fix(workflows): refine local signing workflow with improved certificate setup, app signing process, and added packaging step for signed apps
Some checks failed
Test Local Signing / test-local-signing (push) Failing after 9s
Some checks failed
Test Local Signing / test-local-signing (push) Failing after 9s
This commit is contained in:
parent
c9b2170d80
commit
16274ec126
@ -2,8 +2,8 @@ name: Test Local Signing
|
||||
|
||||
on:
|
||||
workflow_dispatch: # Manual trigger
|
||||
# push:
|
||||
# branches: [ozgur/build]
|
||||
push:
|
||||
branches: [ozgur/build]
|
||||
|
||||
jobs:
|
||||
test-local-signing:
|
||||
@ -62,7 +62,7 @@ jobs:
|
||||
<key>CFBundleExecutable</key>
|
||||
<string>TestApp</string>
|
||||
<key>CFBundleIdentifier</key>
|
||||
<string>com.luckyworld.testapp</string>
|
||||
<string>com.luckyrobots.luckyworld.testapp</string>
|
||||
<key>CFBundleName</key>
|
||||
<string>TestApp</string>
|
||||
<key>CFBundlePackageType</key>
|
||||
@ -85,144 +85,164 @@ jobs:
|
||||
|
||||
echo "🔍 App bundle contents:"
|
||||
ls -la "$TEST_APP_DIR"
|
||||
|
||||
# Store app path as environment variable
|
||||
echo "APP_PATH=$(pwd)/TestApp.app" >> "$GITHUB_ENV"
|
||||
shell: bash
|
||||
|
||||
- name: Self-Sign App for Testing
|
||||
- name: Setup Certificate
|
||||
env:
|
||||
CERTIFICATE_BASE64: ${{ secrets.MACOS_CERTIFICATE }}
|
||||
CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
|
||||
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
|
||||
run: |
|
||||
echo "🔏 Self-signing app for testing..."
|
||||
echo "🔐 Setting up certificate..."
|
||||
|
||||
# Create a self-signed certificate for testing
|
||||
echo "🔑 Creating self-signed certificate..."
|
||||
# Create a temporary directory for certificates
|
||||
CERT_DIR="$HOME/certificates"
|
||||
mkdir -p "$CERT_DIR"
|
||||
|
||||
# Generate key and certificate
|
||||
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
|
||||
-keyout TestKey.key -out TestCert.crt \
|
||||
-subj "/CN=Test Signing/O=LuckyWorld/C=TR"
|
||||
# Decode the certificate to a p12 file
|
||||
echo "$CERTIFICATE_BASE64" | base64 --decode > "$CERT_DIR/certificate.p12"
|
||||
|
||||
# Sign the app with ad-hoc identity
|
||||
echo "🔏 Signing app with ad-hoc identity..."
|
||||
codesign --force --sign - --timestamp --options runtime --entitlements LuckyWorld.entitlements TestApp.app
|
||||
# Check certificate format
|
||||
echo "📑 Certificate format check:"
|
||||
file "$CERT_DIR/certificate.p12"
|
||||
|
||||
# Verify signing
|
||||
echo "🔍 Verifying signature..."
|
||||
codesign -vvv --deep --strict TestApp.app
|
||||
# Create keychain
|
||||
KEYCHAIN_PATH="$CERT_DIR/app-signing.keychain-db"
|
||||
KEYCHAIN_PASSWORD="$(openssl rand -base64 12)"
|
||||
|
||||
# Check entitlements
|
||||
echo "🔍 Checking entitlements..."
|
||||
codesign -d --entitlements - TestApp.app
|
||||
# Delete existing keychain if it exists
|
||||
security delete-keychain "$KEYCHAIN_PATH" 2>/dev/null || true
|
||||
|
||||
# Create new keychain
|
||||
security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
||||
security set-keychain-settings -t 3600 -u -l "$KEYCHAIN_PATH"
|
||||
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
||||
|
||||
# Add to search list and make default
|
||||
security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | tr -d '"')
|
||||
security default-keychain -s "$KEYCHAIN_PATH"
|
||||
|
||||
# Import certificate
|
||||
echo "🔑 Importing developer certificate..."
