Claude Code Plugins

Community-maintained marketplace

Feedback

match

@greenstevester/fastlane-skill
1
0

Set up Match for iOS code signing certificate management

Install Skill

1Download skill
2Enable skills in Claude

Open claude.ai/settings/capabilities and find the "Skills" section

3Upload to Claude

Click "Upload skill" and select the downloaded ZIP file

Note: Please verify skill by going through its instructions before using it.

SKILL.md

name: match description: Set up Match for iOS code signing certificate management argument-hint: [--readonly] [--type development|appstore|adhoc] allowed-tools: Bash, Read, Write, Edit

Code Signing with Match

Set up Fastlane Match to manage iOS code signing certificates and provisioning profiles in a shared Git repository.

Pre-flight Checks

  • Fastlane installed: !fastlane --version 2>/dev/null | grep "fastlane " | head -1 || echo "✗ Not installed - run: brew install fastlane"
  • Fastfile exists: !ls fastlane/Fastfile 2>/dev/null && echo "✓ Found" || echo "✗ Not found - run /setup-fastlane first"
  • Existing Matchfile: !ls fastlane/Matchfile 2>/dev/null && echo "✓ Already configured" || echo "○ Not configured yet"
  • Git available: !git --version 2>/dev/null | head -1 || echo "✗ Git not installed"

Arguments: ${ARGUMENTS:-setup}

What is Match?

Match stores your iOS certificates and provisioning profiles in a private Git repository, encrypted with a passphrase. Benefits:

  • Team sharing: Everyone uses the same certificates (no more "works on my machine")
  • CI/CD ready: Clone the repo in your pipeline, no manual cert management
  • Revoke protection: Prevents accidental certificate revocation
  • Audit trail: Git history shows who changed what and when

Step 1: Create a Private Git Repository

Create a private repository to store your encrypted certificates:

# GitHub CLI (recommended)
gh repo create certificates --private --clone
cd certificates && cd ..

# Or manually at github.com/new (select Private)

Repository naming conventions:

  • certificates or ios-certificates
  • fastlane-certs
  • {company}-signing

Security: This repo will contain encrypted certificates. Keep it private and limit access to team members who need to build the app.

Step 2: Initialize Match

Run match init to create your Matchfile:

fastlane match init

When prompted:

  1. Storage mode: Select git
  2. Git URL: Enter your private repo URL (e.g., git@github.com:yourorg/certificates.git)

This creates fastlane/Matchfile:

git_url("git@github.com:yourorg/certificates.git")

storage_mode("git")

type("development") # Default type, can be overridden per-lane

# app_identifier(["com.yourcompany.app"])  # Optional: limit to specific apps
# username("user@example.com")              # Optional: Apple ID

Step 3: Generate Certificates

Generate certificates for each distribution type:

Development (for debugging on devices)

fastlane match development

App Store (for TestFlight and App Store)

fastlane match appstore

Ad Hoc (for direct device distribution)

fastlane match adhoc

First run prompts:

  1. Apple ID: Your Apple Developer account email
  2. Passphrase: Create a strong passphrase to encrypt certificates (save this securely!)

Important: Save the passphrase in a password manager. You'll need it for CI/CD and new team members.

Step 4: Integrate with Fastfile

Update your lanes to use Match before building:

default_platform(:ios)

platform :ios do
  desc "Sync all certificates"
  lane :sync_signing do
    match(type: "development")
    match(type: "appstore")
  end

  desc "Build for TestFlight"
  lane :beta do |options|
    match(type: "appstore", readonly: true)
    increment_build_number unless options[:skip_build_increment]
    gym(scheme: "YourApp", export_method: "app-store")
    pilot(skip_waiting_for_build_processing: true)
  end

  desc "Build for App Store"
  lane :release do
    match(type: "appstore", readonly: true)
    increment_build_number
    gym(scheme: "YourApp", export_method: "app-store")
    deliver(submit_for_review: false, force: true)
  end
end

Key pattern: Use readonly: true in build lanes to prevent accidental certificate regeneration.

Step 5: Onboard Team Members

New team members run:

# Clone and decrypt existing certificates (readonly)
fastlane match development --readonly
fastlane match appstore --readonly

They'll need:

  1. Access to the private certificates repository
  2. The Match passphrase
  3. Apple Developer team membership

Readonly mode ensures they can't accidentally revoke or regenerate certificates.

Step 6: CI/CD Setup

Set these environment variables in your CI/CD system:

# Required
MATCH_PASSWORD="your-match-passphrase"
MATCH_GIT_URL="git@github.com:yourorg/certificates.git"

# For App Store Connect (choose one method)
# Method 1: App-specific password
FASTLANE_USER="your@appleid.com"
FASTLANE_APPLE_APPLICATION_SPECIFIC_PASSWORD="xxxx-xxxx-xxxx-xxxx"

# Method 2: API Key (recommended for CI)
APP_STORE_CONNECT_API_KEY_ID="ABC123"
APP_STORE_CONNECT_API_KEY_ISSUER_ID="xyz-xyz-xyz"
APP_STORE_CONNECT_API_KEY_KEY="-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----"

GitHub Actions Example

- name: Install certificates
  run: fastlane match appstore --readonly
  env:
    MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}
    MATCH_GIT_URL: ${{ secrets.MATCH_GIT_URL }}

Xcode Cloud

Add to ci_scripts/ci_post_clone.sh:

# Install Fastlane and sync certificates
brew install fastlane
fastlane match appstore --readonly

Set MATCH_PASSWORD in Xcode Cloud environment variables.

Troubleshooting

"Couldn't decrypt the repo"

Wrong passphrase. Verify MATCH_PASSWORD is correct.

"Code signing error: No provisioning profiles"

Run fastlane match appstore (without --readonly) to generate profiles.

"Your certificate has been revoked"

Someone revoked certs in Apple Developer portal. Regenerate:

fastlane match nuke development  # Removes all development certs
fastlane match development       # Regenerates

"Multiple teams found"

Specify team in Matchfile:

team_id("ABCD1234")

"Unable to find app with bundle identifier"

Register the app first:

fastlane produce create -a com.yourcompany.app -n "Your App Name"

Match Commands Reference

# Setup
fastlane match init                    # Create Matchfile
fastlane match development             # Generate dev certs
fastlane match appstore                # Generate App Store certs
fastlane match adhoc                   # Generate Ad Hoc certs

# Team use (readonly - won't modify certs)
fastlane match development --readonly
fastlane match appstore --readonly

# Maintenance
fastlane match nuke development        # Revoke all dev certs
fastlane match nuke distribution       # Revoke all dist certs
fastlane match change_password         # Change encryption passphrase

# Debugging
fastlane match development --verbose   # Detailed output

Security Best Practices

  1. Private repository: Never make the certificates repo public
  2. Strong passphrase: Use 20+ characters, store in password manager
  3. Limit access: Only team members who build should have repo access
  4. Rotate periodically: Change passphrase annually with match change_password
  5. API keys over passwords: Use App Store Connect API keys for CI/CD

Files Created

fastlane/
└── Matchfile          # Match configuration

# In your certificates repo:
certs/
├── development/       # Development certificates
└── distribution/      # App Store/Ad Hoc certificates
profiles/
├── development/       # Development provisioning profiles
├── appstore/          # App Store provisioning profiles
└── adhoc/             # Ad Hoc provisioning profiles