diff --git a/.gitea/workflows/test-local-signing.yml b/.gitea/workflows/test-local-signing.yml index 01ab80da..f7e91941 100644 --- a/.gitea/workflows/test-local-signing.yml +++ b/.gitea/workflows/test-local-signing.yml 
@@ -12,111 +12,6 @@ jobs: - name: Checkout repository uses: actions/checkout@v3 - - name: Setup Certificate - env: - CERTIFICATE_BASE64: ${{ secrets.MACOS_CERTIFICATE }} - CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }} - APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} - run: | - echo "๐Ÿ”‘ Setting up certificate and keychain..." - - # Create working directory - CERT_DIR="$HOME/certificates" - mkdir -p "$CERT_DIR" - cd "$CERT_DIR" - - # Decode certificate - echo "๐Ÿ“œ Decoding certificate..." - echo "$CERTIFICATE_BASE64" | base64 --decode > certificate.p12 - - # Check certificate info - echo "๐Ÿ” Certificate info:" - file certificate.p12 - - # Create keychain with a fixed password - KEYCHAIN_PATH="$CERT_DIR/build.keychain-db" - KEYCHAIN_PASSWORD="keychainpassword" - - echo "๐Ÿ” Creating keychain: $KEYCHAIN_PATH" - security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" - - # Configure keychain settings - security set-keychain-settings -t 3600 -l "$KEYCHAIN_PATH" - - # Add to keychain list and make it default - security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | sed s/\"//g) - security default-keychain -s "$KEYCHAIN_PATH" - security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" - - # Download and import Apple root certificates - echo "๐Ÿ“ฅ Downloading Apple root certificates..." - curl -O https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer - curl -O https://www.apple.com/certificateauthority/DeveloperIDG2.cer - - echo "๐Ÿ” Importing Apple root certificates..." - security import AppleWWDRCAG3.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -f der - security import DeveloperIDG2.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -f der - - # Import certificate with all access rights - echo "๐Ÿ“ฅ Importing developer certificate..." 
- security import certificate.p12 \ - -k "$KEYCHAIN_PATH" \ - -P "$CERTIFICATE_PASSWORD" \ - -T "/usr/bin/codesign" \ - -T "/usr/bin/security" \ - -T "/usr/bin/xcrun" \ - -f pkcs12 - - # Update keychain partition list - security set-key-partition-list \ - -S apple-tool:,apple:,codesign: \ - -s \ - -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" - - # Allow codesign to access the keychain - security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" - security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" - - # Verify certificate access - echo "๐Ÿ” Verifying certificate access..." - security find-identity -v -p codesigning "$KEYCHAIN_PATH" - - # Save environment variables - echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV" - echo "KEYCHAIN_PASSWORD=$KEYCHAIN_PASSWORD" >> "$GITHUB_ENV" - echo "APPLE_TEAM_ID=$APPLE_TEAM_ID" >> "$GITHUB_ENV" - echo "WORKSPACE_DIR=$(pwd)" >> "$GITHUB_ENV" - - # Check certificate status and get identity - echo "โœ… Checking codesigning identities..." - security find-identity -v -p codesigning "$KEYCHAIN_PATH" - - # Extract the identity hash for signing - IDENTITY_HASH=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep "Developer ID Application" | head -1 | awk '{print $2}') - if [ -n "$IDENTITY_HASH" ]; then - echo "Found identity hash: $IDENTITY_HASH" - echo "IDENTITY_HASH=$IDENTITY_HASH" >> "$GITHUB_ENV" - else - echo "No valid identity hash found" - echo "๐Ÿ” Debugging certificate access..." - security find-identity -v -p codesigning "$KEYCHAIN_PATH" - security find-certificate -a -c "Developer ID Application" -p "$KEYCHAIN_PATH" - exit 1 - fi - shell: bash - - - name: Verify Certificate - run: | - echo "๐Ÿ” Verifying certificate in keychain..." 
- security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" - security find-identity -v -p codesigning "$KEYCHAIN_PATH" - - echo "๐Ÿ“‹ Certificate details:" - security find-certificate -a -c "Developer ID Application" -p "$KEYCHAIN_PATH" | \ - openssl x509 -text | \ - grep -E "Subject:|Issuer:|Not Before:|Not After:|Serial Number:" - shell: bash - - name: Create Test Entitlements run: | echo "๐Ÿ“ Creating entitlements file..." 
@@ -184,73 +79,22 @@ jobs: echo "APP_PATH=$TEST_APP_DIR" >> "$GITHUB_ENV" shell: bash - - name: Test Signing - run: | - echo "๐Ÿ” Testing code signing..." - - # Prepare keychain - security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" - - # Use identity hash directly for signing - echo "๐Ÿ“ Signing app bundle with identity hash: $IDENTITY_HASH" - /usr/bin/codesign --force --deep --verbose \ - --keychain "$KEYCHAIN_PATH" \ - --sign "$IDENTITY_HASH" \ - --entitlements "LuckyWorld.entitlements" \ - "$APP_PATH" - - echo "โœ… Signing complete" - - echo "๐Ÿ” Verifying signature..." - codesign -vv -d "$APP_PATH" - - echo "๐Ÿ“‹ Checking entitlements..." - codesign -d --entitlements :- "$APP_PATH" - - echo "๐Ÿ”’ Testing Gatekeeper assessment..." - spctl --assess --type exec "$APP_PATH" - shell: bash - - - name: Test Notarization - env: - API_KEY_PATH: ${{ secrets.NOTARY_API_KEY_PATH }} - API_KEY_ID: ${{ secrets.NOTARY_API_KEY_ID }} - API_KEY_ISSUER_ID: ${{ secrets.NOTARY_API_KEY_ISSUER_ID }} - run: | - if [ -n "$API_KEY_PATH" ] && [ -n "$API_KEY_ID" ] && [ -n "$API_KEY_ISSUER_ID" ]; then - echo "๐Ÿ” Testing notarization..." 
- - # Create API key file - echo "$API_KEY_PATH" | base64 --decode > api_key.p8 - - # Zip test app - ditto -c -k --keepParent "$APP_PATH" "TestApp.zip" - - # Test notarization - xcrun notarytool submit "TestApp.zip" \ - --key "api_key.p8" \ - --key-id "$API_KEY_ID" \ - --issuer "$API_KEY_ISSUER_ID" \ - --wait - - # Cleanup - rm -f api_key.p8 TestApp.zip - else - echo "โš ๏ธ Notarization secrets not found, skipping notarization test" - fi - shell: bash + - name: Sign and Notarize App + uses: lando/code-sign-action@v3 + with: + file: ${{ env.APP_PATH }} + certificate-data: ${{ secrets.MACOS_CERTIFICATE }} + certificate-password: ${{ secrets.MACOS_CERTIFICATE_PWD }} + apple-team-id: ${{ secrets.APPLE_TEAM_ID }} + apple-notary-user: ${{ secrets.APPLE_NOTARY_USER }} + apple-notary-password: ${{ secrets.APPLE_NOTARY_PASSWORD }} + apple-product-id: com.luckyworld.testapp + options: --options runtime --entitlements LuckyWorld.entitlements - name: Cleanup if: always() run: | echo "๐Ÿงน Cleaning up..." - - # Clean up keychain - security delete-keychain "$KEYCHAIN_PATH" || true - - # Clean up test files - rm -rf "$HOME/certificates" || true rm -rf TestApp.app || true - echo "โœ… Cleanup complete" shell: bash \ No newline at end of file
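Review bot: The new `Sign and Notarize App` step passes the signing certificate, its password and the notary credentials to a third-party action that is pinned only by the mutable tag `lando/code-sign-action@v3`, so whoever controls that tag controls those secrets; pin it to a full commit SHA and keep the version as a comment, e.g. `uses: lando/code-sign-action@<full-commit-sha>  # v3`, and let a dependency bot track updates. The removed `Test Notarization` step skipped cleanly when the notary secrets were unset, while the new step always runs, so a fork or a repository without `APPLE_NOTARY_USER`/`APPLE_NOTARY_PASSWORD` now hands the action empty inputs — an `if:` guard on those secrets, or a comment stating they are mandatory, would make the intent explicit. The trimmed `Cleanup` step no longer deletes any keychain; on a persistent Gitea runner it is worth confirming that the action removes the temporary keychain it imports the certificate into, since otherwise the signing key would remain on the runner after the job.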