feat(ios): auto-select local signing team (#18421)

Merged via /review-pr -> /prepare-pr -> /merge-pr.

Prepared head SHA: bbb9c3aa48
Co-authored-by: ngutman <1540134+ngutman@users.noreply.github.com>
Co-authored-by: ngutman <1540134+ngutman@users.noreply.github.com>
Reviewed-by: @ngutman

scripts/ios-configure-signing.sh

@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+IOS_DIR="${ROOT_DIR}/apps/ios"
+TEAM_ID_SCRIPT="${ROOT_DIR}/scripts/ios-team-id.sh"
+LOCAL_SIGNING_FILE="${IOS_DIR}/.local-signing.xcconfig"
+
+if [[ ! -x "${TEAM_ID_SCRIPT}" ]]; then
+  echo "ERROR: Missing team detection helper: ${TEAM_ID_SCRIPT}" >&2
+  exit 1
+fi
+
+team_id=""
+if team_id="$("${TEAM_ID_SCRIPT}" 2>/dev/null)"; then
+  :
+else
+  if [[ "${IOS_SIGNING_REQUIRED:-0}" == "1" ]]; then
+    "${TEAM_ID_SCRIPT}"
+    exit 1
+  fi
+
+  echo "WARN: Unable to detect an Apple Team ID; keeping existing iOS signing override (if any)." >&2
+  exit 0
+fi
+
+tmp_file="$(mktemp "${TMPDIR:-/tmp}/openclaw-ios-signing.XXXXXX")"
+cat >"${tmp_file}" <<EOF
+// Auto-generated by scripts/ios-configure-signing.sh.
+// This file is local-only and should not be committed.
+OPENCLAW_IOS_SELECTED_TEAM = ${team_id}
+EOF
+
+if [[ -f "${LOCAL_SIGNING_FILE}" ]] && cmp -s "${tmp_file}" "${LOCAL_SIGNING_FILE}"; then
+  rm -f "${tmp_file}"
+  echo "iOS signing team already configured: ${team_id}"
+  exit 0
+fi
+
+mv "${tmp_file}" "${LOCAL_SIGNING_FILE}"
+echo "Configured iOS signing team: ${team_id}"

scripts/ios-team-id.sh

@@ -1,15 +1,134 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-team_id="$(defaults read com.apple.dt.Xcode IDEProvisioningTeamIdentifiers 2>/dev/null | grep -Eo '[A-Z0-9]{10}' | head -n1 || true)"
-
-if [[ -z "$team_id" ]]; then
-  team_id="$(security find-identity -p codesigning -v 2>/dev/null | grep -Eo '\\([A-Z0-9]{10}\\)' | head -n1 | tr -d '()' || true)"
+if [[ -n "${IOS_DEVELOPMENT_TEAM:-}" ]]; then
+  printf '%s\n' "${IOS_DEVELOPMENT_TEAM}"
+  exit 0
 fi
 
