ios: produce signed build

Author: siddarthkay

ci/Jenkinsfile.ios

@@ -1,9 +1,10 @@
 #!/usr/bin/env groovy
-library 'status-jenkins-lib@v1.9.29'
+library 'status-jenkins-lib@sign-ios-release'
 
 /* Options section can't access functions in objects. */
 def isPRBuild = utils.isPRBuild()
 def isNightlyBuild = utils.isNightlyBuild()
+def isReleaseBranch = (env.CHANGE_BRANCH ?: env.BRANCH_NAME)?.startsWith('release')
 
 pipeline {
 
@@ -65,8 +66,9 @@ pipeline {
     IPHONE_SDK = "iphoneos"
     ARCH = "x86_64"
     /* iOS app paths */
-    STATUS_IOS_APP_ARTIFACT = "pkg/${utils.pkgFilename(ext: 'app.zip', arch: getArch(), version: env.VERSION, type: env.APP_TYPE)}"
+    STATUS_IOS_APP_ARTIFACT = "pkg/${utils.pkgFilename(ext: 'ipa', arch: getArch(), version: env.VERSION, type: env.APP_TYPE)}"
     STATUS_IOS_APP = "${WORKSPACE}/mobile/bin/ios/qt6/Status.app"
+    STATUS_IOS_IPA = "${WORKSPACE}/mobile/bin/ios/qt6/Status.ipa"
   }
 
   stages {
@@ -91,15 +93,28 @@ pipeline {
 
     stage('Build iOS App') {
       steps {
-        sh 'make mobile-build'
+        script {
+          app.buildSignedIOS(target='mobile-build', verbose='3')
+        }
       }
     }
 
     stage('Package iOS App') {
       steps {
         sh 'mkdir -p pkg'
-        sh "cd mobile/bin/ios/qt6 && zip -r ${env.WORKSPACE}/${env.STATUS_IOS_APP_ARTIFACT} Status.app"
-        sh "ls -la ${env.STATUS_IOS_APP_ARTIFACT}"
+        sh "cp ${env.STATUS_IOS_IPA} ${env.STATUS_IOS_APP_ARTIFACT}"
+        sh "ls -lh ${env.STATUS_IOS_APP_ARTIFACT}"
+      }
+    }
+
+    stage('Upload to TestFlight') {
+      when {
+        expression { return isReleaseBranch }
+      }
+      steps {
+        script {
+          app.uploadToTestFlight(ipaPath: env.STATUS_IOS_APP_ARTIFACT)
+        }
       }
     }
 
@@ -109,7 +124,7 @@ pipeline {
           steps {
             script {
               env.PKG_URL = s5cmd.upload(env.STATUS_IOS_APP_ARTIFACT)
-              jenkins.setBuildDesc(APP: env.PKG_URL)
+              jenkins.setBuildDesc(IPA: env.PKG_URL)
             }
           }
         }

mobile/ios/Info.plist

@@ -64,5 +64,7 @@
     <string>Status uses Media Library to save and send Images. The Media Library module internally requires permissions to Apple Music</string>
     <key>NSFaceIDUsageDescription</key>
     <string>Log in securely to your account.</string>
+    <key>ITSAppUsesNonExemptEncryption</key>
+    <false/>
 </dict>
 </plist>

mobile/scripts/buildApp.sh

@@ -10,6 +10,7 @@ BIN_DIR=${BIN_DIR:-"$CWD/../bin/ios"}
 BUILD_DIR=${BUILD_DIR:-"$CWD/../build"}
 ANDROID_ABI=${ANDROID_ABI:-"arm64-v8a"}
 BUILD_TYPE=${BUILD_TYPE:-"apk"}
+SIGN_IOS=${SIGN_IOS:-"false"}
 
 echo "Building wrapperApp for ${OS}, ${ANDROID_ABI}"
 
