fix(workflows): enhance macOS build workflow with detailed debugging for certificate import and fallback signing method
Some checks failed
Test macOS Build Action / test-macos-build (push) Failing after 27m50s
Some checks failed
Test macOS Build Action / test-macos-build (push) Failing after 27m50s
This commit is contained in:
parent
80b9aafa69
commit
a7bb4f0bd6
@ -85,8 +85,8 @@ jobs:
|
||||
fi
|
||||
shell: bash
|
||||
|
||||
# Step 3: Try both certificate & Ad-Hoc signing
|
||||
- name: Prepare certificate or use Ad-Hoc signing
|
||||
# Step 3: Enhanced Debug for Certificate Import
|
||||
- name: Debug Certificate Import
|
||||
env:
|
||||
CERTIFICATE_BASE64: ${{ secrets.MACOS_CERTIFICATE }}
|
||||
CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
|
||||
@ -94,148 +94,170 @@ jobs:
|
||||
run: |
|
||||
# Debug: Print working directory and available resources
|
||||
echo "Current working directory: $(pwd)"
|
||||
echo "Contents of Saved/StagedBuilds directory (if exists):"
|
||||
find ./Saved -type d -name "*.app" 2>/dev/null || echo "No .app bundles found in Saved/"
|
||||
|
||||
# Find the app bundle to sign
|
||||
APP_PATHS=$(find ./Saved/StagedBuilds -type d -name "*.app" 2>/dev/null)
|
||||
if [ -z "$APP_PATHS" ]; then
|
||||
APP_PATHS=$(find ./Builds -type d -name "*.app" 2>/dev/null)
|
||||
fi
|
||||
if [ -z "$APP_PATHS" ]; then
|
||||
echo "ERROR: No .app bundle found to sign!"
|
||||
# Checking system keychains
|
||||
echo "Examining system keychains and certificates..."
|
||||
security list-keychains
|
||||
security default-keychain
|
||||
|
||||
# Decode certificate and examine format - DEBUG
|
||||
echo "Decoding certificate to debug..."
|
||||
CERT_DIR="$HOME/certificates"
|
||||
mkdir -p "$CERT_DIR"
|
||||
CERT_PATH="$CERT_DIR/developer_certificate.p12"
|
||||
echo "$CERTIFICATE_BASE64" | base64 --decode > "$CERT_PATH"
|
||||
|
||||
# Check if certificate was properly decoded
|
||||
if [ -f "$CERT_PATH" ]; then
|
||||
echo "Certificate was decoded, size: $(wc -c < "$CERT_PATH") bytes"
|
||||
echo "Certificate file type: $(file "$CERT_PATH")"
|
||||
else
|
||||
echo "ERROR: Failed to decode certificate"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Trying import with different methods
|
||||
echo "ATTEMPT 1: Using login keychain"
|
||||
KEYCHAIN_PASSWORD="$(security find-generic-password -a ${USER} -s login -w)"
|
||||
security unlock-keychain -p "$KEYCHAIN_PASSWORD" login.keychain
|
||||
security import "$CERT_PATH" -P "$CERTIFICATE_PASSWORD" -k login.keychain -T /usr/bin/codesign || echo "Import to login keychain failed"
|
||||
|
||||
echo "ATTEMPT 2: Creating custom keychain"
|
||||
CUSTOM_KEYCHAIN="$CERT_DIR/build.keychain"
|
||||
CUSTOM_PASSWORD="temppassword123"
|
||||
security create-keychain -p "$CUSTOM_PASSWORD" "$CUSTOM_KEYCHAIN"
|
||||
security default-keychain -s "$CUSTOM_KEYCHAIN"
|
||||
security unlock-keychain -p "$CUSTOM_PASSWORD" "$CUSTOM_KEYCHAIN"
|
||||
security import "$CERT_PATH" -P "$CERTIFICATE_PASSWORD" -k "$CUSTOM_KEYCHAIN" -T /usr/bin/codesign || echo "Import to custom keychain failed"
|
||||
|
||||
# Add to search list
|
||||
security list-keychains -d user -s "$CUSTOM_KEYCHAIN" login.keychain
|
||||
security set-key-partition-list -S apple-tool:,apple: -s -k "$CUSTOM_PASSWORD" "$CUSTOM_KEYCHAIN"
|
