LuckyRobots/LuckyWorld
14
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects 1 Releases 13 Wiki Activity
LuckyWorld/.gitea/workflows/test-local-signing.yml
Ozgur Ersoy 4125cb2ff4
Some checks failed
Test Local Signing / test-local-signing (push) Failing after 8s
Details
fix(workflows): update Apple certificate import commands to include format flags in local signing workflow
2025-04-14 14:21:31 +02:00

256 lines
9.7 KiB
YAML
Raw Blame History

name: Test Local Signing
on:
workflow_dispatch: # Manual trigger
push:
branches: [ozgur/build]
jobs:
test-local-signing:
runs-on: macos
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Setup Certificate
env:
CERTIFICATE_BASE64: ${{ secrets.MACOS_CERTIFICATE }}
CERTIFICATE_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
run: |
echo "🔑 Setting up certificate and keychain..."
# Create working directory
CERT_DIR="$HOME/certificates"
mkdir -p "$CERT_DIR"
cd "$CERT_DIR"
# Decode certificate
echo "📜 Decoding certificate..."
echo "$CERTIFICATE_BASE64" | base64 --decode > certificate.p12
# Check certificate info
echo "🔍 Certificate info:"
file certificate.p12
# Create keychain with a fixed password
KEYCHAIN_PATH="$CERT_DIR/build.keychain-db"
KEYCHAIN_PASSWORD="keychainpassword"
echo "🔐 Creating keychain: $KEYCHAIN_PATH"
security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
# Configure keychain settings
security set-keychain-settings -t 3600 -l "$KEYCHAIN_PATH"
# Add to keychain list and make it default
security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | sed s/\"//g)
security default-keychain -s "$KEYCHAIN_PATH"
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
# Download and import Apple root certificates
echo "📥 Downloading Apple root certificates..."
curl -O https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer
curl -O https://www.apple.com/certificateauthority/DeveloperIDG2.cer
echo "🔐 Importing Apple root certificates..."
security import AppleWWDRCAG3.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -f der
security import DeveloperIDG2.cer -k "$KEYCHAIN_PATH" -T /usr/bin/codesign -f der
# Import certificate with all access rights
echo "📥 Importing developer certificate..."
security import certificate.p12 \
-k "$KEYCHAIN_PATH" \
-P "$CERTIFICATE_PASSWORD" \
-T "/usr/bin/codesign" \
-T "/usr/bin/security" \
-T "/usr/bin/xcrun" \
-f pkcs12
# Update keychain partition list
security set-key-partition-list \
-S apple-tool:,apple:,codesign: \
-s \
-k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
# Allow codesign to access the keychain
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
# Verify certificate access
echo "🔍 Verifying certificate access..."
security find-identity -v -p codesigning "$KEYCHAIN_PATH"
# Save environment variables
echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV"
echo "KEYCHAIN_PASSWORD=$KEYCHAIN_PASSWORD" >> "$GITHUB_ENV"
echo "APPLE_TEAM_ID=$APPLE_TEAM_ID" >> "$GITHUB_ENV"
echo "WORKSPACE_DIR=$(pwd)" >> "$GITHUB_ENV"
# Check certificate status and get identity
echo "✅ Checking codesigning identities..."
security find-identity -v -p codesigning "$KEYCHAIN_PATH"
# Extract the identity hash for signing
IDENTITY_HASH=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep "Developer ID Application" | head -1 | awk '{print $2}')
if [ -n "$IDENTITY_HASH" ]; then
echo "Found identity hash: $IDENTITY_HASH"
echo "IDENTITY_HASH=$IDENTITY_HASH" >> "$GITHUB_ENV"
else
echo "No valid identity hash found"
echo "🔍 Debugging certificate access..."
security find-identity -v -p codesigning "$KEYCHAIN_PATH"
security find-certificate -a -c "Developer ID Application" -p "$KEYCHAIN_PATH"
exit 1
fi
shell: bash
- name: Verify Certificate
run: |
echo "🔍 Verifying certificate in keychain..."
