Builders

    Fastlane Match Decrypt Certificate Failed (Incorrect Password)

    A CI log showing a Fastlane match could not decrypt certificate error caused by an incorrect passphrase or OpenSSL mismatch.

    A Fastlane match could not decrypt or incorrect password error means match cannot decrypt your stored certificates and profiles, almost always because the passphrase is wrong, or because an OpenSSL version change broke decryption of an older-encrypted repository. First confirm the match password is exactly the one used to encrypt the repo, since a mismatch is the most common cause. If the password is right, an OpenSSL mismatch is likely, which updating Fastlane to a version that handles it usually resolves. If the password is genuinely lost or the encryption is broken beyond repair, the clean fix is to nuke the certificates and recreate them, understanding that nuking revokes the existing ones.

    Short answer

    The error means match cannot decrypt your credentials, so check the passphrase and your Fastlane version, and recreate if needed. Per Fastlane's match documentation, match encrypts certificates and profiles with a passphrase, so an incorrect password or a mismatched OpenSSL version prevents decryption. Confirm the match password matches what encrypted the repo, and update Fastlane, since an OpenSSL change caused decryption failures for older-encrypted repositories. If the password is lost or the encryption is broken, run match nuke to revoke and delete the credentials, then recreate them per the code signing guide. Nuking revokes existing certificates, so coordinate with your team first.

    What the error means

    The error is match telling you it cannot decrypt the certificates and provisioning profiles it stores, so it cannot provide the signing material your build needs. Match keeps these credentials encrypted, typically in a git repository, and decrypts them with a passphrase when you run a build. When decryption fails, either the passphrase is wrong or the encrypted data cannot be read with the current tooling.

    Reading it that way narrows the causes to two main ones. The first is a passphrase mismatch, where the match password you are providing is not the one used to encrypt the repo. The second is an OpenSSL version issue, where the credentials were encrypted with an older OpenSSL and cannot be decrypted with a newer one that changed its defaults. Both surface as a decrypt failure, so identifying which you have decides the fix.

    Check the match password first

    The most common cause is a wrong passphrase, so verify it first. Match encrypts and decrypts with a password, usually supplied through the match password environment variable, and it must be exactly the one used when the repository was set up or last encrypted. A typo, a different value on a CI machine, or a changed passphrase all produce an incorrect password error.

    Confirm the value in your environment and, on CI, in your secrets. Make sure the same passphrase that encrypted the repo is the one available wherever the build runs, since a common failure is the password being correct locally but missing or different in CI. If the password is genuinely correct and decryption still fails, that points away from a passphrase problem and toward the OpenSSL issue.

    OpenSSL version errors

    A second, well-known cause is an OpenSSL version mismatch, which produces decrypt or bad-decrypt errors even when the passphrase is right. Match uses OpenSSL to encrypt and decrypt the stored credentials, and a change in OpenSSL defaults, such as the key derivation used by newer versions, meant that repositories encrypted with an older OpenSSL could not be decrypted by a newer one out of the box. This is why a match repo that worked before can suddenly fail after an environment update.

    The fix is usually to update Fastlane, since newer versions handle the OpenSSL change and can decrypt or transparently re-encrypt older repositories. Make sure your local and CI environments run a current Fastlane and a compatible OpenSSL, so the tooling can read the existing credentials. If updating does not resolve it because the encryption is genuinely incompatible, re-encrypting the repo, or nuking and recreating, is the path forward.

    How to nuke and recreate

    When the passphrase is lost or the encryption cannot be recovered, the clean fix is to nuke and recreate. Running match nuke for a credential type, such as nuke distribution or nuke development, revokes the certificates of that type on the Apple Developer account and removes them along with their profiles from the match repository. You then run match again, which generates fresh certificates and profiles and encrypts them with your current passphrase.

    This resets your signing material to a known-good state encrypted correctly. After nuking, the recreation step issues new credentials, so your builds sign with material that decrypts cleanly. It is the definitive fix when the stored credentials are simply unusable, whether because the password is gone or the encryption is broken, since it replaces them entirely rather than trying to recover them.

    When to nuke versus when not to

    Nuke is powerful but disruptive, so use it deliberately. Because match nuke revokes the existing certificates on the Apple account, any other app, developer, or CI pipeline relying on those certificates will be affected, and their builds may fail until they pick up the new credentials. So before nuking, confirm you understand what those certificates are used for and coordinate with anyone who shares them.

    Do not nuke as a first response to a decrypt error. If the cause is a wrong passphrase or an OpenSSL version issue, fixing the password or updating Fastlane resolves it without revoking anything. Reserve nuke for when the password is genuinely lost or the encryption is irrecoverable, and when you have accounted for the impact of revoking the shared certificates. Used carefully, it is a clean reset; used carelessly, it breaks other people's builds.

    Causes and fixes

    Matching the cause to a fix keeps you from nuking unnecessarily. The table below pairs the common causes with their fixes.

