From 751105d1e2000be699b52ef5fb3f3017b8568898 Mon Sep 17 00:00:00 2001
From: Ozgur Ersoy
Date: Mon, 14 Apr 2025 15:48:44 +0200
Subject: [PATCH] fix(workflows): update local signing workflow to use certificate hash for improved identity handling and debugging
---
 .gitea/workflows/test-local-signing.yml | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/.gitea/workflows/test-local-signing.yml b/.gitea/workflows/test-local-signing.yml
index 4356d7bd..6fde664c 100644
--- a/.gitea/workflows/test-local-signing.yml
+++ b/.gitea/workflows/test-local-signing.yml
@@ -224,26 +224,29 @@ jobs:
 # Decide which keychain to use
 if [ "${USE_SYSTEM_CERT:-false}" = "true" ]; then
 echo "Using system keychain identity"
- IDENTITY=$(security find-identity -v -p codesigning | grep "Developer ID Application" | head -1 | awk -F '"' '{print $2}')
+ # Get certificate hash instead of name to avoid ambiguity
+ IDENTITY_HASH=$(security find-identity -v -p codesigning | grep "Developer ID Application" | head -1 | awk '{print $2}')
+ echo "Using certificate hash: $IDENTITY_HASH"
 else
 # Make sure keychain is unlocked
 security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
 echo "Using custom keychain identity"
- IDENTITY=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep "Developer ID Application" | head -1 | awk -F '"' '{print $2}')
+ # Get certificate hash instead of name to avoid ambiguity
+ IDENTITY_HASH=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep "Developer ID Application" | head -1 | awk '{print $2}')
+ echo "Using certificate hash: $IDENTITY_HASH"
 fi
- if [ -z "$IDENTITY" ]; then
+ if [ -z "$IDENTITY_HASH" ]; then
 echo "❌ No valid Developer ID Application certificate found"
 echo "Falling back to ad-hoc signing for testing..."
 # Use ad-hoc identity as fallback
 codesign --force --deep --verbose --options runtime --entitlements LuckyWorld.entitlements --sign - --timestamp "$APP_PATH"
 echo "SIGNED=adhoc" >> "$GITHUB_ENV"
 else
- echo "Using identity: $IDENTITY"
+ echo "Signing app bundle with Developer ID hash: $IDENTITY_HASH"
- # Sign the app bundle
- echo "Signing app bundle with Developer ID..."
- codesign --force --deep --verbose --options runtime --entitlements LuckyWorld.entitlements --sign "$IDENTITY" --timestamp "$APP_PATH"
+ # Sign the app bundle using the hash
+ codesign --force --deep --verbose --options runtime --entitlements LuckyWorld.entitlements --sign "$IDENTITY_HASH" --timestamp "$APP_PATH"
 echo "SIGNED=identity" >> "$GITHUB_ENV"
 fi
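Review bot: The `grep "Developer ID Application" | head -1` selection in both branches still takes whichever matching identity `security find-identity` lists first. When a keychain holds more than one Developer ID Application certificate, the signer is therefore decided by listing order, and passing the hash to `codesign --sign` only makes that already-arbitrary pick unambiguous. The value taken from `awk '{print $2}'` is also used without checking that it looks like a certificate fingerprint. I would pin the expected fingerprint in workflow configuration and fail closed on a mismatch, for example `[ "$IDENTITY_HASH" = "$EXPECTED_CERT_SHA1" ] || { echo "unexpected signing identity: $IDENTITY_HASH" >&2; exit 1; }`, where `EXPECTED_CERT_SHA1` is a placeholder name for a variable the workflow would have to supply. The surrounding `run:` script starts and ends outside this hunk, so an equivalent check may already exist elsewhere.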