ios: produce signed build

- points to `sign-ios-release` branch in status-jenkins-lib which provides iOS provisioning profile and appstore certs.
- builds signed iOS app and pushes to testflight.
- updates testflight metadata with PR link and commit sha it was built from
- adds `scripts/testflight-changelog.mjs` script used by CI to update PR metadata.
- set `ITSAppUsesNonExemptEncryption` to `false`

Author: siddarthkay

.gitignore

@@ -113,3 +113,4 @@ ui/StatusQ/src/StatusQ/Core/TestConfig.qml
 mobile/bin/
 mobile/lib/
 mobile/build/
+scripts/node_modules/

ci/Jenkinsfile.ios

@@ -1,9 +1,8 @@
 #!/usr/bin/env groovy
-library 'status-jenkins-lib@v1.9.29'
+library 'status-jenkins-lib@sign-ios-release'
 
 /* Options section can't access functions in objects. */
 def isPRBuild = utils.isPRBuild()
-def isNightlyBuild = utils.isNightlyBuild()
 
 pipeline {
 
@@ -20,6 +19,16 @@ pipeline {
       description: 'Level of verbosity based on nimbus-build-system setup.',
       choices: ['0','1','2','3']
     )
+    string(
+      name: 'TESTFLIGHT_POLL_TIMEOUT',
+      description: 'TestFlight build polling timeout in minutes.',
+      defaultValue: '30'
+    )
+    string(
+      name: 'TESTFLIGHT_POLL_INTERVAL',
+      description: 'TestFlight build polling interval in seconds.',
+      defaultValue: '30'
+    )
   }
 
   options {
@@ -65,8 +74,11 @@ pipeline {
     IPHONE_SDK = "iphoneos"
     ARCH = "x86_64"
     /* iOS app paths */
-    STATUS_IOS_APP_ARTIFACT = "pkg/${utils.pkgFilename(ext: 'app.zip', arch: getArch(), version: env.VERSION, type: env.APP_TYPE)}"
+    STATUS_IOS_APP_ARTIFACT = "pkg/${utils.pkgFilename(ext: 'ipa', arch: getArch(), version: env.VERSION, type: env.APP_TYPE)}"
     STATUS_IOS_APP = "${WORKSPACE}/mobile/bin/ios/qt6/Status.app"
+    STATUS_IOS_IPA = "${WORKSPACE}/mobile/bin/ios/qt6/Status.ipa"
+    TESTFLIGHT_POLL_TIMEOUT = "${params.TESTFLIGHT_POLL_TIMEOUT}"
+    TESTFLIGHT_POLL_INTERVAL = "${params.TESTFLIGHT_POLL_INTERVAL}"
   }
 
   stages {
@@ -91,25 +103,42 @@ pipeline {
 
     stage('Build iOS App') {
       steps {
-        sh 'make mobile-build'
+        script {
+          app.buildSignedIOS(target='mobile-build', verbose='3')
+        }
       }
     }
 
     stage('Package iOS App') {
       steps {
         sh 'mkdir -p pkg'
-        sh "cd mobile/bin/ios/qt6 && zip -r ${env.WORKSPACE}/${env.STATUS_IOS_APP_ARTIFACT} Status.app"
-        sh "ls -la ${env.STATUS_IOS_APP_ARTIFACT}"
+        sh "cp ${env.STATUS_IOS_IPA} ${env.STATUS_IOS_APP_ARTIFACT}"
+        sh "ls -lh ${env.STATUS_IOS_APP_ARTIFACT}"
+      }
+    }
+
+    stage('Upload to TestFlight') {
+      steps {
+        script {
+          def changelog = sh(script: './scripts/generate-changelog.sh', returnStdout: true).trim()
+
+          app.uploadToTestFlight(
+            ipaPath: env.STATUS_IOS_APP_ARTIFACT,
+            changelog: changelog,
+            pollTimeout: env.TESTFLIGHT_POLL_TIMEOUT,
+            pollInterval: env.TESTFLIGHT_POLL_INTERVAL
+          )
+        }
       }
     }
 
     stage('Parallel Upload') {
       parallel {
-        stage('Upload') {
+        stage('Upload to S3') {
           steps {
             script {
               env.PKG_URL = s5cmd.upload(env.STATUS_IOS_APP_ARTIFACT)
-              jenkins.setBuildDesc(APP: env.PKG_URL)
+              jenkins.setBuildDesc(IPA: env.PKG_URL)
             }
           }
         }

