A straightforward tool for creating Provisioning Profiles and Certificates for deploying Apple-based software. It lets users automate the creation of certificates and provisioning profiles through a simple-to-use API.
- Bazel (Tested with Bazel 6.0)
- OpenSSL (tested with LibreSSL 3.3.6)
`sign-here` cannot be used to generate certificates for Enterprise-based accounts. This is a known limitation of the iTunes Connect API.
To start using `sign-here` immediately, clone the repo and run the tool:
git clone https://github.com/Tinder/sign-here.git
cd sign-here
bazel run //Sources/SignHereTool:sign-here
Actions such as `create-keychain` and `delete-keychain` do not require iTunes Connect API access, so they do not require authentication information. Commands such as `create-provisioning-profile` and `delete-provisioning-profile` do need iTunes Connect API access; follow the guides for generating tokens and generating API keys to obtain the necessary credentials.
sign-here create-keychain --help
OVERVIEW: Use this command to create a keychain to populate with signing information in the `create-provisioning-profile` command
This command sets up a keychain that is ready to use for signing actions. This command is not required and you may setup your own keychain
for usage in the `create-provisioning-profile` command.
USAGE: sign-here create-keychain --keychain-name <keychain-name> --keychain-password <keychain-password>
OPTIONS:
--keychain-name <keychain-name>
Name of the keychain to be created
--keychain-password <keychain-password>
Password for the keychain to be created
-h, --help Show help information.
sign-here delete-keychain --help
OVERVIEW: Use this command to delete a keychain from the system
This command can be used to delete a keychain from the system and restore sensible defaults for the keychain search list post deletion (i.e. setting login.keychain in the default search list)
USAGE: sign-here delete-keychain --keychain-name <keychain-name>
OPTIONS:
--keychain-name <keychain-name>
Name of the keychain to be deleted
-h, --help Show help information.
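In CI, the two keychain commands above pair into a create/use/delete wrapper so that no signing keychain outlives the job. The following is an added example, not part of sign-here or its documentation; `SIGN_HERE`, `random_password` and `with_ephemeral_keychain` are names assumed here, and only the `create-keychain` and `delete-keychain` flags from the help text are used.

```shell
# Added example (not from the sign-here project): run a signing step inside a
# throwaway keychain that is removed even when the step fails.
# SIGN_HERE and both function names are assumptions of this example.
SIGN_HERE="${SIGN_HERE:-./sign-here}"

# 32 hex characters (128 bits) from the kernel CSPRNG, fresh on every call.
random_password() {
  od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# with_ephemeral_keychain <keychain-name> <command> [args...]
# The command sees KEYCHAIN_NAME and KEYCHAIN_PASSWORD so it can pass them to
# create-provisioning-profile. Returns the command's status, or the
# delete-keychain status when only the cleanup failed.
with_ephemeral_keychain() {
  _kc_name="$1"; shift
  _kc_pw="$(random_password)"
  _kc_status=0
  _kc_del=0
  [ "${#_kc_pw}" -eq 32 ] || return 1   # refuse to continue with a short password
  # The tool takes the password as an argument, so use a per-run value and
  # never a login or shared password.
  "$SIGN_HERE" create-keychain --keychain-name "$_kc_name" \
    --keychain-password "$_kc_pw" || return 1
  KEYCHAIN_NAME="$_kc_name" KEYCHAIN_PASSWORD="$_kc_pw" "$@" || _kc_status=$?
  # Cleanup runs whether or not the command succeeded.
  "$SIGN_HERE" delete-keychain --keychain-name "$_kc_name" || _kc_del=$?
  unset _kc_pw
  [ "$_kc_status" -ne 0 ] || _kc_status="$_kc_del"
  return "$_kc_status"
}
```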
sign-here create-provisioning-profile --help
OVERVIEW: Use this command to create a ready to use provisioning profile.
Use this command to create and save a mobile provisioning profile to a
specified location. This command
takes care of all necessary signing work and iTunes Connect API calls to get a
ready to use
mobile provisioning profile.
The output of this command is the iTunes Connect API ID of the created
provisioning profile. This can
be used with the `delete-provisioning-profile` command to delete it if desired.
USAGE: sign-here create-provisioning-profile <options>
OPTIONS:
--key-identifier <key-identifier>
The key identifier of the private key
(https://developer.apple.com/documentation/appstoreconnectapi/generating_tokens_for_api_requests)
--issuer-id <issuer-id> The issuer id of the private key
(https://developer.apple.com/documentation/appstoreconnectapi/generating_tokens_for_api_requests)
--private-key-path <private-key-path>
The path to a private key to use for generating PEM
and P12 files. This key will be attached to any
generated certificates or profiles
Use `openssl genrsa -out key.pem 2048` to generate it
--itunes-connect-key-path <itunes-connect-key-path>
The path to the private key
(https://developer.apple.com/documentation/appstoreconnectapi/generating_tokens_for_api_requests)
--keychain-name <keychain-name>
The name of the keychain to use to store fetched
identities
--keychain-password <keychain-password>
The password of the keychain specified by
--keychain-name
--bundle-identifier <bundle-identifier>
The bundle identifier of the app for which you want
to generate a provisioning profile for
--bundle-identifier-name <bundle-identifier-name>
The bundle identifier name for the desired bundle
identifier, this is optional but if it is not set the
logic will select the first bundle id it finds that
matches `--bundle-identifier`
--platform <platform> The intended operating system for the target
(https://developer.apple.com/documentation/appstoreconnectapi/bundleidplatform)
--profile-type <profile-type>
The profile type which you wish to create
(https://developer.apple.com/documentation/appstoreconnectapi/profilecreaterequest/data/attributes)
--certificate-type <certificate-type>
The certificate type which you wish to create
(https://developer.apple.com/documentation/appstoreconnectapi/certificatetype)
--output-path <output-path>
Where to save the created provisioning profile
--openssl-path <openssl-path>
Path to the openssl executable, this is used to
generate CSR signing artifacts that are required when
creating certificates
--intermediary-apple-certificates <intermediary-apple-certificates>
Intermediary Apple Certificates that should also be
added to the keychain
(https://www.apple.com/certificateauthority/)
--profile-name <profile-name>
The name that you would like to assign to the created
provisioning profile (optional)
--certificate-signing-request-subject <certificate-signing-request-subject>
Subject for the Certificate Signing Request when
creating certificates.
OpenSSL documentation for this flag
(https://www.openssl.org/docs/manmaster/man1/openssl-req.html):
Sets subject name for new request or supersedes the
subject name when processing a certificate request.
The arg must be formatted as
'/type0=value0/type1=value1/type2=....'. Special
characters may be escaped by '\' (backslash),
whitespace is retained. Empty values are permitted,
but the corresponding type will not be included in
the request. Giving a single '/' will lead to an
empty sequence of RDNs (a NULL-DN). Multi-valued RDNs
can be formed by placing a '+' character instead of a
'/' between the AttributeValueAssertions (AVAs) that
specify the members of the set. Example:
/DC=org/DC=OpenSSL/DC=users/UID=123456+CN=JohnDoe
--auto-regenerate
Defines if the profile should be regenerated in case
it already exists (optional)
-h, --help Show help information.
sign-here delete-provisioning-profile --help
OVERVIEW: Use this command to delete a provisioning profile using its iTunes Connect API ID
This command can be used in conjunction with the `create-provisioning-profile` command to create and delete provisioning profiles.
USAGE: sign-here delete-provisioning-profile --provisioning-profile-id <provisioning-profile-id> --key-identifier <key-identifier> --issuer-id <issuer-id> --itunes-connect-key-path <itunes-connect-key-path>
OPTIONS:
--provisioning-profile-id <provisioning-profile-id>
The iTunes Connect API ID of the provisioning profile to delete (https://developer.apple.com/documentation/appstoreconnectapi/profile)
--key-identifier <key-identifier>
The key identifier of the private key (https://developer.apple.com/documentation/appstoreconnectapi/generating_tokens_for_api_requests)
--issuer-id <issuer-id> The issuer id of the private key (https://developer.apple.com/documentation/appstoreconnectapi/generating_tokens_for_api_requests)
--itunes-connect-key-path <itunes-connect-key-path>
The path to the private key (https://developer.apple.com/documentation/appstoreconnectapi/generating_tokens_for_api_requests)
-h, --help Show help information.
curl -L https://github.com/Tinder/sign-here/releases/download/2.2.0/sign-here -o sign-here
chmod +x sign-here
./sign-here
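The download above executes whatever the URL returns. The following added example, which is not part of the project's instructions, checks the file against a pinned SHA-256 before it is made executable; the function names are this example's own, and the digest is an argument you supply from a source you trust, since the page publishes none.

```shell
# Added example (not from the sign-here project): verify a downloaded binary
# against a pinned SHA-256 before installing it as an executable.

# Print the lowercase hex SHA-256 of a file (GNU coreutils or macOS shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d ' ' -f 1
  else
    shasum -a 256 "$1" | cut -d ' ' -f 1
  fi
}

# install_verified <downloaded-file> <expected-sha256> <destination>
# Returns 0 on success, 1 on digest mismatch, 2 on bad input.
install_verified() {
  [ -f "$1" ] || { echo "no such file: $1" >&2; return 2; }
  _want="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
  case "$_want" in
    ""|*[!0-9a-f]*) echo "expected digest is not hex" >&2; return 2 ;;
  esac
  [ "${#_want}" -eq 64 ] || { echo "expected digest is not 64 chars" >&2; return 2; }
  _actual="$(sha256_of "$1")"
  if [ "$_actual" != "$_want" ]; then
    echo "sha256 mismatch for $1: got $_actual" >&2
    return 1   # the destination is never created on mismatch
  fi
  cp "$1" "$3" && chmod 0755 "$3"
}

# Usage with the release URL from this page (digest is a placeholder):
#   curl -fL https://github.com/Tinder/sign-here/releases/download/2.2.0/sign-here \
#        -o sign-here.download
#   install_verified sign-here.download "<pinned-sha256>" ./sign-here
```

The `http_archive` rule in the WORKSPACE snippet below accepts a `sha256` attribute that pins the source tarball in the same way.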
WORKSPACE
load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
com_github_tinder_sign_here_version = "2.2.0"
http_archive(
    name = "com_github_tinder_sign_here",
    url = "https://github.com/Tinder/sign-here/archive/refs/tags/%s.tar.gz" % com_github_tinder_sign_here_version,
    type = "tar.gz",
    strip_prefix = "sign-here-%s" % com_github_tinder_sign_here_version,
)
load(
    "@com_github_tinder_sign_here//:repositories.bzl",
    "sign_here_dependencies",
)
sign_here_dependencies()
bazel test //Tests/...
Copyright (c) 2023, Match Group, LLC
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
* Neither the name of Match Group, LLC nor the names of its contributors
may be used to endorse or promote products derived from this software
without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL MATCH GROUP, LLC BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.