fix(workflows): enhance local signing workflow with detailed certificate setup, app signing, and notarization steps

2025-04-14 14:31:33 +02:00 · 2025-04-14 14:31:33 +02:00 · 171fb0a35e
commit 171fb0a35e
parent 3711f6db96
1 changed files with 66 additions and 12 deletions
--- a/.gitea/workflows/test-local-signing.yml
+++ b/.gitea/workflows/test-local-signing.yml
@ -88,22 +88,76 @@ jobs:
          ls -la "$TEST_APP_DIR"
        shell: bash
        
-      - name: Sign and Notarize App
-        uses: lando/code-sign-action@v3
-        with:
-          file: TestApp.app
-          certificate-data: ${{ secrets.MACOS_CERTIFICATE }}
-          certificate-password: ${{ secrets.MACOS_CERTIFICATE_PWD }}
-          apple-team-id: ${{ secrets.APPLE_TEAM_ID }}
-          apple-notary-user: ${{ secrets.APPLE_NOTARY_USER }}
-          apple-notary-password: ${{ secrets.APPLE_NOTARY_PASSWORD }}
-          apple-product-id: com.luckyworld.testapp
-          options: --options runtime --entitlements LuckyWorld.entitlements
+      - name: Setup Certificate
+        run: |
+          echo "🔐 Setting up certificate..."
+          
+          # Create keychain
+          KEYCHAIN_PATH="$RUNNER_TEMP/app-signing.keychain-db"
+          KEYCHAIN_PASSWORD="$(openssl rand -base64 12)"
+          
+          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+          security set-keychain-settings -t 3600 -l "$KEYCHAIN_PATH"
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+          security list-keychains -s "$KEYCHAIN_PATH" $(security list-keychains | xargs)
+          
+          # Import certificate
+          echo "${{ secrets.MACOS_CERTIFICATE }}" | base64 --decode > certificate.p12
+          security import certificate.p12 -k "$KEYCHAIN_PATH" -P "${{ secrets.MACOS_CERTIFICATE_PWD }}" -T /usr/bin/codesign
+          
+          # Set keychain as default
+          security default-keychain -s "$KEYCHAIN_PATH"
+          
+          # Verify certificate
+          echo "🔍 Verifying certificate..."
+          security find-identity -v -p codesigning "$KEYCHAIN_PATH"
+          
+          # Cleanup
+          rm -f certificate.p12
+        shell: bash
+        
+      - name: Sign App Bundle
+        run: |
+          echo "🔏 Signing app bundle..."
+          
+          # Sign the app bundle
+          codesign --force --options runtime --entitlements LuckyWorld.entitlements --sign "Developer ID Application" --timestamp TestApp.app
+          
+          # Verify signing
+          echo "🔍 Verifying signature..."
+          codesign -vvv --deep --strict TestApp.app
+          
+          # Check entitlements
+          echo "🔍 Checking entitlements..."
+          codesign -d --entitlements - TestApp.app
+        shell: bash
+        
+      - name: Notarize App
+        run: |
+          echo "📤 Notarizing app..."
+          
+          # Create zip for notarization
+          ditto -c -k --keepParent TestApp.app TestApp.zip
+          
+          # Submit for notarization
+          xcrun notarytool submit TestApp.zip \
+            --apple-id "${{ secrets.APPLE_NOTARY_USER }}" \
+            --password "${{ secrets.APPLE_NOTARY_PASSWORD }}" \
+            --team-id "${{ secrets.APPLE_TEAM_ID }}" \
+            --wait
+          
+          # Staple the notarization ticket
+          xcrun stapler staple TestApp.app
+          
+          # Verify notarization
+          spctl --assess --verbose --type exec TestApp.app
+        shell: bash
        
      - name: Cleanup
        if: always()
        run: |
          echo "🧹 Cleaning up..."
-          rm -rf TestApp.app || true
+          rm -rf TestApp.app TestApp.zip || true
+          security delete-keychain "$KEYCHAIN_PATH" || true
          echo "✅ Cleanup complete"
        shell: bash