[release/9.0.1xx] [devops] Use a zip file with all the certificates and provisioning profiles. (#23455)

rolfbjarne · web-flow · commit af20d0b61566 · 2025-08-01T21:50:56.000-04:00
Azure DevOps' UI to add and modify secure files is utterly horrible. * There's no way to modify a secure file, you have to delete it and re-add it. * There's no documented way to add/remove a secure file using the REST API, although there's apparently an un-official REST API (microsoft/azure-pipelines-tasks#9172 (comment)), which was apparently supposed to become documented, which was over 6 years ago and in the meantime the only thing that happened was that the issue got closed. * There's no way to update the security settings for a secure file using the REST API that I could find, and the UI to do so is _sloooooow_ and clunky. So instead of going through the pain of adding/deleting/updating 19 different files, add them all in a single zip file, and feel the pain only once (per year). Backport of #23448.
diff --git a/tools/devops/automation/scripts/install-qa-provisioning-profiles.sh b/tools/devops/automation/scripts/install-qa-provisioning-profiles.sh
@@ -1,4 +1,4 @@
-#!/bin/bash -eux
+#!/bin/bash -eu
 
 WHITE=$(tput setaf 7 2>/dev/null || true)
 BLUE=$(tput setaf 6 2>/dev/null || true)
@@ -40,17 +40,7 @@ done
 
 echo "${BLUE}Installing certificates and provisioning profiles to the keychain '${WHITE}${KEYCHAIN}${BLUE}'${CLEAR}"
 
-IFS="." read -r -a VERSIONS <<< "$(sw_vers -productVersion)"
-majorVersion="${VERSIONS[0]}"
-minorVersion="${VERSIONS[1]}"
-echo "macOS version: ${majorVersion}.${minorVersion}"
-if [[ "$majorVersion" -gt 10 || ("$majorVersion" -eq 10 && "$minorVersion" -gt 11) ]]; then
-	echo "keychain file format: Sierra (10.12) and above"
-	KEYCHAIN_FILE=~/Library/Keychains/$KEYCHAIN.keychain-db
-else
-	echo "keychain file format: El Capitan (10.11) and below"
-	KEYCHAIN_FILE=~/Library/Keychains/$KEYCHAIN.keychain
-fi
+KEYCHAIN_FILE=~/Library/Keychains/$KEYCHAIN.keychain-db
 
 if test -f "$KEYCHAIN_FILE"; then
 	echo "${BLUE}Deleting previous keychain '${WHITE}$KEYCHAIN_FILE${BLUE}'${CLEAR}"
@@ -102,6 +92,8 @@ if test -z "$ONLY_CREATE_KEYCHAIN"; then
 	shopt -s nullglob
 	for p12 in provisioning-profiles/certificates-and-profiles/*.p12; do
 		echo "${BLUE}Installing the certificate '${WHITE}$p12${BLUE}'${CLEAR}"
+		openssl pkcs12 -nodes -in "$p12" -passin pass:1234 2>/dev/null | grep friendlyName | sed 's/^[[:space:]]*//' | sed 's/^/    /' || true
+		openssl pkcs12 -nodes -in "$p12" -passin pass:1234 2>/dev/null | openssl x509 -noout -dates -subject -fingerprint | sed 's/^/    /' || true
 		security import "$p12" -P "${AUTH_TOKEN_LA_DEV_APPLE_P12}" -A -t cert -f pkcs12 -k "$KEYCHAIN_FILE"
 	done
 
diff --git a/tools/devops/automation/templates/common/install-qa-provisioning-profiles.yml b/tools/devops/automation/templates/common/install-qa-provisioning-profiles.yml
@@ -2,57 +2,30 @@ parameters:
 - name: env
   type: object
 
