feat(workflows): create test local signing workflow for macOS with certificate setup and notarization
parent
70e17b52ec
commit
ca648fa871
@ -1,9 +1,9 @@
|
||||
name: Test Local Signing
|
||||
|
||||
on:
|
||||
workflow_dispatch: # Manuel tetikleme
|
||||
workflow_dispatch: # Manual trigger
|
||||
push:
|
||||
branches: [ozgur/build]
|
||||
branches: [test/signing]
|
||||
|
||||
jobs:
|
||||
test-local-signing:
|
||||
@ -12,66 +12,57 @@ jobs:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v3
|
||||
|
||||
- name: Create Test Certificate
|
||||
- name: Setup Certificate
|
||||
env:
|
||||
CERTIFICATE_BASE64: ${{ secrets.MACOS_CERTIFICATE }}
|
||||
CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
|
||||
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
|
||||
run: |
|
||||
echo "🔑 Creating test certificate and keychain..."
|
||||
echo "🔑 Setting up certificate and keychain..."
|
||||
|
||||
# Test için gerekli dizinleri oluştur
|
||||
# Create working directory
|
||||
CERT_DIR="$HOME/certificates"
|
||||
mkdir -p "$CERT_DIR"
|
||||
cd "$CERT_DIR"
|
||||
|
||||
# Test keychain oluştur
|
||||
KEYCHAIN_PATH="$CERT_DIR/test.keychain"
|
||||
KEYCHAIN_PASSWORD="test123"
|
||||
# Decode certificate
|
||||
echo "📜 Decoding certificate..."
|
||||
echo "$CERTIFICATE_BASE64" | base64 --decode > certificate.p12
|
||||
|
||||
# Check certificate info
|
||||
echo "🔍 Certificate info:"
|
||||
file certificate.p12
|
||||
|
||||
# Create keychain
|
||||
KEYCHAIN_PATH="$CERT_DIR/build.keychain"
|
||||
KEYCHAIN_PASSWORD="temporary$(date +%s)"
|
||||
|
||||
echo "🔐 Creating keychain: $KEYCHAIN_PATH"
|
||||
security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
||||
security default-keychain -s "$KEYCHAIN_PATH"
|
||||
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
||||
|
||||
# Test sertifikası oluştur
|
||||
cd "$CERT_DIR"
|
||||
|
||||
echo "📜 Creating self-signed certificate..."
|
||||
CERT_NAME="Test LuckyWorld Developer"
|
||||
openssl req -x509 -newkey rsa:2048 \
|
||||
-keyout test_key.pem \
|
||||
-out test_cert.pem \
|
||||
-days 365 \
|
||||
-nodes \
|
||||
-subj "/CN=$CERT_NAME"
|
||||
|
||||
echo "🔐 Converting to P12 format..."
|
||||
CERT_PASSWORD="test123"
|
||||
openssl pkcs12 -export \
|
||||
-out test_cert.p12 \
|
||||
-inkey test_key.pem \
|
||||
-in test_cert.pem \
|
||||
-password pass:$CERT_PASSWORD
|
||||
|
||||
echo "📋 Creating base64 version for reference..."
|
||||
cat test_cert.p12 | base64 > test_cert_base64.txt
|
||||
|
||||
echo "🔄 Importing certificate to keychain..."
|
||||
security import test_cert.p12 \
|
||||
# Import certificate
|
||||
echo "📥 Importing certificate..."
|
||||
security import certificate.p12 \
|
||||
-k "$KEYCHAIN_PATH" \
|
||||
-P "$CERT_PASSWORD" \
|
||||
-P "$CERTIFICATE_PASSWORD" \
|
||||
-T /usr/bin/codesign
|
||||
|
||||
# Keychain'i codesign için hazırla
|
||||
# Configure keychain settings
|
||||
security set-key-partition-list \
|
||||
-S apple-tool:,apple: \
|
||||
-s \
|
||||
-k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
||||
|
||||
# Environment variables kaydet
|
||||
# Save environment variables
|
||||
echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV"
|
||||
echo "CERT_NAME=$CERT_NAME" >> "$GITHUB_ENV"
|
||||
echo "KEYCHAIN_PASSWORD=$KEYCHAIN_PASSWORD" >> "$GITHUB_ENV"
|
||||
echo "APPLE_TEAM_ID=$APPLE_TEAM_ID" >> "$GITHUB_ENV"
|
||||
echo "WORKSPACE_DIR=$(pwd)" >> "$GITHUB_ENV"
|
||||
|
||||
echo "✅ Certificate setup complete"
|
||||
|
||||
# Debug: Sertifika bilgilerini göster
|
||||
echo "🔍 Checking codesigning identities..."
|
||||
# Check certificate status
|
||||
echo "✅ Checking codesigning identities..."
|
||||
security find-identity -v -p codesigning "$KEYCHAIN_PATH"
|
||||
shell: bash
|
||||
|
||||
@ -80,16 +71,15 @@ jobs:
|
||||
echo "🔍 Verifying certificate in keychain..."
|
||||
security find-identity -v -p codesigning "$KEYCHAIN_PATH"
|
||||
|
||||
# Detaylı sertifika bilgilerini göster
|
||||
echo "📋 Certificate details:"
|
||||
security find-certificate -a -c "$CERT_NAME" -p "$KEYCHAIN_PATH" | \
|
||||
security find-certificate -a -c "Developer ID Application" -p "$KEYCHAIN_PATH" | \
|
||||
openssl x509 -text | \
|
||||
grep -E "Subject:|Issuer:|Not Before:|Not After:|Serial Number:"
|
||||
shell: bash
|
||||
|
||||
- name: Create Test Entitlements
|
||||
run: |
|
||||
echo "📝 Creating test entitlements file..."
|
||||
echo "📝 Creating entitlements file..."
|
||||
cat > LuckyWorld.entitlements << EOF
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
||||
@ -119,16 +109,16 @@ jobs:
|
||||
run: |
|
||||
echo "📦 Creating test app bundle..."
|
||||
|
||||
# Test app bundle oluştur
|
||||
# Create test app bundle structure
|
||||
TEST_APP_DIR="TestApp.app"
|
||||
mkdir -p "$TEST_APP_DIR/Contents/MacOS"
|
||||
|
||||
# Basit bir test executable oluştur
|
||||
# Create a simple test executable
|
||||
echo '#!/bin/bash
|
||||
echo "Hello from TestApp!"' > "$TEST_APP_DIR/Contents/MacOS/TestApp"
|
||||
chmod +x "$TEST_APP_DIR/Contents/MacOS/TestApp"
|
||||
|
||||
# Info.plist oluştur
|
||||
# Create Info.plist
|
||||
cat > "$TEST_APP_DIR/Contents/Info.plist" << EOF
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
|
||||
@ -158,12 +148,16 @@ jobs:
|
||||
run: |
|
||||
echo "🔏 Testing code signing..."
|
||||
|
||||
# Keychain'i hazırla
|
||||
security unlock-keychain -p "test123" "$KEYCHAIN_PATH"
|
||||
# Prepare keychain
|
||||
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
||||
|
||||
echo "📝 Signing app bundle with test certificate..."
|
||||
# Find signing identity
|
||||
SIGNING_IDENTITY="Developer ID Application: $APPLE_TEAM_ID"
|
||||
echo "Using signing identity: $SIGNING_IDENTITY"
|
||||
|
||||
echo "📝 Signing app bundle..."
|
||||
/usr/bin/codesign --force --deep --verbose \
|
||||
--sign "$CERT_NAME" \
|
||||
--sign "$SIGNING_IDENTITY" \
|
||||
--entitlements "LuckyWorld.entitlements" \
|
||||
"$APP_PATH"
|
||||
|
||||
@ -175,8 +169,37 @@ jobs:
|
||||
echo "📋 Checking entitlements..."
|
||||
codesign -d --entitlements :- "$APP_PATH"
|
||||
|
||||
echo "🔒 Testing Gatekeeper assessment (will fail, this is expected)..."
|
||||
spctl --assess --type exec "$APP_PATH" || true
|
||||
echo "🔒 Testing Gatekeeper assessment..."
|
||||
spctl --assess --type exec "$APP_PATH"
|
||||
shell: bash
|
||||
|
||||
- name: Test Notarization
|
||||
env:
|
||||
API_KEY_PATH: ${{ secrets.NOTARY_API_KEY_PATH }}
|
||||
API_KEY_ID: ${{ secrets.NOTARY_API_KEY_ID }}
|
||||
API_KEY_ISSUER_ID: ${{ secrets.NOTARY_API_KEY_ISSUER_ID }}
|
||||
run: |
|
||||
if [ -n "$API_KEY_PATH" ] && [ -n "$API_KEY_ID" ] && [ -n "$API_KEY_ISSUER_ID" ]; then
|
||||
echo "🔐 Testing notarization..."
|
||||
|
||||
# Create API key file
|
||||
echo "$API_KEY_PATH" | base64 --decode > api_key.p8
|
||||
|
||||
# Zip test app
|
||||
ditto -c -k --keepParent "$APP_PATH" "TestApp.zip"
|
||||
|
||||
# Test notarization
|
||||
xcrun notarytool submit "TestApp.zip" \
|
||||
--key "api_key.p8" \
|
||||
--key-id "$API_KEY_ID" \
|
||||
--issuer "$API_KEY_ISSUER_ID" \
|
||||
--wait
|
||||
|
||||
# Cleanup
|
||||
rm -f api_key.p8 TestApp.zip
|
||||
else
|
||||
echo "⚠️ Notarization secrets not found, skipping notarization test"
|
||||
fi
|
||||
shell: bash
|
||||
|
||||
- name: Cleanup
|
||||
@ -184,10 +207,10 @@ jobs:
|
||||
run: |
|
||||
echo "🧹 Cleaning up..."
|
||||
|
||||
# Keychain temizle
|
||||
# Clean up keychain
|
||||
security delete-keychain "$KEYCHAIN_PATH" || true
|
||||
|
||||
# Test dosyalarını temizle
|
||||
# Clean up test files
|
||||
rm -rf "$HOME/certificates" || true
|
||||
rm -rf TestApp.app || true
|
||||
|
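Review bot: The decoded signing secrets can be left on the runner when a step fails: `certificate.p12` stays in `$HOME/certificates` after `security import`, and in the Test Notarization step `rm -f api_key.p8 TestApp.zip` is reached only if `xcrun notarytool submit` exits successfully (assuming the runner's usual fail-fast bash options). Because `spctl --assess --type exec "$APP_PATH"` no longer has `|| true`, a Gatekeeper failure now ends the job before later steps, so the Cleanup step needs `if: always()` unless it already has it; its header lines are outside the visible hunk. I would delete the file straight after import with `rm -f certificate.p12` and put `trap 'rm -f api_key.p8 TestApp.zip' EXIT` before the key is decoded. Separately, `KEYCHAIN_PASSWORD="temporary$(date +%s)"` can be guessed from the run time and is written unmasked to `$GITHUB_ENV`; a random value such as `$(openssl rand -base64 32)` would be safer on a shared or self-hosted runner.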