Proposal: Preinstall all WWDR certificates on macOS Shared Runners
As a follow-up to this Slack discussion (https://gitlab.slack.com/archives/CMB49D9FZ/p1659450611480709), I wanted to open this issue to propose preinstalling all Apple WWDR intermediate certificates on the macOS shared runners.
Background
Code signing certificates issued by Apple chain to an Apple Worldwide Developer Relations (WWDR) intermediate certificate, and codesign can only validate a signing certificate when that intermediate is present in a keychain on the machine. If the matching WWDR certificate is missing, the signing certificate shows as invalid and code signing fails. The intermediate only needs to be present; it does not need a custom trust setting, because it chains to an Apple root that ships with macOS. The workaround is to install the correct WWDR certificate: https://help.apple.com/xcode/mac/current/#/devc4c7101d8
Problem
There are currently six valid WWDR certificates available from Apple (G1 to G6, https://www.apple.com/certificateauthority/), and the one a given project needs depends on which WWDR certificate issued the project's signing certificates. If that specific WWDR certificate isn't present in the runner's keychain, the build fails in confusing ways (e.g. gitlab-com/runner-saas-macos-access-requests#457 (moved)).
Fastlane tries to help by installing the latest WWDR certificate (G6). That fixes some cases, but it causes confusion when G6 isn't the WWDR certificate the project actually needs: https://github.com/fastlane/fastlane/issues/20518
Proposal
Preinstalling all currently valid WWDR certificates in the System keychain on every macOS runner instance would give maximum compatibility for projects that use them and remove one failure point for people trying to run their builds on GitLab. This MR shows a failing build being fixed by downloading and adding the certificates: https://gitlab.com/gitlab-org/incubation-engineering/devops-for-mobile-apps/ios_demo/-/merge_requests/1/diffs
Keeping the list up to date and removing expired certificates from it would take some ongoing work, so that would need to be accounted for.
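As an added example (not code from this issue, from the linked MR, or from GitLab's runner images), the script below does the two things the proposal needs: it works out which WWDR generation a given signing certificate was issued under by reading its issuer DN, and it installs every published generation into the System keychain, skipping ones that are already there. It assumes the download URLs and the G1 to G6 list written into it (taken from the Apple page linked above; re-check them when updating), that `openssl` and `curl` are available, and that the macOS `security` tool and the System keychain path are present for the install step. The issuer-to-generation mapping is plain shell and runs anywhere; only the install step is macOS-specific.

```shell
#!/bin/sh
# Added example, not from the issue or GitLab's runner images: work out which
# Apple WWDR intermediate a signing certificate needs, and install every
# published WWDR intermediate into the System keychain. The URLs and the
# G1..G6 list below are assumptions taken from
# https://www.apple.com/certificateauthority/ ; re-check them when updating.
set -eu

WWDR_BASE_URL="https://www.apple.com/certificateauthority"
# G1 is published under a different path than G2..G6.
WWDR_G1_URL="https://developer.apple.com/certificationauthority/AppleWWDRCA.cer"
WWDR_GENERATIONS="G1 G2 G3 G4 G5 G6"
SYSTEM_KEYCHAIN="/Library/Keychains/System.keychain"

# Map an issuer DN, as printed by `openssl x509 -noout -issuer`, to a WWDR
# generation. G2..G6 carry "OU = Gn" in the DN; G1 carries
# "OU = Apple Worldwide Developer Relations". Returns non-zero for anything
# that is not a WWDR issuer (for example a Developer ID certificate).
wwdr_generation_from_issuer() {
  issuer=$1
  case "$issuer" in
    *"Apple Worldwide Developer Relations Certification Authority"*) ;;
    *) return 1 ;;
  esac
  gen=$(printf '%s' "$issuer" | sed -n 's/.*OU *= *\(G[2-9]\).*/\1/p')
  printf '%s\n' "${gen:-G1}"
}

# Download URL for a generation (assumed layout, see header comment).
wwdr_url_for_generation() {
  case "$1" in
    G1) printf '%s\n' "$WWDR_G1_URL" ;;
    G[2-9]) printf '%s/AppleWWDRCA%s.cer\n' "$WWDR_BASE_URL" "$1" ;;
    *) return 1 ;;
  esac
}

# Report which WWDR generation a signing certificate (PEM or DER .cer) needs.
required_wwdr_for_cert() {
  cert=$1
  issuer=$(openssl x509 -in "$cert" -noout -issuer 2>/dev/null \
        || openssl x509 -inform der -in "$cert" -noout -issuer)
  if gen=$(wwdr_generation_from_issuer "$issuer"); then
    printf '%s needs WWDR %s (%s)\n' "$cert" "$gen" "$(wwdr_url_for_generation "$gen")"
  else
    printf '%s is not issued by a WWDR intermediate: %s\n' "$cert" "$issuer" >&2
    return 1
  fi
}

# Install every generation into the System keychain, skipping ones already
# present (matched on the SHA-1 fingerprint that `security find-certificate -Z`
# prints). Intermediates only need to be present, so no trust setting is added.
install_all_wwdr() {
  tmp=$(mktemp -d)
  trap 'rm -rf "$tmp"' EXIT
  for gen in $WWDR_GENERATIONS; do
    url=$(wwdr_url_for_generation "$gen")
    file="$tmp/AppleWWDRCA$gen.cer"
    curl -fsSL -o "$file" "$url"
    fp=$(openssl x509 -inform der -in "$file" -noout -fingerprint -sha1 \
         | sed 's/.*=//; s/://g')
    if security find-certificate -a -Z \
         -c "Apple Worldwide Developer Relations Certification Authority" \
         "$SYSTEM_KEYCHAIN" 2>/dev/null | grep -qi "$fp"; then
      echo "WWDR $gen already present in $SYSTEM_KEYCHAIN"
    else
      sudo security add-certificates -k "$SYSTEM_KEYCHAIN" "$file"
      echo "installed WWDR $gen into $SYSTEM_KEYCHAIN"
    fi
  done
}

case "${1:-}" in
  install) install_all_wwdr ;;
  check)   required_wwdr_for_cert "${2:?signing certificate path required}" ;;
  *)       echo "usage: $0 install | check <signing-cert.cer>" >&2 ;;
esac
```

`check` is the diagnostic for the confusing failures described above: run it against the signing certificate a project exports and it names the exact WWDR generation the runner must have, which is what the Fastlane G6-only behaviour gets wrong. Certificates issued by a different Apple intermediate (Developer ID certificates, for instance) are reported as not needing a WWDR certificate at all. `install` is the runner-image step; because it skips certificates that are already in the keychain, it can be re-run whenever the generation list is updated.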
Any thoughts, feedback, or suggestions?