This commit is contained in:
parent
4125cb2ff4
commit
8b1443bbad
@ -12,111 +12,6 @@ jobs:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v3
|
||||
|
||||
- name: Setup Certificate
|
||||
env:
|
||||
CERTIFICATE_BASE64: ${{ secrets.MACOS_CERTIFICATE }}
|
||||
CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
|
||||
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
|
||||
run: |
|
||||
echo "🔑 Setting up certificate and keychain..."
|
||||
|
||||
# Create working directory
|
||||
CERT_DIR="$HOME/certificates"
|
||||
mkdir -p "$CERT_DIR"
|
||||
cd "$CERT_DIR"
|
||||
|
||||
# Decode certificate
|
||||
echo "📜 Decoding certificate..."
|
||||
echo "$CERTIFICATE_BASE64" | base64 --decode > certificate.p12
|
||||
|
||||
# Check certificate info
|
||||
echo "🔍 Certificate info:"
|
||||
file certificate.p12
|
||||
|
||||
# Create keychain with a fixed password
|
||||
KEYCHAIN_PATH="$CERT_DIR/build.keychain-db"
|
||||
KEYCHAIN_PASSWORD="keychainpassword"
|
||||
|
||||
echo "🔐 Creating keychain: $KEYCHAIN_PATH"
|
||||
security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
||||
|
||||
# Configure keychain settings
|
||||
security set-keychain-settings -t 3600 -l "$KEYCHAIN_PATH"
|
||||
|
||||
# Add to keychain list and make it default
|
||||
security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | sed s/\"//g)
|
||||
security default-keychain -s "$KEYCHAIN_PATH"
|
||||
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
||||
|
||||
# Download and import Apple root certificates
|
||||
echo "📥 Downloading Apple root certificates..."
|
||||
curl -O https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer
|
||||
curl -O https://www.apple.com/certificateauthority/DeveloperIDG2.cer
|
||||
|
||||
echo "🔐 Importing Apple root certificates..."
|
||||
security import AppleWWDRCAG3.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -f der
|
||||
security import DeveloperIDG2.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -f der
|
||||
|
||||
# Import certificate with all access rights
|
||||
echo "📥 Importing developer certificate..."
|
||||
security import certificate.p12 \
|
||||
-k "$KEYCHAIN_PATH" \
|
||||
-P "$CERTIFICATE_PASSWORD" \
|
||||
-T "/usr/bin/codesign" \
|
||||
-T "/usr/bin/security" \
|
||||
-T "/usr/bin/xcrun" \
|
||||
-f pkcs12
|
||||
|
||||
# Update keychain partition list
|
||||
security set-key-partition-list \
|
||||
-S apple-tool:,apple:,codesign: \
|
||||
-s \
|
||||
-k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
||||
|
||||
# Allow codesign to access the keychain
|
||||
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
||||
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
||||
|
||||
# Verify certificate access
|
||||
echo "🔍 Verifying certificate access..."
|
||||
security find-identity -v -p codesigning "$KEYCHAIN_PATH"
|
||||
|
||||
# Save environment variables
|
||||
echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV"
|
||||
echo "KEYCHAIN_PASSWORD=$KEYCHAIN_PASSWORD" >> "$GITHUB_ENV"
|
||||
echo "APPLE_TEAM_ID=$APPLE_TEAM_ID" >> "$GITHUB_ENV"
|
||||
echo "WORKSPACE_DIR=$(pwd)" >> "$GITHUB_ENV"
|
||||
|
||||
# Check certificate status and get identity
|
||||
echo "✅ Checking codesigning identities..."
|
||||
security find-identity -v -p codesigning "$KEYCHAIN_PATH"
|
||||
|
||||
# Extract the identity hash for signing
|
||||
IDENTITY_HASH=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep "Developer ID Application" | head -1 | awk '{print $2}')
|
||||
if [ -n "$IDENTITY_HASH" ]; then
|
||||
echo "Found identity hash: $IDENTITY_HASH"
|
||||
echo "IDENTITY_HASH=$IDENTITY_HASH" >> "$GITHUB_ENV"
|
||||
else
|
||||
echo "No valid identity hash found"
|
||||
echo "🔍 Debugging certificate access..."
|
||||
security find-identity -v -p codesigning "$KEYCHAIN_PATH"
|
||||
security find-certificate -a -c "Developer ID Application" -p "$KEYCHAIN_PATH"
|
||||
exit 1
|
||||
fi
|
||||
shell: bash
|
||||
|
||||
- name: Verify Certificate
|
||||
run: |
|
||||
echo "🔍 Verifying certificate in keychain..."
