer portal. If you didn’t download it but have it on your machine, you can export it from the Apple Keychain app. Note that the KeyChain.app is hidden in macOS 15.x. You can open it with open "/System/Library/CoreServices/Applications/Keychain Access.app". Select the key you want to export and right click to select Export.
Export p12 files from Keychain

When you have these files, create a fastlane/Matchfile file with the following content:

git_url("https://github.com/sebsto/secret.git")
storage_mode("git")
type("development")
# or use appstore to use the distribution signing key and certificate
# type("appstore")

Be sure to replace the URL with the URL of your GitHub repository and make sure this repository is private. It will serve as storage for your signing key and certificate.

Then, I import my existing files with the fastlane match import --type appstore command. I repeat the command for each environment: appstore and development.

The very first time, fastlane prompts me for my Apple Id username and password. It connects to App Store Connect to verify the validity of the certificates or to create new ones when necessary. The session cookie is stored in ~/.fastlane/spaceship/<your apple user id>/cookie.

fastlane match also asks for a password. It uses this password to generate a key to encrypt the signing materials on the storage. Don’t forget this password because it will be used at build time to import the signing materials on the build machine.

Here is the command and its output in full:

 fastlane match import --type appstore

[✔] 🚀
[16:43:54]: Successfully loaded '~/amplify-ios-getting-started/code/fastlane/Matchfile' 📄

+-----------------------------------------------------+
| Detected Values from './fastlane/Matchfile'         |
+--------------+--------------------------------------+
| git_url      | https://github.com/sebsto/secret.git |
| storage_mode | git                                  |
| type         | development                          |
+--------------+--------------------------------------+

[16:43:54]: Certificate (.cer) path:
./secrets/sebsto-apple-dist.cer
[16:44:07]: Private key (.p12) path:
./secrets/sebsto-apple-dist.p12
[16:44:12]: Provisioning profile (.mobileprovision or .provisionprofile) path or leave empty to skip
this file:
./secrets/amplifyiosgettingstarteddist.mobileprovision
[16:44:25]: Cloning remote git repo...
[16:44:25]: If cloning the repo takes too long, you can use the `clone_branch_directly` option in match.
[16:44:27]: Checking out branch master...
[16:44:27]: Enter the passphrase that should be used to encrypt/decrypt your certificates
[16:44:27]: This passphrase is specific per repository and will be stored in your local keychain
[16:44:27]: Make sure to remember the password, as you'll need it when you run match on a different machine
[16:44:27]: Passphrase for Match storage: ********
[16:44:30]: Type passphrase again: ********
security: SecKeychainAddInternetPassword <NULL>: The specified item already exists in the keychain.
[16:44:31]: 🔓 Successfully decrypted certificates repo
[16:44:31]: Repo is at: '/var/folders/14/nwpsn4b504gfp02_mrbyd2jr0000gr/T/d20250131-41830-z7b4ic'
[16:44:31]: Login to App Store Connect (sebsto@mac.com)
[16:44:33]: Enter the passphrase that should be used to encrypt/decrypt your certificates
[16:44:33]: This passphrase is specific per repository and will be stored in your local keychain
[16:44:33]: Make sure to remember the password, as you'll need it when you run match on a different machine
[16:44:33]: Passphrase for Match storage: ********
[16:44:37]: Type passphrase again: ********
security: SecKeychainAddInternetPassword <NULL>: The specified item already exists in the keychain.
[16:44:39]: 🔒 Successfully encrypted certificates repo
[16:44:39]: Pushing changes to remote git repo...
[16:44:40]: Finished uploading files to Git Repo [https://github.com/sebsto/secret.git]

I confirm that Fastlane imported my signing materials to my Git repository.

Fastlane match - github repo after import

I can configure my local machine to use these signing materials during the next build:

» fastlane match appstore 

[✔] 🚀 
[17:39:08]: Successfully loaded '~/amplify-ios-getting-started/code/fastlane/Matchfile' 📄

+-----------------------------------------------------+
|   Detected Values from './fastlane/Matchfile'       |
+--------------+--------------------------------------+
| git_url      | https://github.com/sebsto/secret.git |
| storage_mode | git                                  |
| type         | development                          |
+--------------+--------------------------------------+


+-------------------------------------------------------------------------------------------+
|                                 Summary for match 2.226.0                                 |
+----------------------------------------+--------------------------------------------------+
| type                                   | appstore                                         |
| readonly                               | false                                            |
| generate_apple_certs                   | true                                             |
| skip_provisioning_profiles             | false                                            |
| app_identifier                         | ["com.amazonaws.amplify.mobile.getting-started"] |
| username                               | xxxx@xxxxxxxxx                                   |
| team_id                                | XXXXXXXXXX                                       |
| storage_mode                           | git                                              |
| git_url                                | https://github.com/sebsto/secret.git             |
| git_branch                             | master                                           |
| shallow_clone                          | false                                            |
| clone_branch_directly                  | false                                            |
| skip_google_cloud_account_confirmation | false                                            |
| s3_skip_encryption                     | false                                            |
| gitlab_host                            | https://gitlab.com                               |
| keychain_name                          | login.keychain                                   |
| force                                  | false                                            |
| force_for_new_devices                  | false                                            |
| include_mac_in_profiles                | false                                            |
| include_all_certificates               | false                                            |
| force_for_new_certificates             | false                                            |
| skip_confirmation                      | false                                            |
| safe_remove_certs                      | false                                            |
| skip_docs                              | false                                            |
| platform                               | ios                                              |
| derive_catalyst_app_identifier         | false                                            |
| fail_on_name_taken                     | false                                            |
| skip_certificate_matching              | false                                            |
| skip_set_partition_list                | false                                            |
| force_legacy_encryption                | false                                            |
| verbose                                | false                                            |
+----------------------------------------+--------------------------------------------------+

[17:39:08]: Cloning remote git repo...
[17:39:08]: If cloning the repo takes too long, you can use the `clone_branch_directly` option in match.
[17:39:10]: Checking out branch master...
[17:39:10]: Enter the passphrase that should be used to encrypt/decrypt your certificates
[17:39:10]: This passphrase is specific per repository and will be stored in your local keychain
[17:39:10]: Make sure to remember the password, as you'll need it when you run match on a different machine
[17:39:10]: Passphrase for Match storage: ********
[17:39:13]: Type passphrase again: ********
security: SecKeychainAddInternetPassword <NULL>: The specified item already exists in the keychain.
[17:39:15]: 🔓  Successfully decrypted certificates repo
[17:39:15]: Verifying that the certificate and profile are still valid on the Dev Portal...
[17:39:17]: Installing certificate...

+-------------------------------------------------------------------------+
|                          Installed Certificate                          |
+-------------------+-----------------------------------------------------+
| User ID           | XXXXXXXXXX                                          |
| Common Name       | Apple Distribution: Sebastien Stormacq (XXXXXXXXXX) |
| Organisation Unit | XXXXXXXXXX                                          |
| Organisation      | Sebastien Stormacq                                  |
| Country           | US                                                  |
| Start Datetime    | 2024-10-29 09:55:43 UTC                             |
| End Datetime      | 2025-10-29 09:55:42 UTC                             |
+-------------------+-----------------------------------------------------+

[17:39:18]: Installing provisioning profile...

+-------------------------------------------------------------------------------------------------------------------+
|                                          Installed Provisioning Profile                                           |
+---------------------+----------------------------------------------+----------------------------------------------+
| Parameter           | Environment Variable                         | Value                                        |
+---------------------+----------------------------------------------+----------------------------------------------+
| App Identifier      |                                              | com.amazonaws.amplify.mobile.getting-starte  |
|                     |                                              | d                                            |
| Type                |                                              | appstore                                     |
| Platform            |                                              | ios                                          |
| Profile UUID        | sigh_com.amazonaws.amplify.mobile.getting-s  | 4e497882-d80f-4684-945a-8bfec1b310b9         |
|                     | tarted_appstore                              |                                              |
| Profile Name        | sigh_com.amazonaws.amplify.mobile.getting-s  | amplify-ios-getting-started-dist             |
|                     | tarted_appstore_profile-name                 |                                              |
| Profile Path        | sigh_com.amazonaws.amplify.mobile.getting-s  | /Users/stormacq/Library/MobileDevice/Provis  |
|                     | tarted_appstore_profile-path                 | ioning                                       |
|                     |                                              | Profiles/4e497882-d80f-4684-945a-8bfec1b310  |
|                     |                                              | b9.mobileprovision                           |
| Development Team ID | sigh_com.amazonaws.amplify.mobile.getting-s  | XXXXXXXXXX                                   |
|                     | tarted_appstore_team-id                      |                                              |
| Certificate Name    | sigh_com.amazonaws.amplify.mobile.getting-s  | Apple Distribution: Sebastien Stormacq       |
|                     | tarted_appstore_certificate-name             | (XXXXXXXXXX)                                 |
+---------------------+----------------------------------------------+----------------------------------------------+

[17:39:18]: All required keys, certificates and provisioning profiles are installed 🙌

Step 2: Configure Fastlane to sign your project

I create a Fastlane build configuration file in fastlane/Fastfile (you can use the fastlane init command to get started):

default_platform(:ios)

platform :ios do
  before_all do
    setup_ci
  end

  desc "Build and Sign the binary"
  lane :build do
    match(type: "appstore", readonly: true)
    gym(
      scheme: "getting started",
      export_method: "app-store"
    )
  end
end

Make sure that the setup_ci action is added to the before_all section of Fastfile for the match action to function correctly. This action creates a temporary Fastlane keychain with correct permissions. Without this step, you may encounter build failures or inconsistent results.

And I test a local build with the command fastlane build. I enter the password I used when importing my keys and certificate, then I let the system build and sign my project. When everything is correctly configured, it produces a similar output.

...
[17:58:33]: Successfully exported and compressed dSYM file
[17:58:33]: Successfully exported and signed the ipa file:
[17:58:33]: ~/amplify-ios-getting-started/code/getting started.ipa

+---------------------------------------+
|           fastlane summary            |
+------+------------------+-------------+
| Step | Action           | Time (in s) |
+------+------------------+-------------+
| 1    | default_platform | 0           |
| 2    | setup_ci         | 0           |
| 3    | match            | 36          |
| 4    | gym              | 151         |
+------+------------------+-------------+

[17:58:33]: fastlane.tools finished successfully 🎉

Step 3: Configure CodeBuild to use Fastlane

Next, I create a project on CodeBuild. I’m not going into the step-by-step guide to help you to do so. You can refer to my previous post or to the CodeBuild documentation.

There is just one Fastlane-specific configuration. To access the signing materials, Fastlane requires access to three secret values that I’ll pass as environment variables:

  • MATCH_PASSWORD, the password I entered when importing the signing material. Fastlane uses this password to decipher the encrypted files in the GitHub repository
  • FASTLANE_SESSION, the value of the Apple Id session cookie, located at ~/.fastlane/spaceship/<your apple user id>/cookie. The session is valid from a couple of hours to several days. When the session expires, reauthenticate with the command fastlane spaceauth from your laptop and update the value of FASTLANE_SESSION with the new value of the cookie.
  • MATCH_GIT_BASIC_AUTHORIZATION, a base 64 encoding of your GitHub username, followed by a colon, followed by a personal authentication token (PAT) to access your private GitHub repository. You can generate PAT on the GitHub console in Your Profile > Settings > Developers Settings > Personal Access Token. I use this command to generate the value of this environment variable: echo -n my_git_username:my_git_pat | base64.

Note that for each of these three values, I can enter the Amazon Resource Name (ARN) of the secret on AWS Secrets Manager or the plain text value. We strongly recommend using Secrets Manager to store security-sensitive values.

I’m a security-conscious user, so I store the three secrets in Secrets Manager with these commands:

# The command substitutions are quoted so that the multi-line cookie is passed as a single argument
aws --region "$REGION" secretsmanager create-secret --name /CodeBuild/MATCH_PASSWORD --secret-string MySuperSecretPassword
aws --region "$REGION" secretsmanager create-secret --name /CodeBuild/FASTLANE_SESSION --secret-string "$(cat ~/.fastlane/spaceship/my_appleid_username/cookie)"
aws --region "$REGION" secretsmanager create-secret --name /CodeBuild/MATCH_GIT_BASIC_AUTHORIZATION --secret-string "$(echo -n my_git_username:my_git_pat | base64)"

If your build project refers to secrets stored in Secrets Manager, the build project’s service role must allow the secretsmanager:GetSecretValue action. If you chose New service role when you created your project, CodeBuild includes this action in the default service role for your build project. However, if you chose Existing service role, you must include this action to your service role separately.

For this demo, I use this AWS Identity and Access Management (IAM) policy:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"secretsmanager:GetSecretValue"
			],
			"Resource": [
				"arn:aws:secretsmanager:us-east-2:012345678912:secret:/CodeBuild/*"
			]
		}
	]
}

When I create the project in the CodeBuild section of the AWS Management Console, I enter the three environment variables. Notice that the value is the name of the secret in Secrets Manager.

Codebuild - environment variables for Fastlane match

You can also define the environment variables and their Secrets Manager secret name in your buildspec.yaml file.

Next, I modify the buildspec.yaml file at the root of my project to use fastlane to build and sign the binary. My buildspec.yaml file now looks like this one:

# buildspec.yml
version: 0.2
phases:
  install:
    commands:
      - code/ci_actions/00_install_rosetta.sh
  pre_build:
    commands:
      - code/ci_actions/02_amplify.sh
  build:
    commands:
      - (cd code && fastlane build)
artifacts:
  name: getting-started-$(date +%Y-%m-%d).ipa
  files:
    - 'getting started.ipa'
  base-directory: 'code'

The Rosetta and Amplify scripts are required to download the Amplify configuration for the backend. If you don’t use AWS Amplify in your project, you don’t need these.

Notice that there is nothing in the build file that downloads the signing key or prepares the keychain in the build environment; fastlane match will do that for me.

I add the new buildspec.yaml file and my ./fastlane directory to Git. I commit and push these files. git commit -m "add fastlane support" && git push

When everything goes well, I can see the build running on CodeBuild and the Succeeded message.

Codebuild - succeed message

Pricing and availability
Fastlane is now pre-installed at no extra cost on all macOS images that CodeBuild uses, in all Regions where CodeBuild for macOS is available. At the time of this writing, these are US East (Ohio, N. Virginia), US West (Oregon), Asia Pacific (Sydney), and Europe (Frankfurt).

In my experience, it takes a bit of time to configure fastlane match correctly. When it’s configured, having it working on CodeBuild is pretty straightforward. Before trying this on CodeBuild, be sure it works on your local machine. When something goes wrong on CodeBuild, triple-check the values of the environment variables and make sure CodeBuild has access to your secrets on AWS Secrets Manager.
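
A preflight check for the three environment variables from step 3, written as an added example that is not part of the original post. The function names check_git_basic_auth and preflight_match_env are hypothetical; the check decodes MATCH_GIT_BASIC_AUTHORIZATION only to validate its shape and never prints a secret value.

```shell
# Added example (not from the original post): validate the three Fastlane
# secrets before `fastlane build` runs, without printing their values.

# Diagnose one MATCH_GIT_BASIC_AUTHORIZATION value.
# Prints a short diagnosis; returns 0 only when the value is usable.
check_git_basic_auth() {
  local value="$1" decoded last_byte user token
  if [ -z "$value" ]; then
    echo "empty"; return 1
  fi
  # The value must decode as base64 to something non-empty.
  if ! decoded="$(printf '%s' "$value" | base64 --decode 2>/dev/null)" \
      || [ -z "$decoded" ]; then
    echo "not base64"; return 1
  fi
  # A trailing newline (echo without -n) becomes part of the token, so the
  # Git host sees different credentials. Inspect the last decoded byte.
  last_byte="$(printf '%s' "$value" | base64 --decode | tail -c 1 \
    | od -An -tx1 | tr -d ' \n')"
  if [ "$last_byte" = "0a" ]; then
    echo "trailing newline"; return 1
  fi
  # Expected shape is username:token, with both parts present.
  case "$decoded" in
    *:*) ;;
    *) echo "missing colon"; return 1 ;;
  esac
  user="${decoded%%:*}"
  token="${decoded#*:}"
  if [ -z "$user" ] || [ -z "$token" ]; then
    echo "empty username or token"; return 1
  fi
  echo "ok"
}

# Check all three variables the build needs. Diagnostics go to stderr;
# the return code is the number of problems found (0 means ready).
preflight_match_env() {
  local problems=0 result
  if [ -z "${MATCH_PASSWORD:-}" ]; then
    echo "MATCH_PASSWORD: not set" >&2
    problems=$((problems + 1))
  fi
  if [ -z "${FASTLANE_SESSION:-}" ]; then
    echo "FASTLANE_SESSION: not set" >&2
    problems=$((problems + 1))
  fi
  if ! result="$(check_git_basic_auth "${MATCH_GIT_BASIC_AUTHORIZATION:-}")"; then
    echo "MATCH_GIT_BASIC_AUTHORIZATION: $result" >&2
    problems=$((problems + 1))
  fi
  return "$problems"
}
```

Calling preflight_match_env in the pre_build phase makes a missing or malformed secret fail the build before fastlane match contacts the Git repository.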

Now go build (on macOS)!