|
||||
security import "$CERT_DIR/certificate.p12" -k "$KEYCHAIN_PATH" -P "$CERTIFICATE_PASSWORD" -T /usr/bin/codesign
|
||||
|
||||
# Set partition list for codesign to access keychain
|
||||
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
||||
|
||||
# Verify certificate
|
||||
echo "🔍 Verifying certificate..."
|
||||
security find-identity -v -p codesigning "$KEYCHAIN_PATH"
|
||||
|
||||
# Store keychain variables for later steps
|
||||
echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV"
|
||||
echo "KEYCHAIN_PASSWORD=$KEYCHAIN_PASSWORD" >> "$GITHUB_ENV"
|
||||
echo "APPLE_TEAM_ID=$APPLE_TEAM_ID" >> "$GITHUB_ENV"
|
||||
|
||||
# Cleanup
|
||||
rm -f "$CERT_DIR/certificate.p12"
|
||||
shell: bash
|
||||
|
||||
- name: Create Sign and Notarize Script (Developer Reference)
|
||||
- name: Sign with Developer ID
|
||||
run: |
|
||||
echo "📝 Creating reference script for actual code signing..."
|
||||
echo "🔏 Signing app with Developer ID certificate..."
|
||||
|
||||
cat > sign_and_notarize.sh << 'EOF'
|
||||
#!/bin/bash
|
||||
# Sign and notarize macOS application
|
||||
# This script is a reference for using a real Developer ID certificate
|
||||
# Make sure keychain is unlocked
|
||||
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
||||
|
||||
# Configuration (replace with your values)
|
||||
APP_PATH="YourApp.app"
|
||||
TEAM_ID="YOUR_TEAM_ID"
|
||||
BUNDLE_ID="com.yourdomain.yourapp"
|
||||
ENTITLEMENTS_PATH="YourApp.entitlements"
|
||||
APPLE_ID="your_apple_id@example.com"
|
||||
APP_PASSWORD="your_app_specific_password"
|
||||
|
||||
# Step 1: Check for Developer ID Application certificate
|
||||
echo "Checking for Developer ID Application certificate..."
|
||||
IDENTITY=$(security find-identity -v -p codesigning | grep "Developer ID Application" | head -1 | awk -F '"' '{print $2}')
|
||||
# Get the Developer ID Application identity
|
||||
IDENTITY=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep "Developer ID Application" | head -1 | awk -F '"' '{print $2}')
|
||||
|
||||
if [ -z "$IDENTITY" ]; then
|
||||
echo "Error: No Developer ID Application certificate found"
|
||||
echo "Please create a Developer ID Application certificate in your Apple Developer account"
|
||||
echo "and install it in your keychain"
|
||||
echo "❌ Error: No valid Developer ID Application identity found"
|
||||
echo "Please check if your certificate is valid and properly imported"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "Using identity: $IDENTITY"
|
||||
|
||||
# Step 2: Sign the app
|
||||
echo "Signing app..."
|
||||
codesign --force --options runtime --entitlements "$ENTITLEMENTS_PATH" \
|
||||
--sign "$IDENTITY" --timestamp "$APP_PATH"
|
||||
# Sign the app bundle
|
||||
echo "Signing app bundle..."
|
||||
codesign --force --deep --verbose --options runtime --entitlements LuckyWorld.entitlements --sign "$IDENTITY" --timestamp "$APP_PATH"
|
||||
|
||||
# Step 3: Verify signing
|
||||
echo "Verifying signature..."
|
||||
# Verify signing
|
||||
echo "🔍 Verifying signature..."
|
||||
codesign -vvv --deep --strict "$APP_PATH"
|
||||
|
||||
# Step 4: Create zip for notarization
|
||||
echo "Creating zip for notarization..."
