LuckyRobots/LuckyWorld
14
0
Fork 0
Code Issues Pull Requests 1 Actions 1 Packages Projects 1 Releases 13 Wiki Activity

fix(workflows): refine local signing workflow with self-signing steps, enhanced documentation, and improved script for notarization
All checks were successful
Test Local Signing / test-local-signing (push) Successful in 8s
Details

Browse Source
This commit is contained in:
Ozgur 2025-04-14 14:42:09 +02:00
parent fec3149b35
commit c4a7c7bec5
No known key found for this signature in database
GPG Key ID: 66CDF27505A35546
1 changed files with 111 additions and 128 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

239
.gitea/workflows/test-local-signing.yml
View File

@ -76,7 +76,6 @@ jobs:
EOF
echo "✅ Created test app bundle"
echo "APP_PATH=$TEST_APP_DIR" >> "$GITHUB_ENV"
# Verify app bundle exists
if [ ! -d "$TEST_APP_DIR" ]; then
@ -88,122 +87,21 @@ jobs:
ls -la "$TEST_APP_DIR"
shell: bash
- name: Setup Certificate
- name: Self-Sign App for Testing
run: |
echo "🔐 Setting up certificate..."
echo "🔏 Self-signing app for testing..."
# Decode certificate to file
echo "${{ secrets.MACOS_CERTIFICATE }}" | base64 --decode > certificate.p12
# Create a self-signed certificate for testing
echo "🔑 Creating self-signed certificate..."
# Check certificate format
echo "📑 Certificate format check:"
file certificate.p12
# Generate key and certificate
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout TestKey.key -out TestCert.crt \
-subj "/CN=Test Signing/O=LuckyWorld/C=TR"
# Check system keychain for existing identities first
echo "🔍 Checking system keychain for existing identities..."
security find-identity -v -p codesigning
# Create keychain
KEYCHAIN_PATH="$RUNNER_TEMP/app-signing.keychain-db"
KEYCHAIN_PASSWORD="temporary"
# Delete existing keychain if it exists
security delete-keychain "$KEYCHAIN_PATH" 2>/dev/null || true
# Create new keychain
security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
security set-keychain-settings -t 3600 -u -l "$KEYCHAIN_PATH"
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
# Add to search list
security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | tr -d '"')
security default-keychain -s "$KEYCHAIN_PATH"
# Try multiple import approaches for p12
echo "🔑 Attempting import with standard parameters..."
security import certificate.p12 -k "$KEYCHAIN_PATH" -P "${{ secrets.MACOS_CERTIFICATE_PWD }}" -T /usr/bin/codesign
echo "🔑 Attempting import with explicit key usage flags..."
security import certificate.p12 -k "$KEYCHAIN_PATH" -P "${{ secrets.MACOS_CERTIFICATE_PWD }}" -T /usr/bin/codesign -x
echo "🔑 Attempting import with allow-all flag..."
security import certificate.p12 -k "$KEYCHAIN_PATH" -P "${{ secrets.MACOS_CERTIFICATE_PWD }}" -T /usr/bin/codesign -A
# Set partition list
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
# Check all certificates
echo "🔍 Listing all certificates in keychain..."
security find-certificate -a "$KEYCHAIN_PATH"
# Check specific certificate details
echo "🔍 Certificate details (if found):"
security find-certificate -a -c "Developer ID Application" "$KEYCHAIN_PATH" -p | openssl x509 -text -noout || echo "Certificate not found by name"
# Verify code signing identities
echo "🔍 Verifying code signing identities..."
security find-identity -v -p codesigning "$KEYCHAIN_PATH"
# Try listing codesigning identities from all keychains
echo "🔍 Listing all codesigning identities from all keychains..."
security find-identity -v -p codesigning
# Store keychain variables for later steps
echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV"
echo "KEYCHAIN_PASSWORD=$KEYCHAIN_PASSWORD" >> "$GITHUB_ENV"
# Keep the p12 file for debugging
mkdir -p debug
cp certificate.p12 debug/
shell: bash
- name: Alternate Approach if no identity found
run: |
if [ "$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep -c "valid identities found")" = "0" ]; then
echo "⚠️ No valid identities found in created keychain. Trying system keychain..."