|
||||
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
||||
security find-identity -v -p codesigning "$KEYCHAIN_PATH"
|
||||
|
||||
echo "📋 Certificate details:"
|
||||
security find-certificate -a -c "Developer ID Application" -p "$KEYCHAIN_PATH" | \
|
||||
openssl x509 -text | \
|
||||
grep -E "Subject:|Issuer:|Not Before:|Not After:|Serial Number:"
|
||||
shell: bash
|
||||
|
||||
- name: Create Test Entitlements
|
||||
run: |
|
||||
echo "📝 Creating entitlements file..."
|
||||
@ -184,73 +79,22 @@ jobs:
|
||||
echo "APP_PATH=$TEST_APP_DIR" >> "$GITHUB_ENV"
|
||||
shell: bash
|
||||
|
||||
- name: Test Signing
|
||||
run: |
|
||||
echo "🔏 Testing code signing..."
|
||||
|
||||
# Prepare keychain
|
||||
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
||||
|
||||
# Use identity hash directly for signing
|
||||
echo "📝 Signing app bundle with identity hash: $IDENTITY_HASH"
|
||||
/usr/bin/codesign --force --deep --verbose \
|
||||
--keychain "$KEYCHAIN_PATH" \
|
||||
--sign "$IDENTITY_HASH" \
|
||||
--entitlements "LuckyWorld.entitlements" \
|
||||
"$APP_PATH"
|
||||
|
||||
echo "✅ Signing complete"
|
||||
|
||||
echo "🔍 Verifying signature..."
|
||||
codesign -vv -d "$APP_PATH"
|
||||
|
||||
echo "📋 Checking entitlements..."
|
||||
codesign -d --entitlements :- "$APP_PATH"
|
||||
|
||||
echo "🔒 Testing Gatekeeper assessment..."
|
||||
spctl --assess --type exec "$APP_PATH"
|
||||
shell: bash
|
||||
|
||||
- name: Test Notarization
|
||||
env:
|
||||
API_KEY_PATH: ${{ secrets.NOTARY_API_KEY_PATH }}
|
||||
API_KEY_ID: ${{ secrets.NOTARY_API_KEY_ID }}
|
||||
API_KEY_ISSUER_ID: ${{ secrets.NOTARY_API_KEY_ISSUER_ID }}
|
||||
run: |
|
||||
if [ -n "$API_KEY_PATH" ] && [ -n "$API_KEY_ID" ] && [ -n "$API_KEY_ISSUER_ID" ]; then
|
||||
echo "🔐 Testing notarization..."
|
||||
|
||||
# Create API key file
|
||||
echo "$API_KEY_PATH" | base64 --decode > api_key.p8
|
||||
|
||||
# Zip test app
|
||||
ditto -c -k --keepParent "$APP_PATH" "TestApp.zip"
|
||||
|
||||
# Test notarization
|
||||
xcrun notarytool submit "TestApp.zip" \
|
||||
--key "api_key.p8" \
|
||||
--key-id "$API_KEY_ID" \
|
||||
--issuer "$API_KEY_ISSUER_ID" \
|
||||
--wait
|
||||
|
||||
# Cleanup
|
||||
rm -f api_key.p8 TestApp.zip
|
||||
else
|
||||
echo "⚠️ Notarization secrets not found, skipping notarization test"
|
||||
fi
|
||||
shell: bash
|
||||
- name: Sign and Notarize App
|
||||
uses: lando/code-sign-action@v3
|
||||
with:
|
||||
file: ${{ env.APP_PATH }}
|
||||
certificate-data: ${{ secrets.MACOS_CERTIFICATE }}
|
||||
certificate-password: ${{ secrets.MACOS_CERTIFICATE_PWD }}
|
||||
apple-team-id: ${{ secrets.APPLE_TEAM_ID }}
|
||||
apple-notary-user: ${{ secrets.APPLE_NOTARY_USER }}
|
||||
apple-notary-password: ${{ secrets.APPLE_NOTARY_PASSWORD }}
|
||||
apple-product-id: com.luckyworld.testapp
|
||||
options: --options runtime --entitlements LuckyWorld.entitlements
|
||||
|
||||
- name: Cleanup
|
||||
if: always()
|
||||
run: |
|
||||
echo "🧹 Cleaning up..."
|
||||
|
||||
# Clean up keychain
|
||||
security delete-keychain "$KEYCHAIN_PATH" || true
|
||||
|
||||
# Clean up test files
|
||||
rm -rf "$HOME/certificates" || true
|
||||
rm -rf TestApp.app || true
|
||||
|
||||
echo "✅ Cleanup complete"
|
||||
shell: bash
|
||||
Loading…
x
Reference in New Issue
Block a user