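---
# Exercises the macOS signing path end to end on a throwaway bundle:
# entitlements -> test .app -> temporary keychain + imported certificate ->
# codesign -> notarytool -> cleanup. Nothing produced here is a release
# artifact. The listing this was restored from had lost its indentation, the
# XML tags inside the heredocs, and the emoji prefixes of the log lines; the
# indentation and the standard plist envelopes are reconstructed below and
# the log lines are plain ASCII — confirm against the original file.
name: Test Local Signing

on:
  workflow_dispatch: # Manual trigger
  push:
    branches: [ozgur/build]

# The job only checks out the repository; keep the default GITHUB_TOKEN grant
# at read-only so a compromised step cannot push or write releases.
permissions:
  contents: read

jobs:
  test-local-signing:
    # NOTE(review): "macos" is not a GitHub-hosted label (those are
    # macos-latest / macos-NN); it only resolves on a self-hosted runner that
    # carries this label — confirm. A persistent runner is also why Cleanup
    # restores the default keychain below.
    runs-on: macos
    steps:
      - name: Checkout repository
        # NOTE(review): pin third-party actions to a full commit SHA rather
        # than a moving tag so a retagged upstream cannot change what runs.
        uses: actions/checkout@v3

      - name: Create Test Entitlements
        shell: bash
        run: |
          echo "Creating entitlements file..."
          # Each of these entitlements relaxes a hardened-runtime protection
          # (JIT, unsigned executable memory, library validation, DYLD
          # environment variables) or grants device access; keep the list to
          # what the real app needs. Quoted delimiter: nothing in the plist is
          # shell-expanded.
          cat > LuckyWorld.entitlements << 'EOF'
          <?xml version="1.0" encoding="UTF-8"?>
          <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
          <plist version="1.0">
          <dict>
            <key>com.apple.security.cs.allow-jit</key>
            <true/>
            <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
            <true/>
            <key>com.apple.security.cs.disable-library-validation</key>
            <true/>
            <key>com.apple.security.cs.allow-dyld-environment-variables</key>
            <true/>
            <key>com.apple.security.device.audio-input</key>
            <true/>
            <key>com.apple.security.device.camera</key>
            <true/>
          </dict>
          </plist>
          EOF
          echo "Created entitlements file"
          cat LuckyWorld.entitlements

      - name: Create Test App Bundle
        shell: bash
        run: |
          echo "Creating test app bundle..."
          # Minimal bundle layout: Contents/MacOS/<executable> plus Info.plist.
          TEST_APP_DIR="TestApp.app"
          mkdir -p "$TEST_APP_DIR/Contents/MacOS"
          # A two-line shell script stands in for the real executable.
          printf '%s\n' '#!/bin/bash' 'echo "Hello from TestApp!"' > "$TEST_APP_DIR/Contents/MacOS/TestApp"
          chmod +x "$TEST_APP_DIR/Contents/MacOS/TestApp"
          # Info.plist: the values below are those the original listing kept;
          # the surrounding plist XML is the standard envelope.
          cat > "$TEST_APP_DIR/Contents/Info.plist" << 'EOF'
          <?xml version="1.0" encoding="UTF-8"?>
          <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
          <plist version="1.0">
          <dict>
            <key>CFBundleExecutable</key>
            <string>TestApp</string>
            <key>CFBundleIdentifier</key>
            <string>com.luckyworld.testapp</string>
            <key>CFBundleName</key>
            <string>TestApp</string>
            <key>CFBundlePackageType</key>
            <string>APPL</string>
            <key>CFBundleShortVersionString</key>
            <string>1.0</string>
            <key>LSMinimumSystemVersion</key>
            <string>10.10</string>
          </dict>
          </plist>
          EOF
          echo "Created test app bundle"
          echo "APP_PATH=$TEST_APP_DIR" >> "$GITHUB_ENV"
          # Verify app bundle exists
          if [ ! -d "$TEST_APP_DIR" ]; then
            echo "Error: App bundle not found at $TEST_APP_DIR"
            exit 1
          fi
          echo "App bundle contents:"
          ls -la "$TEST_APP_DIR"

      - name: Setup Certificate
        shell: bash
        # Secrets are handed to the script through the environment instead of
        # being expanded into the script text, so they never form part of the
        # command line GitHub stores for the step.
        env:
          MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
          MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
        run: |
          echo "Setting up certificate..."
          # An unset secret would otherwise surface as an opaque base64/import
          # error further down.
          if [ -z "${MACOS_CERTIFICATE:-}" ] || [ -z "${MACOS_CERTIFICATE_PWD:-}" ]; then
            echo "Error: MACOS_CERTIFICATE and MACOS_CERTIFICATE_PWD secrets must be set"
            exit 1
          fi
          # Create keychain
          KEYCHAIN_PATH="$RUNNER_TEMP/app-signing.keychain-db"
          KEYCHAIN_PASSWORD="$(openssl rand -base64 12)"
          # Mask the generated password so it cannot leak through later log
          # lines (this step prints keychain state).
          echo "::add-mask::$KEYCHAIN_PASSWORD"
          # Remember the current default keychain so Cleanup can restore it;
          # irrelevant on an ephemeral runner, necessary on a persistent one.
          ORIGINAL_DEFAULT_KEYCHAIN="$(security default-keychain -d user 2>/dev/null | tr -d '[:space:]"' || true)"
          # Delete existing keychain if it exists
          security delete-keychain "$KEYCHAIN_PATH" 2>/dev/null || true
          # Create new keychain
          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          # Lock on sleep and after 3600 s of inactivity.
          security set-keychain-settings -t 3600 -u -l "$KEYCHAIN_PATH"
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          # List the keychains before modifying
          echo "Keychains before:"
          security list-keychains
          # Set the new keychain as the default and prepend it to the user
          # search list. The unquoted substitution relies on keychain paths
          # without spaces, which holds for the default locations.
          security default-keychain -s "$KEYCHAIN_PATH"
          security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | tr -d '"')
          # List the keychains after modifying
          echo "Keychains after:"
          security list-keychains
          # Import developer certificate with specific parameters for code signing
          echo "Importing developer certificate..."
          printf '%s' "$MACOS_CERTIFICATE" | base64 --decode > certificate.p12
          # NOTE(review): -A lets every application use the imported key;
          # -T /usr/bin/codesign together with the partition list below is the
          # narrower grant — consider dropping -A once signing is confirmed.
          security import certificate.p12 -k "$KEYCHAIN_PATH" -P "$MACOS_CERTIFICATE_PWD" -A -t cert -f pkcs12 -T /usr/bin/codesign
          # Set partition list to allow codesign to access without password
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          # Check what's in the keychain
          echo "Listing all certificates in keychain..."
          security find-certificate -a "$KEYCHAIN_PATH"
          # Verify code signing identities
          echo "Verifying code signing identities..."
          security find-identity -v -p codesigning "$KEYCHAIN_PATH"
          # Make sure keychain is unlocked, set timeout to 1 hour
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          # Store keychain variables for later steps. KEYCHAIN_PASSWORD is not
          # read by any later step in this workflow; it is kept only for
          # compatibility and is masked above.
          echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV"
          echo "KEYCHAIN_PASSWORD=$KEYCHAIN_PASSWORD" >> "$GITHUB_ENV"
          echo "ORIGINAL_DEFAULT_KEYCHAIN=$ORIGINAL_DEFAULT_KEYCHAIN" >> "$GITHUB_ENV"
          # Cleanup (the Cleanup step repeats this in case we fail before here)
          rm -f certificate.p12

      - name: Sign App Bundle
        shell: bash
        run: |
          echo "Signing app bundle with ad-hoc identity..."
          # Sign the app bundle with ad-hoc identity (- = ad-hoc signing).
          # NOTE(review): the identity imported in Setup Certificate is not used
          # here; an ad-hoc signature carries no Developer ID chain, which the
          # Notarize App step needs — switch --sign to that identity when this
          # moves beyond a smoke test.
          codesign --force --verbose --deep --options runtime --entitlements LuckyWorld.entitlements --sign - TestApp.app
          # Verify signing
          echo "Verifying signature..."
          codesign -vvv --deep --strict TestApp.app
          # Check entitlements
          echo "Checking entitlements..."
          codesign -d --entitlements - TestApp.app

      - name: Debug Identity Issues
        shell: bash
        run: |
          echo "Debugging certificate issues..."
          # Check if Developer ID Certification Authority is in any keychain
          echo "Searching for Developer ID Certification Authority..."
          security find-certificate -a -c "Developer ID Certification Authority" /Library/Keychains/System.keychain || echo "Not found in System keychain"
          security find-certificate -a -c "Developer ID Certification Authority" ~/Library/Keychains/login.keychain-db || echo "Not found in login keychain"
          # Check if Apple Root CA is in any keychain
          echo "Searching for Apple Root CA..."
          security find-certificate -a -c "Apple Root CA" /Library/Keychains/System.keychain || echo "Not found in System keychain"
          # Try to create a self-signed certificate for testing. -nodes writes
          # the private key unencrypted to the workspace; Cleanup removes it.
          echo "Creating a self-signed certificate for testing..."
          openssl req -x509 -newkey rsa:2048 -keyout test-key.pem -out test-cert.pem -days 365 -nodes -subj "/CN=Test Signing Cert"
          # Import the self-signed certificate. Only the certificate is
          # imported, not test-key.pem, so it is not expected to show up as a
          # signing identity below — this step reports state, it does not
          # change the signing outcome.
          echo "Importing self-signed test certificate..."
          security import test-cert.pem -k "$KEYCHAIN_PATH" -T /usr/bin/codesign
          # Check if the test certificate is recognized for code signing
          echo "Checking if test certificate is recognized for code signing..."
          security find-identity -v -p codesigning "$KEYCHAIN_PATH"

      - name: Notarize App
        shell: bash
        # Credentials via the environment, not expanded into the script text.
        env:
          APPLE_NOTARY_USER: ${{ secrets.APPLE_NOTARY_USER }}
          APPLE_NOTARY_PASSWORD: ${{ secrets.APPLE_NOTARY_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
        run: |
          echo "Notarizing app..."
          # Create zip for notarization
          ditto -c -k --keepParent TestApp.app TestApp.zip
          # Submit for notarization. --wait blocks until Apple responds;
          # NOTE(review): consider a submit timeout so a stuck submission
          # cannot hold the runner indefinitely.
          xcrun notarytool submit TestApp.zip \
            --apple-id "$APPLE_NOTARY_USER" \
            --password "$APPLE_NOTARY_PASSWORD" \
            --team-id "$APPLE_TEAM_ID" \
            --wait
          # Staple the notarization ticket
          xcrun stapler staple TestApp.app
          # Verify notarization
          spctl --assess --verbose --type exec TestApp.app

      - name: Cleanup
        if: always()
        shell: bash
        run: |
          echo "Cleaning up..."
          rm -rf TestApp.app TestApp.zip || true
          # Remove every transient or secret-bearing file an earlier step may
          # have left behind when it failed part-way.
          rm -f certificate.p12 test-key.pem test-cert.pem LuckyWorld.entitlements || true
          # KEYCHAIN_PATH is unset if Setup Certificate never ran.
          if [ -n "${KEYCHAIN_PATH:-}" ]; then
            security delete-keychain "$KEYCHAIN_PATH" || true
          fi
          # Put the default keychain back; on a persistent runner the deleted
          # temporary keychain would otherwise remain the default.
          if [ -n "${ORIGINAL_DEFAULT_KEYCHAIN:-}" ]; then
            security default-keychain -s "$ORIGINAL_DEFAULT_KEYCHAIN" || true
          fi
          echo "Cleanup complete"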