Private key management with automatic signing

I am currently attempting to set up iOS app building via CI (using GitHub Actions). I would like to use automatic signing via xcodebuild -allowProvisioningUpdates and an App Store Connect API key. However, this will only work properly on the first CI run, since a certificate will be created but is not available for subsequent runs because they happen on a new machine (failing with "Your account already has an Apple Development signing certificate for this machine, but its private key is not installed in your keychain").

Is there a way to do either of the following?

  1. Via the CLI, generate a new p12 certificate on-demand which I can cache and add to the keychain for future signing

  2. Make just the RSA private key available to Xcode so that, in the automated signing process, it can create a CSR with that key if needed, download the cer (which may already exist for that key) and generate the p12 on demand
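One way to make the private key outlive a single runner, added here as an example and not code from the thread, is the asker's option 2 done by hand: generate the RSA key and CSR once with openssl, keep the key as a CI secret, and on each run rebuild the .p12 from that cached key and the .cer Apple issued for it before importing it into a throwaway keychain. The subject, file paths, passwords and keychain name are placeholders; only the last function needs macOS.

```shell
#!/bin/sh
# Added example (not from the thread): keep one RSA private key outside the CI
# runner so every run rebuilds the same signing identity instead of asking
# Apple for a new certificate whose key lives only on that machine.
set -eu

# 1. Run once, off the CI runner. Store the key as a CI secret; upload the CSR
#    at developer.apple.com and download the .cer Apple issues for it.
gen_key_and_csr() {   # $1 = private key path, $2 = CSR path
  openssl genrsa -out "$1" 2048 2>/dev/null
  # placeholder subject
  openssl req -new -key "$1" -out "$2" -subj "/CN=CI Signing Key" 2>/dev/null
}

# 2. Every run: rebuild the .p12 from the cached key plus Apple's DER .cer.
build_p12() {         # $1 = key, $2 = .cer (DER), $3 = output .p12, $4 = password
  pem=$(mktemp)
  openssl x509 -inform der -in "$2" -out "$pem"
  # add -legacy here if an older macOS rejects OpenSSL 3's default p12 encryption
  openssl pkcs12 -export -inkey "$1" -in "$pem" -out "$3" -passout "pass:$4"
  rm -f "$pem"
}

# 3. Guard against the error in the question: confirm the cached key is the one
#    the certificate was issued for before trying to sign with it.
key_matches_cert() {  # $1 = key, $2 = cert (PEM); exit 0 iff public keys match
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" ]
}

# 4. macOS only: load the identity into a throwaway keychain that codesign can
#    use non-interactively, then put that keychain in the search list.
import_to_keychain() { # $1 = .p12, $2 = p12 password, $3 = keychain password
  security create-keychain -p "$3" ci.keychain-db
  security set-keychain-settings -lut 21600 ci.keychain-db
  security unlock-keychain -p "$3" ci.keychain-db
  security import "$1" -k ci.keychain-db -P "$2" -T /usr/bin/codesign -T /usr/bin/security
  security set-key-partition-list -S apple-tool:,apple: -s -k "$3" ci.keychain-db
  security list-keychains -d user -s ci.keychain-db login.keychain-db
}
```

Because the key never changes, the .cer Apple returns for that CSR stays valid for every later run, and a mismatch is caught by key_matches_cert before xcodebuild ever sees it.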

I was also running into this same problem recently.

I was surprised to see it was creating a new cert but then failed to be able to use it again after.

In my case it fails even on the first attempt, not just the first run.