||||
|
||||
# Check available identities in both keychains
|
||||
echo "Checking login keychain for identities:"
|
||||
security find-identity -v -p codesigning login.keychain || echo "No identities in login keychain"
|
||||
|
||||
echo "Checking custom keychain for identities:"
|
||||
security find-identity -v -p codesigning "$CUSTOM_KEYCHAIN" || echo "No identities in custom keychain"
|
||||
|
||||
# Fallback solution - use adhoc signing for testing
|
||||
echo "FALLBACK: Setting up adhoc signing option"
|
||||
echo "KEYCHAIN_PATH=$CUSTOM_KEYCHAIN" >> "$GITHUB_ENV"
|
||||
echo "KEYCHAIN_PASSWORD=$CUSTOM_PASSWORD" >> "$GITHUB_ENV"
|
||||
echo "DIRECT_SIGNING_AVAILABLE=false" >> "$GITHUB_ENV"
|
||||
|
||||
# For debugging only, use a specific team ID if needed
|
||||
echo "APPLE_TEAM=$APPLE_TEAM_ID" >> "$GITHUB_ENV"
|
||||
shell: bash
|
||||
|
||||
# Step 4: Find and prep app for signing
|
||||
- name: Find and prep app for signing
|
||||
run: |
|
||||
# First check Saved/StagedBuilds directory - where Unreal often places built apps
|
||||
echo "Checking Saved/StagedBuilds directory..."
|
||||
APP_PATHS=$(find ./Saved/StagedBuilds -type d -name "*.app" 2>/dev/null)
|
||||
|
||||
# If not found, check Builds directory
|
||||
if [ -z "$APP_PATHS" ]; then
|
||||
echo "Checking Builds directory..."
|
||||
APP_PATHS=$(find ./Builds -type d -name "*.app" 2>/dev/null)
|
||||
fi
|
||||
|
||||
# If still not found, check the whole workspace
|
||||
if [ -z "$APP_PATHS" ]; then
|
||||
echo "Checking entire workspace..."
|
||||
APP_PATHS=$(find . -type d -name "*.app" -not -path "*/\.*" 2>/dev/null)
|
||||
fi
|
||||
|
||||
if [ -z "$APP_PATHS" ]; then
|
||||
echo "ERROR: Could not find any app bundles!"
|
||||
echo "Listing all directories to help debug:"
|
||||
find . -type d -maxdepth 3 | sort
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "Found potential app bundles:"
|
||||
echo "$APP_PATHS"
|
||||
|
||||
# Use the first app path found (preferably the main app, not a child app)
|
||||
MAIN_APP_PATH=$(echo "$APP_PATHS" | grep -v "CrashReportClient" | head -1 || echo "$APP_PATHS" | head -1)
|
||||
|
||||
# Get app name for later use
|
||||
APP_NAME=$(basename "$MAIN_APP_PATH")
|
||||
|
||||
echo "Using app bundle: $MAIN_APP_PATH"
|
||||
echo "App name: $APP_NAME"
|
||||
|
||||
echo "APP_PATH=$MAIN_APP_PATH" >> "$GITHUB_ENV"
|
||||
echo "APP_NAME=$APP_NAME" >> "$GITHUB_ENV"
|
||||
|
||||
# Create a simple keychain
|
||||
KEYCHAIN_PASSWORD="temp$(date +%s)"
|
||||
KEYCHAIN_PATH="$HOME/Library/Keychains/build-temp.keychain-db"
|
||||
|
||||
# First, try to use the provided certificate
|
||||
echo "Attempting to use provided certificate..."
|
||||
if [ -n "$CERTIFICATE_BASE64" ] && [ -n "$CERTIFICATE_PASSWORD" ]; then
|
||||
echo "Certificate data provided, attempting import..."
|
||||
|
||||
# Decode certificate and check format
|
||||
echo "$CERTIFICATE_BASE64" | base64 --decode > temp-cert.p12
|
||||
echo "Certificate file info:"
|
||||
file temp-cert.p12
|
||||
|
||||
# Create keychain
|
||||
security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
||||
security default-keychain -s "$KEYCHAIN_PATH"
|
||||
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
||||
|
||||
# Import with debugging info
|
||||
echo "Importing certificate into keychain..."