@@ -109,17 +110,161 @@ if [[ "${OS}" == "android" ]]; then
     fi
   fi
 else
+  # Generate timestamp-based build version (seconds * 1000 / 60000 = seconds / 60)
+  # This gives us minutes since epoch, similar to Android's milliseconds / 60000
+  BUILD_VERSION=$(($(date +%s) * 1000 / 60000))
+
+  # Include PR number in build version if available (for TestFlight visibility)
+  if [[ -n "${CHANGE_ID:-}" ]]; then
+    # Format: PR{number}.{timestamp} -> e.g., 18993.29353586
+    VERSION_STRING="${CHANGE_ID}.${BUILD_VERSION}"
+  else
+    # For non-PR builds, just use timestamp
+    VERSION_STRING="${BUILD_VERSION}"
+  fi
+
+  echo "Using version: $VERSION_STRING"
+
   QMAKE_BIN="${QMAKE:-qmake}"
-  "$QMAKE_BIN" "$CWD/../wrapperApp/Status.pro" -spec macx-ios-clang CONFIG+=release CONFIG+="$SDK" CONFIG+=device -after
+  "$QMAKE_BIN" "$CWD/../wrapperApp/Status.pro" -spec macx-ios-clang CONFIG+=release CONFIG+="$SDK" CONFIG+=device VERSION="$VERSION_STRING" -after
+
   # Compile resources
   xcodebuild -configuration Release -target "Qt Preprocess" -sdk "$SDK" -arch "$ARCH" CODE_SIGN_IDENTITY="" CODE_SIGNING_REQUIRED=NO CODE_SIGNING_ALLOWED=NO | xcbeautify
   # Compile the app
   xcodebuild -configuration Release -target Status install -sdk "$SDK" -arch "$ARCH" DSTROOT="$BIN_DIR" INSTALL_PATH="/" TARGET_BUILD_DIR="$BIN_DIR" CODE_SIGN_IDENTITY="" CODE_SIGNING_REQUIRED=NO CODE_SIGNING_ALLOWED=NO | xcbeautify
 
