diff --git a/.gitea/workflows/test-local-signing.yml b/.gitea/workflows/test-local-signing.yml
index c41f69d1..9fb0c33c 100644
--- a/.gitea/workflows/test-local-signing.yml
+++ b/.gitea/workflows/test-local-signing.yml
@@ -99,60 +99,51 @@ jobs:
 security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
 security set-keychain-settings -t 3600 -l "$KEYCHAIN_PATH"
 security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
- security list-keychains -s "$KEYCHAIN_PATH" $(security list-keychains | xargs)
- # Download and import Apple root certificates
- echo "📥 Downloading Apple root certificates..."
- curl -o AppleWWDRCAG3.cer https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer
- curl -o DeveloperIDG2.cer https://www.apple.com/certificateauthority/DeveloperIDG2.cer
-
- # Check certificate formats
- echo "🔍 Checking certificate formats..."
- file AppleWWDRCAG3.cer
- file DeveloperIDG2.cer
-
- # Import Apple WWDRCA certificate
- echo "🔑 Importing Apple WWDRCA certificate..."
- security import AppleWWDRCAG3.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign
-
- # Import Developer ID certificate - try with explicit format
- echo "🔑 Importing Developer ID certificate..."
- security import DeveloperIDG2.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -f pkcs7 || \
- security import DeveloperIDG2.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -f openssl || \
- security import DeveloperIDG2.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign
+ # Add to keychain list and make it default
+ security list-keychains -s "$KEYCHAIN_PATH" login.keychain
+ security default-keychain -s "$KEYCHAIN_PATH"
 # Import developer certificate
- echo "🔑 Importing developer p12 certificate..."
+ echo "🔑 Importing developer certificate..."
 echo "${{ secrets.MACOS_CERTIFICATE }}" | base64 --decode > certificate.p12
 security import certificate.p12 -k "$KEYCHAIN_PATH" -P "${{ secrets.MACOS_CERTIFICATE_PWD }}" -T /usr/bin/codesign
- # Set partition list to allow codesign to access keychain without password
+ # Set partition list to allow codesign to access without password
 security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
- # Set keychain as default
- security default-keychain -s "$KEYCHAIN_PATH"
-
 # Verify certificate
 echo "🔍 Verifying certificate..."
 security find-identity -v -p codesigning "$KEYCHAIN_PATH"
+ # Make keychain available for 1 hour
+ security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+
 # Cleanup
- rm -f certificate.p12 AppleWWDRCAG3.cer DeveloperIDG2.cer
+ rm -f certificate.p12
 shell: bash
 - name: Sign App Bundle
 run: |
 echo "🔏 Signing app bundle..."
- # Get the identity hash
- IDENTITY=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep "Developer ID Application" | awk '{print $2}')
- if [ -z "$IDENTITY" ]; then
+ # Get the identity name (not hash)
+ IDENTITY_NAME=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep "Developer ID Application" | sed -E 's/.*"Developer ID Application: ([^"]*).*/\1/')
+ IDENTITY_FULL="Developer ID Application: $IDENTITY_NAME"
+
+ echo "Found identity: $IDENTITY_FULL"
+
+ if [ -z "$IDENTITY_NAME" ]; then
 echo "❌ Error: No valid Developer ID Application identity found"
 exit 1
 fi
+ # Make sure keychain is unlocked
+ security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+
 # Sign the app bundle
- codesign --force --options runtime --entitlements LuckyWorld.entitlements --sign "$IDENTITY" --timestamp TestApp.app
+ echo "Signing with identity: $IDENTITY_FULL"
+ codesign --force --options runtime --entitlements LuckyWorld.entitlements --sign "$IDENTITY_FULL" --timestamp TestApp.app
 # Verify signing
 echo "🔍 Verifying signature..."
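Review bot: The new `IDENTITY_NAME=$(... | grep "Developer ID Application" | sed ...)` line yields several lines whenever more than one valid "Developer ID Application" identity is in the keychain (e.g. a renewed certificate alongside the old one), and `codesign --sign "$IDENTITY_FULL"` then receives a multi-line, ambiguous name where the removed hash-based lookup selected a single token; add `| head -n 1` before the sed, or better refuse to sign on ambiguity: `[ "$(printf '%s\n' "$IDENTITY_NAME" | wc -l)" -eq 1 ] || { echo "❌ Error: ambiguous Developer ID Application identity"; exit 1; }`. The `-z` guard should also run before `IDENTITY_FULL` is built and echoed, otherwise an empty match still prints "Found identity: Developer ID Application: " before failing. `security list-keychains -s "$KEYCHAIN_PATH" login.keychain` replaces the entire search list rather than appending (the removed line preserved the existing entries via `$(security list-keychains | xargs)`), so any other keychain previously on the list is no longer consulted — presumably fine on an isolated runner, but worth a one-line comment stating that it is deliberate. The comment `# Make keychain available for 1 hour` is inaccurate: the duration comes from `security set-keychain-settings -t 3600` earlier in the step, and `unlock-keychain` only unlocks; `# Re-unlock in case the keychain auto-locked during import` describes what the line does.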