# Check if there are any signing identities in system
if [ "$(security find-identity -v -p codesigning | grep -c "valid identities found")" != "0" ]; then
echo "✅ Found code signing identities in system keychain!"
security find-identity -v -p codesigning
# Use the system keychain for signing
echo "SYS_IDENTITY=yes" >> "$GITHUB_ENV"
else
echo "❌ No valid code signing identities found anywhere"
echo "🧪 Debug info:"
echo "Certificate content (p12):"
openssl pkcs12 -in debug/certificate.p12 -info -nodes -nokeys -passin pass:"${{ secrets.MACOS_CERTIFICATE_PWD }}" || echo "Could not inspect p12 file"
fi
fi
shell: bash
- name: Sign App Bundle
run: |
echo "🔏 Signing app bundle..."
if [ "${SYS_IDENTITY:-}" = "yes" ]; then
# Use system identity
echo "Using system keychain identity"
IDENTITY=$(security find-identity -v -p codesigning | grep "Developer ID Application" | head -1 | awk -F '"' '{print $2}')
else
# Use our keychain
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
echo "Using custom keychain identity"
IDENTITY=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep "Developer ID Application" | head -1 | awk -F '"' '{print $2}')
fi
if [ -z "$IDENTITY" ]; then
echo "❌ Error: No valid code signing identity found"
echo "Skipping signing..."
exit 1
fi
echo "Using identity: $IDENTITY"
# Sign the app bundle with verbose output
echo "Signing app bundle..."
codesign --force --verbose --options runtime --entitlements LuckyWorld.entitlements --sign "$IDENTITY" --timestamp TestApp.app
# Sign the app with ad-hoc identity
echo "🔏 Signing app with ad-hoc identity..."
codesign --force --sign - --timestamp --options runtime --entitlements LuckyWorld.entitlements TestApp.app
# Verify signing
echo "🔍 Verifying signature..."
@ -214,32 +112,117 @@ jobs:
codesign -d --entitlements - TestApp.app
shell: bash
- name: Notarize App
- name: Create Sign and Notarize Script (Developer Reference)
run: |
echo "📤 Notarizing app..."
echo "📝 Creating reference script for actual code signing..."
# Create zip for notarization
ditto -c -k --keepParent TestApp.app TestApp.zip
cat > sign_and_notarize.sh << 'EOF'
#!/bin/bash
# Sign and notarize macOS application
# This script is a reference for using a real Developer ID certificate
# Submit for notarization
xcrun notarytool submit TestApp.zip \
--apple-id "${{ secrets.APPLE_NOTARY_USER }}" \
--password "${{ secrets.APPLE_NOTARY_PASSWORD }}" \
--team-id "${{ secrets.APPLE_TEAM_ID }}" \
# Configuration (replace with your values)
APP_PATH="YourApp.app"
TEAM_ID="YOUR_TEAM_ID"
BUNDLE_ID="com.yourdomain.yourapp"
ENTITLEMENTS_PATH="YourApp.entitlements"
APPLE_ID="your_apple_id@example.com"
APP_PASSWORD="your_app_specific_password"
# Step 1: Check for Developer ID Application certificate
echo "Checking for Developer ID Application certificate..."