|
||||
zip_path="/tmp/app_for_notarization.zip"
|
||||
ditto -c -k --keepParent "$APP_PATH" "$zip_path"
|
||||
# Check entitlements
|
||||
echo "🔍 Checking entitlements..."
|
||||
codesign -d --entitlements - "$APP_PATH"
|
||||
shell: bash
|
||||
|
||||
- name: Notarize App
|
||||
if: success()
|
||||
env:
|
||||
APPLE_ID: ${{ secrets.APPLE_NOTARY_USER }}
|
||||
APP_PASSWORD: ${{ secrets.APPLE_NOTARY_PASSWORD }}
|
||||
run: |
|
||||
echo "📤 Notarizing app..."
|
||||
|
||||
# Make sure we have required secrets
|
||||
if [ -z "$APPLE_ID" ] || [ -z "$APP_PASSWORD" ] || [ -z "$APPLE_TEAM_ID" ]; then
|
||||
echo "⚠️ Missing notarization credentials. Skipping notarization."
|
||||
echo "NOTARIZED=false" >> "$GITHUB_ENV"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# Create zip for notarization
|
||||
ZIP_PATH="TestApp-notarize.zip"
|
||||
ditto -c -k --keepParent "$APP_PATH" "$ZIP_PATH"
|
||||
|
||||
# Step 5: Submit for notarization
|
||||
echo "Submitting for notarization..."
|
||||
xcrun notarytool submit "$zip_path" \
|
||||
xcrun notarytool submit "$ZIP_PATH" \
|
||||
--apple-id "$APPLE_ID" \
|
||||
--password "$APP_PASSWORD" \
|
||||
--team-id "$TEAM_ID" \
|
||||
--team-id "$APPLE_TEAM_ID" \
|
||||
--wait
|
||||
|
||||
# Step 6: Staple the notarization ticket
|
||||
# Staple the notarization ticket
|
||||
echo "Stapling notarization ticket..."
|
||||
xcrun stapler staple "$APP_PATH"
|
||||
|
||||
# Step 7: Verify notarization
|
||||
echo "Verifying notarization..."
|
||||
# Verify notarization
|
||||
echo "🔍 Verifying notarization..."
|
||||
spctl --assess --verbose --type exec "$APP_PATH"
|
||||
|
||||
echo "✅ App successfully signed and notarized!"
|
||||
EOF
|
||||
|
||||
chmod +x sign_and_notarize.sh
|
||||
echo "✅ Created reference script for actual code signing"
|
||||
echo "NOTARIZED=true" >> "$GITHUB_ENV"
|
||||
shell: bash
|
||||
|
||||
- name: Documentation for Certificate Requirements
|
||||
- name: Package Signed App
|
||||
run: |
|
||||
echo "📋 Requirements for code signing with Developer ID Application certificate:"
|
||||
echo ""
|
||||
echo "1. You must have a paid Apple Developer account"
|
||||
echo "2. You need to create a Developer ID Application certificate in Apple Developer Portal"
|
||||
echo "3. The certificate must be exported with its private key in p12 format"
|
||||
echo "4. The certificate must be properly imported into keychain with proper access controls"
|
||||
echo "5. For production, you should use the xcrun notarytool to notarize your app"
|
||||
echo ""
|
||||
echo "Common issues:"
|
||||
echo "- The p12 file doesn't contain a private key"
|
||||
echo "- The certificate is not a Developer ID Application type (it might be Developer ID Installer or other type)"
|
||||
echo "- The certificate has expired"
|
||||
echo "- The certificate was revoked"
|
||||
echo "- Keychain access restrictions are preventing access to the private key"
|
||||
echo ""
|
||||
echo "For testing purposes, you can sign with ad-hoc identity (as demonstrated in this workflow)"
|
||||
echo "For production, follow the steps in the reference script created in this workflow"
|
||||
echo "📦 Packaging signed app..."
