WIP: feat(workflows): add new build workflows for Windows, Linux, and macOS, and remove obsolete build scripts #17
@ -96,29 +96,49 @@ jobs:
|
|||||||
KEYCHAIN_PATH="$RUNNER_TEMP/app-signing.keychain-db"
|
KEYCHAIN_PATH="$RUNNER_TEMP/app-signing.keychain-db"
|
||||||
KEYCHAIN_PASSWORD="$(openssl rand -base64 12)"
|
KEYCHAIN_PASSWORD="$(openssl rand -base64 12)"
|
||||||
|
|
||||||
|
# Delete existing keychain if it exists
|
||||||
|
security delete-keychain "$KEYCHAIN_PATH" 2>/dev/null || true
|
||||||
|
|
||||||
|
# Create new keychain
|
||||||
security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
||||||
security set-keychain-settings -t 3600 -l "$KEYCHAIN_PATH"
|
security set-keychain-settings -t 3600 -u -l "$KEYCHAIN_PATH"
|
||||||
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
||||||
|
|
||||||
# Add to keychain list and make it default
|
# List the keychains before modifying
|
||||||
security list-keychains -s "$KEYCHAIN_PATH" login.keychain
|
echo "Keychains before:"
|
||||||
security default-keychain -s "$KEYCHAIN_PATH"
|
security list-keychains
|
||||||
|
|
||||||
# Import developer certificate
|
# Set the new keychain as the default and add it to the search list
|
||||||
|
security default-keychain -s "$KEYCHAIN_PATH"
|
||||||
|
security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | tr -d '"')
|
||||||
|
|
||||||
|
# List the keychains after modifying
|
||||||
|
echo "Keychains after:"
|
||||||
|
security list-keychains
|
||||||
|
|
||||||
|
# Import developer certificate with specific parameters for code signing
|
||||||
echo "🔑 Importing developer certificate..."
|
echo "🔑 Importing developer certificate..."
|
||||||
echo "${{ secrets.MACOS_CERTIFICATE }}" | base64 --decode > certificate.p12
|
echo "${{ secrets.MACOS_CERTIFICATE }}" | base64 --decode > certificate.p12
|
||||||
security import certificate.p12 -k "$KEYCHAIN_PATH" -P "${{ secrets.MACOS_CERTIFICATE_PWD }}" -T /usr/bin/codesign
|
security import certificate.p12 -k "$KEYCHAIN_PATH" -P "${{ secrets.MACOS_CERTIFICATE_PWD }}" -A -t cert -f pkcs12 -T /usr/bin/codesign
|
||||||
|
|
||||||
# Set partition list to allow codesign to access without password
|
# Set partition list to allow codesign to access without password
|
||||||
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
||||||
|
|
||||||
# Verify certificate
|
# Check what's in the keychain
|
||||||
echo "🔍 Verifying certificate..."
|
echo "🔍 Listing all certificates in keychain..."
|
||||||
|
security find-certificate -a "$KEYCHAIN_PATH"
|
||||||
|
|
||||||
|
# Verify code signing identities
|
||||||
|
echo "🔍 Verifying code signing identities..."
|
||||||
security find-identity -v -p codesigning "$KEYCHAIN_PATH"
|
security find-identity -v -p codesigning "$KEYCHAIN_PATH"
|
||||||
|
|
||||||
# Make keychain available for 1 hour
|
# Make sure keychain is unlocked, set timeout to 1 hour
|
||||||
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
||||||
|
|
||||||
|
# Store keychain variables for later steps
|
||||||
|
echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV"
|
||||||
|
echo "KEYCHAIN_PASSWORD=$KEYCHAIN_PASSWORD" >> "$GITHUB_ENV"
|
||||||
|
|
||||||
# Cleanup
|
# Cleanup
|
||||||
rm -f certificate.p12
|
rm -f certificate.p12
|
||||||
shell: bash
|
shell: bash
|
||||||
@ -127,23 +147,26 @@ jobs:
|
|||||||
run: |
|
run: |
|
||||||
echo "🔏 Signing app bundle..."
|
echo "🔏 Signing app bundle..."
|
||||||
|
|
||||||
# Get the identity name (not hash)
|
|
||||||
IDENTITY_NAME=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep "Developer ID Application" | sed -E 's/.*"Developer ID Application: ([^"]*).*/\1/')
|
|
||||||
IDENTITY_FULL="Developer ID Application: $IDENTITY_NAME"
|
|
||||||
|
|
||||||
echo "Found identity: $IDENTITY_FULL"
|
|
||||||
|
|
||||||
if [ -z "$IDENTITY_NAME" ]; then
|
|
||||||
echo "❌ Error: No valid Developer ID Application identity found"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Make sure keychain is unlocked
|
# Make sure keychain is unlocked
|
||||||
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
|
||||||
|
|
||||||
# Sign the app bundle
|
# List all code signing identities again
|
||||||
echo "Signing with identity: $IDENTITY_FULL"
|
echo "Available identities for signing:"
|
||||||
codesign --force --options runtime --entitlements LuckyWorld.entitlements --sign "$IDENTITY_FULL" --timestamp TestApp.app
|
security find-identity -v -p codesigning "$KEYCHAIN_PATH"
|
||||||
|
|
||||||
|
# Get any available signing identity
|
||||||
|
IDENTITY=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | head -1 | awk -F '"' '{print $2}')
|
||||||
|
|
||||||
|
if [ -z "$IDENTITY" ]; then
|
||||||
|
echo "❌ Error: No valid code signing identity found"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "Using identity: $IDENTITY"
|
||||||
|
|
||||||
|
# Sign the app bundle with verbose output
|
||||||
|
echo "Signing app bundle..."
|
||||||
|
codesign --force --verbose --options runtime --entitlements LuckyWorld.entitlements --sign "$IDENTITY" --timestamp TestApp.app
|
||||||
|
|
||||||
# Verify signing
|
# Verify signing
|
||||||
echo "🔍 Verifying signature..."
|
echo "🔍 Verifying signature..."
|
||||||
|
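Review bot: The new line `echo "KEYCHAIN_PASSWORD=$KEYCHAIN_PASSWORD" >> "$GITHUB_ENV"` in the first hunk exposes the keychain password to every later step of the job, and because the value is generated at runtime with `openssl rand` it is not a registered secret, so the runner will not redact it if a step prints its environment or runs with tracing on. Register it before the write with `echo "::add-mask::$KEYCHAIN_PASSWORD"`, or keep the unlock and the signing in one step so the password never has to leave it. In the same hunk `security import` now passes `-A`, which lets any application use the imported private key without prompting; `-T /usr/bin/codesign` plus the existing `set-key-partition-list` call appears to cover what signing needs, so `-A` looks droppable. In the second hunk, `head -1` takes whichever identity is listed first instead of the "Developer ID Application" one the old code matched, so if the imported .p12 ever carries more than one identity the bundle could be signed with the wrong one; putting `grep "Developer ID Application"` before `head -1` would pin the choice.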