I'm pleased to announce the availability of Fastlane in your AWS CodeBuild for macOS environments. AWS CodeBuild is a fully managed continuous integration service that compiles source code, runs tests, and produces ready-to-deploy software packages.
Fastlane is a set of open source tools designed to automate various aspects of mobile application development. It gives mobile application developers a centralized set of tools to manage tasks such as code signing, screenshot generation, beta distribution, and App Store submissions. It integrates with popular continuous integration and continuous deployment (CI/CD) platforms and supports both iOS and Android development workflows. Although Fastlane offers significant automation capabilities, developers can encounter challenges during configuration and maintenance. Fastlane configuration can be complex, particularly for teams that are not familiar with Ruby's syntax and package management system. Keeping Fastlane and its dependencies up to date requires continuous effort, because updates to mobile platforms or third-party services might require adjustments to existing workflows.
When we introduced CodeBuild for macOS in August 2024, we knew that one of your challenges was to install and maintain Fastlane in your build environment. Although it was possible to manually install Fastlane in a custom build environment, at AWS, we remove the undifferentiated heavy lifting from your infrastructure so you can spend more time on the aspects that matter for your business. Starting today, Fastlane is installed by default, and you can use the familiar command fastlane build in your buildspec.yaml file.
Fastlane and code signing
To distribute an application on the App Store, developers must sign their binary with a private key generated on the Apple developer portal. This private key, along with the certificate that validates it, must be accessible during the build process. This can be a challenge for development teams because they need to share the development private key (which allows deployment on selected test devices) among team members. In addition, the distribution private key (which allows publishing on the App Store) must be available during the signing process before uploading the binary to the App Store.
Fastlane is a versatile build system in the sense that it also helps developers manage development and distribution keys and certificates. Developers can use fastlane match to share signing materials within a team and make them securely and easily accessible on individual developer machines and in the CI environment. match allows the storage of private keys, certificates, and mobile provisioning profiles on a secured shared storage. It ensures that the local build environment, whether a developer laptop or a server machine in the cloud, stays synchronized with the shared storage. At build time, it securely downloads the certificates required to sign your application and configures the build machine to allow the codesign utility to pick them up.
match allows you to share signing secrets through GitHub, GitLab, Google Cloud Storage, Azure DevOps, and Amazon Simple Storage Service (Amazon S3).
If you already use one of these and are migrating your projects to CodeBuild, you don't have much to do. You only need to make sure that your CodeBuild build environment has access to the shared storage (see step 3 in the demonstration).
Let's see how it works
If you are new to Fastlane or CodeBuild, let's see how it works.
For this demonstration, I start with an existing iOS project. The project is already configured to build on CodeBuild. You can check my previous blog post, Add macOS to your continuous integration pipelines with AWS CodeBuild, for more details.
I'll show you how to get started in three steps:
- Import your existing signing materials to a private GitHub repository
- Configure fastlane to build and sign your project
- Use fastlane with CodeBuild
Step 1: Import your signing materials
Most of the fastlane documentation I read explains how to create a new key pair and a new certificate to get started. Although this is certainly true for new projects, in real life, you probably already have your project and your signing keys. So, the first step is to import these existing signing materials.
The Apple App Store uses different keys and certificates for development and distribution (there are also ad hoc and enterprise certificates, but these are beyond the scope of this post). You must have three files for each usage (that is a total of six files):
- A .mobileprovision file that you can create and download from the Apple developer console. The provisioning profile links your identity, the identity of the application, and the entitlements that the application might have.
- A .cer file, which is the certificate issued by Apple to validate your private key. You can download this from the Apple developer portal. Select the certificate, then select Download.
- A .p12 file, which contains your private key. You can download the key when you create it in the Apple developer portal. If you didn't download it but you have it on your machine, you can export it from the Apple Keychain application. Note that the Keychain app is hidden in macOS 15.x. You can open it with open "/System/Library/CoreServices/Applications/Keychain Access.app". Select the key you want to export and right-click to select Export.
When you have these files, create a fastlane/Matchfile file with the following content:
git_url("https://github.com/sebsto/secret.git")
storage_mode("git")
type("development")
# or use appstore to use the distribution signing key and certificate
# type("appstore")
Be sure to replace the URL with that of your GitHub repository and make sure this repository is private. It will serve as storage for your signing key and certificate.
Then, I import my existing files with the fastlane match import --type appstore command. I repeat the command for each environment: appstore and development.
The first time, fastlane prompts me for my Apple ID username and password. It connects to App Store Connect to verify the validity of the certificates or to create new ones when necessary. The session cookie is stored in ~/.fastlane/spaceship/.
fastlane match also asks for a password. It uses this password to generate a key to encrypt the signing materials in the storage. Don't forget this password because it will be used at build time to import the signing materials on the build machine.
Here is the command and its output in full:
fastlane match import --type appstore
[✔] 🚀
[16:43:54]: Successfully loaded '~/amplify-ios-getting-started/code/fastlane/Matchfile' 📄
+-----------------------------------------------------+
| Detected Values from './fastlane/Matchfile' |
+--------------+--------------------------------------+
| git_url | https://github.com/sebsto/secret.git |
| storage_mode | git |
| type | development |
+--------------+--------------------------------------+
[16:43:54]: Certificate (.cer) path:
./secrets/sebsto-apple-dist.cer
[16:44:07]: Private key (.p12) path:
./secrets/sebsto-apple-dist.p12
[16:44:12]: Provisioning profile (.mobileprovision or .provisionprofile) path or leave empty to skip
this file:
./secrets/amplifyiosgettingstarteddist.mobileprovision
[16:44:25]: Cloning remote git repo...
[16:44:25]: If cloning the repo takes too long, you can use the `clone_branch_directly` option in match.
[16:44:27]: Checking out branch master...
[16:44:27]: Enter the passphrase that should be used to encrypt/decrypt your certificates
[16:44:27]: This passphrase is specific per repository and will be stored in your local keychain
[16:44:27]: Make sure to remember the password, as you'll need it when you run match on a different machine
[16:44:27]: Passphrase for Match storage: ********
[16:44:30]: Type passphrase again: ********
security: SecKeychainAddInternetPassword : The specified item already exists in the keychain.
[16:44:31]: 🔓 Successfully decrypted certificates repo
[16:44:31]: Repo is at: '/var/folders/14/nwpsn4b504gfp02_mrbyd2jr0000gr/T/d20250131-41830-z7b4ic'
[16:44:31]: Login to App Store Connect ([email protected])
[16:44:33]: Enter the passphrase that should be used to encrypt/decrypt your certificates
[16:44:33]: This passphrase is specific per repository and will be stored in your local keychain
[16:44:33]: Make sure to remember the password, as you'll need it when you run match on a different machine
[16:44:33]: Passphrase for Match storage: ********
[16:44:37]: Type passphrase again: ********
security: SecKeychainAddInternetPassword : The specified item already exists in the keychain.
[16:44:39]: 🔒 Successfully encrypted certificates repo
[16:44:39]: Pushing changes to remote git repo...
[16:44:40]: Finished uploading files to Git Repo [https://github.com/sebsto/secret.git]
I verify that Fastlane imported my signing materials to my Git repository.
I can also configure my local machine to use these signing materials during the next build:
» fastlane match appstore
[✔] 🚀
[17:39:08]: Successfully loaded '~/amplify-ios-getting-started/code/fastlane/Matchfile' 📄
+-----------------------------------------------------+
| Detected Values from './fastlane/Matchfile' |
+--------------+--------------------------------------+
| git_url | https://github.com/sebsto/secret.git |
| storage_mode | git |
| type | development |
+--------------+--------------------------------------+
+-------------------------------------------------------------------------------------------+
| Summary for match 2.226.0 |
+----------------------------------------+--------------------------------------------------+
| type | appstore |
| readonly | false |
| generate_apple_certs | true |
| skip_provisioning_profiles | false |
| app_identifier | ["com.amazonaws.amplify.mobile.getting-started"] |
| username | xxxx@xxxxxxxxx |
| team_id | XXXXXXXXXX |
| storage_mode | git |
| git_url | https://github.com/sebsto/secret.git |
| git_branch | master |
| shallow_clone | false |
| clone_branch_directly | false |
| skip_google_cloud_account_confirmation | false |
| s3_skip_encryption | false |
| gitlab_host | https://gitlab.com |
| keychain_name | login.keychain |
| force | false |
| force_for_new_devices | false |
| include_mac_in_profiles | false |
| include_all_certificates | false |
| force_for_new_certificates | false |
| skip_confirmation | false |
| safe_remove_certs | false |
| skip_docs | false |
| platform | ios |
| derive_catalyst_app_identifier | false |
| fail_on_name_taken | false |
| skip_certificate_matching | false |
| skip_set_partition_list | false |
| force_legacy_encryption | false |
| verbose | false |
+----------------------------------------+--------------------------------------------------+
[17:39:08]: Cloning remote git repo...
[17:39:08]: If cloning the repo takes too long, you can use the `clone_branch_directly` option in match.
[17:39:10]: Checking out branch master...
[17:39:10]: Enter the passphrase that should be used to encrypt/decrypt your certificates
[17:39:10]: This passphrase is specific per repository and will be stored in your local keychain
[17:39:10]: Make sure to remember the password, as you'll need it when you run match on a different machine
[17:39:10]: Passphrase for Match storage: ********
[17:39:13]: Type passphrase again: ********
security: SecKeychainAddInternetPassword : The specified item already exists in the keychain.
[17:39:15]: 🔓 Successfully decrypted certificates repo
[17:39:15]: Verifying that the certificate and profile are still valid on the Dev Portal...
[17:39:17]: Installing certificate...
+-------------------------------------------------------------------------+
| Installed Certificate |
+-------------------+-----------------------------------------------------+
| User ID | XXXXXXXXXX |
| Common Name | Apple Distribution: Sebastien Stormacq (XXXXXXXXXX) |
| Organisation Unit | XXXXXXXXXX |
| Organisation | Sebastien Stormacq |
| Country | US |
| Start Datetime | 2024-10-29 09:55:43 UTC |
| End Datetime | 2025-10-29 09:55:42 UTC |
+-------------------+-----------------------------------------------------+
[17:39:18]: Installing provisioning profile...
+-------------------------------------------------------------------------------------------------------------------+
| Installed Provisioning Profile |
+---------------------+----------------------------------------------+----------------------------------------------+
| Parameter | Environment Variable | Value |
+---------------------+----------------------------------------------+----------------------------------------------+
| App Identifier | | com.amazonaws.amplify.mobile.getting-starte |
| | | d |
| Type | | appstore |
| Platform | | ios |
| Profile UUID | sigh_com.amazonaws.amplify.mobile.getting-s | 4e497882-d80f-4684-945a-8bfec1b310b9 |
| | tarted_appstore | |
| Profile Name | sigh_com.amazonaws.amplify.mobile.getting-s | amplify-ios-getting-started-dist |
| | tarted_appstore_profile-name | |
| Profile Path | sigh_com.amazonaws.amplify.mobile.getting-s | /Users/stormacq/Library/MobileDevice/Provis |
| | tarted_appstore_profile-path | ioning |
| | | Profiles/4e497882-d80f-4684-945a-8bfec1b310 |
| | | b9.mobileprovision |
| Development Team ID | sigh_com.amazonaws.amplify.mobile.getting-s | XXXXXXXXXX |
| | tarted_appstore_team-id | |
| Certificate Name | sigh_com.amazonaws.amplify.mobile.getting-s | Apple Distribution: Sebastien Stormacq |
| | tarted_appstore_certificate-name | (XXXXXXXXXX) |
+---------------------+----------------------------------------------+----------------------------------------------+
[17:39:18]: All required keys, certificates and provisioning profiles are installed 🙌
Step 2: Configure Fastlane to sign your project
I create a Fastlane build configuration file in fastlane/Fastfile (you can use the fastlane init command to get started):
default_platform(:ios)

platform :ios do
  before_all do
    # Creates a temporary keychain for the CI run
    setup_ci
  end

  desc "Build and Sign the binary"
  lane :build do
    # readonly: fetch the existing signing materials, never create new ones
    match(type: "appstore", readonly: true)
    gym(
      scheme: "getting started",
      export_method: "app-store"
    )
  end
end
Make sure the setup_ci action is added to the before_all section of the Fastfile for the match action to function properly. This action creates a temporary Fastlane keychain with correct permissions. Without this step, you may encounter build failures or inconsistent results.
Then I try a local build with the command fastlane build. I enter the password I used when importing my keys and certificates, then I let the system build and sign my project. When everything is correctly configured, it produces a similar output.
...
[17:58:33]: Successfully exported and compressed dSYM file
[17:58:33]: Successfully exported and signed the ipa file:
[17:58:33]: ~/amplify-ios-getting-started/code/getting started.ipa
+---------------------------------------+
| fastlane summary |
+------+------------------+-------------+
| Step | Action | Time (in s) |
+------+------------------+-------------+
| 1 | default_platform | 0 |
| 2 | setup_ci | 0 |
| 3 | match | 36 |
| 4 | gym | 151 |
+------+------------------+-------------+
[17:58:33]: fastlane.tools finished successfully 🎉
Step 3: Configure CodeBuild to use Fastlane
Next, I create a project in CodeBuild. I won't go through the step-by-step guide to help you do it. You can refer to my previous post or to the CodeBuild documentation.
There is only one Fastlane-specific configuration. To access the signing materials, Fastlane requires access to three secret values that I'll pass as environment variables:
- MATCH_PASSWORD: The password that I entered when importing the signing materials. Fastlane uses this password to decrypt the encrypted files in the GitHub repository.
- FASTLANE_SESSION: The value of the Apple ID session cookie, located in ~/.fastlane/spaceship/. The session is valid from a couple of hours to several days. When the session expires, re-authenticate with the command fastlane spaceauth from your laptop and update the value of FASTLANE_SESSION with the new value of the cookie.
- MATCH_GIT_BASIC_AUTHORIZATION: A base64 encoding of your GitHub username, followed by a colon, followed by a personal authentication token (PAT) to access your private GitHub repository. You can generate a PAT in the GitHub console under Your profile > Settings > Developer settings > Personal access token. I use this command to generate the value of this environment variable: echo -n my_git_username:my_git_pat | base64
Note that for each of these three values, I can enter either the Amazon Resource Name (ARN) of the secret in AWS Secrets Manager or the plain text value. We strongly recommend using Secrets Manager to store security-sensitive values.
I'm a security-conscious user, so I store the three secrets in Secrets Manager with these commands:
# The command substitutions are quoted so that the multi-line cookie is passed as a single argument
aws --region "$REGION" secretsmanager create-secret --name /CodeBuild/MATCH_PASSWORD --secret-string MySuperSecretPassword
aws --region "$REGION" secretsmanager create-secret --name /CodeBuild/FASTLANE_SESSION --secret-string "$(cat ~/.fastlane/spaceship/my_appleid_username/cookie)"
aws --region "$REGION" secretsmanager create-secret --name /CodeBuild/MATCH_GIT_BASIC_AUTHORIZATION --secret-string "$(echo -n my_git_username:my_git_pat | base64)"
If your build project refers to secrets stored in Secrets Manager, the service role of the build project must allow the secretsmanager:GetSecretValue action. If you chose New service role when you created your project, CodeBuild includes this action in the default service role for your build project. However, if you chose Existing service role, you must add this action to your service role separately.
For this demonstration, I use this AWS Identity and Access Management (IAM) policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue"
      ],
      "Resource": [
        "arn:aws:secretsmanager:us-east-2:012345678912:secret:/CodeBuild/*"
      ]
    }
  ]
}
After creating the project in the CodeBuild section of the AWS Management Console, I enter the three environment variables. Note that the value is the name of the secret in Secrets Manager.
You can also define the environment variables and their Secrets Manager secret name in your buildspec.yaml file.
Then I modify the buildspec.yaml file at the root of my project to use fastlane to build and sign the binary. My buildspec.yaml file now looks like this:
# buildspec.yml
version: 0.2
phases:
  install:
    commands:
      - code/ci_actions/00_install_rosetta.sh
  pre_build:
    commands:
      - code/ci_actions/02_amplify.sh
  build:
    commands:
      - (cd code && fastlane build)
artifacts:
  name: getting-started-$(date +%Y-%m-%d).ipa
  files:
    - 'getting started.ipa'
  base-directory: 'code'
The Rosetta and Amplify scripts are required to receive the Amplify configuration for the backend. If you don't use AWS Amplify in your project, you don't need them.
Note that there is nothing in the build file that downloads the signing key or prepares the keychain in the build environment; fastlane match will do that for me.
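A preflight for the three environment variables from step 3, as an added example that is not part of the original post: it confirms each one is set, is not still a Secrets Manager reference (the /CodeBuild/ prefix comes from the commands above), and that MATCH_GIT_BASIC_AUTHORIZATION is single-line base64 of username:token. The function names and the check argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): preflight for the three secrets
# fastlane match reads from the environment. It reports variable names and
# reasons only, never the secret values.

# looks_unresolved VALUE -> 0 if VALUE is still a Secrets Manager reference
# (a name under the post's /CodeBuild/ prefix, or an ARN) instead of the
# secret itself, as happens when the variable is passed as plaintext.
looks_unresolved() {
    case $1 in
        /CodeBuild/*|arn:aws:secretsmanager:*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_basic_auth VALUE -> 0 if VALUE is single-line base64 of "user:token".
# 2: contains whitespace (GNU base64 wraps at 76 columns unless -w 0 is given)
# 3: not valid base64    4: decoded text is not "user:token"
check_basic_auth() {
    stripped=$(printf '%s' "$1" | tr -d '[:space:]')
    [ "$stripped" = "$1" ] || return 2
    decoded=$(printf '%s' "$1" | base64 --decode 2>/dev/null) || return 3
    case $decoded in
        ?*:?*) return 0 ;;
        *) return 4 ;;
    esac
}

# preflight -> 0 when all three variables look usable, 1 otherwise.
preflight() {
    rc=0
    for name in MATCH_PASSWORD FASTLANE_SESSION MATCH_GIT_BASIC_AUTHORIZATION; do
        eval "value=\${$name-}"
        if [ -z "$value" ]; then
            echo "$name: not set or empty" >&2
            rc=1
        elif looks_unresolved "$value"; then
            echo "$name: holds a secret reference, not the secret" >&2
            rc=1
        fi
    done
    if [ -n "${MATCH_GIT_BASIC_AUTHORIZATION-}" ]; then
        check_basic_auth "$MATCH_GIT_BASIC_AUTHORIZATION" || {
            echo "MATCH_GIT_BASIC_AUTHORIZATION: malformed (code $?)" >&2
            rc=1
        }
    fi
    return "$rc"
}

# Run the checks only when invoked as: sh <this file> check
case ${1-} in
    check) preflight ;;
esac
```

Saved under a hypothetical name such as code/ci_actions/03_preflight.sh, it can run as a pre_build command with the check argument so that a missing or malformed secret fails the build before fastlane build starts.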
I add the new buildspec.yaml file and my ./fastlane directory to Git. I commit and push these files: git commit -m "add fastlane support" && git push
When everything goes well, I can see the build running in CodeBuild and the Succeeded message.
Pricing and availability
Fastlane is now pre-installed at no extra cost on all macOS images that CodeBuild uses, in all Regions where CodeBuild for macOS is available. At the time of this writing, these are US East (Ohio, N. Virginia), US West (Oregon), Asia Pacific (Sydney), and Europe (Frankfurt).
In my experience, it takes a little time to configure fastlane match correctly. Once it is configured, having it work in CodeBuild is quite simple. Before trying this in CodeBuild, make sure that it works on your local machine. When something goes wrong in CodeBuild, verify the values of the environment variables and make sure that CodeBuild has access to your secrets in AWS Secrets Manager.
Now go build (on macOS)!