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
security find-identity -v -p codesigning "$KEYCHAIN_PATH"
echo "📋 Certificate details:"
security find-certificate -a -c "Developer ID Application" -p "$KEYCHAIN_PATH" | \
openssl x509 -text | \
grep -E "Subject:|Issuer:|Not Before:|Not After:|Serial Number:"
shell: bash
- name: Create Test Entitlements
run: |
echo "📝 Creating entitlements file..."
cat > LuckyWorld.entitlements << EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.allow-jit</key>
<true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
<key>com.apple.security.cs.allow-dyld-environment-variables</key>
<true/>
<key>com.apple.security.device.audio-input</key>
<true/>
<key>com.apple.security.device.camera</key>
<true/>
</dict>
</plist>
EOF
echo "✅ Created entitlements file"
cat LuckyWorld.entitlements
shell: bash
- name: Create Test App Bundle
run: |
echo "📦 Creating test app bundle..."
# Create test app bundle structure
TEST_APP_DIR="TestApp.app"
mkdir -p "$TEST_APP_DIR/Contents/MacOS"
# Create a simple test executable
echo '#!/bin/bash
echo "Hello from TestApp!"' > "$TEST_APP_DIR/Contents/MacOS/TestApp"
chmod +x "$TEST_APP_DIR/Contents/MacOS/TestApp"
# Create Info.plist
cat > "$TEST_APP_DIR/Contents/Info.plist" << EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleExecutable</key>
<string>TestApp</string>
<key>CFBundleIdentifier</key>
<string>com.luckyworld.testapp</string>
<key>CFBundleName</key>
<string>TestApp</string>
<key>CFBundlePackageType</key>
<string>APPL</string>
<key>CFBundleShortVersionString</key>
<string>1.0</string>
<key>LSMinimumSystemVersion</key>
<string>10.10</string>
</dict>
</plist>
EOF
echo "✅ Created test app bundle"
echo "APP_PATH=$TEST_APP_DIR" >> "$GITHUB_ENV"
shell: bash
- name: Test Signing
run: |
echo "🔏 Testing code signing..."
# Prepare keychain
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
# Use identity hash directly for signing
echo "📝 Signing app bundle with identity hash: $IDENTITY_HASH"
/usr/bin/codesign --force --deep --verbose \
--keychain "$KEYCHAIN_PATH" \
--sign "$IDENTITY_HASH" \
--entitlements "LuckyWorld.entitlements" \
"$APP_PATH"
echo "✅ Signing complete"
echo "🔍 Verifying signature..."
codesign -vv -d "$APP_PATH"
echo "📋 Checking entitlements..."
codesign -d --entitlements :- "$APP_PATH"
echo "🔒 Testing Gatekeeper assessment..."
spctl --assess --type exec "$APP_PATH"
shell: bash
- name: Test Notarization
env:
API_KEY_PATH: ${{ secrets.NOTARY_API_KEY_PATH }}
API_KEY_ID: ${{ secrets.NOTARY_API_KEY_ID }}
API_KEY_ISSUER_ID: ${{ secrets.NOTARY_API_KEY_ISSUER_ID }}
run: |
if [ -n "$API_KEY_PATH" ] && [ -n "$API_KEY_ID" ] && [ -n "$API_KEY_ISSUER_ID" ]; then
echo "🔐 Testing notarization..."
# Create API key file
echo "$API_KEY_PATH" | base64 --decode > api_key.p8
# Zip test app
ditto -c -k --keepParent "$APP_PATH" "TestApp.zip"
# Test notarization
xcrun notarytool submit "TestApp.zip" \
--key "api_key.p8" \
--key-id "$API_KEY_ID" \
--issuer "$API_KEY_ISSUER_ID" \
--wait
# Cleanup
rm -f api_key.p8 TestApp.zip
else
echo "⚠️ Notarization secrets not found, skipping notarization test"
fi
shell: bash
- name: Cleanup
if: always()
run: |
echo "🧹 Cleaning up..."
# Clean up keychain
security delete-keychain "$KEYCHAIN_PATH" || true
# Clean up test files
rm -rf "$HOME/certificates" || true
rm -rf TestApp.app || true
echo "✅ Cleanup complete"
shell: bash
Reference in New Issue View Git Blame Copy Permalink