LuckyRobots/LuckyWorld
14
0
Fork 0
Code Issues Pull Requests 1 Actions 1 Packages Projects 1 Releases 13 Wiki Activity

fix(workflows): update macOS build workflow to enable push triggers and enhance documentation for code signing requirements
Some checks failed
Test macOS Build Action / test-macos-build (push) Failing after 29m25s
Details

Browse Source
This commit is contained in:
Ozgur 2025-04-14 14:45:43 +02:00
parent c4a7c7bec5
commit c9b2170d80
No known key found for this signature in database
GPG Key ID: 66CDF27505A35546
2 changed files with 161 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.gitea/workflows/test-local-signing.yml
View File

@ -2,8 +2,8 @@ name: Test Local Signing
on:
workflow_dispatch: # Manual trigger
push:
branches: [ozgur/build]
# push:
# branches: [ozgur/build]
jobs:
test-local-signing:

189
.gitea/workflows/test-macos-build.yml
View File

@ -2,8 +2,8 @@ name: Test macOS Build Action
on:
workflow_dispatch: # Manual trigger only for testing
# push:
# branches: [ozgur/build]
push:
branches: [ozgur/build]
jobs:
test-macos-build:
@ -254,45 +254,174 @@ jobs:
echo "Signing app bundle: $APP_PATH"
echo "Using entitlements file: $ENTITLEMENTS_FILE"
# === TEST MODE: Using -SIGNED TEST ONLY- === #
echo "⚠️ CERTIFICATE IMPORT FAILED: Using test-only signing approach"
echo "This is for testing the workflow only and will NOT produce a valid signed build"
# Sign the app with ad-hoc identity
echo "🔏 Signing app with ad-hoc identity..."
/usr/bin/codesign --force --sign - --timestamp --options runtime --entitlements "$WORKSPACE_DIR/$ENTITLEMENTS_FILE" "$APP_PATH"
# For testing ONLY - using `-` identity (ad-hoc signing)
# This doesn't require a certificate but won't pass notarization
echo "🔍 Test-signing the app with ad-hoc identity..."
/usr/bin/codesign --force --deep --verbose --sign "-" --entitlements "$WORKSPACE_DIR/$ENTITLEMENTS_FILE" "$APP_PATH" || true
# Verify signing
echo "🔍 Verifying signature..."
codesign -vvv --deep --strict "$APP_PATH"
echo "✅ Test signing completed. Note: This is NOT a properly signed app!"
# Check entitlements
echo "🔍 Checking entitlements..."
codesign -d --entitlements - "$APP_PATH"
echo "✅ Ad-hoc signing completed for testing purposes"
echo "NEEDS_REAL_CERT=true" >> "$GITHUB_ENV"
# Recommendation for production
echo "⚠️ IMPORTANT: For production builds, please ensure your certificate is correctly configured."
echo "⚠️ Check the following:"
echo " 1. Certificate format is correct (PKCS#12)"
echo " 2. Certificate password is correct"
echo " 3. Team ID matches the certificate"
shell: bash
# Step 6: Skip Notarization (since we're not properly signed)
# Step 6: Create Reference Script for Production Signing
- name: Create Production Signing Reference
run: |
echo "📝 Creating reference script for production code signing..."
cat > sign_and_notarize_production.sh << 'EOF'
#!/bin/bash
# Sign and notarize macOS application
# This script is a reference for using a real Developer ID certificate
# Configuration (replace with your values)
APP_PATH="LuckyWorld-Mac-Shipping.app" # Your app path
TEAM_ID="${APPLE_TEAM_ID}" # Your Apple Team ID
BUNDLE_ID="com.luckyworld.game" # Your app bundle ID
ENTITLEMENTS_PATH="LuckyWorld.entitlements" # Your entitlements file
APPLE_ID="${APPLE_NOTARY_USER}" # Your Apple ID
APP_PASSWORD="${APPLE_NOTARY_PASSWORD}" # Your app-specific password
# Step 1: Check for Developer ID Application certificate
echo "Checking for Developer ID Application certificate..."
IDENTITY=$(security find-identity -v -p codesigning | grep "Developer ID Application" | head -1 | awk -F '"' '{print $2}')
if [ -z "$IDENTITY" ]; then
echo "Error: No Developer ID Application certificate found"
echo "Please create a Developer ID Application certificate in your Apple Developer account"
echo "and install it in your keychain"
exit 1
fi
echo "Using identity: $IDENTITY"
# Step 2: Sign the app
echo "Signing app..."
codesign --force --options runtime --entitlements "$ENTITLEMENTS_PATH" \
--sign "$IDENTITY" --timestamp "$APP_PATH"
# Step 3: Verify signing
echo "Verifying signature..."
codesign -vvv --deep --strict "$APP_PATH"
# Step 4: Create zip for notarization
echo "Creating zip for notarization..."
ZIP_PATH="${APP_PATH%.app}-notarize.zip"
ditto -c -k --keepParent "$APP_PATH" "$ZIP_PATH"
# Step 5: Submit for notarization
echo "Submitting for notarization..."
xcrun notarytool submit "$ZIP_PATH" \
--apple-id "$APPLE_ID" \
--password "$APP_PASSWORD" \
--team-id "$TEAM_ID" \
--wait
# Step 6: Staple the notarization ticket
echo "Stapling notarization ticket..."
xcrun stapler staple "$APP_PATH"
# Step 7: Verify notarization
echo "Verifying notarization..."
