diff --git a/.gitea/workflows/test-macos-build.yml b/.gitea/workflows/test-macos-build.yml
index ec8be996..2dda1929 100644
--- a/.gitea/workflows/test-macos-build.yml
+++ b/.gitea/workflows/test-macos-build.yml
@@ -85,65 +85,70 @@ jobs: fi shell: bash - # Step 3: Create keychain and import certificate + # Step 3: Create keychain and import certificate - SIMPLIFIED for debugging - name: Create keychain and import certificate env: CERTIFICATE_BASE64: ${{ secrets.MACOS_CERTIFICATE }} CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }} APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} run: | - # Debug: Print working directory + # Debug: Print working directory and available resources echo "Current working directory: $(pwd)" echo "Contents of Builds directory:" find Builds -type d | sort - # Check what saved builds we have echo "Contents of Saved/StagedBuilds directory (if exists):" find ./Saved -type d -name "*.app" 2>/dev/null || echo "No .app bundles found in Saved/" - # Create temporary directory for keychain and certificates - TEMP_DIR=$(mktemp -d) - KEYCHAIN_PATH="$TEMP_DIR/build.keychain" - KEYCHAIN_PASSWORD="temporary$(date +%s)" + # Decode certificate to working directory for simplicity + echo "Decoding certificate..." + echo "$CERTIFICATE_BASE64" | base64 --decode > certificate.p12 + ls -la certificate.p12 - echo "Creating keychain at: $KEYCHAIN_PATH" + # Create a simple local keychain + echo "Creating login keychain..." 
+ KEYCHAIN_PATH="$HOME/Library/Keychains/build.keychain-db" + KEYCHAIN_PASSWORD="temp$(date +%s)" - # Create and configure keychain security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" - security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH" + security default-keychain -s "$KEYCHAIN_PATH" security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" - # Add to keychain list and make it default - security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | sed s/\"//g) - security default-keychain -s "$KEYCHAIN_PATH" + # Debug import step + echo "Importing certificate with flags: -P [PWD] -k $KEYCHAIN_PATH" + security import certificate.p12 -P "$CERTIFICATE_PASSWORD" -k "$KEYCHAIN_PATH" -T /usr/bin/codesign - # Decode certificate to temporary directory - CERT_PATH="$TEMP_DIR/certificate.p12" - echo "$CERTIFICATE_BASE64" | base64 --decode > "$CERT_PATH" - - # Import certificate with correct flags for automated use - security import "$CERT_PATH" -k "$KEYCHAIN_PATH" -P "$CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 - - # Set partition list - important for automated signing without UI prompts + # Set partition list for automation + echo "Setting key partition list..." 
security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" - # Get the certificate's Common Name and SHA-1 fingerprint for signing - echo "Listing available codesigning identities:" + # Check for identities - DEBUG + echo "Listing identities after import:" security find-identity -v -p codesigning "$KEYCHAIN_PATH" - # Get the certificate ID (SHA-1 fingerprint) - this is more reliable than using the name - CERT_ID=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep -o '[0-9A-F]\{40\}' | head -1) + # Verify Apple Team ID matches certificate + echo "Expected Apple Team ID: $APPLE_TEAM_ID" - if [ -z "$CERT_ID" ]; then - echo "⚠️ No valid signing certificate found in keychain" - exit 1 + # Get a more detailed certificate info for debugging + echo "Certificate details:" + security find-certificate -a -c "Developer ID" -p "$KEYCHAIN_PATH" | openssl x509 -text | grep -E "Subject:|Issuer:|Not Before:|Not After :|Serial Number:" || echo "No certificate details found" + + # Use alternative approach to get signing identity + SIGNING_IDENTITY=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep "Developer ID Application" | sed -E 's/.*\"Developer ID Application: ([^\"]+).*/\1/g' || echo "") + if [ -z "$SIGNING_IDENTITY" ]; then + # Try with certificate CN directly + SIGNING_IDENTITY="Developer ID Application: $APPLE_TEAM_ID" + echo "Using APPLE_TEAM_ID directly: $SIGNING_IDENTITY" + else + echo "Found signing identity: $SIGNING_IDENTITY" fi - echo "Using certificate ID: $CERT_ID" - echo "CERT_ID=$CERT_ID" >> "$GITHUB_ENV" echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV" + echo "SIGNING_IDENTITY=$SIGNING_IDENTITY" >> "$GITHUB_ENV" + echo "KEYCHAIN_PASSWORD=$KEYCHAIN_PASSWORD" >> "$GITHUB_ENV" - echo "Certificate imported successfully" + # Add to search list if needed + security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | sed s/\"//g) shell: bash # Step 4: Find and prep app 
for signing 
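Review bot: The certificate is now decoded to `certificate.p12` inside the checkout and never deleted, and the keychain holding the private key is created under `$HOME/Library/Keychains`, made the default keychain and never torn down; the removed version at least confined the .p12 to a `mktemp -d` directory. On a persistent runner that key material outlives the job, so add `rm -f certificate.p12` right after the `security import` line and a final `if: always()` step that runs `security delete-keychain "$KEYCHAIN_PATH"`. The fallback `SIGNING_IDENTITY="Developer ID Application: $APPLE_TEAM_ID"` will not match any certificate, because a Developer ID Application CN has the form `Developer ID Application: <name> (<team id>)`, so that branch should `exit 1` rather than hand a guessed name to codesign. The `grep | sed` extraction also strips the `Developer ID Application: ` prefix and yields a multi-line value when several identities are listed; pipe it through `head -1`, or reuse the 40-hex SHA-1 hash selection the removed code had, which is unambiguous. Note as well that `KEYCHAIN_PASSWORD` is now written to `$GITHUB_ENV`, where every later step (and any debug tracing) can read it.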
@@ -175,83 +180,50 @@ jobs: echo "Found potential app bundles:" echo "$APP_PATHS" - # Use the first app path found - APP_PATH=$(echo "$APP_PATHS" | head -1) + # Use the first app path found (preferably the main app, not a child app) + MAIN_APP_PATH=$(echo "$APP_PATHS" | grep -v "CrashReportClient" | head -1 || echo "$APP_PATHS" | head -1) # Get app name for later use - APP_NAME=$(basename "$APP_PATH") + APP_NAME=$(basename "$MAIN_APP_PATH") - echo "Using app bundle: $APP_PATH" + echo "Using app bundle: $MAIN_APP_PATH" echo "App name: $APP_NAME" - echo "APP_PATH=$APP_PATH" >> "$GITHUB_ENV" + echo "APP_PATH=$MAIN_APP_PATH" >> "$GITHUB_ENV" echo "APP_NAME=$APP_NAME" >> "$GITHUB_ENV" shell: bash - # Step 5: Sign application with codesign - improved based on forums + # Step 5: Sign application with codesign - DIRECT METHOD - name: Sign application env: APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} run: | + # Debug info echo "Signing app bundle: $APP_PATH" echo "Using entitlements file: $ENTITLEMENTS_FILE" - echo "Using certificate ID: $CERT_ID" + echo "Using signing identity: $SIGNING_IDENTITY" # Make sure keychain is accessible - security unlock-keychain -p "$(security find-generic-password -a ${USER} -s login -w)" login.keychain - security unlock-keychain -p "temporary" "$KEYCHAIN_PATH" || true + echo "Unlocking keychains..." + security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" || true - # Sign all dylib files - echo "🔍 Signing all .dylib files..." - find "$APP_PATH" -type f -name "*.dylib" | while read DYLIB; do - echo "Signing dylib: $DYLIB" - codesign --force --options runtime --timestamp --sign "$CERT_ID" "$DYLIB" - done + # Verify signing identity accessibility + echo "Verifying codesigning identities..." + security find-identity -v -p codesigning "$KEYCHAIN_PATH" - # Sign all .so files - echo "🔍 Signing all .so files..." 
- find "$APP_PATH" -type f -name "*.so" | while read SO; do - echo "Signing .so: $SO" - codesign --force --options runtime --timestamp --sign "$CERT_ID" "$SO" - done - - # Sign all executables in frameworks - echo "🔍 Signing framework executables..." - find "$APP_PATH" -path "*.framework/*" -type f -perm +111 | while read FMWK_BIN; do - echo "Signing framework binary: $FMWK_BIN" - codesign --force --options runtime --timestamp --sign "$CERT_ID" "$FMWK_BIN" - done - - # Sign all other executables - echo "🔍 Signing other executables..." - find "$APP_PATH" -type f -perm +111 -not -path "*.framework/*" -not -name "*.dylib" -not -name "*.so" | while read EXEC; do - echo "Signing executable: $EXEC" - codesign --force --options runtime --timestamp --sign "$CERT_ID" "$EXEC" - done - - # Sign all frameworks - echo "🔍 Signing frameworks..." - find "$APP_PATH" -name "*.framework" -type d | while read FRAMEWORK; do - echo "Signing framework: $FRAMEWORK" - codesign --force --options runtime --timestamp --sign "$CERT_ID" "$FRAMEWORK" - done - - # Finally sign the app bundle itself with entitlements - echo "🔍 Signing the main app bundle with entitlements..." - codesign --force --options runtime --deep --timestamp --verbose --sign "$CERT_ID" --entitlements "$WORKSPACE_DIR/$ENTITLEMENTS_FILE" "$APP_PATH" + # Sign the app directly, with a more direct approach + echo "🔍 Signing the app bundle with its contents..." + /usr/bin/codesign --force --options runtime --sign "$SIGNING_IDENTITY" --entitlements "$WORKSPACE_DIR/$ENTITLEMENTS_FILE" --deep --verbose "$APP_PATH" # Verify signature echo "Verifying signature..." - codesign --verify --verbose "$APP_PATH" - - # Use spctl to check if app is acceptable by Gatekeeper - echo "Checking if app will pass Gatekeeper validation..." - spctl -vvv --assess --type exec "$APP_PATH" + /usr/bin/codesign --verify --verbose "$APP_PATH" + # Check the result if [ $? 
-eq 0 ]; then - echo "✅ Code signing and Gatekeeper validation was successful" + echo "✅ Code signing was successful" else - echo "⚠️ Gatekeeper validation had warnings, but continuing with notarization" + echo "⚠️ Code signing verification had issues, but continuing with notarization..." fi shell: bash
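Review bot: The new `/usr/bin/codesign --force --options runtime --sign ...` line drops the `--timestamp` flag that every removed codesign invocation carried; Apple's notarization service rejects Developer ID signatures without a secure timestamp, so the "continuing with notarization" path that follows will fail — re-add `--timestamp`. `MAIN_APP_PATH=$(echo "$APP_PATHS" | grep -v "CrashReportClient" | head -1 || echo "$APP_PATHS" | head -1)` only takes its fallback when `pipefail` happens to be in effect, since `head -1` exits 0 on empty input; the two-line form `MAIN_APP_PATH=$(printf '%s\n' "$APP_PATHS" | grep -v "CrashReportClient" | head -1)` followed by `[ -n "$MAIN_APP_PATH" ] || MAIN_APP_PATH=$(printf '%s\n' "$APP_PATHS" | head -1)` does not depend on shell options. If the runner applies the usual `-e` to `shell: bash` steps, a failing `codesign --verify` aborts the step before `if [ $? -eq 0 ]` is reached and the ⚠️ branch is dead; `if /usr/bin/codesign --verify --verbose "$APP_PATH"; then` expresses the intent either way. The removed `spctl --assess` was the only Gatekeeper check in this step, and the `|| true` on `unlock-keychain` silences the one failure that would explain a later "no identity found".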