[match] Restore renew expired certs (opt in)#30096
Conversation
Re-enables automatic renewal of expired certificates that was disabled by the hotfix in fastlane#21812. Keeps the readonly guard and certificate_id changes that landed afterwards.
Brings back the 'renews an outdated certificate' test and the renew_expired_certs option in related specs. Adds a regression test ensuring an outdated certificate is not renewed in readonly mode even when renew_expired_certs is true.
Even when renew_expired_certs is true, match must not delete/regenerate a stored certificate when: - running in readonly mode - the cert is a developer_id type authenticated with an App Store Connect API token (account holder login is required for renewal via API)
…ificate Document that the old certificate is only removed from match storage, not revoked on the Apple Developer Portal, and point to `match nuke` for freeing up certificate slots.
…ption Co-Authored-By: Claude Sonnet 4.6 (1M context) <[email protected]>
|
Trying to make sense of the history here & thanks for booting this back up. I for sure hate having to manually surgically remove an expired cert every year or so from my own match storage. So roughy:
I think if this is coming back - it has to be opt-in till we figure out what caused its removal. Probably deletion is such a scary aspect, but knowing we don't touch the Apple side is probably safer, but adapting match to not selecting an expired cert does seem preferred. |
|
Thanks @iBotPeaches for taking an attention
From my understanding, the original (#21691) implementation was waiting to be included in the next release. Unfortunately, it happened that the new version never been completed and fastlane users didn't get an option to renew certificate in any release |
|
Timeline: December, 2023
January, 2024
February, 2024
And this is where the story ends |
|
FYI: I've confirmed a new default behaviour in two scenarios:
|
|
thanks. I'm thinking we roll with it off then. I'd rather get a release or two of people opting into it and testing out this code that has been dormant for weeks vs defaulting it on especially with deletion involved. |
|
Fair enough Im going to renew distribution certificates on my job 11th of July. So I'm gonna test automation with production data. @iBotPeaches is there anything else to proceed with review? |
|
Are you saying its already hardened to have greater care on those cert types? I only build React Native & Flutter so don't have experience signing XC's or the renewal process for that. Generally only do pass keys, push notification keys and the regular ole profiles & certs for mobile apps. |
|
Yes. The great thing about this feature is that never tries to revoke certificate on the Apple portal which could cause a lot of damage to SDK developers. So we could try a safer approach with |
iBotPeaches
left a comment
There was a problem hiding this comment.
I'm open to trying this as an opt-in, because like you. Every year I have to manually delete some certs out of my repo so match can continue.
At some point we may learn this is not preferred over match just selecting a cert with a date further out, but that day is not today.
|
Ok, so what is the following process? I don't have permissions to merge this pull request. Could you merge it or there is still smth missing? |
There was a problem hiding this comment.
Hey @OdNairy 👋
Thank you for your contribution to fastlane and congrats on getting this pull request merged 🎉
The code change now lives in the master branch, however it wasn't released to RubyGems yet.
We usually ship about once a month, and your PR will be included in the next one.
Please let us know if this change requires an immediate release by adding a comment here 👍
We'll notify you once we shipped a new release with your changes 🚀"
<!-- CURSOR_AGENT_PR_BODY_BEGIN --> ## Summary Closes security findings for `faraday` (CVE-2026-54297) and `excon` (CVE-2026-54171) in `projects/maps-ios/mapbox-maps-ios/Gemfile`. | CVE | Package | Fix | |-----|---------|-----| | CVE-2026-54297 | faraday | `~> 1.10.6` | | CVE-2026-54171 | excon | `>= 1.5.0` | ## Changes - Bump `faraday` from `1.10.5` → `1.10.6` (patched NestedParamsEncoder depth limit). - Pin `excon` to `>= 1.5.0` (patched redirect header redaction). - Source `fastlane` from git ref [`20f68fd`](fastlane/fastlane@20f68fd) until a RubyGems release ships the required dependency updates. This commit includes: - Relaxed `excon` upper bound (`< 2.0.0`) for CVE-2026-54171 — [fastlane#30085](fastlane/fastlane#30085) - Match expired certificate renewal (opt-in) — [fastlane#30096](fastlane/fastlane#30096) ## Note on `debug-env/Gemfile` The security scanner also reports `debug-env/Gemfile`, but that directory was removed in #5159. Only `mapbox-maps-ios/Gemfile` exists in the tree today. ## Follow-up Once fastlane releases a version that includes both fixes, revert the git pin back to `gem "fastlane", ">= 2.232.1"` from RubyGems and refresh the lockfile. ## Testing - `bundle install` succeeds with the updated lockfile. - Resolved versions: `faraday 1.10.6`, `excon 1.5.0`, `fastlane 2.236.1` (from git @ `20f68fd`). <!-- CURSOR_AGENT_PR_BODY_END --> <div><a href="https://cursor.com/agents/bc-3316d43f-2079-48e1-9ae7-4cb4417b58e5"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-web-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-web-light.png"><img alt="Open in Web" width="114" height="28" src="https://cursor.com/assets/images/open-in-web-dark.png"></picture></a> <a href="https://cursor.com/background-agent?bcId=bc-3316d43f-2079-48e1-9ae7-4cb4417b58e5"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-cursor-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-cursor-light.png"><img alt="Open in Cursor" width="131" height="28" src="https://cursor.com/assets/images/open-in-cursor-dark.png"></picture></a> </div> cc @mapbox/maps-ios --------- Co-authored-by: Cursor Agent <[email protected]> GitOrigin-RevId: 13fefda61fa901212bf218f5f408a2e1c28d7f96
There was a problem hiding this comment.
Congratulations! 🎉 This was released as part of fastlane 2.237.0 🚀
Checklist
bundle exec rspecfrom the root directory to see all new and existing tests passbundle exec rubocop -ato ensure the code style is validci/circlecibuilds in the "All checks have passed" section of my PR (connect CircleCI to GitHub if not)Motivation and Context
Re-enable expired certificate renewal in
fastlane matchcommands.It was originally implemented in #21691 but turned off soon in #21812 in favor of #21809. The idea of #21809 was to implement a more intelligent and broad support for automatic renewal. It was January, 2024 and the PR stalling since February, 2024.
According to #21848 this issue has quite a demand and it is better to bring it back even without ideal implementation.
Resolves #21848
Description
Re-introduce
renew_expired_certsoption (default:false) to renew certificates during thefastlane match [development|distribution|etc]. Current implementation finds the first certificate matching requested type, checks the expiration date.The expired cert is removed from match storage and a new one is generated, but the old certificate is not revoked on the Apple Developer Portal.
Testing Steps
bundle exec rspec match/spec/runner_spec.rbNew regression specs: