Ensure a valid push profile is active, creating a new one if needed (via pem)
Automatically generate and renew your push notification profiles
Tired of manually creating and maintaining your push notification profiles for your iOS apps? Tired of generating a pem file for your server?
pem does all that for you, just by simply running pem.
pem creates new .pem, .cer, and .p12 files to be uploaded to your push server if a valid push notification profile is needed. pem does not cover uploading the file to your server.
To automate iOS Provisioning profiles you can use match.
pem is part of fastlane: The easiest way to automate beta deployments and releases for your iOS and Android apps.
Well, it's actually just one: Generate the pem file for your server.
Check out this gif:
Yes, that's the whole command!
This does the following:
- Create a new signing request
- Create a new push certification
- Downloads the certificate
- Generates a new
.pemfile in the current working directory, which you can upload to your server
Note that pem will never revoke your existing certificates. pem can't download any of your existing push certificates, as the private key is only available on the machine it was created on.
If you already have a push certificate enabled, which is active for at least 30 more days, pem will not create a new certificate. If you still want to create one, use the
fastlane pem --force
You can pass parameters like this:
fastlane pem -a com.krausefx.app -u username
If you want to generate a development certificate instead:
fastlane pem --development
If you want to generate a Website Push certificate:
fastlane pem --website_push
Set a password for your
fastlane pem -p "MyPass"
You can specify a name for the output file:
fastlane pem -o my.pem
To get a list of available options run:
fastlane action pem
Note about empty
p12 passwords and Keychain Access.app
pem will produce a valid
p12 without specifying a password, or using the empty-string as the password.
While the file is valid, the Mac's Keychain Access will not allow you to open the file without specifying a passphrase.
Instead, you may verify the file is valid using OpenSSL:
openssl pkcs12 -info -in my.p12
% openssl pkcs12 -in my.p12 -out my.pem Enter Import Password: <hit enter: the p12 has no password> MAC verified OK Enter PEM pass phrase: <enter a temporary password to encrypt the pem file> % openssl pkcs12 -export -in my.pem -out my-with-passphrase.p12 Enter pass phrase for temp.pem: <enter the temporary password to decrypt the pem file> Enter Export Password: <enter a password for encrypting the new p12 file>
fastlane action pem to get a list of available environment variables.
How does it work?
pem uses spaceship to communicate with the Apple Developer Portal to request a new push certificate for you.
How is my password stored?
pem # alias for "get_push_certificate"
get_push_certificate( force: true, # create a new profile, even if the old one is still valid app_identifier: "net.sunapps.9", # optional app identifier, save_private_key: true, new_profile: proc do |profile_path| # this block gets called when a new profile was generated puts profile_path # the absolute path to the new PEM file # insert the code to upload the PEM file to the server end )
||Renew the development push certificate instead of the production one||
||Create a Website Push certificate||
||Generate a p12 file additionally to a PEM file||
||If the current certificate is active for less than this number of days, generate a new one||
||Create a new push certificate, even if the current one is active for 30 (or PEM_ACTIVE_DAYS_LIMIT) more days||
||Set to save the private RSA key||
||The bundle identifier of your app||*|
||Your Apple ID Username||*|
||The ID of your Developer Portal team if you're in multiple teams||*|
||The name of your Developer Portal team if you're in multiple teams||*|
||The password that is used for your p12 file||
||The file name of the generated .pem file|
||The path to a directory in which all certificates and private keys should be stored||
||Block that is called if there is a new profile|
* = default value is dependent on the user's system
To show the documentation in your terminal, run
fastlane action get_push_certificate
It is recommended to add the above action into your
Fastfile, however sometimes you might want to run one-offs. To do so, you can run the following command from your terminal
fastlane run get_push_certificate
To pass parameters, make use of the
: symbol, for example
fastlane run get_push_certificate parameter1:"value1" parameter2:"value2"
It's important to note that the CLI supports primitive types like integers, floats, booleans, and strings. Arrays can be passed as a comma delimited string (e.g.
param:"1,2,3"). Hashes are not currently supported.
It is recommended to add all fastlane actions you use to your
This action, just like the rest of fastlane, is fully open source, view the source code on GitHub