Skip to main content

How do I manage iOS signing keys and provisioning profiles with GitLab runners?

Managing iOS signing keys and provisioning profiles with GitLab runners can be achieved through various approaches, depending on your specific requirements and security considerations. Here's a general guide to help you get started:

Securely Store Signing Keys and Profiles

It's crucial to securely store your iOS signing keys and provisioning profiles to prevent unauthorized access. Avoid committing them to your Git repository. Instead, use GitLab's CI/CD variables or CI/CD environment variables to securely store sensitive information.

Create CI/CD Variables

In your GitLab project, navigate to Settings > CI/CD > Variables. Add the following variables:

  • FASTLANE_USER: Your Apple ID used for code signing.
  • FASTLANE_PASSWORD: An App-Specific Password generated from your Apple ID account.
  • MATCH_PASSWORD: The password used to encrypt your signing certificates and profiles (if using fastlane match).

Note: Make sure to enable "Mask variable" for each of these variables to hide their values in the pipeline logs.

Use Fastlane

Fastlane is a popular tool for automating iOS app deployments. It simplifies managing code signing, certificates, and provisioning profiles. You can define Fastlane lanes in your .gitlab-ci.yml file to handle iOS signing tasks.

Install Dependencies

In your .gitlab-ci.yml, include a before_script section to install necessary dependencies, including Fastlane.

- gem install fastlane

Define Fastlane Lanes

In your .gitlab-ci.yml, define custom Fastlane lanes for different stages of your pipeline. For example:

- build
- test
- deploy

stage: build
- fastlane build

stage: test
- fastlane test

stage: deploy
- fastlane deploy
- master

Fastlane Configuration

In your Fastfile, set up code signing actions using the GitLab CI/CD variables.

lane :build do
# ... Other build steps ...
export_method: "development",
output_directory: "build",
export_options: {
provisioningProfiles: {

lane :test do
# ... Other test steps ...
skip_build: true,
destination: "platform=iOS Simulator,OS=15.0,name=iPhone 13"

lane :deploy do
# ... Other deployment steps ...
match(type: "appstore")
# ... Other deployment steps ...

Use fastlane match (Optional)

If you have multiple GitLab runners or need to share signing certificates and profiles among team members, you can use fastlane's match to manage code signing identities in a secure repository.

Remember, the security of your iOS signing keys and profiles is critical. Take appropriate measures to protect them and follow best practices for managing sensitive information in your CI/CD pipelines. Additionally, consider automating the provisioning profile generation process using services like fastlane match to simplify the workflow and ensure consistency across your projects.