ci: create and sign separate bundle ID for PRs

ci/Jenkinsfile.combined

@@ -1,6 +1,6 @@
 #!/usr/bin/env groovy
 
-library 'status-jenkins-lib@v1.9.31'
+library 'status-jenkins-lib@fix-ios-signing-with-fastlane'
 
 /* Object to store public URLs for description. */
 urls = [:]
@@ -113,6 +113,11 @@ pipeline {
             'MacOS/aarch64', jenkins.Build('status-app/systems/macos/aarch64/package')
           )
         } } }
+        stage('iOS/aarch64') { steps { script {
+          ios_aarch64 = getArtifacts(
+            'iOS/aarch64', jenkins.Build('status-app/systems/ios/aarch64/package')
+          )
+        } } }
       }
     }
     stage('Publish') {

ci/Jenkinsfile.ios

@@ -1,5 +1,5 @@
 #!/usr/bin/env groovy
-library 'status-jenkins-lib@v1.9.31'
+library 'status-jenkins-lib@fix-ios-signing-with-fastlane'
 
 /* Options section can't access functions in objects. */
 def isPRBuild = utils.isPRBuild()
@@ -73,10 +73,11 @@ pipeline {
     /* iOS build configuration */
     IPHONE_SDK = "iphoneos"
     ARCH = "x86_64"
-    /* iOS app paths */
+    /* iOS app paths - PR builds use StatusPR, release builds use Status */
+    STATUS_IOS_APP_NAME = "${utils.isReleaseBuild() ? 'Status' : 'StatusPR'}"
     STATUS_IOS_APP_ARTIFACT = "pkg/${utils.pkgFilename(ext: 'ipa', arch: getArch(), version: env.VERSION, type: env.APP_TYPE)}"
-    STATUS_IOS_APP = "${WORKSPACE}/mobile/bin/ios/qt6/Status.app"
-    STATUS_IOS_IPA = "${WORKSPACE}/mobile/bin/ios/qt6/Status.ipa"
+    STATUS_IOS_APP = "${WORKSPACE}/mobile/bin/ios/qt6/${env.STATUS_IOS_APP_NAME}.app"
+    STATUS_IOS_IPA = "${WORKSPACE}/mobile/bin/ios/qt6/${env.STATUS_IOS_APP_NAME}.ipa"
     TESTFLIGHT_POLL_TIMEOUT = "${params.TESTFLIGHT_POLL_TIMEOUT}"
     TESTFLIGHT_POLL_INTERVAL = "${params.TESTFLIGHT_POLL_INTERVAL}"
     /* nwaku source directory */
@@ -124,6 +125,7 @@ pipeline {
     stage('Parallel Upload') {
       parallel {
         stage('Upload to TestFlight') {
+          when { expression { utils.isReleaseBuild() } }
           steps {
             script {
               def changelog = sh(script: './scripts/generate-changelog.sh', returnStdout: true).trim()
@@ -137,11 +139,20 @@ pipeline {
             }
           }
         }
+        stage('Upload to Diawi') {
+          when { expression { !utils.isReleaseBuild() } }
+          steps {
+            script {
+              def comment = "status-desktop PR build ${env.VERSION} (${env.GIT_COMMIT?.take(8) ?: 'unknown'})"
+              env.DIAWI_URL = app.uploadToDiawi(env.STATUS_IOS_APP_ARTIFACT, comment)
+              jenkins.setBuildDesc(IPA: env.DIAWI_URL)
+            }
+          }
+        }
         stage('Upload to S3') {
           steps {
             script {
               env.PKG_URL = s5cmd.upload(env.STATUS_IOS_APP_ARTIFACT)
-              jenkins.setBuildDesc(IPA: env.PKG_URL)
             }
           }
         }

ci/README.md

@@ -26,3 +26,66 @@ It also expects the presence of the following credentials:
 * `macos-keychain-file` - Keychain file with the MacOS signing certificate.
 
 You can read about how to create such a keychain [here](https://github.com/status-im/infra-docs/blob/master/articles/macos_signing_keychain.md).
+
+## iOS
+
+iOS builds use **fastlane** with **match** for code signing management. This provides:
+- Automatic certificate and profile management
+- Separate signing for PR vs release builds
+
+### Bundle Identifiers
+
+| Build Type | Bundle ID | Fastlane Lane |
+|------------|-----------|---------------|
+| PR builds | `app.status.mobile.pr` | `pr` |
+| Release | `app.status.mobile` | `release` |
+
+### Certificate Types
+
+| Build Type | Certificate Type | Match Type | Purpose |
+|------------|------------------|------------|---------|
+| PR builds | Apple Development | `development` | Testing on registered devices |
+| Release | Apple Distribution | `appstore` | App Store / TestFlight |
+
+### Fastlane Files
+
+The `fastlane` configuration is located in `mobile/fastlane/`:
+
+| File | Purpose |
+|------|---------|
+| `Fastfile` | Defines build lanes (pr, nightly, release) |
+| `Matchfile` | Configures match for certificate management |
+| `Appfile` | App identifiers and team configuration |
+| `Gemfile` | Ruby dependencies |
+
+
+### Local Development
+
+To run `fastlane` locally for testing:
+
+```bash
+cd mobile/fastlane
+nix --extra-experimental-features 'nix-command flakes' develop
+bundle install
+
+# Run a specific lane
+bundle exec fastlane ios pr
+bundle exec fastlane ios release
+```
+
+### Revoking/Rotating Certificates
+
+If a certificate is compromised or revoked:
+
+```bash
+cd mobile/fastlane
+
+# Nuke existing certificates (warning!! watch what you nuke)
+bundle exec fastlane match nuke development
+bundle exec fastlane match nuke distribution
+
+# Regenerate
+bundle exec fastlane match development --app_identifier "app.status.mobile.pr"
+bundle exec fastlane match appstore --app_identifier "app.status.mobile"
+```
+

mobile/fastlane/.env.default

@@ -0,0 +1,11 @@
+# Default environment variables for fastlane
+# These can be overridden by CI environment
+
+# Disable fastlane colors in CI
+FASTLANE_DISABLE_COLORS=1
+
+# Skip session verification
+FASTLANE_SESSION=""
+
+# Team ID
+FASTLANE_TEAM_ID=8B5X2M6H2Y

mobile/fastlane/.gitignore

@@ -0,0 +1,15 @@
+# Gems installed locally
+.gems/
+vendor/bundle/
+
+# Bundler
+.bundle/
+
+# Fastlane
+fastlane/report.xml
+fastlane/Preview.html
+fastlane/screenshots/
+fastlane/test_output/
+
+# Nix
+result

mobile/fastlane/.ruby-version

@@ -0,0 +1 @@
+3.2.2

mobile/fastlane/Appfile

@@ -0,0 +1,9 @@
+# App identifiers for Status App iOS builds
+app_identifier("app.status.mobile")
+apple_id(ENV["FASTLANE_APPLE_ID"])
+team_id("8B5X2M6H2Y")
+itc_team_id(ENV["FASTLANE_ITC_TEAM_ID"])
+
+for_lane :pr do
+  app_identifier("app.status.mobile.pr")
+end