[Music] welcome back to our lane channel in the series of fastlane for ios in this video you'll learn about fastlane's ambitious solution that deeply simplifies and centralized team-centered code signing for ios and the action that powers a called match you'll also firm up and expand your knowledge of fast lanes use and best practices as you discover several ways to make your lanes more flexible robust and production ready in the previous video you learned how fast lane can automatically manage your personal code signing credentials via the actions called certain psy these tools elegantly automated obtaining storing and managing these resources and yet even with all of that the certificates and profiles served and side delivered were still the property of just one individual developer they're stored on top of her or his developers machine and they're tied to that person's personal account now this works great when you're a team of one but what happens if your team grows to two or four or twenty now as each team member is brought on board they each bring in their own development machines their own ios devices and most importantly their personal signing requests certificates and keys and these all get added to the mix okay so here's how this workflow would work a team manager creates a new private git repo then new private keys profiles and certificates are obtained from apple encrypted and stored in the private repo subsequently each team member imports the certificates and private keys to their key chain and the provisioning profiles are copied to their libraries so personally when i first encountered this idea i was intrigued and also honestly nervous do i want to store my code signing assets including my private code signing keys in the cloud and what if an attacker somehow does steal a private key well as it turns out in order to code sign your app they'd also need to break into your separate project code repository to do any damage further to get an app code signed by apple they'd need to submit it for review requiring they get your app store connect credentials and those assets aren't in the git repo either similar safeties hold for attempts to install a signed application onto an ad hoc ios device where once again the attacker would still need additional assets that aren't in this private repo now enterprise profiles do present more risk and there's a possibility that the attacker could distribute a signed application with the organization's name but even here the enterprise certificate could simply be revoked and that would instantly break any illicitly modified apps okay as a final precaution fastlane advises using the best practice of having every team member enable two-factor get authentication this provides a final layer of security and of course it's equally advisable for all of your project hit repos okay so what's the verdict well there's no absolute answer of course there's a finite risk with any code signing approach including the one that we've all been using for years every developer and team must find their balance between security convenience and efficiency but i feel that any added risk here is quite minimal and that the potential gains on the other hand are very compelling okay one last note the fastlane team has added integration with google cloud which you can use an alternative to get and if you have an investment in the google infrastructure this may appeal to you however in this course we're going to focus exclusively on git okay going back to the primary purpose of the video you'll meet your match all right so match is designed to fully deliver on fastlane's ambitious vision for team-based code signing match is tasked with handling the heavy lifting of creating encrypting and securely storing a team certificates and profiles in a single git repository and that and again retrieving decrypting and utilizing these on individual developers machines now one measure of match's ambition is fast lanes pledged that a team can set up code signing on a brand new machine in less than a minute to use match you must first set up a private git repository dedicated solely to storing your team certificates at the time of this recording github gitlab and bitbucket all let you create a private repository with free accounts so it's your choice once again we'll use terminal as our fastlane sandbox back in my project root directory i'll run i'm prompted to choose whether my private repo is in git or google cloud and then to enter the url of our private git repo i've created the process completes with a helpful summary let's take a look at this in finder as you can see this has created a new match file with our repos url you've previously seen app file and you'll encounter several more examples of storing project information in this kind of a settings file an additional benefit to this approach is that all configurations are automatically committed and shared with all team members as part of the project repo itself we're now ready to set up a completely new set of development assets encrypt and upload them to our git repo and then store the decrypted keys locally all it takes to do all this in the command line is the simple command when we run this you're prompted for a passphrase for encryption for completeness now i'll also run fastlane match app store and then fastlane match adhoc this ensures that we'll have these in place later on when we need them okay let's take a look at the results in our private repo with those three simple commands match has created a full set of team code signing assets that cover all phases of ios development notice that all our certificates along with their private keys live inside a certs folder and again all these assets are also encrypted by open ssl along with the passphrase you entered similarly take a look at profiles as you can see we have the matching profiles for ad hoc app store and development phases one last thing match also adds a very helpful readme that contains helpful onboarding instructions for other team members from here on out whenever anyone on my team needs to set up a new development machine all they're going to have to do is follow this simple readme and the new machine will be good to go that's it for setup next let's take a look at using match in a lane as with other actions you've seen using match in a lane is clean and simple you don't need to include your get info here because it's cleanly stored in your newly created match file currently matches only addressing development code signing assets you'll later add ad hoc and app store assets when we focus on these phases of app development one particularly useful parameter is force for new devices it automatically regenerates your provisioning profile if any of your team's device counts have changed i'll save and close this file then i'll go to my fast file i'll create a new lane here and i'll call it sync all development i'll add a line to call match now it's time to add parameters to specify development mode and save my changes as you can see in very short order our new lane checks everything to make any needed updates including silently decrypting and then encrypting logging into our apple and git accounts and managing our keychains and even more now i'm a fairly simple boy but i find all this pretty amazing back in my code editor i'll add my new lane and stub out my call to register devices now i need to find my device udid if you haven't done this before you can use xcode to do this by connecting your device opening devices selecting the device clicking on the identifier property to toggle it from a serial number to udid and then copying it now to switch lanes i'll simply add a call to sync device info at the beginning of our sinkhole development lane i'll save my changes and then back in terminal i'll run our updated sync all development lane as expected fastlane cruised on over to sync device info and once that lane was finished they returned back to our original lane and completed the rest of it in case you have a lot of devices then saving the list of devices in fast file will make fast file cluttered there is another way to help you to solve this problem i'll start by creating a new device file inside the project fastlane folder and update device file now back in my fast file i'll replace the device's parameter and values with a reference to my new device file okay i'll try out our updated lane back in terminal nice the new device list works just as expected so over the video we finished our tour of fast lane actions aimed at the development phase of ios app development now in the next video we'll turn our focus to the second core phase of ios development beta testing and test distribution there's a lot of really great and exciting things in store and i think you're going to love what we learned next i'll see you there