|
||||
if security import temp-cert.p12 -k "$KEYCHAIN_PATH" -P "$CERTIFICATE_PASSWORD" -T /usr/bin/codesign; then
|
||||
echo "Certificate imported successfully!"
|
||||
|
||||
# Set partition list
|
||||
security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
||||
|
||||
# Check certificate details
|
||||
echo "Certificate details:"
|
||||
security find-identity -v -p codesigning "$KEYCHAIN_PATH"
|
||||
|
||||
# If we have a valid identity, use it
|
||||
if security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep -q "valid identities found"; then
|
||||
IDENTITY=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep -o '"[^"]*"' | head -1 | sed 's/"//g')
|
||||
echo "Using certificate identity: $IDENTITY"
|
||||
echo "SIGNING_METHOD=certificate" >> "$GITHUB_ENV"
|
||||
echo "SIGNING_IDENTITY=$IDENTITY" >> "$GITHUB_ENV"
|
||||
else
|
||||
echo "No valid identities found in keychain"
|
||||
echo "SIGNING_METHOD=ad-hoc" >> "$GITHUB_ENV"
|
||||
fi
|
||||
else
|
||||
echo "Failed to import certificate, will use ad-hoc signing instead"
|
||||
echo "SIGNING_METHOD=ad-hoc" >> "$GITHUB_ENV"
|
||||
fi
|
||||
|
||||
# Cleanup certificate file
|
||||
rm -f temp-cert.p12
|
||||
else
|
||||
echo "Certificate data not provided, will use ad-hoc signing"
|
||||
echo "SIGNING_METHOD=ad-hoc" >> "$GITHUB_ENV"
|
||||
fi
|
||||
|
||||
echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV"
|
||||
echo "KEYCHAIN_PASSWORD=$KEYCHAIN_PASSWORD" >> "$GITHUB_ENV"
|
||||
shell: bash
|
||||
|
||||
# Step 4: Sign application (with certificate or ad-hoc)
|
||||
- name: Sign application
|
||||
# Step 5: Sign application with alternative fallback
|
||||
- name: Sign application
|
||||
env:
|
||||
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
|
||||
run: |
|
||||
# Debug info
|
||||
echo "Signing app bundle: $APP_PATH"
|
||||
echo "Using entitlements file: $ENTITLEMENTS_FILE"
|
||||
echo "Signing method: $SIGNING_METHOD"
|
||||
|
||||
if [ "$SIGNING_METHOD" = "certificate" ]; then
|
||||
# Certificate signing
|
||||
echo "Using certificate signing with identity: $SIGNING_IDENTITY"
|
||||
|
||||
# Unlock keychain
|
||||
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
||||
|
||||
# Sign the app
|
||||
if /usr/bin/codesign --force --options runtime --sign "$SIGNING_IDENTITY" --entitlements "$WORKSPACE_DIR/$ENTITLEMENTS_FILE" --deep --verbose "$APP_PATH"; then
|
||||
echo "✅ Code signing with certificate was successful"
|
||||
else
|
||||
echo "⚠️ Certificate signing failed, falling back to ad-hoc signing"
|
||||
/usr/bin/codesign --force --options runtime --sign - --entitlements "$WORKSPACE_DIR/$ENTITLEMENTS_FILE" --deep --verbose "$APP_PATH"
|
||||
fi
|
||||
else
|
||||
# Ad-hoc signing
|
||||
echo "Using ad-hoc signing (for testing only)"
|
||||
/usr/bin/codesign --force --options runtime --sign - --entitlements "$WORKSPACE_DIR/$ENTITLEMENTS_FILE" --deep --verbose "$APP_PATH"
|
||||
fi
|
||||
# === TEST MODE: Using -SIGNED TEST ONLY- === #
|
||||
echo "⚠️ CERTIFICATE IMPORT FAILED: Using test-only signing approach"
|
||||
echo "This is for testing the workflow only and will NOT produce a valid signed build"
|
||||
|
||||
# Verify signature (ignore errors)
|
||||
echo "Verifying signature..."
