MetaMask · jake-perkins · Jul 9, 2025 · Jul 9, 2025 · Jul 9, 2025 · Jul 10, 2025
diff --git a/.github/actions/configure-keystore/action.yml b/.github/actions/configure-keystore/action.yml
@@ -0,0 +1,148 @@
+name: 'Configure Keystore'
+description: 'Assume an AWS role and fetch a secret into environment variables'
+
+inputs:
+  aws-role-to-assume:
+    description: 'The AWS IAM role to assume'
+    required: true
+  aws-region:
+    description: 'The AWS region where the secret is stored'
+    required: true
+  secret-name:
+    description: 'The name of the secret in AWS Secrets Manager'
+    required: true
+  platform:
+    description: 'The platform for which the keystore is being configured (e.g., ios, android)'
+    required: true
+  target:
+    description: 'The target for which the keystore is being configured (e.g., qa, flask, main)'
+    required: true
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Determine signing secret name
+      shell: bash
+      run: |
+        case "${{ inputs.target }}" in
+          qa)
+            SECRET_NAME="metamask-mobile-qa-signing-certificates"
+            ;;
+          flask)
+            SECRET_NAME="metamask-mobile-flask-signing-certificates"
+            ;;
+          main)
+            SECRET_NAME="metamask-mobile-main-signing-certificates"
+            ;;
+          *)
+            echo "❌ Unknown target: ${{ inputs.target }}"
+            exit 1
+            ;;
+        esac
+        echo "AWS_SIGNING_CERT_SECRET_NAME=$SECRET_NAME" >> "$GITHUB_ENV"
+
+    - name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        role-to-assume: ${{ inputs.aws-role-to-assume }}
+        aws-region: ${{ inputs.aws-region }}
+
+    - name: Fetch secret and export as environment variables
+      shell: bash
+      run: |
+        echo "🔐 Fetching secret from Secrets Manager..."
+        secret_json=$(aws secretsmanager get-secret-value \
+          --region "${{ inputs.aws-region }}" \
+          --secret-id "${AWS_SIGNING_CERT_SECRET_NAME}" \
+          --query SecretString \
+          --output text)
+
+        keys=$(echo "$secret_json" | jq -r 'keys[]')
+        for key in $keys; do
+          value=$(echo "$secret_json" | jq -r --arg k "$key" '.[$k]')
+          echo "::add-mask::$value"
+          echo "$key=$(printf '%s' "$value")" >> "$GITHUB_ENV"
+          echo "✅ Set secret for key: $key"
+        done
+
+    - name: Configure Android Signing Certificates
+      if: inputs.platform == 'android'
+      shell: bash
+      run: |
+        echo "📦 Configuring Android keystore..."
+        if [[ -z "$ANDROID_KEYSTORE" ]]; then
+          echo "⚠️ ANDROID_KEYSTORE is not set. Skipping keystore decoding."
+          exit 1
+        fi
+
+        # Use provided path if set, fallback to default
+        KEYSTORE_PATH="${ANDROID_KEYSTORE_PATH:-/tmp/android.keystore}"
+        echo "$ANDROID_KEYSTORE" | base64 --decode > "$KEYSTORE_PATH"
+        echo "✅ Android keystore written to $KEYSTORE_PATH"
+
+    - name: Configure iOS Signing Certificates
+      if: inputs.platform == 'ios'
+      shell: bash
+      run: |
+        echo "📦 Configuring iOS code signing..."
+
+        # Create paths
+        CERT_PATH="$RUNNER_TEMP/build_certificate.p12"
+        PROFILE_PATH="$RUNNER_TEMP/build_pp.mobileprovision"
+        KEYCHAIN_PATH="$RUNNER_TEMP/app-signing.keychain-db"
+        CERT_PW="${IOS_SIGNING_KEYSTORE_PASSWORD}"
+
+        # Decode base64 files
+        echo "$IOS_SIGNING_KEYSTORE" | base64 --decode > "$CERT_PATH"
+        echo "$IOS_SIGNING_PROFILE" | base64 --decode > "$PROFILE_PATH"
+        echo "✅ Decoded .p12 and provisioning profile"
+
+        # Create and unlock keychain
+        security create-keychain -p "$CERT_PW" "$KEYCHAIN_PATH"
+        security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
+        security unlock-keychain -p "$CERT_PW" "$KEYCHAIN_PATH"
+
+        # Import cert
+        echo "🔐 Importing certificate..."
+        if ! security import "$CERT_PATH" -P "$CERT_PW" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"; then
+          echo "❌ Failed to import certificate. Check if the password is correct or the .p12 is valid."
+          exit 1
+        fi
+        echo "✅ Certificate imported"
+
+        # Set key partition list
+        echo "🔑 Setting key partition list..."
+        if ! security set-key-partition-list -S apple-tool:,apple: -k "$CERT_PW" "$KEYCHAIN_PATH" 2>/dev/null; then
+          echo "❌ Failed to set key partition list. Codesigning tools may not have access."
+          exit 1
+        fi
+        echo "✅ Key partition list set"
+
+
+        # Verify signing identities
+        echo "🔍 Verifying code signing identities in keychain..."
+        IDENTITIES=$(security find-identity -p codesigning "$KEYCHAIN_PATH")
+
+        if ! echo "$IDENTITIES" | grep -q "Valid identities"; then
+          echo "❌ No valid code signing identities found in keychain."
+          echo "$IDENTITIES"
+          exit 1
+        fi
+
+        # Extract and print alias (first CN string)
+        CERT_ALIAS=$(echo "$IDENTITIES" | awk -F '"' '/"Apple/ {print $2; exit}')
+        if [[ -n "$CERT_ALIAS" ]]; then
+          echo "✅ Code signing identity available: $CERT_ALIAS"
+        else
+          echo "✅ Code signing identity is available (alias not parsed)"
+        fi
+
+        # Install provisioning profile
+        mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
+        cp "$PROFILE_PATH" ~/Library/MobileDevice/Provisioning\ Profiles/
+        echo "✅ Installed provisioning profile"
+
+        echo "Configuring default keychain"
+        security default-keychain -s "$KEYCHAIN_PATH"
+        echo "✅ default keychain set"
+