|
||||
|
||||
# Print this information in a file for reference
|
||||
echo "📋 Requirements for code signing with Developer ID Application certificate:" > signing_requirements.txt
|
||||
echo "" >> signing_requirements.txt
|
||||
echo "1. You must have a paid Apple Developer account" >> signing_requirements.txt
|
||||
echo "2. You need to create a Developer ID Application certificate in Apple Developer Portal" >> signing_requirements.txt
|
||||
echo "3. The certificate must be exported with its private key in p12 format" >> signing_requirements.txt
|
||||
echo "4. The certificate must be properly imported into keychain with proper access controls" >> signing_requirements.txt
|
||||
echo "5. For production, you should use the xcrun notarytool to notarize your app" >> signing_requirements.txt
|
||||
echo "" >> signing_requirements.txt
|
||||
echo "Common issues:" >> signing_requirements.txt
|
||||
echo "- The p12 file doesn't contain a private key" >> signing_requirements.txt
|
||||
echo "- The certificate is not a Developer ID Application type (it might be Developer ID Installer or other type)" >> signing_requirements.txt
|
||||
echo "- The certificate has expired" >> signing_requirements.txt
|
||||
echo "- The certificate was revoked" >> signing_requirements.txt
|
||||
echo "- Keychain access restrictions are preventing access to the private key" >> signing_requirements.txt
|
||||
echo "" >> signing_requirements.txt
|
||||
echo "For testing purposes, you can sign with ad-hoc identity (as demonstrated in this workflow)" >> signing_requirements.txt
|
||||
echo "For production, follow the steps in the reference script created in this workflow" >> signing_requirements.txt
|
||||
if [ "${NOTARIZED:-false}" == "true" ]; then
|
||||
ZIP_FILE="TestApp-Signed-Notarized.zip"
|
||||
echo "Creating distribution package with notarized app..."
|
||||
else
|
||||
ZIP_FILE="TestApp-Signed.zip"
|
||||
echo "Creating distribution package with signed app..."
|
||||
fi
|
||||
|
||||
# Create zip package
|
||||
ditto -c -k --keepParent "$APP_PATH" "$ZIP_FILE"
|
||||
|
||||
echo "✅ Created package: $ZIP_FILE"
|
||||
shell: bash
|
||||
|
||||
- name: Upload Artifact
|
||||
uses: actions/upload-artifact@v3
|
||||
with:
|
||||
name: LuckyWorld-Signed-App
|
||||
path: TestApp-*.zip
|
||||
retention-days: 7
|
||||
|
||||
- name: Cleanup
|
||||
if: always()
|
||||
run: |
|
||||
echo "🧹 Cleaning up..."
|
||||
rm -rf TestApp.app TestKey.key TestCert.crt || true
|
||||
rm -rf TestApp.app TestApp-*.zip || true
|
||||
security delete-keychain "$KEYCHAIN_PATH" 2>/dev/null || true
|
||||
echo "✅ Cleanup complete"
|
||||
shell: bash
|
||||
@ -2,8 +2,8 @@ name: Test macOS Build Action
|
||||
|
||||
on:
|
||||
workflow_dispatch: # Manual trigger only for testing
|
||||
push:
|
||||
branches: [ozgur/build]
|
||||
# push:
|
||||
# branches: [ozgur/build]
|
||||
|
||||
jobs:
|
||||
test-macos-build:
|
||||
@ -21,9 +21,6 @@ jobs:
|
||||
if [ -f "LuckyWorld.entitlements" ]; then
|
||||
echo "Using existing LuckyWorld.entitlements file"
|
||||
ENTITLEMENTS_FILE="LuckyWorld.entitlements"
|
||||
elif [ -f "LuckyRobots.entitlements" ]; then
|
||||
echo "Using existing LuckyRobots.entitlements file"
|
||||
ENTITLEMENTS_FILE="LuckyRobots.entitlements"
|
||||
else
|
||||
echo "Creating default entitlements file as LuckyWorld.entitlements"
|
||||
# Create entitlements file line by line instead of heredoc
|
||||
@ -74,55 +71,6 @@ jobs:
|
||||
echo "WORKSPACE_DIR=$WORKSPACE_DIR" >> "$GITHUB_ENV"
|
||||
shell: bash
|
||||
|
||||
- name: Debug Certificate Import (Test)
|
||||
env:
|
||||
CERTIFICATE_BASE64: ${{ secrets.MACOS_CERTIFICATE }}
|
||||
CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
|
||||
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
|
||||
run: |
|
||||
set -e # Fail on any error
|
||||
|
||||
echo "Current working directory: $(pwd)"
|
||||
echo "Checking for .app bundles in Saved directory..."