mobile/ios/Info.plist

@@ -64,5 +64,7 @@
     <string>Status uses Media Library to save and send Images. The Media Library module internally requires permissions to Apple Music</string>
     <key>NSFaceIDUsageDescription</key>
     <string>Log in securely to your account.</string>
+    <key>ITSAppUsesNonExemptEncryption</key>
+    <false/>
 </dict>
 </plist>

mobile/scripts/android/sign.sh

@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [[ $# -lt 1 ]]; then
+  echo "Usage: $0 <aab-file-path>"
+  exit 1
+fi
+
+AAB_FILE="$1"
+
+if [[ ! -f "$AAB_FILE" ]]; then
+  echo "Error: AAB file not found at $AAB_FILE"
+  exit 1
+fi
+
+if [[ -z "$KEYSTORE_PATH" || -z "$KEYSTORE_PASSWORD" || -z "$KEY_ALIAS" || -z "$KEY_PASSWORD" ]]; then
+  echo "Error: Missing signing credentials"
+  echo "Required: KEYSTORE_PATH, KEYSTORE_PASSWORD, KEY_ALIAS, KEY_PASSWORD"
+  exit 1
+fi
+
+if [[ ! -f "$KEYSTORE_PATH" ]]; then
+  echo "Error: Keystore file not found at $KEYSTORE_PATH"
+  exit 1
+fi
+
+echo "Signing AAB with jarsigner..."
+jarsigner -sigalg SHA256withRSA -digestalg SHA-256 \
+  -keystore "$KEYSTORE_PATH" \
+  -storepass "$KEYSTORE_PASSWORD" \
+  -keypass "$KEY_PASSWORD" \
+  "$AAB_FILE" "$KEY_ALIAS"
+
+if [[ $? -ne 0 ]]; then
+  echo "Error: AAB signing failed"
+  exit 1
+fi
+
+echo "Verifying AAB signature..."
+VERIFY_OUTPUT=$(jarsigner -verify "$AAB_FILE" 2>&1)
+if echo "$VERIFY_OUTPUT" | grep -q "jar verified"; then
+  echo "AAB signature verification: PASSED"
+else
+  echo "Error: AAB signature verification failed"
+  echo "Verify output: $VERIFY_OUTPUT"
+  exit 1
+fi
+
+echo "AAB signed successfully: $AAB_FILE"

mobile/scripts/buildApp.sh

@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-set -ef pipefail
+set -eo pipefail
 
 CWD=$(realpath "$(dirname "$0")")
 
@@ -10,6 +10,7 @@ BIN_DIR=${BIN_DIR:-"$CWD/../bin/ios"}
 BUILD_DIR=${BUILD_DIR:-"$CWD/../build"}
 ANDROID_ABI=${ANDROID_ABI:-"arm64-v8a"}
 BUILD_TYPE=${BUILD_TYPE:-"apk"}
+SIGN_IOS=${SIGN_IOS:-"false"}
 
 echo "Building wrapperApp for ${OS}, ${ANDROID_ABI}"
 
@@ -60,27 +61,8 @@ if [[ "${OS}" == "android" ]]; then
       exit 1
     fi
 
-    # Note: androiddeployqt --sign does not work for AAB files, so we sign with jarsigner
-    echo "Signing AAB with jarsigner..."
-    jarsigner -sigalg SHA256withRSA -digestalg SHA-256 \
-      -keystore "$KEYSTORE_PATH" \
-      -storepass "$KEYSTORE_PASSWORD" \
-      -keypass "$KEY_PASSWORD" \
-      "$OUTPUT_FILE" "$KEY_ALIAS"
-
-    if [[ $? -ne 0 ]]; then
-      echo "Error: AAB signing failed"
-      exit 1
-    fi
-
-    VERIFY_OUTPUT=$(jarsigner -verify "$OUTPUT_FILE" 2>&1)
-    if echo "$VERIFY_OUTPUT" | grep -q "jar verified"; then
-      echo "AAB signature verification: PASSED"
-    else
-      echo "Error: AAB signature verification failed"
-      echo "Verify output: $VERIFY_OUTPUT"
-      exit 1
-    fi
+    # Sign the AAB file (androiddeployqt --sign does not work for AAB files)
+    "$CWD/android/sign.sh" "$OUTPUT_FILE"
 
