LuckyRobots/LuckyWorld
14
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects 1 Releases 13 Wiki Activity

fix(workflows): enhance local signing workflow with additional certificate checks and improved identity handling
Some checks failed
Test Local Signing / test-local-signing (push) Failing after 8s
Details

Browse Source
This commit is contained in:
Ozgur 2025-04-14 14:39:35 +02:00
parent 44bba086a6
commit fec3149b35
No known key found for this signature in database
GPG Key ID: 66CDF27505A35546
1 changed files with 78 additions and 49 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

127
.gitea/workflows/test-local-signing.yml
View File

@ -92,9 +92,20 @@ jobs:
run: |
echo "🔐 Setting up certificate..."
# Decode certificate to file
echo "${{ secrets.MACOS_CERTIFICATE }}" | base64 --decode > certificate.p12
# Check certificate format
echo "📑 Certificate format check:"
file certificate.p12
# Check system keychain for existing identities first
echo "🔍 Checking system keychain for existing identities..."
security find-identity -v -p codesigning
# Create keychain
KEYCHAIN_PATH="$RUNNER_TEMP/app-signing.keychain-db"
KEYCHAIN_PASSWORD="$(openssl rand -base64 12)"
KEYCHAIN_PASSWORD="temporary"
# Delete existing keychain if it exists
security delete-keychain "$KEYCHAIN_PATH" 2>/dev/null || true
@ -104,51 +115,95 @@ jobs:
security set-keychain-settings -t 3600 -u -l "$KEYCHAIN_PATH"
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
# List the keychains before modifying
echo "Keychains before:"
security list-keychains
# Set the new keychain as the default and add it to the search list
security default-keychain -s "$KEYCHAIN_PATH"
# Add to search list
security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | tr -d '"')
security default-keychain -s "$KEYCHAIN_PATH"
# List the keychains after modifying
echo "Keychains after:"
security list-keychains
# Try multiple import approaches for p12
echo "🔑 Attempting import with standard parameters..."
security import certificate.p12 -k "$KEYCHAIN_PATH" -P "${{ secrets.MACOS_CERTIFICATE_PWD }}" -T /usr/bin/codesign
# Import developer certificate with specific parameters for code signing
echo "🔑 Importing developer certificate..."
echo "${{ secrets.MACOS_CERTIFICATE }}" | base64 --decode > certificate.p12
security import certificate.p12 -k "$KEYCHAIN_PATH" -P "${{ secrets.MACOS_CERTIFICATE_PWD }}" -A -t cert -f pkcs12 -T /usr/bin/codesign
echo "🔑 Attempting import with explicit key usage flags..."
security import certificate.p12 -k "$KEYCHAIN_PATH" -P "${{ secrets.MACOS_CERTIFICATE_PWD }}" -T /usr/bin/codesign -x
# Set partition list to allow codesign to access without password
echo "🔑 Attempting import with allow-all flag..."
security import certificate.p12 -k "$KEYCHAIN_PATH" -P "${{ secrets.MACOS_CERTIFICATE_PWD }}" -T /usr/bin/codesign -A
# Set partition list
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
# Check what's in the keychain
# Check all certificates
echo "🔍 Listing all certificates in keychain..."
security find-certificate -a "$KEYCHAIN_PATH"
# Check specific certificate details
echo "🔍 Certificate details (if found):"
security find-certificate -a -c "Developer ID Application" "$KEYCHAIN_PATH" -p | openssl x509 -text -noout || echo "Certificate not found by name"
# Verify code signing identities
echo "🔍 Verifying code signing identities..."
security find-identity -v -p codesigning "$KEYCHAIN_PATH"
# Make sure keychain is unlocked, set timeout to 1 hour
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
# Try listing codesigning identities from all keychains
echo "🔍 Listing all codesigning identities from all keychains..."
security find-identity -v -p codesigning