-if [[ -z "$team_id" ]]; then
-  echo "No Apple Team ID found. Open Xcode or install signing certificates first." >&2
+preferred_team="${IOS_PREFERRED_TEAM_ID:-${OPENCLAW_IOS_DEFAULT_TEAM_ID:-Y5PE65HELJ}}"
+preferred_team_name="${IOS_PREFERRED_TEAM_NAME:-}"
+allow_keychain_fallback="${IOS_ALLOW_KEYCHAIN_TEAM_FALLBACK:-0}"
+prefer_non_free_team="${IOS_PREFER_NON_FREE_TEAM:-1}"
+
+declare -a team_ids=()
+declare -a team_is_free=()
+declare -a team_names=()
+
+append_team() {
+  local candidate_id="$1"
+  local candidate_is_free="$2"
+  local candidate_name="$3"
+  [[ -z "$candidate_id" ]] && return
+
+  local i
+  for i in "${!team_ids[@]}"; do
+    if [[ "${team_ids[$i]}" == "$candidate_id" ]]; then
+      return
+    fi
+  done
+
+  team_ids+=("$candidate_id")
+  team_is_free+=("$candidate_is_free")
+  team_names+=("$candidate_name")
+}
+
+load_teams_from_xcode_preferences() {
+  local plist_path="${HOME}/Library/Preferences/com.apple.dt.Xcode.plist"
+  [[ -f "$plist_path" ]] || return 0
+
+  while IFS=$'\t' read -r team_id is_free team_name; do
+    [[ -z "$team_id" ]] && continue
+    append_team "$team_id" "${is_free:-0}" "${team_name:-}"
+  done < <(
+    plutil -extract IDEProvisioningTeams json -o - "$plist_path" 2>/dev/null \
+      | /usr/bin/python3 -c '
+import json
+import sys
+
+try:
+    data = json.load(sys.stdin)
+except Exception:
+    raise SystemExit(0)
+
+if not isinstance(data, dict):
+    raise SystemExit(0)
+
+for teams in data.values():
+    if not isinstance(teams, list):
+        continue
+    for team in teams:
+        if not isinstance(team, dict):
+            continue
+        team_id = str(team.get("teamID", "")).strip()
+        if not team_id:
+            continue
+        is_free = "1" if bool(team.get("isFreeProvisioningTeam", False)) else "0"
+        team_name = str(team.get("teamName", "")).replace("\t", " ").strip()
+        print(f"{team_id}\t{is_free}\t{team_name}")
+'
+  )
+}
+
+load_teams_from_legacy_defaults_key() {
+  while IFS= read -r team; do
+    [[ -z "$team" ]] && continue
+    append_team "$team" "0" ""
+  done < <(
+    defaults read com.apple.dt.Xcode IDEProvisioningTeamIdentifiers 2>/dev/null \
+      | grep -Eo '[A-Z0-9]{10}' || true
+  )
+}
+
+load_teams_from_xcode_preferences
+load_teams_from_legacy_defaults_key
+
+if [[ ${#team_ids[@]} -eq 0 && "$allow_keychain_fallback" == "1" ]]; then
+  while IFS= read -r team; do
+    [[ -z "$team" ]] && continue
+    append_team "$team" "0" ""
+  done < <(
+    security find-identity -p codesigning -v 2>/dev/null \
+      | grep -Eo '\([A-Z0-9]{10}\)' \
+      | tr -d '()' || true
+  )
+fi
+
+if [[ ${#team_ids[@]} -eq 0 ]]; then
+  if [[ "$allow_keychain_fallback" == "1" ]]; then
+    echo "No Apple Team ID found. Open Xcode or install signing certificates first." >&2
+  else
+    echo "No Apple Team ID found in Xcode accounts. Open Xcode → Settings → Accounts and sign in, then retry." >&2
+    echo "(Set IOS_ALLOW_KEYCHAIN_TEAM_FALLBACK=1 to allow keychain-only team detection.)" >&2
+  fi
   exit 1
 fi
 
-echo "$team_id"
+for i in "${!team_ids[@]}"; do
+  if [[ "${team_ids[$i]}" == "$preferred_team" ]]; then
+    printf '%s\n' "${team_ids[$i]}"
+    exit 0
+  fi
+done
+
+if [[ -n "$preferred_team_name" ]]; then
+  preferred_team_name_lc="$(printf '%s' "$preferred_team_name" | tr '[:upper:]' '[:lower:]')"
+  for i in "${!team_ids[@]}"; do
+    team_name_lc="$(printf '%s' "${team_names[$i]}" | tr '[:upper:]' '[:lower:]')"
+    if [[ "$team_name_lc" == "$preferred_team_name_lc" ]]; then
+      printf '%s\n' "${team_ids[$i]}"
+      exit 0
+    fi
+  done
+fi
+
+if [[ "$prefer_non_free_team" == "1" ]]; then
+  for i in "${!team_ids[@]}"; do
+    if [[ "${team_is_free[$i]}" == "0" ]]; then
+      printf '%s\n' "${team_ids[$i]}"
+      exit 0
+    fi
+  done
+fi
+
+printf '%s\n' "${team_ids[0]}"