Fix installable build

[crazytonyli]

Set MATCH_CERTIFICATE_ID env var so that fastlane match can install the right certificate for us. See the code comments for details.

[dangermattic]

	1 Warning
⚠️	PR is not assigned to a milestone.

Generated by 🚫 Danger

[wpmobilebot]

You can test the changes in simplenote-ios from this Pull Request by:

• Clicking here or scanning the QR code below to access App Center
• Then installing the build number pr1592-625a3dd-018f83c4-6049-4257-a66c-73d15f69833e on your iPhone

If you need access to App Center, please ask a maintainer to add you.

[AliSoftware]

🎗️ Not related to this PR so could be addressed separately (just thought of it since this PR is about Prototype Builds) but would be nice to use our release-toolkit's prototype_build_details_comment action to generate the PR comment (which is formatted nicer and solves the issue with QR code image)

[AliSoftware]

Is there a reason for us having two certificates in the match repo currently? Maybe as we go through transitioning to a soon-to-be-expired one to a new further-expiration-date one?

I think I remember an issue or even a PR in fastlane exactly about that though (making fastlane always use the latest cert instead of just the first one) 🤔

Which, if that's the root cause for this issue in this repo and what this workaround aims to solve here, would be a better solution long term, and if so, worth taking note of them in that comment so that we can adopt the better solution once fixed in fastlane itself in the future.

[AliSoftware]

I think I remember an issue or even a PR in fastlane exactly about that though

This is the one I was thinking about

[crazytonyli]

Is there a reason for us having two certificates in the match repo currently? Maybe as we go through transitioning to a soon-to-be-expired one to a new further-expiration-date one?

I haven't been following certificates renewal closing, so I'm not sure why we have two.

making fastlane always use the latest cert instead of just the first one

I don't think that's a proper fix. That's no difference than picking first or last one. The correct fix should be installing the certificate that's used by the provisioning profiles. Or, just install all certificates and let Xcode figure out the rest.

[AliSoftware]

The correct fix should be installing the certificate that's used by the provisioning profiles. Or, just install all certificates and let Xcode figure out the rest.

Good point. You might want to leave a comment in the fastlane PR I mention above about this btw, as if it gets merged and shipped then the next time we update fastlane that might break our setups if they start picking the latest? 🤔

[AliSoftware]

And also in the short term if there's no good reason for us to have two distinct certificates in the Enterprise account, I think we should remove the one that is only used my Simplenote profiles to instead only keep the cert used by all other apps and profiles, even if that means you'll need to refresh the Simplenote profiles to use the other certificate.

That way that will avoid confusion in the future (about "why do we have 2 certificates? Which one is used by what? Which one should we renew?") and ease maintenance of our Enterprise account (including freeing up a slot for helping doing certificate rotation when the main cert will be about to expire, as iirc we can only have a maximum of two distribution certificates per account at a time?)

And finally doing such a cleanup in our account will also avoid you needing that fix (and us having to update the fix when certificates are renewed)

[crazytonyli]

I thought about that, but didn't do it because S8CMX4U6QW is newer than the other certificate (UW99FF5HN9): S8CMX4U6QW expires at 2027-01-07 17:22:57 UTC and UW99FF5HN9 expires at 2025-02-22 08:40:35 UTC.

It feels strange to revoke a newer certificate and keep an older one. But I guess that doesn't really
matter in how we use them in practice. I can look into renewing profiles.

[crazytonyli]

The in-house distribution provisioning profiles are renewed and installable build step now passes. I'll close this PR.