From dae5af77d3486cc1fcfee260bf68558e4b1b3e9a Mon Sep 17 00:00:00 2001
From: Ozgur Ersoy <git@moersoy.com>
Date: Sun, 13 Apr 2025 12:21:15 +0200
Subject: [PATCH] fix(workflows): update macOS build workflow to import
 certificates into custom keychain and ensure trust settings

---
 .gitea/actions/macos-build/action.yml | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/.gitea/actions/macos-build/action.yml b/.gitea/actions/macos-build/action.yml
index 1621494a..c84f9803 100644
--- a/.gitea/actions/macos-build/action.yml
+++ b/.gitea/actions/macos-build/action.yml
@@ -66,10 +66,6 @@ runs:
         curl -s -o AppleWWDRCAG3.cer https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer
         curl -s -o DeveloperIDG2.cer https://www.apple.com/certificateauthority/DeveloperIDG2.cer
         
-        # Import Apple root certificates
-        security import AppleWWDRCAG3.cer -k /Library/Keychains/System.keychain
-        security import DeveloperIDG2.cer -k /Library/Keychains/System.keychain
-        
         # Decode the base64 certificate
         echo "Setting up certificate..."
         echo $APPLE_CERTIFICATE_BASE64 | base64 --decode > certificate.p12
@@ -81,8 +77,18 @@ runs:
         security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
         security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
         security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+        
+        # Import all certificates to our custom keychain
+        security import AppleWWDRCAG3.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign
+        security import DeveloperIDG2.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign
         security import certificate.p12 -P "$APPLE_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
-        security list-keychain -d user -s "$KEYCHAIN_PATH" /Library/Keychains/System.keychain
+        
+        # Set keychain for signing
+        security list-keychain -d user -s "$KEYCHAIN_PATH"
+        security default-keychain -s "$KEYCHAIN_PATH"
+        
+        # Always trust our certificates
+        security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
         
         # Find app bundle
         APP_PATH=$(find Builds -type d -name "*.app" | head -1)
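Review bot: The `security import certificate.p12` line keeps `-A`, which lets any application on the runner use the imported signing key without a prompt. Now that the partition list is set a few lines later, it can be narrowed to `security import certificate.p12 -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign -t cert -f pkcs12 -k "$KEYCHAIN_PATH"`. The comment `# Always trust our certificates` does not match the command below it, which controls which tools may use the key rather than any trust setting; `# Let Apple signing tools use the imported key without a UI prompt` would be accurate. `security default-keychain -s` changes the user's default keychain and no restore or `security delete-keychain` step is visible here, so on a persistent self-hosted runner the change would presumably outlive the job. The step continues outside the hunk, so cleanup may already exist there.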