fix(workflows): improve keychain handling and identity extraction in local signing workflow

.gitea/workflows/test-local-signing.yml

@@ -33,25 +33,33 @@ jobs:
           echo "🔍 Certificate info:"
           file certificate.p12
           
-          # Create keychain
-          KEYCHAIN_PATH="$CERT_DIR/build.keychain"
-          KEYCHAIN_PASSWORD="temporary$(date +%s)"
+          # Create keychain with a fixed password
+          KEYCHAIN_PATH="$CERT_DIR/build.keychain-db"
+          KEYCHAIN_PASSWORD="keychainpassword"
           
           echo "🔐 Creating keychain: $KEYCHAIN_PATH"
           security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+          
+          # Configure keychain settings
+          security set-keychain-settings -t 3600 -l "$KEYCHAIN_PATH"
+          
+          # Add to keychain list and make it default
+          security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | sed s/\"//g)
           security default-keychain -s "$KEYCHAIN_PATH"
           security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
           
-          # Import certificate
+          # Import certificate with all access rights
           echo "📥 Importing certificate..."
           security import certificate.p12 \
             -k "$KEYCHAIN_PATH" \
             -P "$CERTIFICATE_PASSWORD" \
-            -T /usr/bin/codesign
+            -T "/usr/bin/codesign" \
+            -T "/usr/bin/security" \
+            -T "/usr/bin/xcrun"
           
-          # Configure keychain settings
+          # Update keychain partition list
           security set-key-partition-list \
-            -S apple-tool:,apple: \
+            -S apple-tool:,apple:,codesign: \
             -s \
             -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
           
@@ -61,14 +69,26 @@ jobs:
           echo "APPLE_TEAM_ID=$APPLE_TEAM_ID" >> "$GITHUB_ENV"
           echo "WORKSPACE_DIR=$(pwd)" >> "$GITHUB_ENV"
           
-          # Check certificate status
+          # Check certificate status and get identity
           echo "✅ Checking codesigning identities..."
           security find-identity -v -p codesigning "$KEYCHAIN_PATH"
+          
+          # Extract the identity hash for signing
+          IDENTITY_HASH=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep "Developer ID Application" | head -1 | awk '{print $2}')
+          if [ -n "$IDENTITY_HASH" ]; then
+            echo "Found identity hash: $IDENTITY_HASH"
+            echo "IDENTITY_HASH=$IDENTITY_HASH" >> "$GITHUB_ENV"
+          else
+            echo "No valid identity hash found"
+            security find-identity -v -p codesigning "$KEYCHAIN_PATH"
+            exit 1
+          fi
         shell: bash
         
       - name: Verify Certificate
         run: |
           echo "🔍 Verifying certificate in keychain..."
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
           security find-identity -v -p codesigning "$KEYCHAIN_PATH"
           
           echo "📋 Certificate details:"
@@ -151,13 +171,11 @@ jobs:
           # Prepare keychain
           security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
           
-          # Find signing identity
-          SIGNING_IDENTITY="Developer ID Application: $APPLE_TEAM_ID"
-          echo "Using signing identity: $SIGNING_IDENTITY"
-          
-          echo "📝 Signing app bundle..."
+          # Use identity hash directly for signing
+          echo "📝 Signing app bundle with identity hash: $IDENTITY_HASH"
           /usr/bin/codesign --force --deep --verbose \
-            --sign "$SIGNING_IDENTITY" \
+            --keychain "$KEYCHAIN_PATH" \
+            --sign "$IDENTITY_HASH" \
             --entitlements "LuckyWorld.entitlements" \
             "$APP_PATH"