|
||||
/usr/bin/codesign --verify --verbose "$APP_PATH" || echo "Verification errors are expected with ad-hoc signing"
|
||||
# For testing ONLY - using `-` identity (ad-hoc signing)
|
||||
# This doesn't require a certificate but won't pass notarization
|
||||
echo "🔍 Test-signing the app with ad-hoc identity..."
|
||||
/usr/bin/codesign --force --deep --verbose --sign "-" --entitlements "$WORKSPACE_DIR/$ENTITLEMENTS_FILE" "$APP_PATH" || true
|
||||
|
||||
echo "✅ Test signing completed. Note: This is NOT a properly signed app!"
|
||||
echo "NEEDS_REAL_CERT=true" >> "$GITHUB_ENV"
|
||||
|
||||
# Recommendation for production
|
||||
echo "⚠️ IMPORTANT: For production builds, please ensure your certificate is correctly configured."
|
||||
echo "⚠️ Check the following:"
|
||||
echo " 1. Certificate format is correct (PKCS#12)"
|
||||
echo " 2. Certificate password is correct"
|
||||
echo " 3. Team ID matches the certificate"
|
||||
shell: bash
|
||||
|
||||
# Step 5: Package macOS App
|
||||
- name: Package macOS App
|
||||
# Step 6: Skip Notarization (since we're not properly signed)
|
||||
- name: Package macOS App (Test Only)
|
||||
run: |
|
||||
echo "Packaging signed app bundle: $APP_PATH"
|
||||
echo "⚠️ SKIPPING NOTARIZATION - test build only"
|
||||
echo "Packaging unsigned test app bundle: $APP_PATH"
|
||||
|
||||
# Create zip package
|
||||
(cd "$(dirname "$APP_PATH")" && zip -r "${WORKSPACE_DIR}/PackagedReleases/LuckyWorld-macOS.zip" "$(basename "$APP_PATH")")
|
||||
(cd "$(dirname "$APP_PATH")" && zip -r "${WORKSPACE_DIR}/PackagedReleases/LuckyWorld-macOS-UNSIGNED-TEST.zip" "$(basename "$APP_PATH")")
|
||||
|
||||
echo "Created packaged release: PackagedReleases/LuckyWorld-macOS.zip"
|
||||
echo "Packaged releases:"
|
||||
ls -la PackagedReleases/
|
||||
echo "Created test package: PackagedReleases/LuckyWorld-macOS-UNSIGNED-TEST.zip"
|
||||
echo "NOTE: This package is NOT properly signed and will NOT pass Gatekeeper!"
|
||||
|
||||
echo "Debug certificate summary:"
|
||||
echo "- Check if your p12 file is valid"
|
||||
echo "- Verify certificate password in secrets"
|
||||
echo "- Confirm Apple Developer Team ID is correct"
|
||||
shell: bash
|
||||
|
||||
# Step 6: Upload macOS Build Artifact
|
||||
- name: Upload macOS Build Artifact
|
||||
# Step 7: Upload test artifact
|
||||
- name: Upload Test Build Artifact
|
||||
uses: actions/upload-artifact@v3
|
||||
if: success()
|
||||
with:
|
||||
name: LuckyWorld-macOS
|
||||
path: PackagedReleases/LuckyWorld-macOS.zip
|
||||
retention-days: 365
|
||||
name: LuckyWorld-macOS-UNSIGNED-TEST
|
||||
path: PackagedReleases/LuckyWorld-macOS-UNSIGNED-TEST.zip
|
||||
retention-days: 7
|
||||
|
||||
# Step 7: Cleanup
|
||||
# Step 8: Cleanup
|
||||
- name: Cleanup
|
||||
if: always()
|
||||
run: |
|
||||
# Clean up keychain and certificates
|
||||
if [ -n "$KEYCHAIN_PATH" ]; then
|
||||
security delete-keychain "$KEYCHAIN_PATH" || true
|
||||
fi
|
||||
|
||||
# Clean up certificate files
|
||||
rm -f certificate.p12 api_key.p8 temp-cert.p12 || true
|
||||
rm -rf "$HOME/certificates" || true
|
||||
security delete-keychain "$HOME/certificates/build.keychain" || true
|
||||
|
||||
echo "Cleanup complete"
|
||||
shell: bash
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user