diff --git a/.gitea/workflows/test-local-signing.yml b/.gitea/workflows/test-local-signing.yml index b59f1605..9afbacd5 100644 --- a/.gitea/workflows/test-local-signing.yml +++ b/.gitea/workflows/test-local-signing.yml @@ -92,9 +92,20 @@ jobs: run: | echo "๐Ÿ” Setting up certificate..." + # Decode certificate to file + echo "${{ secrets.MACOS_CERTIFICATE }}" | base64 --decode > certificate.p12 + + # Check certificate format + echo "๐Ÿ“‘ Certificate format check:" + file certificate.p12 + + # Check system keychain for existing identities first + echo "๐Ÿ” Checking system keychain for existing identities..." + security find-identity -v -p codesigning + # Create keychain KEYCHAIN_PATH="$RUNNER_TEMP/app-signing.keychain-db" - KEYCHAIN_PASSWORD="$(openssl rand -base64 12)" + KEYCHAIN_PASSWORD="temporary" # Delete existing keychain if it exists security delete-keychain "$KEYCHAIN_PATH" 2>/dev/null || true 
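Review bot: `KEYCHAIN_PASSWORD="temporary"` replaces the per-run `openssl rand -base64 12` value, and the next hunk (@@ -104,51 +115,95) still appends that password to `$GITHUB_ENV`, so the unlock secret for the keychain that will hold the imported signing key becomes a constant readable from the workflow file. The keychain is created and deleted within the job, so a fixed string gains nothing over the random one; keep `KEYCHAIN_PASSWORD="$(openssl rand -base64 12)"`. The decoded `certificate.p12` written at the top of this hunk now lives in the workspace for the whole job rather than only inside the import step, which matters because the following hunk also stops deleting it; the `run:` block continues past the end of this hunk.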
@@ -104,51 +115,95 @@ jobs: security set-keychain-settings -t 3600 -u -l "$KEYCHAIN_PATH" security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" - # List the keychains before modifying - echo "Keychains before:" - security list-keychains - - # Set the new keychain as the default and add it to the search list - security default-keychain -s "$KEYCHAIN_PATH" + # Add to search list security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | tr -d '"') + security default-keychain -s "$KEYCHAIN_PATH" - # List the keychains after modifying - echo "Keychains after:" - security list-keychains + # Try multiple import approaches for p12 + echo "๐Ÿ”‘ Attempting import with standard parameters..." + security import certificate.p12 -k "$KEYCHAIN_PATH" -P "${{ secrets.MACOS_CERTIFICATE_PWD }}" -T /usr/bin/codesign - # Import developer certificate with specific parameters for code signing - echo "๐Ÿ”‘ Importing developer certificate..." - echo "${{ secrets.MACOS_CERTIFICATE }}" | base64 --decode > certificate.p12 - security import certificate.p12 -k "$KEYCHAIN_PATH" -P "${{ secrets.MACOS_CERTIFICATE_PWD }}" -A -t cert -f pkcs12 -T /usr/bin/codesign + echo "๐Ÿ”‘ Attempting import with explicit key usage flags..." + security import certificate.p12 -k "$KEYCHAIN_PATH" -P "${{ secrets.MACOS_CERTIFICATE_PWD }}" -T /usr/bin/codesign -x - # Set partition list to allow codesign to access without password + echo "๐Ÿ”‘ Attempting import with allow-all flag..." + security import certificate.p12 -k "$KEYCHAIN_PATH" -P "${{ secrets.MACOS_CERTIFICATE_PWD }}" -T /usr/bin/codesign -A + + # Set partition list security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" - # Check what's in the keychain + # Check all certificates echo "๐Ÿ” Listing all certificates in keychain..." 
security find-certificate -a "$KEYCHAIN_PATH" + # Check specific certificate details + echo "๐Ÿ” Certificate details (if found):" + security find-certificate -a -c "Developer ID Application" "$KEYCHAIN_PATH" -p | openssl x509 -text -noout || echo "Certificate not found by name" + # Verify code signing identities echo "๐Ÿ” Verifying code signing identities..." security find-identity -v -p codesigning "$KEYCHAIN_PATH" - # Make sure keychain is unlocked, set timeout to 1 hour - security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" + # Try listing codesigning identities from all keychains + echo "๐Ÿ” Listing all codesigning identities from all keychains..." + security find-identity -v -p codesigning # Store keychain variables for later steps echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV" echo "KEYCHAIN_PASSWORD=$KEYCHAIN_PASSWORD" >> "$GITHUB_ENV" - # Cleanup - rm -f certificate.p12 + # Keep the p12 file for debugging + mkdir -p debug + cp certificate.p12 debug/ + shell: bash + + - name: Alternate Approach if no identity found + run: | + if [ "$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep -c "valid identities found")" = "0" ]; then + echo "โš ๏ธ No valid identities found in created keychain. Trying system keychain..." + + # Check if there are any signing identities in system + if [ "$(security find-identity -v -p codesigning | grep -c "valid identities found")" != "0" ]; then + echo "โœ… Found code signing identities in system keychain!" 
+ security find-identity -v -p codesigning + + # Use the system keychain for signing + echo "SYS_IDENTITY=yes" >> "$GITHUB_ENV" + else + echo "โŒ No valid code signing identities found anywhere" + echo "๐Ÿงช Debug info:" + echo "Certificate content (p12):" + openssl pkcs12 -in debug/certificate.p12 -info -nodes -nokeys -passin pass:"${{ secrets.MACOS_CERTIFICATE_PWD }}" || echo "Could not inspect p12 file" + fi + fi shell: bash - name: Sign App Bundle run: | - echo "๏ฟฝ๏ฟฝ Signing app bundle with ad-hoc method..." + echo "๐Ÿ” Signing app bundle..." - # Sign the app bundle with ad-hoc identity (- = ad-hoc signing) - codesign --force --verbose --deep --options runtime --entitlements LuckyWorld.entitlements --sign - TestApp.app + if [ "${SYS_IDENTITY:-}" = "yes" ]; then + # Use system identity + echo "Using system keychain identity" + IDENTITY=$(security find-identity -v -p codesigning | grep "Developer ID Application" | head -1 | awk -F '"' '{print $2}') + else + # Use our keychain + security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" + echo "Using custom keychain identity" + IDENTITY=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep "Developer ID Application" | head -1 | awk -F '"' '{print $2}') + fi + + if [ -z "$IDENTITY" ]; then + echo "โŒ Error: No valid code signing identity found" + echo "Skipping signing..." + exit 1 + fi + + echo "Using identity: $IDENTITY" + + # Sign the app bundle with verbose output + echo "Signing app bundle..." + codesign --force --verbose --options runtime --entitlements LuckyWorld.entitlements --sign "$IDENTITY" --timestamp TestApp.app # Verify signing echo "๐Ÿ” Verifying signature..." 
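Review bot: The fallback in the "Alternate Approach if no identity found" step cannot trigger: `security find-identity` always ends its output with a `N valid identities found` line, so `grep -c "valid identities found"` yields `1` whether N is 0 or not, making the outer `= "0"` test always false and the inner `!= "0"` test always true; match the count itself, e.g. `grep -c " 0 valid identities found"`, or extract N and compare it numerically. `cp certificate.p12 debug/` (replacing the removed `rm -f certificate.p12`) keeps the PKCS#12 bundle, private key included, on disk for the remainder of the job and in any uploaded debug artifact; if the file must be inspected, do it in-step and remove it afterwards. The three consecutive `security import` calls will, once the first succeeds, most likely fail with a duplicate-item error, and with `shell: bash` the runner typically runs under `-e`, so the step would abort before `set-key-partition-list`; keep a single import, or guard the retries with `|| true` and drop the `-A` variant, which grants every application access to the key. `openssl pkcs12 ... -passin pass:"${{ secrets.MACOS_CERTIFICATE_PWD }}"` places the certificate password in process arguments; `-passin env:MACOS_CERTIFICATE_PWD` with the secret exported through `env:` avoids that. The Sign App Bundle step continues past the end of this hunk.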
@@ -159,32 +214,6 @@ jobs: codesign -d --entitlements - TestApp.app shell: bash - - name: Debug Identity Issues - run: | - echo "๐Ÿ” Debugging certificate issues..." - - # Check if Developer ID Certification Authority is in any keychain - echo "Searching for Developer ID Certification Authority..." - security find-certificate -a -c "Developer ID Certification Authority" /Library/Keychains/System.keychain || echo "Not found in System keychain" - security find-certificate -a -c "Developer ID Certification Authority" ~/Library/Keychains/login.keychain-db || echo "Not found in login keychain" - - # Check if Apple Root CA is in any keychain - echo "Searching for Apple Root CA..." - security find-certificate -a -c "Apple Root CA" /Library/Keychains/System.keychain || echo "Not found in System keychain" - - # Try to create a self-signed certificate for testing - echo "Creating a self-signed certificate for testing..." - openssl req -x509 -newkey rsa:2048 -keyout test-key.pem -out test-cert.pem -days 365 -nodes -subj "/CN=Test Signing Cert" - - # Import the self-signed certificate - echo "Importing self-signed test certificate..." - security import test-cert.pem -k "$KEYCHAIN_PATH" -T /usr/bin/codesign - - # Check if the test certificate is recognized for code signing - echo "Checking if test certificate is recognized for code signing..." - security find-identity -v -p codesigning "$KEYCHAIN_PATH" - shell: bash - - name: Notarize App run: | echo "๐Ÿ“ค Notarizing app..."