A Fastlane match could not decrypt or incorrect password error means match cannot decrypt your stored certificates and profiles, almost always because the passphrase is wrong, or because an OpenSSL version change broke decryption of an older-encrypted repository. First confirm the match password is exactly the one used to encrypt the repo, since a mismatch is the most common cause. If the password is right, an OpenSSL mismatch is likely, which updating Fastlane to a version that handles it usually resolves. If the password is genuinely lost or the encryption is broken beyond repair, the clean fix is to nuke the certificates and recreate them, understanding that nuking revokes the existing ones.
Short answer
The error means match cannot decrypt your credentials, so check the passphrase and your Fastlane version, and recreate if needed. Per Fastlane's match documentation, match encrypts certificates and profiles with a passphrase, so an incorrect password or a mismatched OpenSSL version prevents decryption. Confirm the match password matches what encrypted the repo, and update Fastlane, since an OpenSSL change caused decryption failures for older-encrypted repositories. If the password is lost or the encryption is broken, run match nuke to revoke and delete the credentials, then recreate them per the code signing guide. Nuking revokes existing certificates, so coordinate with your team first.
What the error means
The error is match telling you it cannot decrypt the certificates and provisioning profiles it stores, so it cannot provide the signing material your build needs. Match keeps these credentials encrypted, typically in a git repository, and decrypts them with a passphrase when you run a build. When decryption fails, either the passphrase is wrong or the encrypted data cannot be read with the current tooling.
Reading it that way narrows the causes to two main ones. The first is a passphrase mismatch, where the match password you are providing is not the one used to encrypt the repo. The second is an OpenSSL version issue, where the credentials were encrypted with an older OpenSSL and cannot be decrypted with a newer one that changed its defaults. Both surface as a decrypt failure, so identifying which you have decides the fix.
Check the match password first
The most common cause is a wrong passphrase, so verify it first. Match encrypts and decrypts with a password, usually supplied through the match password environment variable, and it must be exactly the one used when the repository was set up or last encrypted. A typo, a different value on a CI machine, or a changed passphrase all produce an incorrect password error.
Confirm the value in your environment and, on CI, in your secrets. Make sure the same passphrase that encrypted the repo is the one available wherever the build runs, since a common failure is the password being correct locally but missing or different in CI. If the password is genuinely correct and decryption still fails, that points away from a passphrase problem and toward the OpenSSL issue.
OpenSSL version errors
A second, well-known cause is an OpenSSL version mismatch, which produces decrypt or bad-decrypt errors even when the passphrase is right. Match uses OpenSSL to encrypt and decrypt the stored credentials, and a change in OpenSSL defaults, such as the key derivation used by newer versions, meant that repositories encrypted with an older OpenSSL could not be decrypted by a newer one out of the box. This is why a match repo that worked before can suddenly fail after an environment update.
The fix is usually to update Fastlane, since newer versions handle the OpenSSL change and can decrypt or transparently re-encrypt older repositories. Make sure your local and CI environments run a current Fastlane and a compatible OpenSSL, so the tooling can read the existing credentials. If updating does not resolve it because the encryption is genuinely incompatible, re-encrypting the repo, or nuking and recreating, is the path forward.
How to nuke and recreate
When the passphrase is lost or the encryption cannot be recovered, the clean fix is to nuke and recreate. Running match nuke for a credential type, such as nuke distribution or nuke development, revokes the certificates of that type on the Apple Developer account and removes them along with their profiles from the match repository. You then run match again, which generates fresh certificates and profiles and encrypts them with your current passphrase.
This resets your signing material to a known-good state encrypted correctly. After nuking, the recreation step issues new credentials, so your builds sign with material that decrypts cleanly. It is the definitive fix when the stored credentials are simply unusable, whether because the password is gone or the encryption is broken, since it replaces them entirely rather than trying to recover them.
When to nuke versus when not to
Nuke is powerful but disruptive, so use it deliberately. Because match nuke revokes the existing certificates on the Apple account, any other app, developer, or CI pipeline relying on those certificates will be affected, and their builds may fail until they pick up the new credentials. So before nuking, confirm you understand what those certificates are used for and coordinate with anyone who shares them.
Do not nuke as a first response to a decrypt error. If the cause is a wrong passphrase or an OpenSSL version issue, fixing the password or updating Fastlane resolves it without revoking anything. Reserve nuke for when the password is genuinely lost or the encryption is irrecoverable, and when you have accounted for the impact of revoking the shared certificates. Used carefully, it is a clean reset; used carelessly, it breaks other people's builds.
Causes and fixes
Matching the cause to a fix keeps you from nuking unnecessarily. The table below pairs the common causes with their fixes.
| Cause | What is wrong | Fix |
|---|---|---|
| Wrong match password | The passphrase does not match | Use the correct passphrase, including on CI |
| OpenSSL version mismatch | Old-encrypted repo, newer OpenSSL | Update Fastlane and OpenSSL to compatible versions |
| Lost passphrase | Cannot decrypt at all | Nuke and recreate the credentials |
| Broken encryption | Credentials are irrecoverable | Re-encrypt, or nuke and recreate |
| Wrong repo or branch | Match is reading the wrong storage | Point match at the correct repository |
Read the table against your situation. A decrypt error with a correct password usually points to OpenSSL and an update, while a genuinely lost password is the case where nuke and recreate is the answer.
Fix checklist
Working through the causes in order avoids an unnecessary nuke. The checklist below covers the steps.
| Check | Action | Done? |
|---|---|---|
| Verify the passphrase | Confirm the match password is correct everywhere | [ ] |
| Update Fastlane | Use a version that handles the OpenSSL change | [ ] |
| Confirm the repo | Ensure match reads the correct repository and branch | [ ] |
| Coordinate before nuke | Account for shared certificates being revoked | [ ] |
| Nuke and recreate | If unrecoverable, nuke then recreate the credentials | [ ] |
The steps that resolve most cases without revoking anything are verifying the passphrase and updating Fastlane. Reserve nuke and recreate for a genuinely lost password or broken encryption, after coordinating the impact on shared certificates.
After signing: scan before you submit
Fixing match decryption gets your build signed, but a build that signs cleanly can still be rejected in review for reasons unrelated to signing. Security and privacy issues are a common one, and they are cheaper to catch before submission than after.
A scanner like PTKD.com analyzes your .ipa and reports findings ordered by severity and mapped to OWASP MASVS, so you catch issues like unjustified permissions, cleartext traffic, or embedded secrets before you submit. To be clear about the boundary: PTKD does not manage your certificates, decrypt a match repo, or handle passphrases. It checks the built, signed artifact for the security issues that a valid signature does not address.
What to take away
- The error means match cannot decrypt your credentials, usually from a wrong passphrase or an OpenSSL version mismatch.
- Check the match password first, including on CI, since a missing or different passphrase there is a common cause.
- OpenSSL version changes broke decryption of older-encrypted repos; updating Fastlane and OpenSSL usually resolves it.
- If the password is lost or the encryption is broken, nuke and recreate the credentials, understanding that nuking revokes existing certificates.
- After signing is fixed, scan your build with PTKD.com for the security issues a valid signature does not cover.



