[match] select cert with the most furthest expiration date in the future#21809
[match] select cert with the most furthest expiration date in the future#21809nekrich wants to merge 16 commits into
Conversation
|
@rogerluan, I would appreciate feedback on this. At some point, it slightly changes the renewal certs behavior introduced in #21691. |
|
Well if that removes the just freshly added |
|
I'm good with both options ) |
|
I can create a small PR that removes the option, but the logic stays the same. Give me a couple of mins |
|
And new PR: #21812 |
|
Hi, @rogerluan and @lacostej. We are experiencing some issues with encryption. I don't know at this moment if it's this PR, or #21691. It's a double encryption or no encryption at all, idk. I think it's better to revert to #21691, and I'll be able to return back to this PR in 2 weeks. I'll try to make it faster, but no promises. Sorry for the bother 😥. |
|
@nekrich what encryption issues are you running into? Could it be related to the encryption changes I made since the last release? |
|
@nekrich so to summarize.
and you would like #21812 to be merged while you fix this one. The plan sounds OK, but I would really like to know more about the encryption failures you are having, and make sure they are not related to other changes. |
|
@lacostej I'll be able to look only after Feb 20. I'll definitely describe what's wrong. |
|
Stumbled upon this and just want to let you know we've passed Feb 20 now :) |
|
@nekrich looking forward to this feature 😄 🙏 |
|
Any news here? |
|
any plans to merge this one? we need it to be able to automatically renew expired certs. thanks |
|
Any updates on this ? Can we have the steps that have to be done to renew them manually ? |
|
Any updates on this feature? We really need it |
|
@nekrich @lacostej do you have any visibility on when you might have time to merge this one? I completely understand if you don't have availability at the moment, I'm just trying to understand if it's worth investigating and creating a temporary script to automate the certificates renewal (we've hundreds of apps in the match repo, I can't do it manually). |
|
@hugo-advizr It Seems like you and I are facing exactly the same problem with the certificate's auto-renewal. I would love to brainstorm a solution with you. Do you use twitter or another social network I can use to DM you? |
Until fastlane#21809 is merged, it doesn't.
|
Any updates on this? This feature would be extremely helpful @nekrich, especially considering functionality was removed in favor of this PR |
|
Any update on auto-renewal of expired certificates? |
|
Bump- this would be very helpful to have! |
Checklist
bundle exec rspecfrom the root directory to see all new and existing tests passbundle exec rubocop -ato ensure the code style is validci/circlecibuilds in the "All checks have passed" section of my PR (connect CircleCI to GitHub if not)Motivation and Context
In most cases, there is only one cert/key pair in the match storage.
But when dealing with developer_id certificates, there could be two or even three. The reason for this is that developer ID certs have a 5-year lifespan. And it looks like an app signed with developer_id cert stops working when the developer id cert used to sign it is expired. Every couple of years, we issue a new developer id cert and use it to sign new app versions. In this case, we are sure that the latest release will work for a couple more years, and users will have plenty of time to update the app.
Since the developer id cert is not expired we use manual import. After that, we have two cert/key pairs in the match storage.
The problem I want to address is that the match uses a cert with the biggest id (filename). And this is wrong. We need a match to select a cert with the furthest expiration date in the future.
Description
Cert renewal updates
Other improvements
keysvariable. We need only certs with corresponding p12 keys.PS. Looks like failing tests on Ubuntu is not related to my changes.
Testing Steps
Run the match with storage having 2 or more certs of the same type.
Run the match with storage having 2 or more certs that are expired.