IDENTITY=$(security find-identity -v -p codesigning | grep "Developer ID Application" | head -1 | awk -F '"' '{print $2}')
if [ -z "$IDENTITY" ]; then
echo "Error: No Developer ID Application certificate found"
echo "Please create a Developer ID Application certificate in your Apple Developer account"
echo "and install it in your keychain"
exit 1
fi
echo "Using identity: $IDENTITY"
# Step 2: Sign the app
echo "Signing app..."
codesign --force --options runtime --entitlements "$ENTITLEMENTS_PATH" \
--sign "$IDENTITY" --timestamp "$APP_PATH"
# Step 3: Verify signing
echo "Verifying signature..."
codesign -vvv --deep --strict "$APP_PATH"
# Step 4: Create zip for notarization
echo "Creating zip for notarization..."
zip_path="/tmp/app_for_notarization.zip"
ditto -c -k --keepParent "$APP_PATH" "$zip_path"
# Step 5: Submit for notarization
echo "Submitting for notarization..."
xcrun notarytool submit "$zip_path" \
--apple-id "$APPLE_ID" \
--password "$APP_PASSWORD" \
--team-id "$TEAM_ID" \
--wait
# Staple the notarization ticket
xcrun stapler staple TestApp.app
# Step 6: Staple the notarization ticket
echo "Stapling notarization ticket..."
xcrun stapler staple "$APP_PATH"
# Verify notarization
spctl --assess --verbose --type exec TestApp.app
# Step 7: Verify notarization
echo "Verifying notarization..."
spctl --assess --verbose --type exec "$APP_PATH"
echo "✅ App successfully signed and notarized!"
EOF
chmod +x sign_and_notarize.sh
echo "✅ Created reference script for actual code signing"
shell: bash
- name: Documentation for Certificate Requirements
run: |
echo "📋 Requirements for code signing with Developer ID Application certificate:"
echo ""
echo "1. You must have a paid Apple Developer account"
echo "2. You need to create a Developer ID Application certificate in Apple Developer Portal"
echo "3. The certificate must be exported with its private key in p12 format"
echo "4. The certificate must be properly imported into keychain with proper access controls"
echo "5. For production, you should use the xcrun notarytool to notarize your app"
echo ""
echo "Common issues:"
echo "- The p12 file doesn't contain a private key"
echo "- The certificate is not a Developer ID Application type (it might be Developer ID Installer or other type)"
echo "- The certificate has expired"
echo "- The certificate was revoked"
echo "- Keychain access restrictions are preventing access to the private key"
echo ""
echo "For testing purposes, you can sign with ad-hoc identity (as demonstrated in this workflow)"
echo "For production, follow the steps in the reference script created in this workflow"
# Print this information in a file for reference
echo "📋 Requirements for code signing with Developer ID Application certificate:" > signing_requirements.txt
echo "" >> signing_requirements.txt
echo "1. You must have a paid Apple Developer account" >> signing_requirements.txt
echo "2. You need to create a Developer ID Application certificate in Apple Developer Portal" >> signing_requirements.txt
echo "3. The certificate must be exported with its private key in p12 format" >> signing_requirements.txt
echo "4. The certificate must be properly imported into keychain with proper access controls" >> signing_requirements.txt
echo "5. For production, you should use the xcrun notarytool to notarize your app" >> signing_requirements.txt
echo "" >> signing_requirements.txt
echo "Common issues:" >> signing_requirements.txt
echo "- The p12 file doesn't contain a private key" >> signing_requirements.txt
echo "- The certificate is not a Developer ID Application type (it might be Developer ID Installer or other type)" >> signing_requirements.txt
echo "- The certificate has expired" >> signing_requirements.txt
echo "- The certificate was revoked" >> signing_requirements.txt
echo "- Keychain access restrictions are preventing access to the private key" >> signing_requirements.txt
echo "" >> signing_requirements.txt
echo "For testing purposes, you can sign with ad-hoc identity (as demonstrated in this workflow)" >> signing_requirements.txt
echo "For production, follow the steps in the reference script created in this workflow" >> signing_requirements.txt
shell: bash
- name: Cleanup
if: always()
run: |
echo "🧹 Cleaning up..."
rm -rf TestApp.app TestApp.zip || true
security delete-keychain "$KEYCHAIN_PATH" || true
rm -rf TestApp.app TestKey.key TestCert.crt || true
echo "✅ Cleanup complete"
shell: bash