fix(workflows): improve keychain handling and identity extraction in local signing workflow

2025-04-14 14:14:51 +02:00 · 2025-04-14 14:14:51 +02:00 · 8dcb496b3c
commit 8dcb496b3c
parent 52bb9a0f7b
1 changed files with 32 additions and 14 deletions
--- a/.gitea/workflows/test-local-signing.yml
+++ b/.gitea/workflows/test-local-signing.yml
@ -33,25 +33,33 @@ jobs:
          echo "🔍 Certificate info:"
          file certificate.p12
          
-          # Create keychain
-          KEYCHAIN_PATH="$CERT_DIR/build.keychain"
-          KEYCHAIN_PASSWORD="temporary$(date +%s)"
+          # Create keychain with a fixed password
+          KEYCHAIN_PATH="$CERT_DIR/build.keychain-db"
+          KEYCHAIN_PASSWORD="keychainpassword"
          
          echo "🔐 Creating keychain: $KEYCHAIN_PATH"
          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+          
+          # Configure keychain settings
+          security set-keychain-settings -t 3600 -l "$KEYCHAIN_PATH"
+          
+          # Add to keychain list and make it default
+          security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | sed s/\"//g)
          security default-keychain -s "$KEYCHAIN_PATH"
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          
-          # Import certificate
+          # Import certificate with all access rights
          echo "📥 Importing certificate..."
          security import certificate.p12 \
            -k "$KEYCHAIN_PATH" \
            -P "$CERTIFICATE_PASSWORD" \
-            -T /usr/bin/codesign
+            -T "/usr/bin/codesign" \
+            -T "/usr/bin/security" \
+            -T "/usr/bin/xcrun"
          
-          # Configure keychain settings
+          # Update keychain partition list
          security set-key-partition-list \
-            -S apple-tool:,apple: \
+            -S apple-tool:,apple:,codesign: \
            -s \
            -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          
@ -61,14 +69,26 @@ jobs:
          echo "APPLE_TEAM_ID=$APPLE_TEAM_ID" >> "$GITHUB_ENV"
          echo "WORKSPACE_DIR=$(pwd)" >> "$GITHUB_ENV"
          
-          # Check certificate status
+          # Check certificate status and get identity
          echo "✅ Checking codesigning identities..."
          security find-identity -v -p codesigning "$KEYCHAIN_PATH"
+          
+          # Extract the identity hash for signing
+          IDENTITY_HASH=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep "Developer ID Application" | head -1 | awk '{print $2}')
+          if [ -n "$IDENTITY_HASH" ]; then
+            echo "Found identity hash: $IDENTITY_HASH"
+            echo "IDENTITY_HASH=$IDENTITY_HASH" >> "$GITHUB_ENV"
+          else
+            echo "No valid identity hash found"
+            security find-identity -v -p codesigning "$KEYCHAIN_PATH"
+            exit 1
+          fi
        shell: bash
        
      - name: Verify Certificate
        run: |
          echo "🔍 Verifying certificate in keychain..."
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          security find-identity -v -p codesigning "$KEYCHAIN_PATH"
          
          echo "📋 Certificate details:"
@ -151,13 +171,11 @@ jobs:
          # Prepare keychain
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          
-          # Find signing identity
-          SIGNING_IDENTITY="Developer ID Application: $APPLE_TEAM_ID"
-          echo "Using signing identity: $SIGNING_IDENTITY"
-          
-          echo "📝 Signing app bundle..."
+          # Use identity hash directly for signing
+          echo "📝 Signing app bundle with identity hash: $IDENTITY_HASH"
          /usr/bin/codesign --force --deep --verbose \
-            --sign "$SIGNING_IDENTITY" \
+            --keychain "$KEYCHAIN_PATH" \
+            --sign "$IDENTITY_HASH" \
            --entitlements "LuckyWorld.entitlements" \
            "$APP_PATH"