fix(workflows): simplify macOS build workflow with enhanced debugging and direct signing approach
This commit is contained in:
parent
c98b68281e
commit
515c4c34b5
@ -85,65 +85,70 @@ jobs:
|
||||
fi
|
||||
shell: bash
|
||||
|
||||
# Step 3: Create keychain and import certificate
|
||||
# Step 3: Create keychain and import certificate - SIMPLIFIED for debugging
|
||||
- name: Create keychain and import certificate
|
||||
env:
|
||||
CERTIFICATE_BASE64: ${{ secrets.MACOS_CERTIFICATE }}
|
||||
CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
|
||||
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
|
||||
run: |
|
||||
# Debug: Print working directory
|
||||
# Debug: Print working directory and available resources
|
||||
echo "Current working directory: $(pwd)"
|
||||
echo "Contents of Builds directory:"
|
||||
find Builds -type d | sort
|
||||
|
||||
# Check what saved builds we have
|
||||
echo "Contents of Saved/StagedBuilds directory (if exists):"
|
||||
find ./Saved -type d -name "*.app" 2>/dev/null || echo "No .app bundles found in Saved/"
|
||||
|
||||
# Create temporary directory for keychain and certificates
|
||||
TEMP_DIR=$(mktemp -d)
|
||||
KEYCHAIN_PATH="$TEMP_DIR/build.keychain"
|
||||
KEYCHAIN_PASSWORD="temporary$(date +%s)"
|
||||
# Decode certificate to working directory for simplicity
|
||||
echo "Decoding certificate..."
|
||||
echo "$CERTIFICATE_BASE64" | base64 --decode > certificate.p12
|
||||
ls -la certificate.p12
|
||||
|
||||
echo "Creating keychain at: $KEYCHAIN_PATH"
|
||||
# Create a simple local keychain
|
||||
echo "Creating login keychain..."
|
||||
KEYCHAIN_PATH="$HOME/Library/Keychains/build.keychain-db"
|
||||
KEYCHAIN_PASSWORD="temp$(date +%s)"
|
||||
|
||||
# Create and configure keychain
|
||||
security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
||||
security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
|
||||
security default-keychain -s "$KEYCHAIN_PATH"
|
||||
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
||||
|
||||
# Add to keychain list and make it default
|
||||
security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | sed s/\"//g)
|
||||
security default-keychain -s "$KEYCHAIN_PATH"
|
||||
# Debug import step
|
||||
echo "Importing certificate with flags: -P [PWD] -k $KEYCHAIN_PATH"
|
||||
security import certificate.p12 -P "$CERTIFICATE_PASSWORD" -k "$KEYCHAIN_PATH" -T /usr/bin/codesign
|
||||
|
||||
# Decode certificate to temporary directory
|
||||
CERT_PATH="$TEMP_DIR/certificate.p12"
|
||||
echo "$CERTIFICATE_BASE64" | base64 --decode > "$CERT_PATH"
|
||||
|
||||
# Import certificate with correct flags for automated use
|
||||
security import "$CERT_PATH" -k "$KEYCHAIN_PATH" -P "$CERTIFICATE_PASSWORD" -A -t cert -f pkcs12
|
||||
|
||||
# Set partition list - important for automated signing without UI prompts
|
||||
# Set partition list for automation
|
||||
echo "Setting key partition list..."
|
||||
security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
||||
|
||||
# Get the certificate's Common Name and SHA-1 fingerprint for signing
|
||||
echo "Listing available codesigning identities:"
|
||||
# Check for identities - DEBUG
|
||||
echo "Listing identities after import:"
|
||||
security find-identity -v -p codesigning "$KEYCHAIN_PATH"
|
||||
|
||||
# Get the certificate ID (SHA-1 fingerprint) - this is more reliable than using the name
|
||||
CERT_ID=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep -o '[0-9A-F]\{40\}' | head -1)
|
||||
# Verify Apple Team ID matches certificate
|
||||
echo "Expected Apple Team ID: $APPLE_TEAM_ID"
|
||||
|
||||
if [ -z "$CERT_ID" ]; then
|
||||
echo "⚠️ No valid signing certificate found in keychain"
|
||||
exit 1
|
||||
# Get a more detailed certificate info for debugging
|
||||
echo "Certificate details:"
|
||||
security find-certificate -a -c "Developer ID" -p "$KEYCHAIN_PATH" | openssl x509 -text | grep -E "Subject:|Issuer:|Not Before:|Not After :|Serial Number:" || echo "No certificate details found"
|
||||
|
||||
# Use alternative approach to get signing identity
|
||||
SIGNING_IDENTITY=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep "Developer ID Application" | sed -E 's/.*\"Developer ID Application: ([^\"]+).*/\1/g' || echo "")
|
||||
if [ -z "$SIGNING_IDENTITY" ]; then
|
||||
# Try with certificate CN directly
|
||||
SIGNING_IDENTITY="Developer ID Application: $APPLE_TEAM_ID"
|
||||
echo "Using APPLE_TEAM_ID directly: $SIGNING_IDENTITY"
|
||||
else
|
||||
echo "Found signing identity: $SIGNING_IDENTITY"
|
||||
fi
|
||||
|
||||
echo "Using certificate ID: $CERT_ID"
|
||||
echo "CERT_ID=$CERT_ID" >> "$GITHUB_ENV"
|
||||
echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV"
|
||||
echo "SIGNING_IDENTITY=$SIGNING_IDENTITY" >> "$GITHUB_ENV"
|
||||
echo "KEYCHAIN_PASSWORD=$KEYCHAIN_PASSWORD" >> "$GITHUB_ENV"
|
||||
|
||||
echo "Certificate imported successfully"
|
||||
# Add to search list if needed
|
||||
security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | sed s/\"//g)
|
||||
shell: bash
|
||||
|
||||
# Step 4: Find and prep app for signing
|
||||
@ -175,83 +180,50 @@ jobs:
|
||||
echo "Found potential app bundles:"
|
||||
echo "$APP_PATHS"
|
||||
|
||||
# Use the first app path found
|
||||
APP_PATH=$(echo "$APP_PATHS" | head -1)
|
||||
# Use the first app path found (preferably the main app, not a child app)
|
||||
MAIN_APP_PATH=$(echo "$APP_PATHS" | grep -v "CrashReportClient" | head -1 || echo "$APP_PATHS" | head -1)
|
||||
|
||||
# Get app name for later use
|
||||
APP_NAME=$(basename "$APP_PATH")
|
||||
APP_NAME=$(basename "$MAIN_APP_PATH")
|
||||
|
||||
echo "Using app bundle: $APP_PATH"
|
||||
echo "Using app bundle: $MAIN_APP_PATH"
|
||||
echo "App name: $APP_NAME"
|
||||
|
||||
echo "APP_PATH=$APP_PATH" >> "$GITHUB_ENV"
|
||||
echo "APP_PATH=$MAIN_APP_PATH" >> "$GITHUB_ENV"
|
||||
echo "APP_NAME=$APP_NAME" >> "$GITHUB_ENV"
|
||||
shell: bash
|
||||
|
||||
# Step 5: Sign application with codesign - improved based on forums
|
||||
# Step 5: Sign application with codesign - DIRECT METHOD
|
||||
- name: Sign application
|
||||
env:
|
||||
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
|
||||
run: |
|
||||
# Debug info
|
||||
echo "Signing app bundle: $APP_PATH"
|
||||
echo "Using entitlements file: $ENTITLEMENTS_FILE"
|
||||
echo "Using certificate ID: $CERT_ID"
|
||||
echo "Using signing identity: $SIGNING_IDENTITY"
|
||||
|
||||
# Make sure keychain is accessible
|
||||
security unlock-keychain -p "$(security find-generic-password -a ${USER} -s login -w)" login.keychain
|
||||
security unlock-keychain -p "temporary" "$KEYCHAIN_PATH" || true
|
||||
echo "Unlocking keychains..."
|
||||
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" || true
|
||||
|
||||
# Sign all dylib files
|
||||
echo "🔍 Signing all .dylib files..."
|
||||
find "$APP_PATH" -type f -name "*.dylib" | while read DYLIB; do
|
||||
echo "Signing dylib: $DYLIB"
|
||||
codesign --force --options runtime --timestamp --sign "$CERT_ID" "$DYLIB"
|
||||
done
|
||||
# Verify signing identity accessibility
|
||||
echo "Verifying codesigning identities..."
|
||||
security find-identity -v -p codesigning "$KEYCHAIN_PATH"
|
||||
|
||||
# Sign all .so files
|
||||
echo "🔍 Signing all .so files..."
|
||||
find "$APP_PATH" -type f -name "*.so" | while read SO; do
|
||||
echo "Signing .so: $SO"
|
||||
codesign --force --options runtime --timestamp --sign "$CERT_ID" "$SO"
|
||||
done
|
||||
|
||||
# Sign all executables in frameworks
|
||||
echo "🔍 Signing framework executables..."
|
||||
find "$APP_PATH" -path "*.framework/*" -type f -perm +111 | while read FMWK_BIN; do
|
||||
echo "Signing framework binary: $FMWK_BIN"
|
||||
codesign --force --options runtime --timestamp --sign "$CERT_ID" "$FMWK_BIN"
|
||||
done
|
||||
|
||||
# Sign all other executables
|
||||
echo "🔍 Signing other executables..."
|
||||
find "$APP_PATH" -type f -perm +111 -not -path "*.framework/*" -not -name "*.dylib" -not -name "*.so" | while read EXEC; do
|
||||
echo "Signing executable: $EXEC"
|
||||
codesign --force --options runtime --timestamp --sign "$CERT_ID" "$EXEC"
|
||||
done
|
||||
|
||||
# Sign all frameworks
|
||||
echo "🔍 Signing frameworks..."
|
||||
find "$APP_PATH" -name "*.framework" -type d | while read FRAMEWORK; do
|
||||
echo "Signing framework: $FRAMEWORK"
|
||||
codesign --force --options runtime --timestamp --sign "$CERT_ID" "$FRAMEWORK"
|
||||
done
|
||||
|
||||
# Finally sign the app bundle itself with entitlements
|
||||
echo "🔍 Signing the main app bundle with entitlements..."
|
||||
codesign --force --options runtime --deep --timestamp --verbose --sign "$CERT_ID" --entitlements "$WORKSPACE_DIR/$ENTITLEMENTS_FILE" "$APP_PATH"
|
||||
# Sign the app directly, with a more direct approach
|
||||
echo "🔍 Signing the app bundle with its contents..."
|
||||
/usr/bin/codesign --force --options runtime --sign "$SIGNING_IDENTITY" --entitlements "$WORKSPACE_DIR/$ENTITLEMENTS_FILE" --deep --verbose "$APP_PATH"
|
||||
|
||||
# Verify signature
|
||||
echo "Verifying signature..."
|
||||
codesign --verify --verbose "$APP_PATH"
|
||||
|
||||
# Use spctl to check if app is acceptable by Gatekeeper
|
||||
echo "Checking if app will pass Gatekeeper validation..."
|
||||
spctl -vvv --assess --type exec "$APP_PATH"
|
||||
/usr/bin/codesign --verify --verbose "$APP_PATH"
|
||||
|
||||
# Check the result
|
||||
if [ $? -eq 0 ]; then
|
||||
echo "✅ Code signing and Gatekeeper validation was successful"
|
||||
echo "✅ Code signing was successful"
|
||||
else
|
||||
echo "⚠️ Gatekeeper validation had warnings, but continuing with notarization"
|
||||
echo "⚠️ Code signing verification had issues, but continuing with notarization..."
|
||||
fi
|
||||
shell: bash
|
||||
|
||||
|
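Review bot: The new decode step in the first hunk writes the signing certificate into the checkout directory (`echo "$CERTIFICATE_BASE64" | base64 --decode > certificate.p12`, then `ls -la certificate.p12`) and nothing removes it, so the PKCS#12 bundle holding the private key stays in the workspace for every later step, including anything that archives or uploads `Builds`. The previous version kept it under a `mktemp -d` directory; at minimum add `rm -f -- certificate.p12` directly after the `security import certificate.p12 ...` line, and because the keychain now lives at `$HOME/Library/Keychains/build.keychain-db` instead of a temp dir, a final `if: always()` step running `security delete-keychain "$KEYCHAIN_PATH"` is needed so the key does not outlive the job if the runner is reused. The `KEYCHAIN_PASSWORD` exported to `$GITHUB_ENV` is `temp$(date +%s)`, which is guessable; it only protects this job's keychain, but a random value (e.g. from `openssl rand -hex 16`) costs nothing. Separately, the `if [ $? -eq 0 ]` after `/usr/bin/codesign --verify --verbose "$APP_PATH"` in the second hunk can never reach its else branch, because `shell: bash` in this runner is invoked with `-e` and a failing verify aborts the step first; either accept the abort and drop the branch, or write `if /usr/bin/codesign --verify --verbose "$APP_PATH"; then` so the "continuing with notarization" path is actually reachable.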