From a7bb4f0bd6a3fdba1c66d774ce06ef1fe953c64b Mon Sep 17 00:00:00 2001
From: Ozgur Ersoy
Date: Mon, 14 Apr 2025 00:59:16 +0200
Subject: [PATCH] fix(workflows): enhance macOS build workflow with detailed debugging for certificate import and fallback signing method
---
 .gitea/workflows/test-macos-build.yml | 240 ++++++++++++++------------
 1 file changed, 131 insertions(+), 109 deletions(-)
diff --git a/.gitea/workflows/test-macos-build.yml b/.gitea/workflows/test-macos-build.yml
index 8d2fa513..0ee596fc 100644
--- a/.gitea/workflows/test-macos-build.yml
+++ b/.gitea/workflows/test-macos-build.yml
@@ -85,8 +85,8 @@ jobs:
 fi
 shell: bash
- # Step 3: Try both certificate & Ad-Hoc signing
- - name: Prepare certificate or use Ad-Hoc signing
+ # Step 3: Enhanced Debug for Certificate Import
+ - name: Debug Certificate Import
 env:
 CERTIFICATE_BASE64: ${{ secrets.MACOS_CERTIFICATE }}
 CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }} 
@@ -94,148 +94,170 @@ jobs: run: | # Debug: Print working directory and available resources echo "Current working directory: $(pwd)" + echo "Contents of Saved/StagedBuilds directory (if exists):" + find ./Saved -type d -name "*.app" 2>/dev/null || echo "No .app bundles found in Saved/" - # Find the app bundle to sign - APP_PATHS=$(find ./Saved/StagedBuilds -type d -name "*.app" 2>/dev/null) - if [ -z "$APP_PATHS" ]; then - APP_PATHS=$(find ./Builds -type d -name "*.app" 2>/dev/null) - fi - if [ -z "$APP_PATHS" ]; then - echo "ERROR: No .app bundle found to sign!" + # Checking system keychains + echo "Examining system keychains and certificates..." + security list-keychains + security default-keychain + + # Decode certificate and examine format - DEBUG + echo "Decoding certificate to debug..." + CERT_DIR="$HOME/certificates" + mkdir -p "$CERT_DIR" + CERT_PATH="$CERT_DIR/developer_certificate.p12" + echo "$CERTIFICATE_BASE64" | base64 --decode > "$CERT_PATH" + + # Check if certificate was properly decoded + if [ -f "$CERT_PATH" ]; then + echo "Certificate was decoded, size: $(wc -c < "$CERT_PATH") bytes" + echo "Certificate file type: $(file "$CERT_PATH")" + else + echo "ERROR: Failed to decode certificate" exit 1 fi + # Trying import with different methods + echo "ATTEMPT 1: Using login keychain" + KEYCHAIN_PASSWORD="$(security find-generic-password -a ${USER} -s login -w)" + security unlock-keychain -p "$KEYCHAIN_PASSWORD" login.keychain + security import "$CERT_PATH" -P "$CERTIFICATE_PASSWORD" -k login.keychain -T /usr/bin/codesign || echo "Import to login keychain failed" + + echo "ATTEMPT 2: Creating custom keychain" + CUSTOM_KEYCHAIN="$CERT_DIR/build.keychain" + CUSTOM_PASSWORD="temppassword123" + security create-keychain -p "$CUSTOM_PASSWORD" "$CUSTOM_KEYCHAIN" + security default-keychain -s "$CUSTOM_KEYCHAIN" + security unlock-keychain -p "$CUSTOM_PASSWORD" "$CUSTOM_KEYCHAIN" + security import "$CERT_PATH" -P "$CERTIFICATE_PASSWORD" -k "$CUSTOM_KEYCHAIN" -T 
/usr/bin/codesign || echo "Import to custom keychain failed" + + # Add to search list + security list-keychains -d user -s "$CUSTOM_KEYCHAIN" login.keychain + security set-key-partition-list -S apple-tool:,apple: -s -k "$CUSTOM_PASSWORD" "$CUSTOM_KEYCHAIN" + + # Check available identities in both keychains + echo "Checking login keychain for identities:" + security find-identity -v -p codesigning login.keychain || echo "No identities in login keychain" + + echo "Checking custom keychain for identities:" + security find-identity -v -p codesigning "$CUSTOM_KEYCHAIN" || echo "No identities in custom keychain" + + # Fallback solution - use adhoc signing for testing + echo "FALLBACK: Setting up adhoc signing option" + echo "KEYCHAIN_PATH=$CUSTOM_KEYCHAIN" >> "$GITHUB_ENV" + echo "KEYCHAIN_PASSWORD=$CUSTOM_PASSWORD" >> "$GITHUB_ENV" + echo "DIRECT_SIGNING_AVAILABLE=false" >> "$GITHUB_ENV" + + # For debugging only, use a specific team ID if needed + echo "APPLE_TEAM=$APPLE_TEAM_ID" >> "$GITHUB_ENV" + shell: bash + + # Step 4: Find and prep app for signing + - name: Find and prep app for signing + run: | + # First check Saved/StagedBuilds directory - where Unreal often places built apps + echo "Checking Saved/StagedBuilds directory..." + APP_PATHS=$(find ./Saved/StagedBuilds -type d -name "*.app" 2>/dev/null) + + # If not found, check Builds directory + if [ -z "$APP_PATHS" ]; then + echo "Checking Builds directory..." + APP_PATHS=$(find ./Builds -type d -name "*.app" 2>/dev/null) + fi + + # If still not found, check the whole workspace + if [ -z "$APP_PATHS" ]; then + echo "Checking entire workspace..." + APP_PATHS=$(find . -type d -name "*.app" -not -path "*/\.*" 2>/dev/null) + fi + + if [ -z "$APP_PATHS" ]; then + echo "ERROR: Could not find any app bundles!" + echo "Listing all directories to help debug:" + find . 
-type d -maxdepth 3 | sort + exit 1 + fi + + echo "Found potential app bundles:" + echo "$APP_PATHS" + # Use the first app path found (preferably the main app, not a child app) MAIN_APP_PATH=$(echo "$APP_PATHS" | grep -v "CrashReportClient" | head -1 || echo "$APP_PATHS" | head -1) + + # Get app name for later use APP_NAME=$(basename "$MAIN_APP_PATH") echo "Using app bundle: $MAIN_APP_PATH" + echo "App name: $APP_NAME" + echo "APP_PATH=$MAIN_APP_PATH" >> "$GITHUB_ENV" echo "APP_NAME=$APP_NAME" >> "$GITHUB_ENV" - - # Create a simple keychain - KEYCHAIN_PASSWORD="temp$(date +%s)" - KEYCHAIN_PATH="$HOME/Library/Keychains/build-temp.keychain-db" - - # First, try to use the provided certificate - echo "Attempting to use provided certificate..." - if [ -n "$CERTIFICATE_BASE64" ] && [ -n "$CERTIFICATE_PASSWORD" ]; then - echo "Certificate data provided, attempting import..." - - # Decode certificate and check format - echo "$CERTIFICATE_BASE64" | base64 --decode > temp-cert.p12 - echo "Certificate file info:" - file temp-cert.p12 - - # Create keychain - security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" - security default-keychain -s "$KEYCHAIN_PATH" - security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" - - # Import with debugging info - echo "Importing certificate into keychain..." - if security import temp-cert.p12 -k "$KEYCHAIN_PATH" -P "$CERTIFICATE_PASSWORD" -T /usr/bin/codesign; then - echo "Certificate imported successfully!" 
- - # Set partition list - security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" - - # Check certificate details - echo "Certificate details:" - security find-identity -v -p codesigning "$KEYCHAIN_PATH" - - # If we have a valid identity, use it - if security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep -q "valid identities found"; then - IDENTITY=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep -o '"[^"]*"' | head -1 | sed 's/"//g') - echo "Using certificate identity: $IDENTITY" - echo "SIGNING_METHOD=certificate" >> "$GITHUB_ENV" - echo "SIGNING_IDENTITY=$IDENTITY" >> "$GITHUB_ENV" - else - echo "No valid identities found in keychain" - echo "SIGNING_METHOD=ad-hoc" >> "$GITHUB_ENV" - fi - else - echo "Failed to import certificate, will use ad-hoc signing instead" - echo "SIGNING_METHOD=ad-hoc" >> "$GITHUB_ENV" - fi - - # Cleanup certificate file - rm -f temp-cert.p12 - else - echo "Certificate data not provided, will use ad-hoc signing" - echo "SIGNING_METHOD=ad-hoc" >> "$GITHUB_ENV" - fi - - echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV" - echo "KEYCHAIN_PASSWORD=$KEYCHAIN_PASSWORD" >> "$GITHUB_ENV" shell: bash - # Step 4: Sign application (with certificate or ad-hoc) - - name: Sign application + # Step 5: Sign application with alternative fallback + - name: Sign application + env: + APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} run: | # Debug info echo "Signing app bundle: $APP_PATH" echo "Using entitlements file: $ENTITLEMENTS_FILE" - echo "Signing method: $SIGNING_METHOD" - if [ "$SIGNING_METHOD" = "certificate" ]; then - # Certificate signing - echo "Using certificate signing with identity: $SIGNING_IDENTITY" - - # Unlock keychain - security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" - - # Sign the app - if /usr/bin/codesign --force --options runtime --sign "$SIGNING_IDENTITY" --entitlements "$WORKSPACE_DIR/$ENTITLEMENTS_FILE" --deep --verbose "$APP_PATH"; then - echo 
"✅ Code signing with certificate was successful" - else - echo "⚠️ Certificate signing failed, falling back to ad-hoc signing" - /usr/bin/codesign --force --options runtime --sign - --entitlements "$WORKSPACE_DIR/$ENTITLEMENTS_FILE" --deep --verbose "$APP_PATH" - fi - else - # Ad-hoc signing - echo "Using ad-hoc signing (for testing only)" - /usr/bin/codesign --force --options runtime --sign - --entitlements "$WORKSPACE_DIR/$ENTITLEMENTS_FILE" --deep --verbose "$APP_PATH" - fi + # === TEST MODE: Using -SIGNED TEST ONLY- === # + echo "⚠️ CERTIFICATE IMPORT FAILED: Using test-only signing approach" + echo "This is for testing the workflow only and will NOT produce a valid signed build" - # Verify signature (ignore errors) - echo "Verifying signature..." - /usr/bin/codesign --verify --verbose "$APP_PATH" || echo "Verification errors are expected with ad-hoc signing" + # For testing ONLY - using `-` identity (ad-hoc signing) + # This doesn't require a certificate but won't pass notarization + echo "🔍 Test-signing the app with ad-hoc identity..." + /usr/bin/codesign --force --deep --verbose --sign "-" --entitlements "$WORKSPACE_DIR/$ENTITLEMENTS_FILE" "$APP_PATH" || true + + echo "✅ Test signing completed. Note: This is NOT a properly signed app!" + echo "NEEDS_REAL_CERT=true" >> "$GITHUB_ENV" + + # Recommendation for production + echo "⚠️ IMPORTANT: For production builds, please ensure your certificate is correctly configured." + echo "⚠️ Check the following:" + echo " 1. Certificate format is correct (PKCS#12)" + echo " 2. Certificate password is correct" + echo " 3. 
Team ID matches the certificate" shell: bash - # Step 5: Package macOS App - - name: Package macOS App + # Step 6: Skip Notarization (since we're not properly signed) + - name: Package macOS App (Test Only) run: | - echo "Packaging signed app bundle: $APP_PATH" + echo "⚠️ SKIPPING NOTARIZATION - test build only" + echo "Packaging unsigned test app bundle: $APP_PATH" # Create zip package - (cd "$(dirname "$APP_PATH")" && zip -r "${WORKSPACE_DIR}/PackagedReleases/LuckyWorld-macOS.zip" "$(basename "$APP_PATH")") + (cd "$(dirname "$APP_PATH")" && zip -r "${WORKSPACE_DIR}/PackagedReleases/LuckyWorld-macOS-UNSIGNED-TEST.zip" "$(basename "$APP_PATH")") - echo "Created packaged release: PackagedReleases/LuckyWorld-macOS.zip" - echo "Packaged releases:" - ls -la PackagedReleases/ + echo "Created test package: PackagedReleases/LuckyWorld-macOS-UNSIGNED-TEST.zip" + echo "NOTE: This package is NOT properly signed and will NOT pass Gatekeeper!" + + echo "Debug certificate summary:" + echo "- Check if your p12 file is valid" + echo "- Verify certificate password in secrets" + echo "- Confirm Apple Developer Team ID is correct" shell: bash - # Step 6: Upload macOS Build Artifact - - name: Upload macOS Build Artifact + # Step 7: Upload test artifact + - name: Upload Test Build Artifact uses: actions/upload-artifact@v3 if: success() with: - name: LuckyWorld-macOS - path: PackagedReleases/LuckyWorld-macOS.zip - retention-days: 365 + name: LuckyWorld-macOS-UNSIGNED-TEST + path: PackagedReleases/LuckyWorld-macOS-UNSIGNED-TEST.zip + retention-days: 7 - # Step 7: Cleanup + # Step 8: Cleanup - name: Cleanup if: always() run: | # Clean up keychain and certificates - if [ -n "$KEYCHAIN_PATH" ]; then - security delete-keychain "$KEYCHAIN_PATH" || true - fi - - # Clean up certificate files - rm -f certificate.p12 api_key.p8 temp-cert.p12 || true + rm -rf "$HOME/certificates" || true + security delete-keychain "$HOME/certificates/build.keychain" || true echo "Cleanup complete" shell: bash
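Review bot: The Cleanup step at the end of the hunk runs `rm -rf "$HOME/certificates"` before `security delete-keychain "$HOME/certificates/build.keychain"`, so the delete always operates on a path that no longer exists (the failure is masked by `|| true`) and the keychain that the Debug step made the default and installed as the user search list with `security list-keychains -d user -s ...` is never unregistered or restored — on a persistent self-hosted runner that leaves a dangling default keychain for every later job. Reverse the two commands and restore the login keychain, as below. Separately, the Debug step dropped the old `-n "$CERTIFICATE_BASE64"` guard, so an unset `MACOS_CERTIFICATE` secret decodes to an empty file that still passes the `-f` check and is handed to `security import`; `: "${CERTIFICATE_BASE64:?MACOS_CERTIFICATE secret is not set}"` before the decode fails early with a clear message instead. The throwaway keychain password is also now the fixed literal `temppassword123` written to `$GITHUB_ENV`, where the previous code derived a per-run value; `CUSTOM_PASSWORD="$(openssl rand -hex 16)"` keeps it unique per run at no cost.
```yaml
      - name: Cleanup
        if: always()
        run: |
          # Unregister the keychain first: once the directory is gone, delete-keychain cannot find it
          security delete-keychain "$HOME/certificates/build.keychain" || true
          # Restore the search list and default keychain that the Debug step replaced
          security list-keychains -d user -s login.keychain || true
          security default-keychain -s login.keychain || true
          rm -rf "$HOME/certificates" || true
          # … unchanged: completion message …
        shell: bash
```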