From ca648fa87102a1c4ebb58a8f6f0688d9456060db Mon Sep 17 00:00:00 2001
From: Ozgur Ersoy
Date: Mon, 14 Apr 2025 14:11:32 +0200
Subject: [PATCH] feat(workflows): create test local signing workflow for macOS with certificate setup and notarization
---
 ...l-signing-2.yml => test-local-signing.yml} | 133 ++++++++++--------
 1 file changed, 78 insertions(+), 55 deletions(-)
 rename .gitea/workflows/{test-local-signing-2.yml => test-local-signing.yml} (59%)
diff --git a/.gitea/workflows/test-local-signing-2.yml b/.gitea/workflows/test-local-signing.yml
similarity index 59%
rename from .gitea/workflows/test-local-signing-2.yml
rename to .gitea/workflows/test-local-signing.yml
index 11ea73e1..4fc1920b 100644
--- a/.gitea/workflows/test-local-signing-2.yml
+++ b/.gitea/workflows/test-local-signing.yml
@@ -1,9 +1,9 @@
 name: Test Local Signing
 on:
- workflow_dispatch: # Manuel tetikleme
+ workflow_dispatch: # Manual trigger
 push:
- branches: [ozgur/build]
+ branches: [test/signing]
 jobs:
 test-local-signing:
@@ -12,66 +12,57 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@v3
- - name: Create Test Certificate
+ - name: Setup Certificate
+ env:
+ CERTIFICATE_BASE64: ${{ secrets.MACOS_CERTIFICATE }}
+ CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
+ APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
 run: |
- echo "🔑 Creating test certificate and keychain..."
+ echo "🔑 Setting up certificate and keychain..."
- # Test için gerekli dizinleri oluştur
+ # Create working directory
 CERT_DIR="$HOME/certificates"
 mkdir -p "$CERT_DIR"
+ cd "$CERT_DIR"
- # Test keychain oluştur
- KEYCHAIN_PATH="$CERT_DIR/test.keychain"
- KEYCHAIN_PASSWORD="test123"
+ # Decode certificate
+ echo "📜 Decoding certificate..."
+ echo "$CERTIFICATE_BASE64" | base64 --decode > certificate.p12
+ # Check certificate info
+ echo "🔍 Certificate info:"
+ file certificate.p12
+
+ # Create keychain
+ KEYCHAIN_PATH="$CERT_DIR/build.keychain"
+ KEYCHAIN_PASSWORD="temporary$(date +%s)"
+
+ echo "🔐 Creating keychain: $KEYCHAIN_PATH"
 security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
 security default-keychain -s "$KEYCHAIN_PATH"
 security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
- # Test sertifikası oluştur
- cd "$CERT_DIR"
-
- echo "📜 Creating self-signed certificate..."
- CERT_NAME="Test LuckyWorld Developer"
- openssl req -x509 -newkey rsa:2048 \
- -keyout test_key.pem \
- -out test_cert.pem \
- -days 365 \
- -nodes \
- -subj "/CN=$CERT_NAME"
-
- echo "🔐 Converting to P12 format..."
- CERT_PASSWORD="test123"
- openssl pkcs12 -export \
- -out test_cert.p12 \
- -inkey test_key.pem \
- -in test_cert.pem \
- -password pass:$CERT_PASSWORD
-
- echo "📋 Creating base64 version for reference..."
- cat test_cert.p12 | base64 > test_cert_base64.txt
-
- echo "🔄 Importing certificate to keychain..."
- security import test_cert.p12 \
+ # Import certificate
+ echo "📥 Importing certificate..."
+ security import certificate.p12 \
 -k "$KEYCHAIN_PATH" \
- -P "$CERT_PASSWORD" \
+ -P "$CERTIFICATE_PASSWORD" \
 -T /usr/bin/codesign
- # Keychain'i codesign için hazırla
+ # Configure keychain settings
 security set-key-partition-list \
 -S apple-tool:,apple: \
 -s \
 -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
- # Environment variables kaydet
+ # Save environment variables
 echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV"
- echo "CERT_NAME=$CERT_NAME" >> "$GITHUB_ENV"
+ echo "KEYCHAIN_PASSWORD=$KEYCHAIN_PASSWORD" >> "$GITHUB_ENV"
+ echo "APPLE_TEAM_ID=$APPLE_TEAM_ID" >> "$GITHUB_ENV"
 echo "WORKSPACE_DIR=$(pwd)" >> "$GITHUB_ENV"
- echo "✅ Certificate setup complete"
-
- # Debug: Sertifika bilgilerini göster
- echo "🔍 Checking codesigning identities..."
+ # Check certificate status
+ echo "✅ Checking codesigning identities..."
 security find-identity -v -p codesigning "$KEYCHAIN_PATH"
 shell: bash
@@ -80,16 +71,15 @@ jobs:
 echo "🔍 Verifying certificate in keychain..."
 security find-identity -v -p codesigning "$KEYCHAIN_PATH"
- # Detaylı sertifika bilgilerini göster
 echo "📋 Certificate details:"
- security find-certificate -a -c "$CERT_NAME" -p "$KEYCHAIN_PATH" | \
+ security find-certificate -a -c "Developer ID Application" -p "$KEYCHAIN_PATH" | \
 openssl x509 -text | \
 grep -E "Subject:|Issuer:|Not Before:|Not After:|Serial Number:"
 shell: bash
 - name: Create Test Entitlements
 run: |
- echo "📝 Creating test entitlements file..."
+ echo "📝 Creating entitlements file..."
 cat > LuckyWorld.entitlements << EOF
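Review bot: The decoded `certificate.p12` is written to `$HOME/certificates` and nothing removes it after `security import` succeeds, so the signing identity's PKCS#12 bundle sits on the runner's disk for the rest of the job, and indefinitely if a later step fails before the Cleanup step; delete it right after the import, `rm -f certificate.p12`, and create it under `umask 077`. `security default-keychain -s "$KEYCHAIN_PATH"` also replaces the runner user's default keychain rather than adding the build keychain to the search list — on a self-hosted runner the usual form is `security list-keychains -d user -s "$KEYCHAIN_PATH" login.keychain-db` — and without `security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"` the freshly created keychain may auto-lock before the signing step runs. `KEYCHAIN_PASSWORD` is exported to every later step via `$GITHUB_ENV`, which is fine for a throwaway keychain but worth a comment so nobody later puts a real secret through the same path. The job these steps belong to starts before the hunk.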
@@ -119,16 +109,16 @@ jobs:
 run: |
 echo "📦 Creating test app bundle..."
- # Test app bundle oluştur
+ # Create test app bundle structure
 TEST_APP_DIR="TestApp.app"
 mkdir -p "$TEST_APP_DIR/Contents/MacOS"
- # Basit bir test executable oluştur
+ # Create a simple test executable
 echo '#!/bin/bash
 echo "Hello from TestApp!"' > "$TEST_APP_DIR/Contents/MacOS/TestApp"
 chmod +x "$TEST_APP_DIR/Contents/MacOS/TestApp"
- # Info.plist oluştur
+ # Create Info.plist
 cat > "$TEST_APP_DIR/Contents/Info.plist" << EOF
@@ -158,12 +148,16 @@ jobs:
 run: |
 echo "🔏 Testing code signing..."
- # Keychain'i hazırla
- security unlock-keychain -p "test123" "$KEYCHAIN_PATH"
+ # Prepare keychain
+ security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
- echo "📝 Signing app bundle with test certificate..."
+ # Find signing identity
+ SIGNING_IDENTITY="Developer ID Application: $APPLE_TEAM_ID"
+ echo "Using signing identity: $SIGNING_IDENTITY"
+
+ echo "📝 Signing app bundle..."
 /usr/bin/codesign --force --deep --verbose \
- --sign "$CERT_NAME" \
+ --sign "$SIGNING_IDENTITY" \
 --entitlements "LuckyWorld.entitlements" \
 "$APP_PATH"
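Review bot: `SIGNING_IDENTITY="Developer ID Application: $APPLE_TEAM_ID"` only resolves if the secret actually holds the certificate's full common name; Apple names these certificates `Developer ID Application: <Team Name> (<TEAMID>)`, so a bare 10-character team ID after the colon would not match and `codesign` would fail with no identity found. Safer is to take the identity hash from the `security find-identity -v -p codesigning "$KEYCHAIN_PATH"` output the earlier step already prints, or to match on the prefix `"Developer ID Application"` when the build keychain holds exactly one such identity. For the notarization step that follows, this `codesign` call also needs `--options runtime --timestamp` (hardened runtime plus a secure timestamp), otherwise notarytool will reject the submission; `--deep` is discouraged by Apple in favour of signing nested code explicitly. The step header and the definition of `$APP_PATH` are outside the hunk.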
@@ -175,8 +169,37 @@ jobs:
 echo "📋 Checking entitlements..."
 codesign -d --entitlements :- "$APP_PATH"
- echo "🔒 Testing Gatekeeper assessment (will fail, this is expected)..."
- spctl --assess --type exec "$APP_PATH" || true
+ echo "🔒 Testing Gatekeeper assessment..."
+ spctl --assess --type exec "$APP_PATH"
+ shell: bash
+
+ - name: Test Notarization
+ env:
+ API_KEY_PATH: ${{ secrets.NOTARY_API_KEY_PATH }}
+ API_KEY_ID: ${{ secrets.NOTARY_API_KEY_ID }}
+ API_KEY_ISSUER_ID: ${{ secrets.NOTARY_API_KEY_ISSUER_ID }}
+ run: |
+ if [ -n "$API_KEY_PATH" ] && [ -n "$API_KEY_ID" ] && [ -n "$API_KEY_ISSUER_ID" ]; then
+ echo "🔐 Testing notarization..."
+
+ # Create API key file
+ echo "$API_KEY_PATH" | base64 --decode > api_key.p8
+
+ # Zip test app
+ ditto -c -k --keepParent "$APP_PATH" "TestApp.zip"
+
+ # Test notarization
+ xcrun notarytool submit "TestApp.zip" \
+ --key "api_key.p8" \
+ --key-id "$API_KEY_ID" \
+ --issuer "$API_KEY_ISSUER_ID" \
+ --wait
+
+ # Cleanup
+ rm -f api_key.p8 TestApp.zip
+ else
+ echo "⚠️ Notarization secrets not found, skipping notarization test"
+ fi
 shell: bash
 - name: Cleanup
@@ -184,10 +207,10 @@ jobs:
 run: |
 echo "🧹 Cleaning up..."
- # Keychain temizle
+ # Clean up keychain
 security delete-keychain "$KEYCHAIN_PATH" || true
- # Test dosyalarını temizle
+ # Clean up test files
 rm -rf "$HOME/certificates" || true
 rm -rf TestApp.app || true
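Review bot: `api_key.p8` is only deleted on the success path — if the runner applies GitHub-style `bash -eo pipefail` to `shell: bash`, a failing `xcrun notarytool submit --wait` aborts the step before `rm -f api_key.p8 TestApp.zip`, leaving the App Store Connect private key in the workspace on the runner; register the cleanup before the key is written, `trap 'rm -f api_key.p8 TestApp.zip' EXIT`, and decode it under `umask 077`. Dropping `|| true` from `spctl --assess --type exec "$APP_PATH"` also makes the signing step fail on current macOS for a Developer ID–signed app that is not yet notarized (Gatekeeper reports `source=Unnotarized Developer ID`), so the notarization step below would never be reached; either keep the assessment tolerant there or move it after `notarytool` and `xcrun stapler staple "$APP_PATH"`. The secret named `NOTARY_API_KEY_PATH` is base64 key material rather than a path, as the `base64 --decode` shows — naming it `NOTARY_API_KEY_BASE64` would prevent someone passing a real path later.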