-  if [[ -e "$BIN_DIR/Status.app/Info.plist" ]]; then
-    echo "Build succeeded"
-  else
+  if [[ ! -e "$BIN_DIR/Status.app/Info.plist" ]]; then
     echo "Build failed"
     exit 1
   fi
+
+  if [[ "$SIGN_IOS" == "true" ]]; then
+    echo "Signing iOS app..."
+
+    if [[ -z "$IOS_CERT_PATH" || -z "$IOS_CERT_PASSWORD" || -z "$IOS_PROVISIONING_PROFILE" ]]; then
+      echo "Error: Missing iOS signing credentials"
+      exit 1
+    fi
+
+    # Import certificate to keychain
+    KEYCHAIN_NAME="build.keychain"
+    KEYCHAIN_PASSWORD=$(openssl rand -base64 16)
+
+    # Cleanup function to delete keychain
+    cleanup_keychain() {
+      echo "Cleaning up keychain..."
+      security default-keychain -s login.keychain 2>/dev/null || true
+      security delete-keychain "$KEYCHAIN_NAME" 2>/dev/null || true
+    }
+
+    # Set trap to cleanup keychain on script exit (success or failure)
+    trap cleanup_keychain EXIT
+
+    # Delete any existing keychain from previous failed builds
+    security delete-keychain "$KEYCHAIN_NAME" 2>/dev/null || true
+
+    security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_NAME"
+    security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_NAME"
+    security set-keychain-settings -t 3600 -u "$KEYCHAIN_NAME"
+    security list-keychains -s "$KEYCHAIN_NAME" login.keychain
+    security default-keychain -s "$KEYCHAIN_NAME"
+
+    # Import Apple WWDR G3 intermediate certificate to establish trust chain
+    echo "Importing Apple WWDR G3 certificate..."
+    WWDR_TEMP_DIR=$(mktemp -d)
+    curl -sS -o "$WWDR_TEMP_DIR/AppleWWDRCAG3.cer" https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer
+    security import "$WWDR_TEMP_DIR/AppleWWDRCAG3.cer" -k "$KEYCHAIN_NAME" -T /usr/bin/codesign
+    rm -rf "$WWDR_TEMP_DIR"
+    echo "Apple WWDR G3 certificate imported"
+
+    # Import user's certificate with private key
+    security import "$IOS_CERT_PATH" -k "$KEYCHAIN_NAME" -P "$IOS_CERT_PASSWORD" -T /usr/bin/codesign
+    security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_NAME"
+
+    # Install provisioning profile
+    PROFILE_DIR="$HOME/Library/MobileDevice/Provisioning Profiles"
+    mkdir -p "$PROFILE_DIR"
+
+    # Extract UUID from provisioning profile and copy with UUID as filename
+    PROFILE_UUID=$(security cms -D -i "$IOS_PROVISIONING_PROFILE" 2>/dev/null | grep -A1 "<key>UUID</key>" | grep "<string>" | sed 's/.*<string>\(.*\)<\/string>.*/\1/')
+
+    # Remove existing profile if it exists (may have read-only permissions)
+    rm -f "$PROFILE_DIR/$PROFILE_UUID.mobileprovision"
+
+    cp "$IOS_PROVISIONING_PROFILE" "$PROFILE_DIR/$PROFILE_UUID.mobileprovision"
+
+    echo "Installed provisioning profile: $PROFILE_UUID"
+
+    # Embed provisioning profile into the app bundle
+    echo "Embedding provisioning profile into app..."
+    cp "$IOS_PROVISIONING_PROFILE" "$BIN_DIR/Status.app/embedded.mobileprovision"
+
+    # Get signing identity (support both old "iPhone Distribution" and new "Apple Distribution")
+    echo "Searching for signing identity in keychain..."
+    security find-identity -v -p codesigning "$KEYCHAIN_NAME"
+
+    SIGNING_IDENTITY=$(security find-identity -v -p codesigning "$KEYCHAIN_NAME" | grep -E "iPhone Distribution|Apple Distribution" | head -1 | awk '{print $2}')
+
+    if [[ -z "$SIGNING_IDENTITY" ]]; then
+      echo "ERROR: No Distribution certificate found in keychain!"
+      echo "Available identities:"
+      security find-identity -v -p codesigning "$KEYCHAIN_NAME"
+      exit 1
+    fi
+
+    echo "Signing with identity: $SIGNING_IDENTITY"
+
+    # Extract entitlements from provisioning profile
+    echo "Extracting entitlements from provisioning profile..."
+    ENTITLEMENTS_PLIST=$(mktemp -t entitlements).plist
+
+    # Decode provisioning profile and extract entitlements in one step
+    security cms -D -i "$IOS_PROVISIONING_PROFILE" | \
+      plutil -extract Entitlements xml1 - -o "$ENTITLEMENTS_PLIST"
+
+    echo "Entitlements extracted to: $ENTITLEMENTS_PLIST"
+    cat "$ENTITLEMENTS_PLIST"
+
+    # Sign all embedded frameworks first (required for App Store submission)
+    echo "Signing embedded frameworks..."
+    if [ -d "$BIN_DIR/Status.app/Frameworks" ]; then
+      find "$BIN_DIR/Status.app/Frameworks" -name "*.framework" -type d | while read framework; do
+        echo "Signing framework: $(basename "$framework")"
+        codesign --force --sign "$SIGNING_IDENTITY" --timestamp "$framework"
+      done
+    fi
+
+    # Sign the main app bundle with entitlements from provisioning profile
+    echo "Signing main app bundle..."
+    codesign --force --sign "$SIGNING_IDENTITY" --entitlements "$ENTITLEMENTS_PLIST" --timestamp "$BIN_DIR/Status.app"
+
+    # Clean up temporary entitlements file
+    rm -f "$ENTITLEMENTS_PLIST"
+
+    # Verify signature
+    echo "Verifying signature..."
+    codesign --verify --verbose=4 "$BIN_DIR/Status.app"
+
+    # Display signing details for debugging
+    echo "Signature details:"
+    codesign -d --entitlements :- "$BIN_DIR/Status.app"
+
+    echo "iOS app signed successfully"
+
+    # Create IPA file
+    echo "Creating IPA file..."
+    IPA_DIR=$(mktemp -d)
+    mkdir -p "$IPA_DIR/Payload"
+    cp -R "$BIN_DIR/Status.app" "$IPA_DIR/Payload/"
+
+    # Create IPA (which is just a zip with .ipa extension)
+    cd "$IPA_DIR"
+    zip -r "$BIN_DIR/Status.ipa" Payload
+    cd -
+
+    rm -rf "$IPA_DIR"
+    echo "IPA created at $BIN_DIR/Status.ipa"
+  fi
+
+  echo "Build succeeded"
 fi

mobile/wrapperApp/Status.pro

@@ -44,8 +44,8 @@ ios {
 
     QMAKE_INFO_PLIST = $$PWD/../ios/Info.plist
     QMAKE_IOS_DEPLOYMENT_TARGET=16.0
-    QMAKE_TARGET_BUNDLE_PREFIX = im.status
-    QMAKE_BUNDLE = app
+    QMAKE_TARGET_BUNDLE_PREFIX = app.status
+    QMAKE_BUNDLE = mobile
     QMAKE_ASSET_CATALOGS += $$PWD/../ios/Images.xcassets
     QMAKE_IOS_LAUNCH_SCREEN = $$PWD/../ios/launch-image-universal.storyboard