     ANDROID_OUTPUT_DIR="bin/android/qt6"
     BIN_DIR_ANDROID=${BIN_DIR:-"$CWD/$ANDROID_OUTPUT_DIR"}
@@ -128,17 +110,32 @@ if [[ "${OS}" == "android" ]]; then
     fi
   fi
 else
+  BUILD_VERSION=$(($(date +%s) * 1000 / 60000))
+
+  if [[ -n "${CHANGE_ID:-}" ]]; then
+    VERSION_STRING="${CHANGE_ID}.${BUILD_VERSION}"
+  else
+    VERSION_STRING="${BUILD_VERSION}"
+  fi
+
+  echo "Using version: $VERSION_STRING"
+
   QMAKE_BIN="${QMAKE:-qmake}"
-  "$QMAKE_BIN" "$CWD/../wrapperApp/Status.pro" -spec macx-ios-clang CONFIG+=release CONFIG+="$SDK" CONFIG+=device -after
+  "$QMAKE_BIN" "$CWD/../wrapperApp/Status.pro" -spec macx-ios-clang CONFIG+=release CONFIG+="$SDK" CONFIG+=device VERSION="$VERSION_STRING" -after
+
   # Compile resources
   xcodebuild -configuration Release -target "Qt Preprocess" -sdk "$SDK" -arch "$ARCH" CODE_SIGN_IDENTITY="" CODE_SIGNING_REQUIRED=NO CODE_SIGNING_ALLOWED=NO | xcbeautify
   # Compile the app
   xcodebuild -configuration Release -target Status install -sdk "$SDK" -arch "$ARCH" DSTROOT="$BIN_DIR" INSTALL_PATH="/" TARGET_BUILD_DIR="$BIN_DIR" CODE_SIGN_IDENTITY="" CODE_SIGNING_REQUIRED=NO CODE_SIGNING_ALLOWED=NO | xcbeautify
 
-  if [[ -e "$BIN_DIR/Status.app/Info.plist" ]]; then
-    echo "Build succeeded"
-  else
+  if [[ ! -e "$BIN_DIR/Status.app/Info.plist" ]]; then
     echo "Build failed"
     exit 1
   fi
+
+  if [[ "$SIGN_IOS" == "true" ]]; then
+    "$CWD/ios/sign.sh"
+  fi
+
+  echo "Build succeeded"
 fi

