ci: build and sign xcframework (#5271)

itaybre · web-flow · commit 6220a6892b49 · 2025-05-26T10:41:22.000-03:00
* ci: build and sign xcframework

* Setup ruby

* Use fastlane lane

* Ignore bump version

* Upload permissions for sign_and_zip.sh

* Add comments to `sign_and_zip.sh`

* Add comment to the test workflow

* Use same script for zipping xcframeworks and optionally sign them

* Update make comand name

* Cleanup bash script

* Use `build-signed-xcframework` in framework release

* Add fastlane step to release workflow

* Remove temporary test workflow

* Add comment to explain why using ditto

* Rename `prepare_sign_xcframework` to `prepare_signed_xcframework`

* Update changelog
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -21,14 +21,30 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      - uses: ruby/setup-ruby@v1
+        with:
+          bundler-cache: true
+
+      - name: "Download Fastlane Certificate"
+        run: bundle exec fastlane prepare_signed_xcframework
+        env:
+          APP_STORE_CONNECT_KEY_ID: ${{ secrets.APP_STORE_CONNECT_KEY_ID }}
+          APP_STORE_CONNECT_ISSUER_ID: ${{ secrets.APP_STORE_CONNECT_ISSUER_ID }}
+          APP_STORE_CONNECT_KEY: ${{ secrets.APP_STORE_CONNECT_KEY }}
+          FASTLANE_KEYCHAIN_PASSWORD: ${{ secrets.FASTLANE_KEYCHAIN_PASSWORD }}
+          MATCH_GIT_PRIVATE_KEY: ${{ secrets.MATCH_GIT_PRIVATE_KEY }}
+          MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}
+          MATCH_USERNAME: ${{ secrets.MATCH_USERNAME }}
+        shell: sh
+
       - name: "Generate XCFramework"
         run: |
           ./scripts/ci-select-xcode.sh 15.2
           make bump-version TO=${{ github.event.inputs.version }}
           # We need to build the framework during release to get it's SHA value
           # the framework will be saved as an artefact and we will use the same
           # binary for the entire release process to avoid the SHA to change
-          make build-xcframework
+          make build-signed-xcframework
 
       - uses: actions/upload-artifact@v4
         with:
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Changelog
 
+## Unreleased
+
+### Features
+
+- XCFrameworks are now signed (#5271)
+
 ## 8.51.1
 
 ### Fixes
diff --git a/Makefile b/Makefile
@@ -104,11 +104,12 @@ analyze:
 build-xcframework:
 	@echo "--> Carthage: creating Sentry xcframework"
 	./scripts/build-xcframework.sh | tee build-xcframework.log
-# use ditto here to avoid clobbering symlinks which exist in macOS frameworks
-	ditto -c -k -X --rsrc --keepParent Carthage/Sentry.xcframework Carthage/Sentry.xcframework.zip
-	ditto -c -k -X --rsrc --keepParent Carthage/Sentry-Dynamic.xcframework Carthage/Sentry-Dynamic.xcframework.zip
-	ditto -c -k -X --rsrc --keepParent Carthage/SentrySwiftUI.xcframework Carthage/SentrySwiftUI.xcframework.zip
-	ditto -c -k -X --rsrc --keepParent Carthage/Sentry-WithoutUIKitOrAppKit.xcframework Carthage/Sentry-WithoutUIKitOrAppKit.zip
+	./scripts/zip_built_sdks.sh
+
+build-signed-xcframework:
+	@echo "--> Carthage: creating Signed Sentry xcframework"
+	./scripts/build-xcframework.sh | tee build-xcframework.log
+	./scripts/zip_built_sdks.sh --sign
 
 build-xcframework-sample:
 	./scripts/create-carthage-json.sh
diff --git a/fastlane/Fastfile b/fastlane/Fastfile
@@ -9,6 +9,16 @@ platform :ios do
   ios_swift_clip_infoplist_path = "./Samples/iOS-Swift/iOS-SwiftClip/Info.plist"
   configuration = if is_ci then 'TestCI' else 'Test' end
 
+  lane :prepare_signed_xcframework do
+    setup_ci
+
+    match(
+      type: "appstore",
+      readonly: true,
+      app_identifier: ["io.sentry.sample.iOS-Swift"], # Any app identifier will do
+    )
+  end
+
   lane :bump_build_number do
     increment_build_number(
       build_number: ENV["FASTLANE_BUILD_NUMBER"],
diff --git a/scripts/zip_built_sdks.sh b/scripts/zip_built_sdks.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+set -eou pipefail
+
+args="${1:-}"
+
+frameworks=( Sentry Sentry-Dynamic SentrySwiftUI Sentry-WithoutUIKitOrAppKit )
+
+should_sign=false
+[[ "$args" == "--sign" ]] && should_sign=true
+
+sentry_certificate="Apple Distribution: GetSentry LLC (97JCY7859U)"
+
+for framework in "${frameworks[@]}"; do
+    framework_path="Carthage/$framework.xcframework"
+
+    if [[ "$should_sign" == true ]]; then
+        echo "Signing $framework"
+        # This is Sentry's certificate name, and should not change
+        codesign --sign "$sentry_certificate" --timestamp --options runtime --deep --force "$framework_path"
+    fi
+
+    echo "Zipping $framework"
+    # use ditto here to avoid clobbering symlinks which exist in macOS frameworks
+    ditto -c -k -X --rsrc --keepParent "$framework_path" "$framework_path.zip"
+done
