InstallAppleCertificate@2 - Install Apple certificate v2 task

Use this task to install the Apple certificate that is required to build on a macOS agent. You can use this task to install an Apple certificate that is stored as a secure file on the server.


Syntax

# Install Apple certificate v2
# Install an Apple certificate required to build on a macOS agent machine.
- task: InstallAppleCertificate@2
  inputs:
    certSecureFile: # string. Required. Certificate (P12). 
    #certPwd: # string. Certificate (P12) password. 
  # Advanced
    keychain: 'temp' # 'default' | 'temp' | 'custom'. Required. Keychain. Default: temp.
    #keychainPassword: # string. Required when keychain = custom || keychain = default. Keychain password. 
    #customKeychainPath: # string. Required when keychain = custom. Custom keychain path. 
    #deleteCert: # boolean. Optional. Use when keychain = custom || keychain = default. Delete certificate from keychain. 
    #deleteCustomKeychain: # boolean. Optional. Use when keychain = custom. Delete custom keychain. 
    #signingIdentity: # string. Certificate signing identity. 
    #setUpPartitionIdACLForPrivateKey: # boolean. Set up partition_id ACL for the imported private key.

Inputs

certSecureFile - Certificate (P12)
string. Required.

Specifies the certificate (.p12) that was uploaded to Secure Files to install on the macOS agent.


certPwd - Certificate (P12) password
string.

Specifies the password to the Apple certificate (.p12). Use a new build variable with its lock enabled on the Variables tab to encrypt this value.


keychain - Keychain
string. Required. Allowed values: default (Default Keychain), temp (Temporary Keychain), custom (Custom Keychain). Default value: temp.

Specifies the keychain in which to install the Apple certificate. For Microsoft-hosted builds, use Temporary Keychain. A temporary keychain will always be deleted after the build or release is complete.


keychainPassword - Keychain password
string. Required when keychain = custom || keychain = default.

Specifies the password to unlock the keychain. Use a new build variable with its lock enabled on the Variables tab to encrypt this value. A password is generated for the temporary keychain if not specified.


customKeychainPath - Custom keychain path
string. Required when keychain = custom.

Specifies the full path to a custom keychain file. The keychain will be created if it does not already exist.


deleteCert - Delete certificate from keychain
boolean. Optional. Use when keychain = custom || keychain = default.

Specifies whether to delete the certificate from the keychain after the build or release is complete.


deleteCustomKeychain - Delete custom keychain
boolean. Optional. Use when keychain = custom.

Specifies whether to delete the custom keychain from the agent after the build or release is complete.


signingIdentity - Certificate signing identity
string.

Specifies the Common Name of the subject in the signing certificate. If this is left empty, the task attempts to parse the Common Name from the certificate.


setUpPartitionIdACLForPrivateKey - Set up partition_id ACL for the imported private key
boolean.

If true, sets the partition_id ACL for the imported private key so that codesign won't prompt to use the key for signing. This isn't necessary for temporary keychains on macOS High Sierra. Learn more about Open Radar.


Task control options

All tasks have control options in addition to their task inputs. For more information, see Control options and common task properties.

Output variables

This task defines the following output variables, which you can consume in downstream steps, jobs, and stages.

signingIdentity
Specifies the resolved Common Name of the subject in the signing certificate. Either supplied as an input or parsed from the P12 certificate file.

keychainPath
Specifies the path for the keychain file with the certificate.

Remarks

Use this task to install an Apple certificate that is required to build on a macOS agent. You can use this task to install an Apple certificate that is stored as a secure file on the server.
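
The following pipeline is an added example, not part of the original task reference. It shows the temporary keychain on a Microsoft-hosted agent beside a custom keychain on a self-hosted agent with both cleanup inputs enabled. The secure file name signing-cert.p12, the secret variables P12_PASSWORD and KEYCHAIN_PASSWORD, the pool name SelfHostedMac, the keychain file name, and the step name installCert are assumptions.

```yaml
# Added example. Assumed names: signing-cert.p12 (secure file), P12_PASSWORD and
# KEYCHAIN_PASSWORD (secret variables with the lock enabled), SelfHostedMac (pool).
jobs:
- job: hosted_build
  pool:
    vmImage: 'macOS-latest'
  steps:
  - task: InstallAppleCertificate@2
    name: installCert              # step name, needed to reference output variables
    inputs:
      certSecureFile: 'signing-cert.p12'
      certPwd: '$(P12_PASSWORD)'   # never a literal password in YAML
      keychain: 'temp'             # deleted after the build; password is generated
  # Consume the task's output variables in a downstream step.
  - script: |
      echo "Signing identity: $SIGNING_IDENTITY"
      security find-identity -v -p codesigning "$KEYCHAIN_PATH"
    displayName: 'List code signing identities in the task keychain'
    env:
      SIGNING_IDENTITY: $(installCert.signingIdentity)
      KEYCHAIN_PATH: $(installCert.keychainPath)

- job: self_hosted_build
  pool:
    name: 'SelfHostedMac'
    demands: xcode
  steps:
  - task: InstallAppleCertificate@2
    inputs:
      certSecureFile: 'signing-cert.p12'
      certPwd: '$(P12_PASSWORD)'
      keychain: 'custom'
      # Per-job path, so the key does not land in the agent user's default keychain.
      customKeychainPath: '$(Agent.TempDirectory)/build-signing.keychain'
      keychainPassword: '$(KEYCHAIN_PASSWORD)'
      # A self-hosted agent persists between runs: remove the key material afterwards.
      deleteCert: true
      deleteCustomKeychain: true
      # Lets codesign use the imported key without an interactive prompt.
      setUpPartitionIdACLForPrivateKey: true
```

On a self-hosted agent, leaving deleteCert and deleteCustomKeychain unset keeps the signing key on disk, where later jobs on the same machine can reach it.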

Requirements

| Requirement | Description |
|---|---|
| Pipeline types | YAML, Classic build, Classic release |
| Runs on | Agent, DeploymentGroup |
| Demands | Self-hosted agents must have capabilities that match the following demands to run jobs that use this task: xcode |
| Capabilities | This task does not satisfy any demands for subsequent tasks in the job. |
| Command restrictions | This task runs using the following command restrictions: restricted |
| Settable variables | This task has permission to set the following variables: signingIdentity, keychainPassword, keychainPath, APPLE_CERTIFICATE_SIGNING_IDENTITY, APPLE_CERTIFICATE_KEYCHAIN |
| Agent version | 2.182.1 or greater |
| Task category | Utility |

| Requirement | Description |
|---|---|
| Pipeline types | YAML, Classic build, Classic release |
| Runs on | Agent, DeploymentGroup |
| Demands | Self-hosted agents must have capabilities that match the following demands to run jobs that use this task: xcode |
| Capabilities | This task does not satisfy any demands for subsequent tasks in the job. |
| Command restrictions | Any |
| Settable variables | Any |
| Agent version | 2.116.0 or greater |
| Task category | Utility |