spctl --assess --verbose --type exec "$APP_PATH"
# Step 8: Create final distribution zip
echo "Creating final distribution zip..."
FINAL_ZIP="${APP_PATH%.app}-macOS-Signed.zip"
ditto -c -k --keepParent "$APP_PATH" "$FINAL_ZIP"
echo "✅ App successfully signed and notarized!"
echo "Final package: $FINAL_ZIP"
EOF
chmod +x sign_and_notarize_production.sh
echo "✅ Created reference script for production code signing"
shell: bash
# Step 7: Documentation for Certificate Requirements
- name: Certificate Requirements Documentation
run: |
echo "📋 Requirements for code signing with Developer ID Application certificate:"
echo ""
echo "1. You must have a paid Apple Developer account"
echo "2. You need to create a Developer ID Application certificate in Apple Developer Portal"
echo "3. The certificate must be exported with its private key in p12 format"
echo "4. The certificate must be properly imported into keychain with proper access controls"
echo "5. For production, you should use the xcrun notarytool to notarize your app"
echo ""
echo "Common issues:"
echo "- The p12 file doesn't contain a private key"
echo "- The certificate is not a Developer ID Application type (it might be Developer ID Installer or other type)"
echo "- The certificate has expired"
echo "- The certificate was revoked"
echo "- Keychain access restrictions are preventing access to the private key"
echo ""
echo "For testing CI/CD pipeline: Use ad-hoc signing (as demonstrated in this workflow)"
echo "For production: Follow the steps in the reference script sign_and_notarize_production.sh"
# Print this information in a file for reference
cat > code_signing_requirements.md << EOF
# macOS Code Signing Requirements
## Requirements
1. You must have a paid Apple Developer account
2. You need to create a Developer ID Application certificate in Apple Developer Portal
3. The certificate must be exported with its private key in p12 format
4. The certificate must be properly imported into keychain with proper access controls
5. For production, you should use the xcrun notarytool to notarize your app
## Common Issues
- The p12 file doesn't contain a private key
- The certificate is not a Developer ID Application type (it might be Developer ID Installer or other type)
- The certificate has expired
- The certificate was revoked
- Keychain access restrictions are preventing access to the private key
## Workflow
- For testing CI/CD pipeline: Use ad-hoc signing (as demonstrated in this workflow)
- For production: Follow the steps in the reference script sign_and_notarize_production.sh
EOF
echo "✅ Created code signing requirements documentation"
shell: bash
# Step 8: Package macOS App (For Testing)
- name: Package macOS App (Test Only)
run: |
echo "⚠️ SKIPPING NOTARIZATION - test build only"
echo "Packaging unsigned test app bundle: $APP_PATH"
echo "📦 Packaging ad-hoc signed app bundle for testing..."
# Create zip package
(cd "$(dirname "$APP_PATH")" && zip -r "${WORKSPACE_DIR}/PackagedReleases/LuckyWorld-macOS-UNSIGNED-TEST.zip" "$(basename "$APP_PATH")")
# Create zip package with clear test indication
ZIP_FILE="PackagedReleases/LuckyWorld-macOS-TEST-ONLY.zip"
(cd "$(dirname "$APP_PATH")" && zip -r "${WORKSPACE_DIR}/$ZIP_FILE" "$(basename "$APP_PATH")")
echo "Created test package: PackagedReleases/LuckyWorld-macOS-UNSIGNED-TEST.zip"
echo "NOTE: This package is NOT properly signed and will NOT pass Gatekeeper!"
echo "✅ Created test package: $ZIP_FILE"
echo "⚠️ NOTE: This package is signed with ad-hoc identity for TESTING ONLY"
echo "⚠️ It will NOT pass Gatekeeper on macOS and is NOT suitable for distribution"
echo "Debug certificate summary:"
echo "- Check if your p12 file is valid"
echo "- Verify certificate password in secrets"
echo "- Confirm Apple Developer Team ID is correct"
# Create README file to accompany the zip
cat > "PackagedReleases/README-TEST-BUILD.txt" << EOF
# LuckyWorld macOS Test Build
This build is signed with an ad-hoc signature for TESTING PURPOSES ONLY.
IMPORTANT:
- This app will NOT pass Gatekeeper on macOS
- It is NOT suitable for distribution to users
- Use the production signing script for creating distributable builds
For production builds, follow the instructions in code_signing_requirements.md
EOF
echo "✅ Created README for test build"
shell: bash
# Step 7: Upload test artifact
# Step 9: Upload test artifact
- name: Upload Test Build Artifact
uses: actions/upload-artifact@v3
if: success()
@ -301,7 +430,7 @@ jobs:
path: PackagedReleases/LuckyWorld-macOS-UNSIGNED-TEST.zip
retention-days: 7
# Step 8: Cleanup
# Step 10: Cleanup
- name: Cleanup
if: always()
run: |