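---
# Exercise the local code-signing / notarization toolchain on a throwaway
# app bundle so keychain and certificate handling can be debugged without
# touching the real product.
name: Test Local Signing

# yamllint disable-line rule:truthy
on:
  workflow_dispatch:  # Manual trigger
  push:
    branches: [ozgur/build]

# Least privilege for the job token: nothing in this workflow writes back
# to the repository.
permissions:
  contents: read

jobs:
  test-local-signing:
    # NOTE(review): `macos` must be a label registered on the runner pool;
    # GitHub-hosted runners use labels such as `macos-latest`. Confirm that
    # this label resolves, otherwise the job fails before any step runs.
    runs-on: macos
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      - name: Create Test Entitlements
        run: |
          echo "📝 Creating entitlements file..."
          # Hardened-runtime exemptions for the test bundle. Every
          # com.apple.security.cs.* key below relaxes a runtime protection
          # (JIT, unsigned executable memory, library validation, DYLD env
          # vars), so keep this list minimal for a production bundle.
          cat > LuckyWorld.entitlements << EOF
          <?xml version="1.0" encoding="UTF-8"?>
          <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
          <plist version="1.0">
          <dict>
          <key>com.apple.security.cs.allow-jit</key>
          <true/>
          <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
          <true/>
          <key>com.apple.security.cs.disable-library-validation</key>
          <true/>
          <key>com.apple.security.cs.allow-dyld-environment-variables</key>
          <true/>
          <key>com.apple.security.device.audio-input</key>
          <true/>
          <key>com.apple.security.device.camera</key>
          <true/>
          </dict>
          </plist>
          EOF

          echo "✅ Created entitlements file"
          cat LuckyWorld.entitlements
        shell: bash

      - name: Create Test App Bundle
        run: |
          echo "📦 Creating test app bundle..."

          # Minimal bundle layout: Contents/MacOS/<executable> + Info.plist
          TEST_APP_DIR="TestApp.app"
          mkdir -p "$TEST_APP_DIR/Contents/MacOS"

          # Create a simple test executable (two lines, written verbatim)
          printf '%s\n' '#!/bin/bash' 'echo "Hello from TestApp!"' > "$TEST_APP_DIR/Contents/MacOS/TestApp"
          chmod +x "$TEST_APP_DIR/Contents/MacOS/TestApp"

          # Create Info.plist
          cat > "$TEST_APP_DIR/Contents/Info.plist" << EOF
          <?xml version="1.0" encoding="UTF-8"?>
          <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
          <plist version="1.0">
          <dict>
          <key>CFBundleExecutable</key>
          <string>TestApp</string>
          <key>CFBundleIdentifier</key>
          <string>com.luckyworld.testapp</string>
          <key>CFBundleName</key>
          <string>TestApp</string>
          <key>CFBundlePackageType</key>
          <string>APPL</string>
          <key>CFBundleShortVersionString</key>
          <string>1.0</string>
          <key>LSMinimumSystemVersion</key>
          <string>10.10</string>
          </dict>
          </plist>
          EOF

          echo "✅ Created test app bundle"
          echo "APP_PATH=$TEST_APP_DIR" >> "$GITHUB_ENV"

          # Verify app bundle exists
          if [ ! -d "$TEST_APP_DIR" ]; then
            echo "❌ Error: App bundle not found at $TEST_APP_DIR"
            exit 1
          fi

          echo "🔍 App bundle contents:"
          ls -la "$TEST_APP_DIR"
        shell: bash

      - name: Setup Certificate
        env:
          # Secrets are handed to the script through the environment instead
          # of being interpolated with ${{ }} into the script body, so they
          # never become part of the shell source text.
          MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
          MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
        run: |
          echo "🔐 Setting up certificate..."

          # Create keychain with a per-run random password
          KEYCHAIN_PATH="$RUNNER_TEMP/app-signing.keychain-db"
          KEYCHAIN_PASSWORD="$(openssl rand -base64 12)"
          # Mask the generated password in the job log before it is echoed
          # into GITHUB_ENV for later steps.
          echo "::add-mask::$KEYCHAIN_PASSWORD"

          # Keep the decoded .p12 outside the workspace and remove it even if
          # a later command fails (the step runs with bash -e, so a failing
          # `security import` would otherwise skip the cleanup at the end).
          CERT_PATH="$RUNNER_TEMP/certificate.p12"
          trap 'rm -f "$CERT_PATH"' EXIT

          # Delete existing keychain if it exists
          security delete-keychain "$KEYCHAIN_PATH" 2>/dev/null || true

          # Create new keychain; auto-lock after 1 hour (-t 3600) and on sleep
          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          security set-keychain-settings -t 3600 -u -l "$KEYCHAIN_PATH"
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"

          # List the keychains before modifying
          echo "Keychains before:"
          security list-keychains

          # Set the new keychain as the default and prepend it to the user
          # search list. The command substitution is intentionally unquoted:
          # it expands to one existing keychain path per word.
          security default-keychain -s "$KEYCHAIN_PATH"
          # shellcheck disable=SC2046
          security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | tr -d '"')

          # List the keychains after modifying
          echo "Keychains after:"
          security list-keychains

          # Import developer certificate with specific parameters for code signing.
          # Access is granted only to codesign and security (-T) rather than to
          # any application (-A); set-key-partition-list below makes the key
          # usable by those tools without a prompt.
          echo "🔑 Importing developer certificate..."
          printf '%s' "$MACOS_CERTIFICATE" | base64 --decode > "$CERT_PATH"
          security import "$CERT_PATH" -k "$KEYCHAIN_PATH" -P "$MACOS_CERTIFICATE_PWD" \
            -t cert -f pkcs12 -T /usr/bin/codesign -T /usr/bin/security

          # Set partition list to allow codesign to access without password
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"

          # Check what's in the keychain
          echo "🔍 Listing all certificates in keychain..."
          security find-certificate -a "$KEYCHAIN_PATH"

          # Verify code signing identities
          echo "🔍 Verifying code signing identities..."
          security find-identity -v -p codesigning "$KEYCHAIN_PATH"

          # Make sure keychain is unlocked (the 1 hour timeout was set above)
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"

          # Store keychain variables for later steps
          {
            echo "KEYCHAIN_PATH=$KEYCHAIN_PATH"
            echo "KEYCHAIN_PASSWORD=$KEYCHAIN_PASSWORD"
          } >> "$GITHUB_ENV"
        shell: bash

      - name: Sign App Bundle
        run: |
          echo "Signing app bundle with ad-hoc method..."

          # Sign the app bundle with the ad-hoc identity (`--sign -`). This
          # does not use the certificate imported above, and ad-hoc
          # signatures are not accepted by notarization (see Notarize App).
          # NOTE(review): --deep is deprecated by Apple; nested code should
          # be signed explicitly, inside-out, in a production pipeline.
          codesign --force --verbose --deep --options runtime --entitlements LuckyWorld.entitlements --sign - TestApp.app

          # Verify signing
          echo "🔍 Verifying signature..."
          codesign -vvv --deep --strict TestApp.app

          # Check entitlements
          echo "🔍 Checking entitlements..."
          codesign -d --entitlements - TestApp.app
        shell: bash

      - name: Debug Identity Issues
        run: |
          echo "🔍 Debugging certificate issues..."

          # Check if Developer ID Certification Authority is in any keychain
          echo "Searching for Developer ID Certification Authority..."
          security find-certificate -a -c "Developer ID Certification Authority" /Library/Keychains/System.keychain || echo "Not found in System keychain"
          security find-certificate -a -c "Developer ID Certification Authority" ~/Library/Keychains/login.keychain-db || echo "Not found in login keychain"

          # Check if Apple Root CA is in any keychain
          echo "Searching for Apple Root CA..."
          security find-certificate -a -c "Apple Root CA" /Library/Keychains/System.keychain || echo "Not found in System keychain"

          # Try to create a self-signed certificate for testing. The private
          # key is written to RUNNER_TEMP, not the workspace, and deleted
          # when this step exits.
          echo "Creating a self-signed certificate for testing..."
          TEST_KEY="$RUNNER_TEMP/test-key.pem"
          TEST_CERT="$RUNNER_TEMP/test-cert.pem"
          trap 'rm -f "$TEST_KEY" "$TEST_CERT"' EXIT
          openssl req -x509 -newkey rsa:2048 -keyout "$TEST_KEY" -out "$TEST_CERT" -days 365 -nodes -subj "/CN=Test Signing Cert"

          # Import the self-signed certificate
          echo "Importing self-signed test certificate..."
          security import "$TEST_CERT" -k "$KEYCHAIN_PATH" -T /usr/bin/codesign

          # Check if the test certificate is recognized for code signing.
          # NOTE(review): only the certificate is imported (not test-key.pem)
          # and the request above sets no codeSigning extended key usage, so
          # find-identity is expected to list no valid identity for it; this
          # output is informational only.
          echo "Checking if test certificate is recognized for code signing..."
          security find-identity -v -p codesigning "$KEYCHAIN_PATH"
        shell: bash

      - name: Notarize App
        env:
          # Notary credentials via env, not ${{ }} interpolation in the script.
          APPLE_NOTARY_USER: ${{ secrets.APPLE_NOTARY_USER }}
          APPLE_NOTARY_PASSWORD: ${{ secrets.APPLE_NOTARY_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
        run: |
          echo "📤 Notarizing app..."

          # Create zip for notarization
          ditto -c -k --keepParent TestApp.app TestApp.zip

          # Submit for notarization.
          # NOTE(review): the bundle was ad-hoc signed in Sign App Bundle;
          # notarization requires a Developer ID signature, so expect this
          # submission to be rejected until that step signs with the
          # imported identity.
          xcrun notarytool submit TestApp.zip \
            --apple-id "$APPLE_NOTARY_USER" \
            --password "$APPLE_NOTARY_PASSWORD" \
            --team-id "$APPLE_TEAM_ID" \
            --wait

          # Staple the notarization ticket
          xcrun stapler staple TestApp.app

          # Verify notarization / Gatekeeper assessment for execution
          spctl --assess --verbose --type execute TestApp.app
        shell: bash

      - name: Cleanup
        # Runs even when an earlier step failed so the temporary keychain
        # and signing artifacts never outlive the job.
        if: always()
        run: |
          echo "🧹 Cleaning up..."
          rm -rf TestApp.app TestApp.zip LuckyWorld.entitlements || true
          # KEYCHAIN_PATH is only exported once Setup Certificate reached
          # the GITHUB_ENV write; guard so an early failure does not call
          # delete-keychain with an empty path.
          if [ -n "${KEYCHAIN_PATH:-}" ]; then
            security delete-keychain "$KEYCHAIN_PATH" || true
          fi
          echo "✅ Cleanup complete"
        shell: bash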