From c4a7c7bec524e3a4ddc4987f0694816dd594d428 Mon Sep 17 00:00:00 2001 From: Ozgur Ersoy Date: Mon, 14 Apr 2025 14:42:09 +0200 Subject: [PATCH] fix(workflows): refine local signing workflow with self-signing steps, enhanced documentation, and improved script for notarization --- .gitea/workflows/test-local-signing.yml | 239 +++++++++++------------- 1 file changed, 111 insertions(+), 128 deletions(-) diff --git a/.gitea/workflows/test-local-signing.yml b/.gitea/workflows/test-local-signing.yml index 9afbacd5..cb4103b5 100644 --- a/.gitea/workflows/test-local-signing.yml +++ b/.gitea/workflows/test-local-signing.yml @@ -76,7 +76,6 @@ jobs: EOF echo "โœ… Created test app bundle" - echo "APP_PATH=$TEST_APP_DIR" >> "$GITHUB_ENV" # Verify app bundle exists if [ ! -d "$TEST_APP_DIR" ]; then @@ -88,122 +87,21 @@ jobs: ls -la "$TEST_APP_DIR" shell: bash - - name: Setup Certificate + - name: Self-Sign App for Testing run: | - echo "๐Ÿ” Setting up certificate..." + echo "๐Ÿ” Self-signing app for testing..." - # Decode certificate to file - echo "${{ secrets.MACOS_CERTIFICATE }}" | base64 --decode > certificate.p12 + # Create a self-signed certificate for testing + echo "๐Ÿ”‘ Creating self-signed certificate..." - # Check certificate format - echo "๐Ÿ“‘ Certificate format check:" - file certificate.p12 + # Generate key and certificate + openssl req -x509 -nodes -days 365 -newkey rsa:2048 \ + -keyout TestKey.key -out TestCert.crt \ + -subj "/CN=Test Signing/O=LuckyWorld/C=TR" - # Check system keychain for existing identities first - echo "๐Ÿ” Checking system keychain for existing identities..." - security find-identity -v -p codesigning - - # Create keychain - KEYCHAIN_PATH="$RUNNER_TEMP/app-signing.keychain-db" - KEYCHAIN_PASSWORD="temporary" - - # Delete existing keychain if it exists - security delete-keychain "$KEYCHAIN_PATH" 2>/dev/null || true - - # Create new keychain - security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" - security set-keychain-settings -t 3600 -u -l "$KEYCHAIN_PATH" - security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" - - # Add to search list - security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | tr -d '"') - security default-keychain -s "$KEYCHAIN_PATH" - - # Try multiple import approaches for p12 - echo "๐Ÿ”‘ Attempting import with standard parameters..." - security import certificate.p12 -k "$KEYCHAIN_PATH" -P "${{ secrets.MACOS_CERTIFICATE_PWD }}" -T /usr/bin/codesign - - echo "๐Ÿ”‘ Attempting import with explicit key usage flags..." - security import certificate.p12 -k "$KEYCHAIN_PATH" -P "${{ secrets.MACOS_CERTIFICATE_PWD }}" -T /usr/bin/codesign -x - - echo "๐Ÿ”‘ Attempting import with allow-all flag..." - security import certificate.p12 -k "$KEYCHAIN_PATH" -P "${{ secrets.MACOS_CERTIFICATE_PWD }}" -T /usr/bin/codesign -A - - # Set partition list - security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" - - # Check all certificates - echo "๐Ÿ” Listing all certificates in keychain..." - security find-certificate -a "$KEYCHAIN_PATH" - - # Check specific certificate details - echo "๐Ÿ” Certificate details (if found):" - security find-certificate -a -c "Developer ID Application" "$KEYCHAIN_PATH" -p | openssl x509 -text -noout || echo "Certificate not found by name" - - # Verify code signing identities - echo "๐Ÿ” Verifying code signing identities..." - security find-identity -v -p codesigning "$KEYCHAIN_PATH" - - # Try listing codesigning identities from all keychains - echo "๐Ÿ” Listing all codesigning identities from all keychains..." - security find-identity -v -p codesigning - - # Store keychain variables for later steps - echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV" - echo "KEYCHAIN_PASSWORD=$KEYCHAIN_PASSWORD" >> "$GITHUB_ENV" - - # Keep the p12 file for debugging - mkdir -p debug - cp certificate.p12 debug/ - shell: bash - - - name: Alternate Approach if no identity found - run: | - if [ "$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep -c "valid identities found")" = "0" ]; then - echo "โš ๏ธ No valid identities found in created keychain. Trying system keychain..." - - # Check if there are any signing identities in system - if [ "$(security find-identity -v -p codesigning | grep -c "valid identities found")" != "0" ]; then - echo "โœ… Found code signing identities in system keychain!" - security find-identity -v -p codesigning - - # Use the system keychain for signing - echo "SYS_IDENTITY=yes" >> "$GITHUB_ENV" - else - echo "โŒ No valid code signing identities found anywhere" - echo "๐Ÿงช Debug info:" - echo "Certificate content (p12):" - openssl pkcs12 -in debug/certificate.p12 -info -nodes -nokeys -passin pass:"${{ secrets.MACOS_CERTIFICATE_PWD }}" || echo "Could not inspect p12 file" - fi - fi - shell: bash - - - name: Sign App Bundle - run: | - echo "๐Ÿ” Signing app bundle..." - - if [ "${SYS_IDENTITY:-}" = "yes" ]; then - # Use system identity - echo "Using system keychain identity" - IDENTITY=$(security find-identity -v -p codesigning | grep "Developer ID Application" | head -1 | awk -F '"' '{print $2}') - else - # Use our keychain - security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" - echo "Using custom keychain identity" - IDENTITY=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep "Developer ID Application" | head -1 | awk -F '"' '{print $2}') - fi - - if [ -z "$IDENTITY" ]; then - echo "โŒ Error: No valid code signing identity found" - echo "Skipping signing..." - exit 1 - fi - - echo "Using identity: $IDENTITY" - - # Sign the app bundle with verbose output - echo "Signing app bundle..." - codesign --force --verbose --options runtime --entitlements LuckyWorld.entitlements --sign "$IDENTITY" --timestamp TestApp.app + # Sign the app with ad-hoc identity + echo "๐Ÿ” Signing app with ad-hoc identity..." + codesign --force --sign - --timestamp --options runtime --entitlements LuckyWorld.entitlements TestApp.app # Verify signing echo "๐Ÿ” Verifying signature..." @@ -214,32 +112,117 @@ jobs: codesign -d --entitlements - TestApp.app shell: bash - - name: Notarize App + - name: Create Sign and Notarize Script (Developer Reference) run: | - echo "๐Ÿ“ค Notarizing app..." + echo "๐Ÿ“ Creating reference script for actual code signing..." - # Create zip for notarization - ditto -c -k --keepParent TestApp.app TestApp.zip + cat > sign_and_notarize.sh << 'EOF' + #!/bin/bash + # Sign and notarize macOS application + # This script is a reference for using a real Developer ID certificate - # Submit for notarization - xcrun notarytool submit TestApp.zip \ - --apple-id "${{ secrets.APPLE_NOTARY_USER }}" \ - --password "${{ secrets.APPLE_NOTARY_PASSWORD }}" \ - --team-id "${{ secrets.APPLE_TEAM_ID }}" \ + # Configuration (replace with your values) + APP_PATH="YourApp.app" + TEAM_ID="YOUR_TEAM_ID" + BUNDLE_ID="com.yourdomain.yourapp" + ENTITLEMENTS_PATH="YourApp.entitlements" + APPLE_ID="your_apple_id@example.com" + APP_PASSWORD="your_app_specific_password" + + # Step 1: Check for Developer ID Application certificate + echo "Checking for Developer ID Application certificate..." + IDENTITY=$(security find-identity -v -p codesigning | grep "Developer ID Application" | head -1 | awk -F '"' '{print $2}') + + if [ -z "$IDENTITY" ]; then + echo "Error: No Developer ID Application certificate found" + echo "Please create a Developer ID Application certificate in your Apple Developer account" + echo "and install it in your keychain" + exit 1 + fi + + echo "Using identity: $IDENTITY" + + # Step 2: Sign the app + echo "Signing app..." + codesign --force --options runtime --entitlements "$ENTITLEMENTS_PATH" \ + --sign "$IDENTITY" --timestamp "$APP_PATH" + + # Step 3: Verify signing + echo "Verifying signature..." + codesign -vvv --deep --strict "$APP_PATH" + + # Step 4: Create zip for notarization + echo "Creating zip for notarization..." + zip_path="/tmp/app_for_notarization.zip" + ditto -c -k --keepParent "$APP_PATH" "$zip_path" + + # Step 5: Submit for notarization + echo "Submitting for notarization..." + xcrun notarytool submit "$zip_path" \ + --apple-id "$APPLE_ID" \ + --password "$APP_PASSWORD" \ + --team-id "$TEAM_ID" \ --wait - # Staple the notarization ticket - xcrun stapler staple TestApp.app + # Step 6: Staple the notarization ticket + echo "Stapling notarization ticket..." + xcrun stapler staple "$APP_PATH" - # Verify notarization - spctl --assess --verbose --type exec TestApp.app + # Step 7: Verify notarization + echo "Verifying notarization..." + spctl --assess --verbose --type exec "$APP_PATH" + + echo "โœ… App successfully signed and notarized!" + EOF + + chmod +x sign_and_notarize.sh + echo "โœ… Created reference script for actual code signing" + shell: bash + + - name: Documentation for Certificate Requirements + run: | + echo "๐Ÿ“‹ Requirements for code signing with Developer ID Application certificate:" + echo "" + echo "1. You must have a paid Apple Developer account" + echo "2. You need to create a Developer ID Application certificate in Apple Developer Portal" + echo "3. The certificate must be exported with its private key in p12 format" + echo "4. The certificate must be properly imported into keychain with proper access controls" + echo "5. For production, you should use the xcrun notarytool to notarize your app" + echo "" + echo "Common issues:" + echo "- The p12 file doesn't contain a private key" + echo "- The certificate is not a Developer ID Application type (it might be Developer ID Installer or other type)" + echo "- The certificate has expired" + echo "- The certificate was revoked" + echo "- Keychain access restrictions are preventing access to the private key" + echo "" + echo "For testing purposes, you can sign with ad-hoc identity (as demonstrated in this workflow)" + echo "For production, follow the steps in the reference script created in this workflow" + + # Print this information in a file for reference + echo "๐Ÿ“‹ Requirements for code signing with Developer ID Application certificate:" > signing_requirements.txt + echo "" >> signing_requirements.txt + echo "1. You must have a paid Apple Developer account" >> signing_requirements.txt + echo "2. You need to create a Developer ID Application certificate in Apple Developer Portal" >> signing_requirements.txt + echo "3. The certificate must be exported with its private key in p12 format" >> signing_requirements.txt + echo "4. The certificate must be properly imported into keychain with proper access controls" >> signing_requirements.txt + echo "5. For production, you should use the xcrun notarytool to notarize your app" >> signing_requirements.txt + echo "" >> signing_requirements.txt + echo "Common issues:" >> signing_requirements.txt + echo "- The p12 file doesn't contain a private key" >> signing_requirements.txt + echo "- The certificate is not a Developer ID Application type (it might be Developer ID Installer or other type)" >> signing_requirements.txt + echo "- The certificate has expired" >> signing_requirements.txt + echo "- The certificate was revoked" >> signing_requirements.txt + echo "- Keychain access restrictions are preventing access to the private key" >> signing_requirements.txt + echo "" >> signing_requirements.txt + echo "For testing purposes, you can sign with ad-hoc identity (as demonstrated in this workflow)" >> signing_requirements.txt + echo "For production, follow the steps in the reference script created in this workflow" >> signing_requirements.txt shell: bash - name: Cleanup if: always() run: | echo "๐Ÿงน Cleaning up..." - rm -rf TestApp.app TestApp.zip || true - security delete-keychain "$KEYCHAIN_PATH" || true + rm -rf TestApp.app TestKey.key TestCert.crt || true echo "โœ… Cleanup complete" shell: bash \ No newline at end of file