-- name: secureFiles
-  type: object
-  default:
-    [
-      { 'name': 'AppleWWDRCAG3-2.cer', 'secureFile': 'macios-AppleWWDRCAG3-2.cer' },
-      { 'name': 'developer-id-application-luis-aguilera-jul-2029.p12', 'secureFile': 'macios-developer-id-application-luis-aguilera-jul-2029.p12' },
-      { 'name': 'developer-id-installer-luis-aguilera-jul-2029.p12', 'secureFile': 'macios-developer-id-installer-luis-aguilera-jul-2029.p12' },
-      { 'name': 'la_dev_apple.p12', 'secureFile': 'macios-la-dev-apple.p12' },
-      { 'name': 'la_dev_iPhone.p12', 'secureFile': 'macios-la-dev-iPhone.p12' },
-      { 'name': 'la_distr_apple.p12', 'secureFile': 'macios-la-distr-apple.p12' },
-      { 'name': 'la_distr_iphone.p12', 'secureFile': 'macios-la-distr-iphone.p12' },
-      { 'name': 'la_mac_app_dev.p12', 'secureFile': 'macios-la-mac-app-dev.p12' },
-      { 'name': 'la_mac_app_distr.p12', 'secureFile': 'macios-la-mac-app-distr.p12' },
-      { 'name': 'la_mac_installer_distr.p12', 'secureFile': 'macios-la-mac-installer-distr.p12' },
-      { 'name': 'vseng-xamarin-mac-devices-2.p12', 'secureFile': 'macios-vseng-xamarin-mac-devices-2.p12' },
-      { 'name': 'vseng-xamarin-mac-devices.p12', 'secureFile': 'macios-vseng-xamarin-mac-devices.p12' },
-      { 'name': 'vsengxamarinmacdevices.mobileprovision', 'secureFile': 'macios-vsengxamarinmacdevices.mobileprovision' },
-      { 'name': 'WildCardiOSDevelopment.mobileprovision', 'secureFile': 'macios-WildCardiOSDevelopment.mobileprovision' },
-      { 'name': 'WildCardiOSDistribution.mobileprovision', 'secureFile': 'macios-WildCardiOSDistribution.mobileprovision' },
-      { 'name': 'WildCardMacAppDevelopment.provisionprofile', 'secureFile': 'macios-WildCardMacAppDevelopment.provisionprofile' },
-      { 'name': 'WildCardMacDistribution.provisionprofile', 'secureFile': 'macios-WildCardMacDistribution.provisionprofile' },
-      { 'name': 'WildCardtvOSDevelopment.mobileprovision', 'secureFile': 'macios-WildCardtvOSDevelopment.mobileprovision' },
-      { 'name': 'WildCardtvOSDistribution.mobileprovision', 'secureFile': 'macios-WildCardtvOSDistribution.mobileprovision' },
-    ]
 - name: xamarinMaciosPath
   type: string
   default: $(Build.SourcesDirectory)/$(BUILD_REPOSITORY_TITLE)
-  
+
 steps:
 - pwsh: |
     New-Item $(Build.SourcesDirectory)/maccore/tools/provisioning-profiles/certificates-and-profiles -ItemType Directory -Force
   displayName: 'Create secret files folder'
 
-- ${{ each secureFile in parameters.secureFiles }}:
-  - task: DownloadSecureFile@1
-    displayName: 'Download ${{ secureFile.name }}'
-    inputs:
-      secureFile: ${{ secureFile.secureFile }}
+- task: DownloadSecureFile@1
+  displayName: 'Download macios-certificates-and-provisioning-profiles.zip'
+  inputs:
+    secureFile: macios-certificates-and-provisioning-profiles.zip
+
 - pwsh: |
     gci $(Agent.TempDirectory)
+    unzip -l $(Agent.TempDirectory)/macios-certificates-and-provisioning-profiles.zip
   displayName: 'List secure files'
-- pwsh: |
-    $secureFiles = '${{ convertToJson(parameters.secureFiles) }}' | ConvertFrom-Json
-    foreach ($secureFile in $secureFiles) {
-        $sourcePath = Join-Path -Path $env:AGENT_TEMPDIRECTORY -ChildPath $secureFile.secureFile
-        $destinationPath = Join-Path -Path "$env:BUILD_SOURCESDIRECTORY/maccore/tools/provisioning-profiles/certificates-and-profiles" -ChildPath $secureFile.name
 
-        Copy-Item -Path $sourcePath -Destination $destinationPath -Force
-    }
+- pwsh: |
+    mkdir -p $Env:BUILD_SOURCESDIRECTORY/maccore/tools/provisioning-profiles/certificates-and-profiles
+    unzip -d $Env:BUILD_SOURCESDIRECTORY/maccore/tools/provisioning-profiles/certificates-and-profiles/ $(Agent.TempDirectory)/macios-certificates-and-provisioning-profiles.zip
   displayName: 'Copy Certificates and Profiles'
-  
+
 - pwsh: |
     gci $(Build.SourcesDirectory)/maccore/tools/provisioning-profiles/certificates-and-profiles
   displayName: 'List Certificates and Profiles'
@@ -66,4 +39,4 @@ steps:
 
 - pwsh: |
     Remove-Item $(Build.SourcesDirectory)/maccore/tools/provisioning-profiles/certificates-and-profiles -Recurse -Force
-  displayName: 'Clean certs and profiles'
+  displayName: 'Clean certs and profiles'
