Use ASC API key env vars #3401

Open: mokagio wants to merge 2 commits into trunk from ainfra-226-use-env-var-instead-of-encrypted-json-for-asc-api-key-in-simplenote-electron

mokagio (Contributor) commented Jun 25, 2026

Use App Store Connect API key values from environment variables for macOS signing/notarization instead of the encrypted .configure private key file.

See https://linear.app/a8c/issue/AINFRA-226

AI-generated details.

Test

  1. ruby -c fastlane/Fastfile
  2. node --check after_sign_hook.js
  3. BUNDLE_PATH=vendor/bundle mise exec ruby@3.2.2 -- ruby -S bundle exec fastlane lanes
  4. BUNDLE_PATH=vendor/bundle mise exec ruby@3.2.2 -- ruby -S bundle exec rubocop --only Lint fastlane/Fastfile
  5. mise exec node@20.10.0 -- npm ci --legacy-peer-deps
  6. mise exec node@20.10.0 -- npx prettier --check after_sign_hook.js .buildkite/pipeline.yml
  7. mise exec node@20.10.0 -- npx eslint after_sign_hook.js
  8. mise exec node@20.10.0 -- npm run lint
  9. mise exec node@20.10.0 -- npm test
  10. Verified fastlane mac configure_code_signing no longer requires ASC env vars in readonly mode.
  11. Verified after_sign_hook.js writes a temporary .p8 file from APP_STORE_CONNECT_API_KEY_KEY and passes it to notarization.

Release

These changes do not require release notes.
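
The temporary `.p8` handling described in test step 11, as an added example that is not part of this pull request or the project's code: it validates `APP_STORE_CONNECT_API_KEY_KEY`, writes the key into a fresh owner-only directory, and removes it after use. The helper names `materializeApiKey` and `withApiKey`, the `AuthKey.p8` file name, the PEM header check and the sample value are assumptions made for illustration.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Constructed sample value (not a real key), stored on one line with literal "\n".
const SAMPLE_ENV = {
  APP_STORE_CONNECT_API_KEY_KEY:
    '-----BEGIN PRIVATE KEY-----\\nCONSTRUCTED-SAMPLE-NOT-A-KEY\\n-----END PRIVATE KEY-----',
};

// Hypothetical helper: write the key to a private temp dir and return a cleanup hook.
function materializeApiKey(env = process.env) {
  const raw = env.APP_STORE_CONNECT_API_KEY_KEY;
  if (typeof raw !== 'string' || raw.trim() === '') {
    // Name the variable in the error, never echo its value.
    throw new Error('APP_STORE_CONNECT_API_KEY_KEY is not set');
  }
  const pem = raw.replace(/\\n/g, '\n'); // restore real newlines
  // Assumption: the key is a PKCS#8 PEM block, as .p8 files normally are.
  if (!pem.includes('-----BEGIN PRIVATE KEY-----')) {
    throw new Error('APP_STORE_CONNECT_API_KEY_KEY is not a PEM private key');
  }
  // mkdtemp gives a fresh owner-only directory with a random suffix, so the
  // key path cannot be pre-created or symlinked by another local user.
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'asc-api-key-'));
  const keyPath = path.join(dir, 'AuthKey.p8');
  // 'wx' refuses to reuse an existing file; mode only applies on creation.
  fs.writeFileSync(keyPath, pem, { mode: 0o600, flag: 'wx' });
  return {
    keyPath,
    cleanup: () => fs.rmSync(dir, { recursive: true, force: true }),
  };
}

// Run `fn(keyPath)` (e.g. the notarization call) and always remove the key after.
async function withApiKey(fn, env = process.env) {
  const { keyPath, cleanup } = materializeApiKey(env);
  try {
    return await fn(keyPath);
  } finally {
    cleanup();
  }
}
```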

Remove the encrypted `.configure` API key material and source the
App Store Connect private key from `.mobile-secrets` instead.

Keep readonly certificate sync independent from App Store Connect
credentials so normal packaging can fetch existing signing assets without
requiring API key access.

---

Generated with the help of Codex, https://chatgpt.com/codex

Co-Authored-By: Codex <noreply@openai.com>
@mokagio mokagio self-assigned this Jun 25, 2026
Co-authored-by: Gio Lodi <giovanni.lodi42@gmail.com>
@mokagio mokagio marked this pull request as ready for review June 26, 2026 00:57
Copilot AI review requested due to automatic review settings June 26, 2026 00:57

Copilot AI left a comment

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

Copilot AI left a comment

Pull request overview

Copilot reviewed 4 out of 5 changed files in this pull request and generated 2 comments.

Comment thread after_sign_hook.js
Comment on lines 1 to +16
const fs = require('fs');
const os = require('os');
const path = require('path');
const dotenv = require('dotenv');

function writeAppStoreConnectApiKey() {
const key = process.env.APP_STORE_CONNECT_API_KEY_KEY;
const keyPath = path.join(
os.tmpdir(),
'simplenote-app-store-connect-api-key.p8'
);

fs.writeFileSync(keyPath, key.replace(/\\n/g, '\n'), { mode: 0o600 });

return keyPath;
}
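Review bot: `key.replace(...)` in `writeAppStoreConnectApiKey` runs without checking that `APP_STORE_CONNECT_API_KEY_KEY` is set, so a missing variable surfaces as a TypeError on `undefined` instead of a clear configuration error; guard it and throw a message that names the variable. The key is also written to a fixed file name directly under `os.tmpdir()`, and `mode: 0o600` is applied only when `writeFileSync` creates the file, so a file or symlink already present at that path keeps its own permissions and target. Consider creating a private directory with `fs.mkdtempSync(...)` and writing with `flag: 'wx'`.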
Comment thread after_sign_hook.js
Comment on lines +62 to +63
const appStoreConnectKeyPath = writeAppStoreConnectApiKey();
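Review bot: the path returned at lines 62 to 63 points at a private key on disk, and nothing in the lines shown removes it once notarization finishes. Wrap the notarization call in `try`/`finally` and delete the file there, for example with `fs.rmSync(appStoreConnectKeyPath, { force: true })`, so the key does not outlive the signing step on a build machine that is reused.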