|
||||
find ./Saved -type d -name "*.app" || echo "No app bundles found."
|
||||
|
||||
echo "Decoding certificate..."
|
||||
CERT_DIR="$HOME/certificates"
|
||||
mkdir -p "$CERT_DIR"
|
||||
CERT_PATH="$CERT_DIR/developer_certificate.p12"
|
||||
echo "$CERTIFICATE_BASE64" | base64 --decode > "$CERT_PATH"
|
||||
|
||||
echo "Decoded certificate size: $(wc -c < "$CERT_PATH") bytes"
|
||||
echo "Type: $(file "$CERT_PATH")"
|
||||
|
||||
echo "Creating and configuring custom keychain..."
|
||||
CUSTOM_KEYCHAIN="$CERT_DIR/build.keychain"
|
||||
CUSTOM_PASSWORD="temppassword123"
|
||||
|
||||
security create-keychain -p "$CUSTOM_PASSWORD" "$CUSTOM_KEYCHAIN"
|
||||
security set-keychain-settings "$CUSTOM_KEYCHAIN"
|
||||
security unlock-keychain -p "$CUSTOM_PASSWORD" "$CUSTOM_KEYCHAIN"
|
||||
|
||||
echo "Setting only this keychain as active..."
|
||||
security list-keychains -s "$CUSTOM_KEYCHAIN"
|
||||
security default-keychain -s "$CUSTOM_KEYCHAIN"
|
||||
|
||||
echo "Importing certificate..."
|
||||
security import "$CERT_PATH" -P "$CERTIFICATE_PASSWORD" -k "$CUSTOM_KEYCHAIN" -T /usr/bin/codesign
|
||||
|
||||
echo "Granting access to codesign..."
|
||||
security set-key-partition-list -S apple-tool:,apple: -s -k "$CUSTOM_PASSWORD" "$CUSTOM_KEYCHAIN"
|
||||
|
||||
echo "Verifying imported identities..."
|
||||
security find-identity -v -p codesigning "$CUSTOM_KEYCHAIN"
|
||||
|
||||
echo "Setting environment variables for future steps..."
