From 4400b47873ec04b88a9f993431c246eb503d307d Mon Sep 17 00:00:00 2001
From: Ozgur Ersoy
Date: Sun, 13 Apr 2025 16:08:47 +0200
Subject: [PATCH] fix(workflows): enhance macOS signing workflow with keychain management and cleanup steps
---
.gitea/workflows/test-signing.yml | 132 +++++++++++++++++++-----------
1 file changed, 84 insertions(+), 48 deletions(-)
diff --git a/.gitea/workflows/test-signing.yml b/.gitea/workflows/test-signing.yml
index 8c20e2fe..6fb3f1d8 100644
--- a/.gitea/workflows/test-signing.yml
+++ b/.gitea/workflows/test-signing.yml
@@ -35,9 +35,6 @@ jobs: echo "Created entitlements file:" cat LuckyRobots.entitlements - - # Move entitlements to home directory to ensure consistent access - cp LuckyRobots.entitlements ~/LuckyRobots.entitlements shell: bash - name: Download and Extract Artifact 
@@ -113,61 +110,87 @@ jobs: fi echo "Found app bundle at: $APP_PATH" - # Make a local copy to ensure access - LOCAL_APP="$WORKSPACE_DIR/LuckyWorld.app" - echo "Creating accessible copy at: $LOCAL_APP" - - # Remove if exists - rm -rf "$LOCAL_APP" - cp -R "$APP_PATH" "$LOCAL_APP" - - echo "app_path=$LOCAL_APP" >> $GITHUB_OUTPUT - shell: bash - - - name: Validate App Path - id: validate-app - run: | - APP_PATH="${{ steps.extract-artifact.outputs.app_path }}" - - echo "Validating path: $APP_PATH" - - if [ ! -d "$APP_PATH" ]; then - echo "Error: Application path does not exist: $APP_PATH" - exit 1 - fi - - # Ensure the path is absolute - if [[ "$APP_PATH" != /* ]]; then - APP_PATH="$(pwd)/$APP_PATH" - echo "Converted to absolute path: $APP_PATH" - fi - - echo "Will sign and notarize: $APP_PATH" - echo "Contents of app bundle:" - ls -la "$APP_PATH" echo "app_path=$APP_PATH" >> $GITHUB_OUTPUT shell: bash + - name: Setup for Signing + id: setup-signing + env: + APPLE_CERTIFICATE_BASE64: ${{ secrets.MACOS_CERTIFICATE }} + APPLE_CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }} + run: | + # Decode the base64 certificate + echo "$APPLE_CERTIFICATE_BASE64" | base64 --decode > certificate.p12 + + # Create keychain and import certificate + KEYCHAIN_PATH="signing-keychain.keychain-db" + KEYCHAIN_PASSWORD="temporary" + + # Create custom keychain + security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" + security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH" + security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" + + # Download Apple root certificates + echo "Downloading Apple Developer certificates..." 
+ curl -s -o AppleWWDRCAG3.cer https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer + curl -s -o DeveloperIDG2.cer https://www.apple.com/certificateauthority/DeveloperIDG2.cer + + # Import all certificates to our custom keychain + security import AppleWWDRCAG3.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -f der -A + security import DeveloperIDG2.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -f der -A + security import certificate.p12 -P "$APPLE_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH" + + # Set keychain for signing + security list-keychain -d user -s "$KEYCHAIN_PATH" + security default-keychain -s "$KEYCHAIN_PATH" + + # Always trust our certificates + security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" + + # Setup API key + echo "${{ secrets.NOTARY_API_KEY_PATH }}" | base64 --decode > api_key.p8 + echo "keychain_path=$KEYCHAIN_PATH" >> $GITHUB_OUTPUT + echo "keychain_password=$KEYCHAIN_PASSWORD" >> $GITHUB_OUTPUT + echo "api_key_path=$(pwd)/api_key.p8" >> $GITHUB_OUTPUT + shell: bash + - name: Sign macOS App - uses: lando/code-sign-action@v3 id: sign-app - with: - file: ${{ steps.validate-app.outputs.app_path }} - certificate-data: ${{ secrets.MACOS_CERTIFICATE }} - certificate-password: ${{ secrets.MACOS_CERTIFICATE_PWD }} - apple-team-id: "${{ secrets.APPLE_TEAM_ID }}" - options: --force --options runtime --deep --timestamp --entitlements ~/LuckyRobots.entitlements + env: + APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} + run: | + APP_PATH="${{ steps.extract-artifact.outputs.app_path }}" + + echo "Signing app bundle: $APP_PATH" + + # First, handle problematic libraries separately + find "$APP_PATH" -name "*.dylib" | while read DYLIB; do + echo "Signing library: $DYLIB" + codesign --force --options runtime --timestamp --sign "Developer ID Application: $APPLE_TEAM_ID" "$DYLIB" + done + + # Now sign the application itself + echo "Signing main application bundle..." 
+ /usr/bin/codesign --force --options runtime --deep --timestamp --sign "Developer ID Application: $APPLE_TEAM_ID" --entitlements ./LuckyRobots.entitlements "$APP_PATH" + + # Verify signature + echo "Verifying signature..." + codesign --verify --verbose "$APP_PATH" + + echo "App signing completed successfully" + echo "app_path=$APP_PATH" >> $GITHUB_OUTPUT + shell: bash - name: Notarize macOS App run: | # Create a temporary file for notarization - APP_PATH="${{ steps.validate-app.outputs.app_path }}" + APP_PATH="${{ steps.sign-app.outputs.app_path }}" NOTARIZE_APP_PATH="./LuckyRobots-notarize.zip" ditto -c -k --keepParent "$APP_PATH" "$NOTARIZE_APP_PATH" - # Set up API key - API_KEY_PATH="$(pwd)/api_key.p8" - echo "${{ secrets.NOTARY_API_KEY_PATH }}" | base64 --decode > "$API_KEY_PATH" + # Get API key path from previous step + API_KEY_PATH="${{ steps.setup-signing.outputs.api_key_path }}" # Submit for notarization using API key echo "Submitting for notarization with API key..." @@ -184,7 +207,7 @@ jobs: - name: Package macOS App run: | # Package the signed and notarized app - APP_PATH="${{ steps.validate-app.outputs.app_path }}" + APP_PATH="${{ steps.sign-app.outputs.app_path }}" APP_NAME=$(basename "$APP_PATH") WORKSPACE_DIR="$(pwd)" OUTPUT_DIR="$WORKSPACE_DIR/TestSignedApps" @@ -206,4 +229,17 @@ jobs: with: name: TestSigned-macOS-App path: TestSignedApps/Test-*.zip - retention-days: 7 \ No newline at end of file + retention-days: 7 + + - name: Cleanup + if: always() + run: | + # Clean up keychain + KEYCHAIN_PATH="${{ steps.setup-signing.outputs.keychain_path }}" + if [ -n "$KEYCHAIN_PATH" ]; then + security delete-keychain "$KEYCHAIN_PATH" || true + fi + + # Clean up temp files + rm -f certificate.p12 AppleWWDRCAG3.cer DeveloperIDG2.cer || true + shell: bash \ No newline at end of file
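Review bot: In the new Setup for Signing step the notary key is expanded directly into the script text as `echo "${{ secrets.NOTARY_API_KEY_PATH }}" | base64 --decode > api_key.p8`, while the certificate and its password in the same step are passed through `env:`; the expression is substituted before bash parses the script, so it should use the same pattern, e.g. `NOTARY_API_KEY_BASE64: ${{ secrets.NOTARY_API_KEY_PATH }}` under `env:` and `echo "$NOTARY_API_KEY_BASE64" | base64 --decode > api_key.p8`. The two `curl -s -o ... .cer` downloads have no `-f`, so an HTTP error page would be written into the `.cer` file and only surface later as a failing `security import`; `curl -sSf` makes the download itself fail the step. `security import certificate.p12 ... -A` grants every application access to the signing key, where `-T /usr/bin/codesign`, as already used for the two intermediates, is the narrower choice. In the Sign macOS App step the identity `"Developer ID Application: $APPLE_TEAM_ID"` only resolves if that secret holds text that appears in the certificate's common name; if it is the bare team identifier, codesign will likely not find the identity, so this is worth confirming against the imported certificate. The dylib loop should read `find "$APP_PATH" -name "*.dylib" | while IFS= read -r DYLIB; do` so backslashes and surrounding whitespace in paths are not altered before `codesign` sees them.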
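Review bot: The Cleanup step removes `certificate.p12` and the two `.cer` files but not `api_key.p8`, which the Setup for Signing step writes to the workspace as the notarization private key; the line should read `rm -f certificate.p12 api_key.p8 AppleWWDRCAG3.cer DeveloperIDG2.cer || true`. Deleting the keychain also does not undo the `security default-keychain -s` and `security list-keychain -d user -s` calls in the setup step, which replaced the runner user's default keychain and search list with the temporary one, so on a persistent runner the default keychain is left pointing at a deleted file after this step. Either reset them here (for example `security list-keychain -d user -s login.keychain-db` and `security default-keychain -s login.keychain-db`) or have the setup step prepend the temporary keychain to the existing search list rather than replacing it.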