diff --git a/.gitea/workflows/test-macos-build.yml b/.gitea/workflows/test-macos-build.yml
index e914741c..ec8be996 100644
--- a/.gitea/workflows/test-macos-build.yml
+++ b/.gitea/workflows/test-macos-build.yml
@@ -90,59 +90,85 @@ jobs: env: CERTIFICATE_BASE64: ${{ secrets.MACOS_CERTIFICATE }} CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }} + APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} run: | # Debug: Print working directory echo "Current working directory: $(pwd)" echo "Contents of Builds directory:" find Builds -type d | sort - # Create keychain - KEYCHAIN_PATH="${WORKSPACE_DIR}/build.keychain" - KEYCHAIN_PASSWORD="temporary" + # Check what saved builds we have + echo "Contents of Saved/StagedBuilds directory (if exists):" + find ./Saved -type d -name "*.app" 2>/dev/null || echo "No .app bundles found in Saved/" + + # Create temporary directory for keychain and certificates + TEMP_DIR=$(mktemp -d) + KEYCHAIN_PATH="$TEMP_DIR/build.keychain" + KEYCHAIN_PASSWORD="temporary$(date +%s)" + + echo "Creating keychain at: $KEYCHAIN_PATH" # Create and configure keychain security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH" security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" - # Set keychain search list and make it default + # Add to keychain list and make it default security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | sed s/\"//g) security default-keychain -s "$KEYCHAIN_PATH" - # Decode and import developer certificate - echo "$CERTIFICATE_BASE64" | base64 --decode > certificate.p12 + # Decode certificate to temporary directory + CERT_PATH="$TEMP_DIR/certificate.p12" + echo "$CERTIFICATE_BASE64" | base64 --decode > "$CERT_PATH" - # Import developer certificate with proper parameters - echo "Importing developer certificate..." 
- security import certificate.p12 -k "$KEYCHAIN_PATH" -P "$CERTIFICATE_PASSWORD" -T /usr/bin/codesign + # Import certificate with correct flags for automated use + security import "$CERT_PATH" -k "$KEYCHAIN_PATH" -P "$CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 # Set partition list - important for automated signing without UI prompts security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" - # Verify certificates were imported correctly - echo "Listing imported certificates..." + # Get the certificate's Common Name and SHA-1 fingerprint for signing + echo "Listing available codesigning identities:" security find-identity -v -p codesigning "$KEYCHAIN_PATH" - # Export keychain path and password for later use - echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV" - echo "KEYCHAIN_PASSWORD=$KEYCHAIN_PASSWORD" >> "$GITHUB_ENV" + # Get the certificate ID (SHA-1 fingerprint) - this is more reliable than using the name + CERT_ID=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep -o '[0-9A-F]\{40\}' | head -1) - echo "Certificate imported to keychain" + if [ -z "$CERT_ID" ]; then + echo "⚠️ No valid signing certificate found in keychain" + exit 1 + fi + + echo "Using certificate ID: $CERT_ID" + echo "CERT_ID=$CERT_ID" >> "$GITHUB_ENV" + echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV" + + echo "Certificate imported successfully" shell: bash # Step 4: Find and prep app for signing - name: Find and prep app for signing run: | - # Find app bundle - look everywhere - APP_PATHS=$(find . -type d -name "*.app" 2>/dev/null) + # First check Saved/StagedBuilds directory - where Unreal often places built apps + echo "Checking Saved/StagedBuilds directory..." 
+ APP_PATHS=$(find ./Saved/StagedBuilds -type d -name "*.app" 2>/dev/null) + # If not found, check Builds directory if [ -z "$APP_PATHS" ]; then - # No *.app extension found, look in Builds/Mac directory for any directory - APP_PATHS=$(find ./Builds/Mac -type d -mindepth 1 -maxdepth 1 2>/dev/null) + echo "Checking Builds directory..." + APP_PATHS=$(find ./Builds -type d -name "*.app" 2>/dev/null) + fi + + # If still not found, check the whole workspace + if [ -z "$APP_PATHS" ]; then + echo "Checking entire workspace..." + APP_PATHS=$(find . -type d -name "*.app" -not -path "*/\.*" 2>/dev/null) fi if [ -z "$APP_PATHS" ]; then echo "ERROR: Could not find any app bundles!" + echo "Listing all directories to help debug:" + find . -type d -maxdepth 3 | sort exit 1 fi 
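Review bot: The decoded PKCS#12 written to `$CERT_PATH` is never removed after `security import`, and neither the temporary keychain nor `$TEMP_DIR` is deleted when the job ends, so the signing private key stays on disk for the runner's lifetime; on a self-hosted runner that outlives the job this is credential exposure, not housekeeping. Add `rm -f -- "$CERT_PATH"` directly after the `security import` line, and add a final step guarded by `if: always()` that runs `security delete-keychain "$KEYCHAIN_PATH"` so cleanup also happens when signing fails. Separately, the new `-A` on `security import` lets every application use the imported key, whereas the removed line restricted it with `-T /usr/bin/codesign`; since `set-key-partition-list` on the following line is what suppresses the UI prompt, the tighter flag could be kept. The keychain step's `name:` and earlier keys lie above this hunk.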
@@ -169,58 +195,54 @@ jobs: run: | echo "Signing app bundle: $APP_PATH" echo "Using entitlements file: $ENTITLEMENTS_FILE" + echo "Using certificate ID: $CERT_ID" - # First sign PhysX and problematic frameworks specifically (based on forum reports) - echo "🔍 Signing PhysX and special libraries first..." - find "$APP_PATH" -type f -name "*PhysX*" -o -name "*APEX*" | while read SPECIAL_LIB; do - if [ -f "$SPECIAL_LIB" ]; then - echo "Signing special library: $SPECIAL_LIB" - /usr/bin/codesign -f -v -s "Developer ID Application: $APPLE_TEAM_ID" --options runtime --timestamp "$SPECIAL_LIB" - fi - done + # Make sure keychain is accessible + security unlock-keychain -p "$(security find-generic-password -a ${USER} -s login -w)" login.keychain + security unlock-keychain -p "temporary" "$KEYCHAIN_PATH" || true # Sign all dylib files echo "🔍 Signing all .dylib files..." find "$APP_PATH" -type f -name "*.dylib" | while read DYLIB; do echo "Signing dylib: $DYLIB" - /usr/bin/codesign -f -v -s "Developer ID Application: $APPLE_TEAM_ID" --options runtime --timestamp "$DYLIB" + codesign --force --options runtime --timestamp --sign "$CERT_ID" "$DYLIB" done # Sign all .so files echo "🔍 Signing all .so files..." find "$APP_PATH" -type f -name "*.so" | while read SO; do echo "Signing .so: $SO" - /usr/bin/codesign -f -v -s "Developer ID Application: $APPLE_TEAM_ID" --options runtime --timestamp "$SO" + codesign --force --options runtime --timestamp --sign "$CERT_ID" "$SO" done # Sign all executables in frameworks echo "🔍 Signing framework executables..." find "$APP_PATH" -path "*.framework/*" -type f -perm +111 | while read FMWK_BIN; do echo "Signing framework binary: $FMWK_BIN" - /usr/bin/codesign -f -v -s "Developer ID Application: $APPLE_TEAM_ID" --options runtime --timestamp "$FMWK_BIN" + codesign --force --options runtime --timestamp --sign "$CERT_ID" "$FMWK_BIN" done # Sign all other executables echo "🔍 Signing other executables..." 
find "$APP_PATH" -type f -perm +111 -not -path "*.framework/*" -not -name "*.dylib" -not -name "*.so" | while read EXEC; do echo "Signing executable: $EXEC" - /usr/bin/codesign -f -v -s "Developer ID Application: $APPLE_TEAM_ID" --options runtime --timestamp "$EXEC" + codesign --force --options runtime --timestamp --sign "$CERT_ID" "$EXEC" done # Sign all frameworks echo "🔍 Signing frameworks..." find "$APP_PATH" -name "*.framework" -type d | while read FRAMEWORK; do echo "Signing framework: $FRAMEWORK" - /usr/bin/codesign -f -v -s "Developer ID Application: $APPLE_TEAM_ID" --options runtime --timestamp "$FRAMEWORK" + codesign --force --options runtime --timestamp --sign "$CERT_ID" "$FRAMEWORK" done # Finally sign the app bundle itself with entitlements echo "🔍 Signing the main app bundle with entitlements..." - /usr/bin/codesign -f -v -s "Developer ID Application: $APPLE_TEAM_ID" --entitlements "$WORKSPACE_DIR/$ENTITLEMENTS_FILE" --options runtime --deep --timestamp "$APP_PATH" + codesign --force --options runtime --deep --timestamp --verbose --sign "$CERT_ID" --entitlements "$WORKSPACE_DIR/$ENTITLEMENTS_FILE" "$APP_PATH" # Verify signature echo "Verifying signature..." - /usr/bin/codesign --verify --verbose "$APP_PATH" + codesign --verify --verbose "$APP_PATH" # Use spctl to check if app is acceptable by Gatekeeper echo "Checking if app will pass Gatekeeper validation..."
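Review bot: `security unlock-keychain -p "temporary" "$KEYCHAIN_PATH" || true` uses a password that no longer matches the keychain created in the earlier keychain-setup step of this diff, where the new code sets `KEYCHAIN_PASSWORD="temporary$(date +%s)"` and stops writing it to `$GITHUB_ENV`, so this unlock fails on every run and the `|| true` hides it; signing presumably still works only because `set-keychain-settings -lut 21600` leaves the keychain unlocked. The line before it derives the login keychain password from `security find-generic-password -a ${USER} -s login -w`, which depends on a runner-specific keychain item, leaves `${USER}` unquoted and has no fallback, so when the item is absent the step likely aborts before any signing happens (the step's `shell:` is not visible here). Export the real value in the setup step with `echo "KEYCHAIN_PASSWORD=$KEYCHAIN_PASSWORD" >> "$GITHUB_ENV"` and replace the two unlock lines with the single `security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"` without `|| true`, so a failed unlock is reported instead of swallowed. The `run:` block continues past the end of the hunk with the spctl check.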