# Store keychain variables for later steps
echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV"
echo "KEYCHAIN_PASSWORD=$KEYCHAIN_PASSWORD" >> "$GITHUB_ENV"
# Cleanup
rm -f certificate.p12
# Keep the p12 file for debugging
mkdir -p debug
cp certificate.p12 debug/
shell: bash
- name: Alternate Approach if no identity found
run: |
if [ "$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep -c "valid identities found")" = "0" ]; then
echo "⚠️ No valid identities found in created keychain. Trying system keychain..."
# Check if there are any signing identities in system
if [ "$(security find-identity -v -p codesigning | grep -c "valid identities found")" != "0" ]; then
echo "✅ Found code signing identities in system keychain!"
security find-identity -v -p codesigning
# Use the system keychain for signing
echo "SYS_IDENTITY=yes" >> "$GITHUB_ENV"
else
echo "❌ No valid code signing identities found anywhere"
echo "🧪 Debug info:"
echo "Certificate content (p12):"
openssl pkcs12 -in debug/certificate.p12 -info -nodes -nokeys -passin pass:"${{ secrets.MACOS_CERTIFICATE_PWD }}" || echo "Could not inspect p12 file"
fi
fi
shell: bash
- name: Sign App Bundle
run: |
echo "<22><> Signing app bundle with ad-hoc method..."
echo "🔏 Signing app bundle..."
# Sign the app bundle with ad-hoc identity (- = ad-hoc signing)
codesign --force --verbose --deep --options runtime --entitlements LuckyWorld.entitlements --sign - TestApp.app
if [ "${SYS_IDENTITY:-}" = "yes" ]; then
# Use system identity
echo "Using system keychain identity"
IDENTITY=$(security find-identity -v -p codesigning | grep "Developer ID Application" | head -1 | awk -F '"' '{print $2}')
else
# Use our keychain
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
echo "Using custom keychain identity"
IDENTITY=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep "Developer ID Application" | head -1 | awk -F '"' '{print $2}')
fi
if [ -z "$IDENTITY" ]; then
echo "❌ Error: No valid code signing identity found"
echo "Skipping signing..."
exit 1
fi
echo "Using identity: $IDENTITY"
# Sign the app bundle with verbose output
echo "Signing app bundle..."
codesign --force --verbose --options runtime --entitlements LuckyWorld.entitlements --sign "$IDENTITY" --timestamp TestApp.app
# Verify signing
echo "🔍 Verifying signature..."
@ -159,32 +214,6 @@ jobs:
codesign -d --entitlements - TestApp.app
shell: bash
- name: Debug Identity Issues
run: |
echo "🔍 Debugging certificate issues..."
# Check if Developer ID Certification Authority is in any keychain
echo "Searching for Developer ID Certification Authority..."
security find-certificate -a -c "Developer ID Certification Authority" /Library/Keychains/System.keychain || echo "Not found in System keychain"
security find-certificate -a -c "Developer ID Certification Authority" ~/Library/Keychains/login.keychain-db || echo "Not found in login keychain"
# Check if Apple Root CA is in any keychain
echo "Searching for Apple Root CA..."
security find-certificate -a -c "Apple Root CA" /Library/Keychains/System.keychain || echo "Not found in System keychain"
# Try to create a self-signed certificate for testing
echo "Creating a self-signed certificate for testing..."
openssl req -x509 -newkey rsa:2048 -keyout test-key.pem -out test-cert.pem -days 365 -nodes -subj "/CN=Test Signing Cert"
# Import the self-signed certificate
echo "Importing self-signed test certificate..."
security import test-cert.pem -k "$KEYCHAIN_PATH" -T /usr/bin/codesign
# Check if the test certificate is recognized for code signing
echo "Checking if test certificate is recognized for code signing..."
security find-identity -v -p codesigning "$KEYCHAIN_PATH"
shell: bash
- name: Notarize App
run: |
echo "📤 Notarizing app..."