To address the code signing issue and the code signing certificate being revoked, I've reimported the latest "Created by API" cert from the Dev Portal into S3.
This means that the binary is now signed with a correct and up-to-date certificate, and we'll need to make a new version and deploy it to our hosts ASAP.
Testing
Run make build
Run .build/artifacts/release/hostmgr -h and validate it runs and prints the help—as opposed to be killed at launch and macOS showing the alert.
Fix Details
Most of the changes done to solve this are not visible in the diff of this PR but were commands run in the terminal to fix our certs in S3, detailed below
Validating the incorrect setup
I confirmed that running make build then trying to launch .build/artifacts/release/hostmgr made it killed at start, with macOS showing the " ⚠️ will damage your computer" alert
I had to update fastlane to 2.220.0 first, so that it would not fail decrypting our S3 bucket (see this fastlane issue)
I confirmed that running fastlane setup_code_signing added the revoked certificate in my keychain
Import the newer certificate in S3
I downloaded the latest "Created by API" .cer from the Developer Portal, added it to my keychain, validating this one was green and not invalid
I then exported that certificate and its private key (which luckily was the same as the one from previous "Created by API" certs, so this one I already had in my keychain) as a .p12 file
I ran bundle exec fastlane match import --verbose --type development --team_id PZYM8XX95Q --storage_mode s3 --readonly true --skip_provisioning_profiles --s3_region us-east-2 --s3_bucket a8c-fastlane-match and provided the path to the .cer and the .p12 file from above at the prompts
Finally, I went to S3 to check the bucket content, and deleted the previous and revoked .cer and .p12 files from there to avoid confusion, only keeping the ones that had just been uploaded by fastlane match import
Validating the new setup
I deleted all the Apple Development: Created by API (886NX39KP6) certificates from my keychain
Ran bundle exec fastlane setup_code_signing, and validated that the Apple Development: Created by API (886NX39KP6) certificate that was added to my keychain was not the revoked one anymore but was instead green and valid
Ran make build and validated I could then launch .build/artifacts/release/hostmgr -h without issue
See pdnsEh-1BJ-p2
What
To address the code signing issue and the code signing certificate being revoked, I've reimported the latest "Created by API" cert from the Dev Portal into S3.
This means that the binary is now signed with a correct and up-to-date certificate, and we'll need to make a new version and deploy it to our hosts ASAP.
Testing
make build.build/artifacts/release/hostmgr -hand validate it runs and prints the help—as opposed to be killed at launch and macOS showing the alert.Fix Details
Most of the changes done to solve this are not visible in the diff of this PR but were commands run in the terminal to fix our certs in S3, detailed below
Validating the incorrect setup
make buildthen trying to launch.build/artifacts/release/hostmgrmade it killed at start, with macOS showing the " ⚠️ will damage your computer" alertfastlaneto2.220.0first, so that it would not fail decrypting our S3 bucket (see thisfastlaneissue)fastlane setup_code_signingadded the revoked certificate in my keychainImport the newer certificate in S3
.cerfrom the Developer Portal, added it to my keychain, validating this one was green and not invalid.p12filebundle exec fastlane match import --verbose --type development --team_id PZYM8XX95Q --storage_mode s3 --readonly true --skip_provisioning_profiles --s3_region us-east-2 --s3_bucket a8c-fastlane-matchand provided the path to the.cerand the.p12file from above at the prompts.cerand.p12files from there to avoid confusion, only keeping the ones that had just been uploaded byfastlane match importValidating the new setup
Apple Development: Created by API (886NX39KP6)certificates from my keychainbundle exec fastlane setup_code_signing, and validated that theApple Development: Created by API (886NX39KP6)certificate that was added to my keychain was not the revoked one anymore but was instead green and validmake buildand validated I could then launch.build/artifacts/release/hostmgr -hwithout issue