diff --git a/.gitea/workflows/test-local-signing.yml b/.gitea/workflows/test-local-signing.yml
index 3012f2bb..c41f69d1 100644
--- a/.gitea/workflows/test-local-signing.yml
+++ b/.gitea/workflows/test-local-signing.yml
@@ -103,17 +103,32 @@ jobs:
 # Download and import Apple root certificates
 echo "📥 Downloading Apple root certificates..."
- curl -O https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer
- curl -O https://www.apple.com/certificateauthority/DeveloperIDG2.cer
+ curl -o AppleWWDRCAG3.cer https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer
+ curl -o DeveloperIDG2.cer https://www.apple.com/certificateauthority/DeveloperIDG2.cer
- # Import Apple root certificates
+ # Check certificate formats
+ echo "🔍 Checking certificate formats..."
+ file AppleWWDRCAG3.cer
+ file DeveloperIDG2.cer
+
+ # Import Apple WWDRCA certificate
+ echo "🔑 Importing Apple WWDRCA certificate..."
 security import AppleWWDRCAG3.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign
+
+ # Import Developer ID certificate - try with explicit format
+ echo "🔑 Importing Developer ID certificate..."
+ security import DeveloperIDG2.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -f pkcs7 || \
+ security import DeveloperIDG2.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -f openssl || \
 security import DeveloperIDG2.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign
 # Import developer certificate
+ echo "🔑 Importing developer p12 certificate..."
 echo "${{ secrets.MACOS_CERTIFICATE }}" | base64 --decode > certificate.p12
 security import certificate.p12 -k "$KEYCHAIN_PATH" -P "${{ secrets.MACOS_CERTIFICATE_PWD }}" -T /usr/bin/codesign
+ # Set partition list to allow codesign to access keychain without password
+ security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+
 # Set keychain as default
 security default-keychain -s "$KEYCHAIN_PATH"
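Review bot: The two `curl -o` downloads still exit 0 on an HTTP error response, so an error page can be saved as `AppleWWDRCAG3.cer` or `DeveloperIDG2.cer`, and the added `file` lines only print the detected type without stopping the step. Use `curl -fsSL -o AppleWWDRCAG3.cer https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer` (and the same for `DeveloperIDG2.cer`) so a bad download fails before anything is imported into the keychain, and consider comparing each file's SHA-256 against a fingerprint pinned in the workflow. The `-f pkcs7 || ... -f openssl || ...` fallback chain also leaves it unclear from the log which format was accepted; once `file` has shown the real type, a single `security import` with that one format is easier to audit. The run block starts and ends outside the hunk, so whether `certificate.p12` is removed after the import is not visible here.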