Mobile teams face some unique challenges when it comes to establishing DevOps practices. Build tools are different, release and approval cycles with app stores can be slower and introduce more risk, and some applications require specialized runners. At GitLab, we are focused on finding solutions to these challenges to make it easier for everyone to contribute! Starting with mobile code signing.
This post is the first in a series on mobile DevOps and it shows how GitLab makes code signing easier using a new feature called Project-level Secure Files.
A brief introduction to mobile code signing
Android and iOS projects require special configuration files for secure application code signing to ensure an application on a user's device hasn't been tampered with. These configuration files can be challenging to manage in a CI environment. Keystores, signing certificates, and provisioning profiles shouldn't be stored in version control because they contain sensitive information. These files are also binary (not text), so they can't easily be stored as CI variables.
To make this process easier, we've introduced a feature in GitLab 15.0 called Project-level Secure Files. This feature allows these files to be stored securely as part of a GitLab project but outside version control. Secure Files can then easily be loaded into a CI job when it's time to execute the code signing process.
Get started by adding a secure file to a project:
- On the top bar, select Menu > Projects and find your project.
- On the left sidebar, select Settings > CI/CD.
- In the Secure Files section, select Expand.
- Select Upload File.
- Find the file to upload, select Open, and the file upload begins immediately. The file shows up in the list when the upload is complete.
With the files securely stored with the project, the next step is to load them into a CI/CD job. To use your secure files in a CI/CD job, you must use the download-secure-files tool to download the files in the job. After downloading them, these files can be used in any CI job.
Add a command in the script section of your job to download the download-secure-files tool and execute it. It's also important to specify the download location for the secure files by setting the desired path in the
SECURE_FILES_DOWNLOAD_PATH CI/CD variable.
- curl --silent "https://gitlab.com/gitlab-org/incubation-engineering/mobile-devops/download-secure-files/-/raw/main/installer" | bash
Now, when the CI job runs, all of the secure files will be available in the location specified. They can then be passed into a build script or loaded into the Apple keychain.
That's it! Give it a try, and let us know what you think in the feedback issue.
Next time we will walk through how to set up code signing for an Android app.