|
||||
echo "KEYCHAIN_PATH=$CUSTOM_KEYCHAIN" >> "$GITHUB_ENV"
|
||||
echo "KEYCHAIN_PASSWORD=$CUSTOM_PASSWORD" >> "$GITHUB_ENV"
|
||||
echo "DIRECT_SIGNING_AVAILABLE=true" >> "$GITHUB_ENV"
|
||||
echo "APPLE_TEAM=$APPLE_TEAM_ID" >> "$GITHUB_ENV"
|
||||
shell: bash
|
||||
|
||||
# Step 2: Build for macOS
|
||||
- name: Build for macOS
|
||||
run: |
|
||||
@ -344,83 +292,6 @@ jobs:
|
||||
echo "✅ Created reference script for production code signing"
|
||||
shell: bash
|
||||
|
||||
# Step 7: Documentation for Certificate Requirements
|
||||
- name: Certificate Requirements Documentation
|
||||
run: |
|
||||
echo "📋 Requirements for code signing with Developer ID Application certificate:"
|
||||
echo ""
|
||||
echo "1. You must have a paid Apple Developer account"
|
||||
echo "2. You need to create a Developer ID Application certificate in Apple Developer Portal"
|
||||
echo "3. The certificate must be exported with its private key in p12 format"
|
||||
echo "4. The certificate must be properly imported into keychain with proper access controls"
|
||||
echo "5. For production, you should use the xcrun notarytool to notarize your app"
|
||||
echo ""
|
||||
echo "Common issues:"
|
||||
echo "- The p12 file doesn't contain a private key"
|
||||
echo "- The certificate is not a Developer ID Application type (it might be Developer ID Installer or other type)"
|
||||
echo "- The certificate has expired"
|
||||
echo "- The certificate was revoked"
|
||||
echo "- Keychain access restrictions are preventing access to the private key"
|
||||
echo ""
|
||||
echo "For testing CI/CD pipeline: Use ad-hoc signing (as demonstrated in this workflow)"
|
||||
echo "For production: Follow the steps in the reference script sign_and_notarize_production.sh"
|
||||
|
||||
# Print this information in a file for reference
|
||||
cat > code_signing_requirements.md << EOF
|
||||
# macOS Code Signing Requirements
|
||||
|
||||
## Requirements
|
||||
1. You must have a paid Apple Developer account
|
||||
2. You need to create a Developer ID Application certificate in Apple Developer Portal
|
||||
3. The certificate must be exported with its private key in p12 format
|
||||
4. The certificate must be properly imported into keychain with proper access controls
|
||||
5. For production, you should use the xcrun notarytool to notarize your app
|
||||
|
||||
## Common Issues
|
||||
- The p12 file doesn't contain a private key
|
||||
- The certificate is not a Developer ID Application type (it might be Developer ID Installer or other type)
|
||||
- The certificate has expired
|
||||
- The certificate was revoked
|
||||
- Keychain access restrictions are preventing access to the private key
|
||||
|
||||
## Workflow
|
||||
- For testing CI/CD pipeline: Use ad-hoc signing (as demonstrated in this workflow)
|
||||
- For production: Follow the steps in the reference script sign_and_notarize_production.sh
|
||||
EOF
|
||||
|
||||
echo "✅ Created code signing requirements documentation"
|
||||
shell: bash
|
||||
|
||||
# Step 8: Package macOS App (For Testing)
|
||||
- name: Package macOS App (Test Only)
|
||||
run: |
|
||||
echo "📦 Packaging ad-hoc signed app bundle for testing..."
|
||||
|
||||
# Create zip package with clear test indication
|
||||
ZIP_FILE="PackagedReleases/LuckyWorld-macOS-TEST-ONLY.zip"
|
||||
(cd "$(dirname "$APP_PATH")" && zip -r "${WORKSPACE_DIR}/$ZIP_FILE" "$(basename "$APP_PATH")")
|
||||
|
||||
echo "✅ Created test package: $ZIP_FILE"
|
||||
echo "⚠️ NOTE: This package is signed with ad-hoc identity for TESTING ONLY"
|
||||
echo "⚠️ It will NOT pass Gatekeeper on macOS and is NOT suitable for distribution"
|
||||
|
||||
# Create README file to accompany the zip
|
||||
cat > "PackagedReleases/README-TEST-BUILD.txt" << EOF
|
||||
# LuckyWorld macOS Test Build
|
||||
|
||||
This build is signed with an ad-hoc signature for TESTING PURPOSES ONLY.
|
||||
|
||||
IMPORTANT:
|
||||
- This app will NOT pass Gatekeeper on macOS
|
||||
- It is NOT suitable for distribution to users
|
||||
- Use the production signing script for creating distributable builds
|
||||
|
||||
For production builds, follow the instructions in code_signing_requirements.md
|
||||
EOF
|
||||
|
||||
echo "✅ Created README for test build"
|
||||
shell: bash
|
||||
|
||||
# Step 9: Upload test artifact
|
||||
- name: Upload Test Build Artifact
|
||||
uses: actions/upload-artifact@v3
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user