From 89ecd771334e5566839a588ea98d2e22490c2c8b Mon Sep 17 00:00:00 2001
From: Ozgur Ersoy
Date: Wed, 16 Apr 2025 12:22:06 +0200
Subject: [PATCH] fix(actions): refine macOS notarization workflow by removing build cache management and enhancing identity handling during signing process

---
 .gitea/workflows/test-macos-build.yml | 78 +++++++++++++--------------
 1 file changed, 38 insertions(+), 40 deletions(-)

diff --git a/.gitea/workflows/test-macos-build.yml b/.gitea/workflows/test-macos-build.yml
index 17960280..b497a33b 100644
--- a/.gitea/workflows/test-macos-build.yml
+++ b/.gitea/workflows/test-macos-build.yml
@@ -41,22 +41,6 @@ jobs:
 echo "Environment setup complete"
 shell: bash
 
- # Restore cache for build dependencies
- - name: Restore Build Cache
- id: build-cache
- uses: actions/cache@v3
- with:
- path: |
- DerivedDataCache
- Intermediate
- Saved/Autosaves
- Saved/Config
- .unreal
- key: ${{ runner.os }}-macbuild-${{ hashFiles('**/*.uproject') }}-${{ hashFiles('Config/**') }}
- restore-keys: |
- ${{ runner.os }}-macbuild-${{ hashFiles('**/*.uproject') }}-
- ${{ runner.os }}-macbuild-
-
 # Build for macOS - use your own build script
 - name: Build for macOS
 run: |
@@ -167,19 +151,6 @@ jobs:
 echo "Found entitlements file: ${{ env.ENTITLEMENTS_FILE }}"
 fi
 shell: bash
-
- # Save cache for next workflow run
- - name: Save Build Cache
- if: always()
- uses: actions/cache/save@v3
- with:
- path: |
- DerivedDataCache
- Intermediate
- Saved/Autosaves
- Saved/Config
- .unreal
- key: ${{ steps.build-cache.outputs.cache-primary-key }}
 
 # Create a debug log file for notarize action
 - name: Create debug log directory
@@ -320,16 +291,25 @@ jobs:
 debug_log "Importing certificate into keychain"
 security import "$CERTIFICATE_PATH" -k "$KEYCHAIN_NAME" -P "${{ secrets.MACOS_CERTIFICATE_PWD }}" -T /usr/bin/codesign
 
- # Allow codesign to access keychain items
+ # Add to search list and set as default
+ security list-keychains -d user -s "$KEYCHAIN_NAME" login.keychain
+ security default-keychain -s "$KEYCHAIN_NAME"
+ security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_NAME"
+
+ # Allow codesign to access keychain items without prompting
 security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_NAME"
 
- # Verify certificate was imported
- security find-identity -v "$KEYCHAIN_NAME" | grep "Developer ID Application"
- IDENTITY_RESULT=$?
+ # List all identities to find the exact name
+ debug_log "Listing all identities in the keychain:"
+ IDENTITY_INFO=$(security find-identity -v "$KEYCHAIN_NAME")
+ debug_log "$IDENTITY_INFO"
 
- if [ $IDENTITY_RESULT -eq 0 ]; then
- debug_log "Certificate imported successfully"
- SIGNING_IDENTITY="Developer ID Application: ${{ secrets.APPLE_TEAM_ID }}"
+ # Parse the exact identity name from the output
+ EXACT_IDENTITY=$(echo "$IDENTITY_INFO" | grep "Developer ID Application" | head -1 | sed -E 's/.*"(Developer ID Application: .*)"/\1/')
+
+ if [[ -n "$EXACT_IDENTITY" ]]; then
+ debug_log "Found exact identity: $EXACT_IDENTITY"
+ SIGNING_IDENTITY="$EXACT_IDENTITY"
 echo "SIGNING_IDENTITY=$SIGNING_IDENTITY" >> $GITHUB_ENV
 echo "CERTIFICATE_AVAILABLE=true" >> $GITHUB_ENV
 else
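Review bot: The new `security list-keychains -d user -s "$KEYCHAIN_NAME" login.keychain` and `security default-keychain -s "$KEYCHAIN_NAME"` lines replace the runner user's keychain search list and default keychain, and nothing in this diff records the previous values or deletes the temporary keychain afterwards; on a persistent or self-hosted runner (plausible for a `.gitea/workflows` job) the imported Developer ID signing key stays reachable by later jobs and the default keychain stays redirected. I would capture the current search list and default before changing them and add a final step with `if: always()` that runs `security delete-keychain "$KEYCHAIN_NAME"` and restores both; if such a cleanup exists outside this hunk, a comment here naming it would help the next reader. A smaller point on the `EXACT_IDENTITY` line: when `grep` matches but the `sed` pattern does not, the variable holds the whole `find-identity` line and is then passed to `codesign --sign` as-is, so anchoring on the quoted name, e.g. `grep -o '"Developer ID Application: [^"]*"' | head -1 | tr -d '"'`, keeps the result either a clean identity name or empty.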
@@ -357,6 +337,12 @@ jobs:
 
 debug_log "Starting application signing process"
 
+ # Make sure keychain is unlocked and available
+ security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_NAME"
+ security list-keychains
+ security default-keychain
+ security find-identity -v "$KEYCHAIN_NAME" | grep "Developer ID Application"
+
 # Check if certificate is available
 if [[ "$CERTIFICATE_AVAILABLE" == "false" ]]; then
 debug_log "No certificate available and fallback disabled. Skipping signing."
@@ -370,6 +356,7 @@ jobs:
 # Sign the app
 if [[ "$CERTIFICATE_AVAILABLE" == "true" ]]; then
 debug_log "Signing with Developer ID certificate"
+ debug_log "Using identity: $SIGNING_IDENTITY"
 
 # First remove existing signatures
 debug_log "Removing existing signatures..."
@@ -399,11 +386,22 @@ jobs:
 find "$APP_PATH/Contents/MacOS" -type f -exec codesign --force --timestamp --options runtime --entitlements "$ENTITLEMENTS_PATH" --sign "$SIGNING_IDENTITY" {} \; 2>/dev/null || true
 fi
 
- # Sign app bundle
- debug_log "Signing main app bundle..."
- codesign --force --timestamp --options runtime --entitlements "$ENTITLEMENTS_PATH" --sign "$SIGNING_IDENTITY" "$APP_PATH"
+ # Try with exact hash ID if available
+ if [[ "$IDENTITY_INFO" =~ ([0-9A-F]{40}) ]]; then
+ HASH_ID="${BASH_REMATCH[1]}"
+ debug_log "Trying to sign with hash ID: $HASH_ID"
+
+ # Sign app bundle with hash ID
+ debug_log "Signing main app bundle with hash ID..."
+ codesign --force --timestamp --options runtime --entitlements "$ENTITLEMENTS_PATH" --sign "$HASH_ID" "$APP_PATH"
+ SIGN_RESULT=$?
+ else
+ # Sign app bundle
+ debug_log "Signing main app bundle..."
+ codesign --force --timestamp --options runtime --entitlements "$ENTITLEMENTS_PATH" --sign "$SIGNING_IDENTITY" "$APP_PATH"
+ SIGN_RESULT=$?
+ fi
 
- SIGN_RESULT=$?
 if [ $SIGN_RESULT -eq 0 ]; then
 debug_log "App signed successfully with Developer ID"
 echo "SIGNING_RESULT=true" >> $GITHUB_ENV
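Review bot: The diagnostic `security find-identity -v "$KEYCHAIN_NAME" | grep "Developer ID Application"` exits non-zero when no such identity is listed, so if this step runs with `set -e` (the step's shell options are outside the hunk) it aborts before the `CERTIFICATE_AVAILABLE == "false"` branch just below that is meant to handle exactly that case; append `|| debug_log "no Developer ID Application identity listed"` so the listing stays informational. The added `security unlock-keychain -p "$KEYCHAIN_PASSWORD"` also places the keychain password on a command line, which `set -x` tracing or a process listing would expose, so this step should not enable command tracing. The enclosing signing block continues past the end of the hunk.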
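Review bot: `if [[ "$IDENTITY_INFO" =~ ([0-9A-F]{40}) ]]` reads a shell variable that the keychain step assigned but never wrote to `$GITHUB_ENV` (only `SIGNING_IDENTITY` and `CERTIFICATE_AVAILABLE` are exported there); if this is a separate step, as the repeated `unlock-keychain` above suggests, `IDENTITY_INFO` is empty here, the hash branch is dead code, and under `set -u` the test itself fails the step. Even when it is populated, the regex picks the first 40-hex string anywhere in the listing, i.e. the hash of whichever identity `find-identity -v` prints first, which need not be the `Developer ID Application` entry parsed into `EXACT_IDENTITY`, so the bundle can be signed with a different certificate than the one logged. I would derive the hash from the same matched line in the keychain step, `SIGNING_HASH=$(printf '%s\n' "$IDENTITY_INFO" | grep "Developer ID Application" | head -1 | awk '{print $2}')`, export it with `echo "SIGNING_HASH=$SIGNING_HASH" >> "$GITHUB_ENV"`, and test `[[ -n "${SIGNING_HASH:-}" ]]` here instead of the regex. The surrounding `if [[ "$CERTIFICATE_AVAILABLE" == "true" ]]` block starts outside this hunk.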