chore: add EAS production cert

[weitingsun]

Description

Add RC and Production EAS certificates

Changelog

CHANGELOG entry: Added RC and Production EAS certificates

Related issues

Fixes: #23448

Manual testing steps

Feature: my feature name

  Scenario: user [verb for user action]
    Given [describe expected initial app state]

    When user [verb for user action]
    Then [describe expected outcome]

Screenshots/Recordings

Before

After

Pre-merge author checklist

• I’ve followed MetaMask Contributor Docs and MetaMask Mobile Coding Standards.
• I've completed the PR template to the best of my ability
• I’ve included tests if applicable
• I’ve documented my code using JSDoc format if applicable
• I’ve applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

---

Note

Introduces environment-driven OTA code signing and production channel support.

• Adds certs/production.certificate.pem and certs/rc.certificate.pem; keeps certs/exp.certificate.pem
• app.config.js: selects updates.codeSigningCertificate and codeSigningMetadata.keyid via METAMASK_ENVIRONMENT (fallback to exp); removes hardcoded request headers
• scripts/update-expo-channel.js: adds production to CONFIG_MAP; derives OTA env (production/rc/exp) and loads matching cert/keyid; writes code-signing certificate and metadata to Android (AndroidManifest.xml) and iOS (Expo.plist); continues setting channel, runtimeVersion, update URL, check policy, and launch wait
• General refactors: path constants formatting and safer missing-cert handling

^{Written by Cursor Bugbot for commit 4edfcde. This will update automatically on new commits. Configure here.}

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[Cal-L]

Probably cleaner to have an object that maps to the correct values instead. It'll make it a little easier to read and to manage in case environment requirements change

[github-actions]

🔍 Smart E2E Test Selection

• Selected E2E tags: None (no tests recommended)
• Risk Level: low
• AI Confidence: 90%

click to see 🤖 AI reasoning details

The changes are purely build-time configuration changes for Expo OTA (Over-The-Air) updates:

1. app.config.js: Modified to support environment-specific code signing certificates for OTA updates. This is a build configuration file that determines which certificate to use based on METAMASK_ENVIRONMENT.

2. certs/*.certificate.pem (3 new files): Added new code signing certificates for exp, production, and rc environments. These are static certificate files used during the build process.

3. scripts/update-expo-channel.js: Updated the build script to support environment-specific certificates and added production environment configuration.

These changes:

• Are build-time/deployment infrastructure changes, not runtime app code
• Don't modify any app functionality, UI, or user-facing features
• Don't touch any controllers, Engine, or core app modules
• Are specifically about code signing for OTA updates (a deployment concern)
• Don't affect how the app behaves once built and running

Since E2E tests verify runtime app behavior and these changes only affect the build/deployment pipeline for OTA updates, no E2E tests are necessary to validate these changes.

View GitHub Actions results

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[Cal-L]

LGTM