fix(actions): enhance macOS notarization workflow by improving API key handling with PEM format checks and detailed logging for error scenarios
Some checks failed
Test macOS Build Action / test-macos-build (push) Failing after 33m43s
parent
79ddd3ff12
commit
dd01055e1e
@ -250,7 +250,7 @@ jobs:
|
||||
|
||||
# Create API key file - properly decode from base64
|
||||
API_KEY_FILE="$WORK_DIR/api_key.p8"
|
||||
debug_log "Decoding API key from base64 to: $API_KEY_FILE"
|
||||
debug_log "Creating API key file at: $API_KEY_FILE"
|
||||
|
||||
# Check if NOTARY_API_KEY_PATH is provided
|
||||
if [[ -z "${{ secrets.NOTARY_API_KEY_PATH }}" ]]; then
|
||||
@ -258,8 +258,30 @@ jobs:
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Explicitly decode from base64 as instructed
|
||||
echo "${{ secrets.NOTARY_API_KEY_PATH }}" | base64 -d > "$API_KEY_FILE" 2>/dev/null
|
||||
# First try using the secret directly (assuming it's a PEM key directly)
|
||||
echo "${{ secrets.NOTARY_API_KEY_PATH }}" > "$API_KEY_FILE"
|
||||
|
||||
# Check if it's already in PEM format
|
||||
if grep -q "BEGIN PRIVATE KEY" "$API_KEY_FILE"; then
|
||||
debug_log "Secret is already in PEM format, using directly"
|
||||
else
|
||||
debug_log "Secret is not in PEM format, trying to decode as base64"
|
||||
# Try base64 decoding
|
||||
echo "${{ secrets.NOTARY_API_KEY_PATH }}" | base64 -D > "$API_KEY_FILE.decoded" 2>/dev/null || true
|
||||
|
||||
# Check if decoded content is PEM
|
||||
if [[ -s "$API_KEY_FILE.decoded" ]] && grep -q "BEGIN PRIVATE KEY" "$API_KEY_FILE.decoded"; then
|
||||
debug_log "Successfully decoded secret from base64 to PEM"
|
||||
mv "$API_KEY_FILE.decoded" "$API_KEY_FILE"
|
||||
else
|
||||
debug_log "ERROR: Secret is neither PEM nor valid base64-encoded PEM"
|
||||
debug_log "Secret starts with: $(head -c 20 "$API_KEY_FILE" | xxd -p)"
|
||||
if [[ -f "$API_KEY_FILE.decoded" ]]; then
|
||||
debug_log "Decoded content starts with: $(head -c 20 "$API_KEY_FILE.decoded" | xxd -p)"
|
||||
fi
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
# Verify API key file exists and has content
|
||||
if [[ ! -f "$API_KEY_FILE" ]]; then
|
||||
@ -268,14 +290,7 @@ jobs:
|
||||
fi
|
||||
|
||||
if [[ ! -s "$API_KEY_FILE" ]]; then
|
||||
debug_log "ERROR: API key file is empty after base64 decoding"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Verify key format
|
||||
if ! grep -q "BEGIN PRIVATE KEY" "$API_KEY_FILE"; then
|
||||
debug_log "ERROR: API key is not in PEM format (missing BEGIN PRIVATE KEY)"
|
||||
debug_log "First 10 bytes of API key file: $(hexdump -n 10 -ve '1/1 "%.2x"' "$API_KEY_FILE")"
|
||||
debug_log "ERROR: API key file is empty"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
|
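Review bot: The error branch of the new PEM check writes the first 20 bytes of the secret, and of the decoded file, to the log as hex (`head -c 20 "$API_KEY_FILE" | xxd -p`). Log masking matches the literal secret value, so a hex rendering would most likely pass through unmasked and a malformed key would leak part of its content into the job log. Log only non-sensitive facts instead, for example `debug_log "Secret length: $(wc -c < "$API_KEY_FILE") bytes"`. The key is also written under the default umask, and `$API_KEY_FILE` and `$API_KEY_FILE.decoded` stay on disk when the step hits `exit 1`. Unless cleanup happens outside the visible hunks, set `umask 077` before the first write and run `rm -f -- "$API_KEY_FILE" "$API_KEY_FILE.decoded"` before exiting. Supplying the secret through the step's `env:` block and expanding it as a quoted shell variable, rather than interpolating `${{ secrets.NOTARY_API_KEY_PATH }}` into the script three times, would also keep its value out of the generated script text.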