Fix iOS App Store upload validation
Some checks failed
Build Rust / Cargo Test (push) Successful in 4m1s
Lint Governance / BEP Metadata (push) Successful in 1s
Build Site / Next.js Build (push) Failing after 4s

This commit is contained in:
Conrad Kramer 2026-06-07 20:11:38 -07:00
parent fd9ea84ea5
commit 0924e40463
7 changed files with 115 additions and 8 deletions

View file

@ -233,6 +233,18 @@ The same change also makes the forge itself the release authority: release tags
- KMS-backed Apple certificates do not satisfy the existing Xcode/keychain
import path. Shipping with these certificates requires a signer that can
delegate Apple code-signing operations to Google KMS.
- iOS KMS signing must filter provisioning-profile entitlements through the
checked-in iOS entitlement templates before signing. App Store Connect
validates the bundle signature, not just the profile, and rejects profile-only
capabilities such as system extensions or unsupported NetworkExtension values
when they leak into an iOS app or extension signature.
- The App target must keep `Assets.xcassets` in its Resources phase. Xcode
derives the `CFBundleIcons` metadata and standalone App Store icon PNGs from
that resource membership during iOS builds.
- App Store Connect upload steps must fail on `altool` validation output as
well as non-zero process exits. Apple can emit a textual upload failure before
the workflow reaches TestFlight processing, and downstream tester waits must
not run unless the IPA upload was actually accepted.
- If the first key ring or Developer ID key is bootstrapped before the
OpenTofu remote state backend is available locally, the live resources must be
imported into `infra/identity` before enabling managed identity applies.