Code signing for SaaS runners on macOS

Before you can integrate GitLab with Apple services, install to a device, or deploy to the Apple App Store, you must code sign your application.

To code sign an iOS project, you need the following files:

  • A certificate issued by Apple.
  • A provisioning profile.

Code signing iOS Projects with fastlane

When you use SaaS runners on macOS, each job runs on a VM. Included in each VM is fastlane, an open-source solution aimed at simplifying mobile app deployment.

These steps outline the minimal setup required to use fastlane to code sign your application. Refer to the fastlane getting started guide, best practices for integrating with GitLab CI and the fastlane code signing getting started guide for installation instructions, and an overview of how to use fastlane to handle code signing.

To use fastlane to code sign your application:

  1. At the root of your project repository, on your local development system, run this command:

    fastlane match init

    This command creates the fastlane directory and adds two files: Fastfile and Appfile.

  2. Open Appfile and edit it to include your Apple ID and app ID.

    app_identifier("APP IDENTIFIER") # The bundle identifier of your app
    apple_id("APPLE ID") # Your Apple email address
  3. Open Fastfile, which includes the fastlane build steps. In the following snippet, the steps get_certificates, get_provisioning_profile,match, gym, and upload_to_testflight are fastlane actions.

    # This file contains the configuration
    # You can find the documentation at
    platform :ios do
      desc "Build the application"
      lane :beta do
        build_number: latest_testflight_build_number + 1,
        xcodeproj: "${PROJECT_NAME}.xcodeproj"
        # match(type: "appstore",read_only: true)

The example configuration also includes an optional Gymfile. This file stores configuration parameters and is used by the fastlane gym action.

Using fastlane match

To simplify the code signing process and implement the Code Signing Best Practices Guide recommendations, use fastlane match.

  • Use one code signing identity shared across your team.
  • Store the required certificates and provisioning profiles in a separate GitLab project repository.

Match automatically syncs iOS and macOS keys and provisioning profiles across all team members with access to the GitLab project. Each team member with access to the project can use the credentials for code signing.

To use fastlane match:

  1. Initialize match in the project repository:

    bundle exec fastlane match init
  2. Select git as your storage node.
  3. Enter the URL of the GitLab project you plan to use to store your code signing identities.
  4. Optional. To create a new certificate and provisioning profile, run:

    bundle exec fastlane match development

For different code signing identities’ storage options, and for a complete step-by-step guide for using match, refer to the match documentation.

Environment variables and authentication

To complete the setup, you must configure environment variables to use with fastlane. The required variables are outlined in the fastlane documentation.

To support Apple’s two factor authentication requirement, configure these variables:


To authenticate fastlane with the App Store for the TestFlight upload, configure these variables:


View the fastlane authentication with Apple Services guide for an overview of authentication options.