From 171fb0a35e5ec685b36afaac3d3c4bf1dbc582d5 Mon Sep 17 00:00:00 2001 From: Ozgur Ersoy Date: Mon, 14 Apr 2025 14:31:33 +0200 Subject: [PATCH] fix(workflows): enhance local signing workflow with detailed certificate setup, app signing, and notarization steps --- .gitea/workflows/test-local-signing.yml | 78 +++++++++++++++++++++---- 1 file changed, 66 insertions(+), 12 deletions(-) diff --git a/.gitea/workflows/test-local-signing.yml b/.gitea/workflows/test-local-signing.yml index 46840e11..020d5686 100644 --- a/.gitea/workflows/test-local-signing.yml +++ b/.gitea/workflows/test-local-signing.yml 
@@ -88,22 +88,76 @@ jobs: ls -la "$TEST_APP_DIR" shell: bash - - name: Sign and Notarize App - uses: lando/code-sign-action@v3 - with: - file: TestApp.app - certificate-data: ${{ secrets.MACOS_CERTIFICATE }} - certificate-password: ${{ secrets.MACOS_CERTIFICATE_PWD }} - apple-team-id: ${{ secrets.APPLE_TEAM_ID }} - apple-notary-user: ${{ secrets.APPLE_NOTARY_USER }} - apple-notary-password: ${{ secrets.APPLE_NOTARY_PASSWORD }} - apple-product-id: com.luckyworld.testapp - options: --options runtime --entitlements LuckyWorld.entitlements + - name: Setup Certificate + run: | + echo "๐Ÿ” Setting up certificate..." + + # Create keychain + KEYCHAIN_PATH="$RUNNER_TEMP/app-signing.keychain-db" + KEYCHAIN_PASSWORD="$(openssl rand -base64 12)" + + security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" + security set-keychain-settings -t 3600 -l "$KEYCHAIN_PATH" + security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" + security list-keychains -s "$KEYCHAIN_PATH" $(security list-keychains | xargs) + + # Import certificate + echo "${{ secrets.MACOS_CERTIFICATE }}" | base64 --decode > certificate.p12 + security import certificate.p12 -k "$KEYCHAIN_PATH" -P "${{ secrets.MACOS_CERTIFICATE_PWD }}" -T /usr/bin/codesign + + # Set keychain as default + security default-keychain -s "$KEYCHAIN_PATH" + + # Verify certificate + echo "๐Ÿ” Verifying certificate..." + security find-identity -v -p codesigning "$KEYCHAIN_PATH" + + # Cleanup + rm -f certificate.p12 + shell: bash + + - name: Sign App Bundle + run: | + echo "๐Ÿ” Signing app bundle..." + + # Sign the app bundle + codesign --force --options runtime --entitlements LuckyWorld.entitlements --sign "Developer ID Application" --timestamp TestApp.app + + # Verify signing + echo "๐Ÿ” Verifying signature..." + codesign -vvv --deep --strict TestApp.app + + # Check entitlements + echo "๐Ÿ” Checking entitlements..." 
+ codesign -d --entitlements - TestApp.app + shell: bash + + - name: Notarize App + run: | + echo "๐Ÿ“ค Notarizing app..." + + # Create zip for notarization + ditto -c -k --keepParent TestApp.app TestApp.zip + + # Submit for notarization + xcrun notarytool submit TestApp.zip \ + --apple-id "${{ secrets.APPLE_NOTARY_USER }}" \ + --password "${{ secrets.APPLE_NOTARY_PASSWORD }}" \ + --team-id "${{ secrets.APPLE_TEAM_ID }}" \ + --wait + + # Staple the notarization ticket + xcrun stapler staple TestApp.app + + # Verify notarization + spctl --assess --verbose --type exec TestApp.app + shell: bash - name: Cleanup if: always() run: | echo "๐Ÿงน Cleaning up..." - rm -rf TestApp.app || true + rm -rf TestApp.app TestApp.zip || true + security delete-keychain "$KEYCHAIN_PATH" || true echo "โœ… Cleanup complete" shell: bash \ No newline at end of file
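Review bot: The Cleanup step's new `security delete-keychain "$KEYCHAIN_PATH" || true` never removes the keychain, because `KEYCHAIN_PATH` is a shell variable local to the Setup Certificate step and is empty in this separate step, so the failure is swallowed by `|| true` and the keychain holding the imported signing identity (also made the default keychain by `security default-keychain -s`) survives the job on the runner. Export it from the setup step with `echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV"` right after it is assigned, and have Cleanup also restore the default keychain recorded before `security default-keychain -s` was run so a self-hosted runner is not left pointing at the test keychain. The `${{ secrets.* }}` expansions inside the `run:` scripts (certificate data, certificate password, notary credentials) are substituted into the script text before bash executes it; passing them through a step-level `env:` block and referencing `"$MACOS_CERTIFICATE_PWD"` etc. keeps the values out of the rendered script and out of any template-injection path. After `security import`, the key normally also needs `security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"` or the Sign App Bundle step may stall or fail on a non-interactive runner — confirm against the runner's macOS version. The enclosing job and its earlier steps begin outside the hunk.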