.gitea/workflows/test-local-signing.yml

@@ -105,13 +105,17 @@ jobs:
           # Decode the certificate to a p12 file
           echo "$CERTIFICATE_BASE64" | base64 --decode > "$CERT_DIR/certificate.p12"
           
-          # Check certificate format
+          # Check certificate format and details
           echo "📑 Certificate format check:"
           file "$CERT_DIR/certificate.p12"
           
+          # Try to get certificate info with openssl
+          echo "📑 Certificate info with OpenSSL:"
+          openssl pkcs12 -info -in "$CERT_DIR/certificate.p12" -nokeys -passin pass:"$CERTIFICATE_PASSWORD" || echo "Failed to read certificate with OpenSSL"
+          
           # Create keychain
           KEYCHAIN_PATH="$CERT_DIR/app-signing.keychain-db"
-          KEYCHAIN_PASSWORD="$(openssl rand -base64 12)"
+          KEYCHAIN_PASSWORD="temppassword123"
           
           # Delete existing keychain if it exists
           security delete-keychain "$KEYCHAIN_PATH" 2>/dev/null || true
@@ -125,47 +129,123 @@ jobs:
           security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | tr -d '"')
           security default-keychain -s "$KEYCHAIN_PATH"
           
-          # Import certificate
-          echo "🔑 Importing developer certificate..."
+          # Try multiple import approaches
+          echo "🔑 Importing developer certificate - attempt 1 (standard)..."
           security import "$CERT_DIR/certificate.p12" -k "$KEYCHAIN_PATH" -P "$CERTIFICATE_PASSWORD" -T /usr/bin/codesign
           
+          echo "🔑 Importing developer certificate - attempt 2 (with flags)..."
+          security import "$CERT_DIR/certificate.p12" -k "$KEYCHAIN_PATH" -P "$CERTIFICATE_PASSWORD" -T /usr/bin/codesign -x -A
+          
+          echo "🔑 Importing developer certificate - attempt 3 (with format)..."
+          security import "$CERT_DIR/certificate.p12" -k "$KEYCHAIN_PATH" -P "$CERTIFICATE_PASSWORD" -T /usr/bin/codesign -f pkcs12
+          
           # Set partition list for codesign to access keychain
           security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
           
+          # Check all certificates in keychain
+          echo "🔍 Listing all certificates in keychain..."
+          security find-certificate -a "$KEYCHAIN_PATH"
+          
           # Verify certificate
-          echo "🔍 Verifying certificate..."
+          echo "🔍 Verifying code signing identities..."
           security find-identity -v -p codesigning "$KEYCHAIN_PATH"
           
+          # Alternative check for identities
+          echo "🔍 Listing identities with code signing usage..."
+          security find-certificate -a -c "Developer ID Application" -p "$KEYCHAIN_PATH" | grep -q "Code Signing" && echo "✅ Certificate has code signing usage" || echo "❌ Certificate does NOT have code signing usage"
+          
+          # Try to use the System keychain as a fallback
+          echo "🔍 Checking system keychain for code signing identities..."
+          SYSTEM_IDENTITIES=$(security find-identity -v -p codesigning)
+          echo "$SYSTEM_IDENTITIES"
+          
+          if echo "$SYSTEM_IDENTITIES" | grep -q "Developer ID Application"; then
+            echo "✅ Found Developer ID Application certificate in system keychain"
+            echo "USE_SYSTEM_CERT=true" >> "$GITHUB_ENV"
+          else
+            echo "❌ No Developer ID Application certificate found in system keychain"
+            echo "USE_SYSTEM_CERT=false" >> "$GITHUB_ENV"
+          fi
+          
           # Store keychain variables for later steps
           echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV"
           echo "KEYCHAIN_PASSWORD=$KEYCHAIN_PASSWORD" >> "$GITHUB_ENV"
           echo "APPLE_TEAM_ID=$APPLE_TEAM_ID" >> "$GITHUB_ENV"
           
-          # Cleanup
-          rm -f "$CERT_DIR/certificate.p12"
+          # Debug: keep p12 file for inspection
+          echo "💾 Keeping certificate.p12 for debugging"
+        shell: bash
+        
+      - name: Debug Certificate Content
+        if: always()
+        env:
+          CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
+        run: |
+          echo "🔎 Debugging certificate content..."
+          CERT_DIR="$HOME/certificates"
+          
+          # Check if p12 file exists
+          if [ ! -f "$CERT_DIR/certificate.p12" ]; then
+            echo "❌ Certificate file not found"
+            exit 0
+          fi
+          
+          # Try with OpenSSL to extract certificate info
+          echo "Attempting to extract certificate info..."
+          openssl pkcs12 -in "$CERT_DIR/certificate.p12" -info -nokeys -passin pass:"$CERTIFICATE_PASSWORD" > cert_info.txt || echo "Failed to extract info"
+          
+          # Check certificate contents
+          echo "Certificate subject information:"
+          grep "subject" cert_info.txt || echo "No subject information found"
+          
+          echo "Certificate issuer information:"
+          grep "issuer" cert_info.txt || echo "No issuer information found"
+          
+          # Check if it's a Developer ID certificate
+          if grep -q "Developer ID" cert_info.txt; then
+            echo "✅ This appears to be a Developer ID certificate"
+          else
+            echo "❌ This does NOT appear to be a Developer ID certificate"
+          fi
+          
+          # Check if it has a private key
+          echo "Checking for private key..."
+          if openssl pkcs12 -in "$CERT_DIR/certificate.p12" -nocerts -passin pass:"$CERTIFICATE_PASSWORD" -passout pass:temp 2>/dev/null; then
+            echo "✅ Certificate contains a private key"
+          else
+            echo "❌ Certificate does NOT contain a private key or wrong password"
+          fi
         shell: bash
         
       - name: Sign with Developer ID
         run: |
           echo "🔏 Signing app with Developer ID certificate..."
           
+          # Decide which keychain to use
+          if [ "${USE_SYSTEM_CERT:-false}" = "true" ]; then
+            echo "Using system keychain identity"
+            IDENTITY=$(security find-identity -v -p codesigning | grep "Developer ID Application" | head -1 | awk -F '"' '{print $2}')
+          else
             # Make sure keychain is unlocked
             security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
-          
-          # Get the Developer ID Application identity
+            echo "Using custom keychain identity"
             IDENTITY=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep "Developer ID Application" | head -1 | awk -F '"' '{print $2}')
-          
-          if [ -z "$IDENTITY" ]; then
-            echo "❌ Error: No valid Developer ID Application identity found"
-            echo "Please check if your certificate is valid and properly imported"
-            exit 1
           fi
           
+          if [ -z "$IDENTITY" ]; then
+            echo "❌ No valid Developer ID Application certificate found"
+            echo "Falling back to ad-hoc signing for testing..."
+            # Use ad-hoc identity as fallback
+            codesign --force --deep --verbose --options runtime --entitlements LuckyWorld.entitlements --sign - --timestamp "$APP_PATH"
+            echo "SIGNED=adhoc" >> "$GITHUB_ENV"
+          else
             echo "Using identity: $IDENTITY"
             
             # Sign the app bundle
-          echo "Signing app bundle..."
+            echo "Signing app bundle with Developer ID..."
             codesign --force --deep --verbose --options runtime --entitlements LuckyWorld.entitlements --sign "$IDENTITY" --timestamp "$APP_PATH"
+            echo "SIGNED=identity" >> "$GITHUB_ENV"
+          fi
           
           # Verify signing
           echo "🔍 Verifying signature..."