mobile/scripts/ios/sign.sh

@@ -0,0 +1,117 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+CWD=$(realpath "$(dirname "$0")")
+BIN_DIR=${BIN_DIR:-"$CWD/../../bin/ios"}
+
+if [[ ! -e "$BIN_DIR/Status.app/Info.plist" ]]; then
+  echo "Error: Status.app not found at $BIN_DIR/Status.app"
+  exit 1
+fi
+
+if [[ -z "$IOS_CERT_PATH" || -z "$IOS_CERT_PASSWORD" || -z "$IOS_PROVISIONING_PROFILE" ]]; then
+  echo "Error: Missing iOS signing credentials"
+  echo "Required: IOS_CERT_PATH, IOS_CERT_PASSWORD, IOS_PROVISIONING_PROFILE"
+  exit 1
+fi
+
+echo "Signing iOS app at $BIN_DIR/Status.app..."
+
+KEYCHAIN_NAME="build-$$.keychain"
+KEYCHAIN_PASSWORD=$(openssl rand -base64 16)
+
+cleanup_keychain() {
+  echo "Cleaning up keychain..."
+  security default-keychain -s login.keychain 2>/dev/null || true
+  security delete-keychain "$KEYCHAIN_NAME" 2>/dev/null || true
+}
+
+trap cleanup_keychain EXIT
+
+security delete-keychain "$KEYCHAIN_NAME" 2>/dev/null || true
+
+security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_NAME"
+security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_NAME"
+security set-keychain-settings -t 3600 -u "$KEYCHAIN_NAME"
+security list-keychains -s "$KEYCHAIN_NAME" login.keychain
+security default-keychain -s "$KEYCHAIN_NAME"
+
+echo "Importing Apple WWDR G3 certificate..."
+WWDR_TEMP_DIR=$(mktemp -d)
+curl -sS -o "$WWDR_TEMP_DIR/AppleWWDRCAG3.cer" https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer
+security import "$WWDR_TEMP_DIR/AppleWWDRCAG3.cer" -k "$KEYCHAIN_NAME" -T /usr/bin/codesign
+rm -rf "$WWDR_TEMP_DIR"
+echo "Apple WWDR G3 certificate imported"
+
+security import "$IOS_CERT_PATH" -k "$KEYCHAIN_NAME" -P "$IOS_CERT_PASSWORD" -T /usr/bin/codesign
+security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_NAME"
+
+PROFILE_DIR="$HOME/Library/MobileDevice/Provisioning Profiles"
+mkdir -p "$PROFILE_DIR"
+
+PROFILE_UUID=$(security cms -D -i "$IOS_PROVISIONING_PROFILE" 2>/dev/null | grep -A1 "<key>UUID</key>" | grep "<string>" | sed 's/.*<string>\(.*\)<\/string>.*/\1/')
+
+rm -f "$PROFILE_DIR/$PROFILE_UUID.mobileprovision"
+
+cp "$IOS_PROVISIONING_PROFILE" "$PROFILE_DIR/$PROFILE_UUID.mobileprovision"
+
+echo "Installed provisioning profile: $PROFILE_UUID"
+
+echo "Embedding provisioning profile into app..."
+cp "$IOS_PROVISIONING_PROFILE" "$BIN_DIR/Status.app/embedded.mobileprovision"
+
+echo "Searching for signing identity in keychain..."
+security find-identity -v -p codesigning "$KEYCHAIN_NAME"
+
+SIGNING_IDENTITY=$(security find-identity -v -p codesigning "$KEYCHAIN_NAME" | grep -E "iPhone Distribution|Apple Distribution" | head -1 | awk '{print $2}')
+
+if [[ -z "$SIGNING_IDENTITY" ]]; then
+  echo "ERROR: No Distribution certificate found in keychain!"
+  echo "Available identities:"
+  security find-identity -v -p codesigning "$KEYCHAIN_NAME"
+  exit 1
+fi
+
+echo "Signing with identity: $SIGNING_IDENTITY"
+
+echo "Extracting entitlements from provisioning profile..."
+ENTITLEMENTS_PLIST=$(mktemp -t entitlements).plist
+
+security cms -D -i "$IOS_PROVISIONING_PROFILE" | \
+  plutil -extract Entitlements xml1 - -o "$ENTITLEMENTS_PLIST"
+
+echo "Entitlements extracted to: $ENTITLEMENTS_PLIST"
+cat "$ENTITLEMENTS_PLIST"
+
+echo "Signing embedded frameworks..."
+if [ -d "$BIN_DIR/Status.app/Frameworks" ]; then
+  find "$BIN_DIR/Status.app/Frameworks" -name "*.framework" -type d | while read framework; do
+    echo "Signing framework: $(basename "$framework")"
+    codesign --force --sign "$SIGNING_IDENTITY" --timestamp "$framework"
+  done
+fi
+
+echo "Signing main app bundle..."
+codesign --force --sign "$SIGNING_IDENTITY" --entitlements "$ENTITLEMENTS_PLIST" --timestamp "$BIN_DIR/Status.app"
+
+rm -f "$ENTITLEMENTS_PLIST"
+
+echo "Verifying signature..."
+codesign --verify --verbose=4 "$BIN_DIR/Status.app"
+
+echo "Signature details:"
+codesign -d --entitlements :- "$BIN_DIR/Status.app"
+
+echo "iOS app signed successfully"
+
+echo "Creating IPA file..."
+IPA_DIR=$(mktemp -d)
+mkdir -p "$IPA_DIR/Payload"
+cp -R "$BIN_DIR/Status.app" "$IPA_DIR/Payload/"
+
+cd "$IPA_DIR"
+zip -r "$BIN_DIR/Status.ipa" Payload
+cd -
+
+rm -rf "$IPA_DIR"
+echo "IPA created at $BIN_DIR/Status.ipa"

mobile/wrapperApp/Status.pro

@@ -44,8 +44,8 @@ ios {
 
     QMAKE_INFO_PLIST = $$PWD/../ios/Info.plist
     QMAKE_IOS_DEPLOYMENT_TARGET=16.0
-    QMAKE_TARGET_BUNDLE_PREFIX = im.status
-    QMAKE_BUNDLE = app
+    QMAKE_TARGET_BUNDLE_PREFIX = app.status
+    QMAKE_BUNDLE = mobile
     QMAKE_ASSET_CATALOGS += $$PWD/../ios/Images.xcassets
     QMAKE_IOS_LAUNCH_SCREEN = $$PWD/../ios/launch-image-universal.storyboard
 

scripts/extract-bundle-version.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [[ $# -lt 1 ]]; then
+  echo "Usage: $0 <ipa-file-path>" >&2
+  exit 1
+fi
+
+IPA_PATH="$1"
+
+if [[ ! -f "$IPA_PATH" ]]; then
+  echo "Error: IPA file not found at $IPA_PATH" >&2
+  exit 1
+fi
+
+unzip -p "$IPA_PATH" 'Payload/*.app/Info.plist' | \
+  plutil -extract CFBundleVersion raw -o - -