    CauseWhat is wrongFix
    Wrong match passwordThe passphrase does not matchUse the correct passphrase, including on CI
    OpenSSL version mismatchOld-encrypted repo, newer OpenSSLUpdate Fastlane and OpenSSL to compatible versions
    Lost passphraseCannot decrypt at allNuke and recreate the credentials
    Broken encryptionCredentials are irrecoverableRe-encrypt, or nuke and recreate
    Wrong repo or branchMatch is reading the wrong storagePoint match at the correct repository

    Read the table against your situation. A decrypt error with a correct password usually points to OpenSSL and an update, while a genuinely lost password is the case where nuke and recreate is the answer.

    Fix checklist

    Working through the causes in order avoids an unnecessary nuke. The checklist below covers the steps.

    CheckActionDone?
    Verify the passphraseConfirm the match password is correct everywhere[ ]
    Update FastlaneUse a version that handles the OpenSSL change[ ]
    Confirm the repoEnsure match reads the correct repository and branch[ ]
    Coordinate before nukeAccount for shared certificates being revoked[ ]
    Nuke and recreateIf unrecoverable, nuke then recreate the credentials[ ]

    The steps that resolve most cases without revoking anything are verifying the passphrase and updating Fastlane. Reserve nuke and recreate for a genuinely lost password or broken encryption, after coordinating the impact on shared certificates.

    After signing: scan before you submit

    Fixing match decryption gets your build signed, but a build that signs cleanly can still be rejected in review for reasons unrelated to signing. Security and privacy issues are a common one, and they are cheaper to catch before submission than after.

    A scanner like PTKD.com analyzes your .ipa and reports findings ordered by severity and mapped to OWASP MASVS, so you catch issues like unjustified permissions, cleartext traffic, or embedded secrets before you submit. To be clear about the boundary: PTKD does not manage your certificates, decrypt a match repo, or handle passphrases. It checks the built, signed artifact for the security issues that a valid signature does not address.

    What to take away

    • The error means match cannot decrypt your credentials, usually from a wrong passphrase or an OpenSSL version mismatch.
    • Check the match password first, including on CI, since a missing or different passphrase there is a common cause.
    • OpenSSL version changes broke decryption of older-encrypted repos; updating Fastlane and OpenSSL usually resolves it.
    • If the password is lost or the encryption is broken, nuke and recreate the credentials, understanding that nuking revokes existing certificates.
    • After signing is fixed, scan your build with PTKD.com for the security issues a valid signature does not cover.
    • #fastlane match
    • #code signing
    • #openssl
    • #match nuke
    • #ci/cd

    Frequently asked questions

    What does Fastlane match could not decrypt mean?
    It means match cannot decrypt the certificates and provisioning profiles it stores, so it cannot provide the signing material your build needs. Match keeps these encrypted, usually in a git repo, and decrypts them with a passphrase. When decryption fails, either the passphrase is wrong or the encrypted data cannot be read with the current OpenSSL tooling.
    How do I fix an incorrect match password?
    Verify the passphrase, usually supplied through the match password environment variable, is exactly the one used when the repo was set up or last encrypted, and confirm it is present and identical wherever the build runs, including CI secrets. A common failure is the password being correct locally but missing or different in CI, which produces the incorrect password error.
    How do I fix OpenSSL errors in Fastlane match?
    Update Fastlane. Match uses OpenSSL to encrypt and decrypt, and a change in OpenSSL defaults meant repositories encrypted with an older version could not be decrypted by a newer one, producing decrypt or bad-decrypt errors even with the right passphrase. Newer Fastlane versions handle this and can decrypt or re-encrypt older repos; ensure local and CI run a current, compatible version.
    How do I nuke and recreate match certificates?
    Run match nuke for the credential type, such as nuke distribution or nuke development, which revokes those certificates on the Apple account and removes them and their profiles from the match repo, then run match again to generate fresh credentials encrypted with your current passphrase. This resets your signing material to a known-good, correctly encrypted state.
    When should I not nuke my match certificates?
    Not as a first response. Because nuke revokes the certificates on the Apple account, any other app, developer, or pipeline relying on them is affected and may fail until they pick up new credentials. If the cause is a wrong passphrase or OpenSSL mismatch, fixing the password or updating Fastlane resolves it without revoking anything, so reserve nuke for a lost password or broken encryption.
    Does fixing signing mean my app will pass review?
    No. Fixing match decryption only gets the build signed; it can still be rejected in review for reasons unrelated to signing, such as security or privacy issues. A scanner like PTKD.com (https://ptkd.com) checks your .ipa for unjustified permissions, cleartext traffic, and embedded secrets, mapped to OWASP MASVS, which is separate from the signing credentials.

    Keep reading

    Scan your app in minutes

    Upload an APK, AAB, or IPA. PTKD returns an OWASP-aligned report with copy-paste fixes.

    Try PTKD free