diff --git a/.gitea/workflows/test-local-signing.yml b/.gitea/workflows/test-local-signing.yml
index 05015389..4356d7bd 100644
--- a/.gitea/workflows/test-local-signing.yml
+++ b/.gitea/workflows/test-local-signing.yml
@@ -105,13 +105,17 @@ jobs:
 # Decode the certificate to a p12 file
 echo "$CERTIFICATE_BASE64" | base64 --decode > "$CERT_DIR/certificate.p12"
- # Check certificate format
+ # Check certificate format and details
 echo "📑 Certificate format check:"
 file "$CERT_DIR/certificate.p12"
+ # Try to get certificate info with openssl
+ echo "📑 Certificate info with OpenSSL:"
+ openssl pkcs12 -info -in "$CERT_DIR/certificate.p12" -nokeys -passin pass:"$CERTIFICATE_PASSWORD" || echo "Failed to read certificate with OpenSSL"
+
 # Create keychain
 KEYCHAIN_PATH="$CERT_DIR/app-signing.keychain-db"
- KEYCHAIN_PASSWORD="$(openssl rand -base64 12)"
+ KEYCHAIN_PASSWORD="temppassword123"
 # Delete existing keychain if it exists
 security delete-keychain "$KEYCHAIN_PATH" 2>/dev/null || true
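Review bot: `KEYCHAIN_PASSWORD="temppassword123"` replaces a per-run random password with a fixed, repository-visible one for the keychain that receives the imported Developer ID signing key; the same value is later echoed into `$GITHUB_ENV`, and nothing visible in this diff removes the `.keychain-db` under `$HOME/certificates` afterwards (only the next run's `delete-keychain` does), so on a persistent or self-hosted runner the key would sit on disk behind a known password. No step shown needs the value to be predictable — they read it from the environment — so keep `KEYCHAIN_PASSWORD="$(openssl rand -base64 12)"`. The new `openssl pkcs12 -info` call also passes the secret as `-passin pass:"$CERTIFICATE_PASSWORD"`, which exposes it on the process command line to anything else on the runner; `-passin env:CERTIFICATE_PASSWORD` reads it from the environment instead. The surrounding `run:` block begins before this hunk.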
@@ -125,47 +129,123 @@ jobs:
 security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | tr -d '"')
 security default-keychain -s "$KEYCHAIN_PATH"
- # Import certificate
- echo "🔑 Importing developer certificate..."
+ # Try multiple import approaches
+ echo "🔑 Importing developer certificate - attempt 1 (standard)..."
 security import "$CERT_DIR/certificate.p12" -k "$KEYCHAIN_PATH" -P "$CERTIFICATE_PASSWORD" -T /usr/bin/codesign
+ echo "🔑 Importing developer certificate - attempt 2 (with flags)..."
+ security import "$CERT_DIR/certificate.p12" -k "$KEYCHAIN_PATH" -P "$CERTIFICATE_PASSWORD" -T /usr/bin/codesign -x -A
+
+ echo "🔑 Importing developer certificate - attempt 3 (with format)..."
+ security import "$CERT_DIR/certificate.p12" -k "$KEYCHAIN_PATH" -P "$CERTIFICATE_PASSWORD" -T /usr/bin/codesign -f pkcs12
+
 # Set partition list for codesign to access keychain
 security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+ # Check all certificates in keychain
+ echo "🔍 Listing all certificates in keychain..."
+ security find-certificate -a "$KEYCHAIN_PATH"
+
 # Verify certificate
- echo "🔍 Verifying certificate..."
+ echo "🔍 Verifying code signing identities..."
 security find-identity -v -p codesigning "$KEYCHAIN_PATH"
+ # Alternative check for identities
+ echo "🔍 Listing identities with code signing usage..."
+ security find-certificate -a -c "Developer ID Application" -p "$KEYCHAIN_PATH" | grep -q "Code Signing" && echo "✅ Certificate has code signing usage" || echo "❌ Certificate does NOT have code signing usage"
+
+ # Try to use the System keychain as a fallback
+ echo "🔍 Checking system keychain for code signing identities..."
+ SYSTEM_IDENTITIES=$(security find-identity -v -p codesigning)
+ echo "$SYSTEM_IDENTITIES"
+
+ if echo "$SYSTEM_IDENTITIES" | grep -q "Developer ID Application"; then
+ echo "✅ Found Developer ID Application certificate in system keychain"
+ echo "USE_SYSTEM_CERT=true" >> "$GITHUB_ENV"
+ else
+ echo "❌ No Developer ID Application certificate found in system keychain"
+ echo "USE_SYSTEM_CERT=false" >> "$GITHUB_ENV"
+ fi
+
 # Store keychain variables for later steps
 echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV"
 echo "KEYCHAIN_PASSWORD=$KEYCHAIN_PASSWORD" >> "$GITHUB_ENV"
 echo "APPLE_TEAM_ID=$APPLE_TEAM_ID" >> "$GITHUB_ENV"
- # Cleanup
- rm -f "$CERT_DIR/certificate.p12"
+ # Debug: keep p12 file for inspection
+ echo "💾 Keeping certificate.p12 for debugging"
+ shell: bash
+
+ - name: Debug Certificate Content
+ if: always()
+ env:
+ CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
+ run: |
+ echo "🔎 Debugging certificate content..."
+ CERT_DIR="$HOME/certificates"
+
+ # Check if p12 file exists
+ if [ ! -f "$CERT_DIR/certificate.p12" ]; then
+ echo "❌ Certificate file not found"
+ exit 0
+ fi
+
+ # Try with OpenSSL to extract certificate info
+ echo "Attempting to extract certificate info..."
+ openssl pkcs12 -in "$CERT_DIR/certificate.p12" -info -nokeys -passin pass:"$CERTIFICATE_PASSWORD" > cert_info.txt || echo "Failed to extract info"
+
+ # Check certificate contents
+ echo "Certificate subject information:"
+ grep "subject" cert_info.txt || echo "No subject information found"
+
+ echo "Certificate issuer information:"
+ grep "issuer" cert_info.txt || echo "No issuer information found"
+
+ # Check if it's a Developer ID certificate
+ if grep -q "Developer ID" cert_info.txt; then
+ echo "✅ This appears to be a Developer ID certificate"
+ else
+ echo "❌ This does NOT appear to be a Developer ID certificate"
+ fi
+
+ # Check if it has a private key
+ echo "Checking for private key..."
+ if openssl pkcs12 -in "$CERT_DIR/certificate.p12" -nocerts -passin pass:"$CERTIFICATE_PASSWORD" -passout pass:temp 2>/dev/null; then
+ echo "✅ Certificate contains a private key"
+ else
+ echo "❌ Certificate does NOT contain a private key or wrong password"
+ fi
 shell: bash
 - name: Sign with Developer ID
 run: |
 echo "🔏 Signing app with Developer ID certificate..."
- # Make sure keychain is unlocked
- security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
-
- # Get the Developer ID Application identity
- IDENTITY=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep "Developer ID Application" | head -1 | awk -F '"' '{print $2}')
-
- if [ -z "$IDENTITY" ]; then
- echo "❌ Error: No valid Developer ID Application identity found"
- echo "Please check if your certificate is valid and properly imported"
- exit 1
+ # Decide which keychain to use
+ if [ "${USE_SYSTEM_CERT:-false}" = "true" ]; then
+ echo "Using system keychain identity"
+ IDENTITY=$(security find-identity -v -p codesigning | grep "Developer ID Application" | head -1 | awk -F '"' '{print $2}')
+ else
+ # Make sure keychain is unlocked
+ security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+ echo "Using custom keychain identity"
+ IDENTITY=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep "Developer ID Application" | head -1 | awk -F '"' '{print $2}')
 fi
- echo "Using identity: $IDENTITY"
-
- # Sign the app bundle
- echo "Signing app bundle..."
- codesign --force --deep --verbose --options runtime --entitlements LuckyWorld.entitlements --sign "$IDENTITY" --timestamp "$APP_PATH"
+ if [ -z "$IDENTITY" ]; then
+ echo "❌ No valid Developer ID Application certificate found"
+ echo "Falling back to ad-hoc signing for testing..."
+ # Use ad-hoc identity as fallback
+ codesign --force --deep --verbose --options runtime --entitlements LuckyWorld.entitlements --sign - --timestamp "$APP_PATH"
+ echo "SIGNED=adhoc" >> "$GITHUB_ENV"
+ else
+ echo "Using identity: $IDENTITY"
+
+ # Sign the app bundle
+ echo "Signing app bundle with Developer ID..."
+ codesign --force --deep --verbose --options runtime --entitlements LuckyWorld.entitlements --sign "$IDENTITY" --timestamp "$APP_PATH"
+ echo "SIGNED=identity" >> "$GITHUB_ENV"
+ fi
 # Verify signing
 echo "🔍 Verifying signature..."
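Review bot: The private-key check in the new "Debug Certificate Content" step writes the signing key itself into the job log: `openssl pkcs12 -nocerts` emits the PEM-encoded private key on stdout, only stderr is redirected to `/dev/null`, and the key is wrapped with the fixed passphrase `temp`, so anyone who can read this run's log (and the step runs `if: always()`) can recover the Developer ID key. Consume the output instead of logging it, e.g. `if openssl pkcs12 -in "$CERT_DIR/certificate.p12" -nocerts -passin env:CERTIFICATE_PASSWORD -passout pass:temp 2>/dev/null | grep -q 'PRIVATE KEY'; then`, which also takes the secret off the process command line. Two smaller points in the same hunk: the `--sign -` fallback turns what was a hard failure (`exit 1`) into a green step that leaves an ad-hoc-signed bundle behind, so unless this workflow is purely diagnostic a later step should fail when `SIGNED=adhoc`; and the `USE_SYSTEM_CERT` path takes the first "Developer ID Application" identity anywhere in the keychain search list with `head -1`, which on a shared self-hosted runner may be another team's certificate — filtering on `$APPLE_TEAM_ID` as well would pin it. The certificate-import step's `run:` block begins before this hunk.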