LuckyWorld/.gitea/workflows/test-local-signing.yml

name: Test Local Signing

on:
  workflow_dispatch:  # Manual trigger
  push:
    branches: [ozgur/build]

jobs:
  test-local-signing:
    runs-on: macos
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
        
      - name: Create Test Entitlements
        run: |
          echo "📝 Creating entitlements file..."
          cat > LuckyWorld.entitlements << EOF
          <?xml version="1.0" encoding="UTF-8"?>
          <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
          <plist version="1.0">
          <dict>
              <key>com.apple.security.cs.allow-jit</key>
              <true/>
              <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
              <true/>
              <key>com.apple.security.cs.disable-library-validation</key>
              <true/>
              <key>com.apple.security.cs.allow-dyld-environment-variables</key>
              <true/>
              <key>com.apple.security.device.audio-input</key>
              <true/>
              <key>com.apple.security.device.camera</key>
              <true/>
          </dict>
          </plist>
          EOF
          
          echo "✅ Created entitlements file"
          cat LuckyWorld.entitlements
        shell: bash
        
      - name: Create Test App Bundle
        run: |
          echo "📦 Creating test app bundle..."
          
          # Create test app bundle structure
          TEST_APP_DIR="TestApp.app"
          mkdir -p "$TEST_APP_DIR/Contents/MacOS"
          
          # Create a simple test executable
          echo '#!/bin/bash
          echo "Hello from TestApp!"' > "$TEST_APP_DIR/Contents/MacOS/TestApp"
          chmod +x "$TEST_APP_DIR/Contents/MacOS/TestApp"
          
          # Create Info.plist
          cat > "$TEST_APP_DIR/Contents/Info.plist" << EOF
          <?xml version="1.0" encoding="UTF-8"?>
          <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
          <plist version="1.0">
          <dict>
              <key>CFBundleExecutable</key>
              <string>TestApp</string>
              <key>CFBundleIdentifier</key>
              <string>com.luckyworld.testapp</string>
              <key>CFBundleName</key>
              <string>TestApp</string>
              <key>CFBundlePackageType</key>
              <string>APPL</string>
              <key>CFBundleShortVersionString</key>
              <string>1.0</string>
              <key>LSMinimumSystemVersion</key>
              <string>10.10</string>
          </dict>
          </plist>
          EOF
          
          echo "✅ Created test app bundle"
          echo "APP_PATH=$TEST_APP_DIR" >> "$GITHUB_ENV"
          
          # Verify app bundle exists
          if [ ! -d "$TEST_APP_DIR" ]; then
            echo "❌ Error: App bundle not found at $TEST_APP_DIR"
            exit 1
          fi
          
          echo "🔍 App bundle contents:"
          ls -la "$TEST_APP_DIR"
        shell: bash
        
      - name: Setup Certificate
        run: |
          echo "🔐 Setting up certificate..."
          
          # Create keychain
          KEYCHAIN_PATH="$RUNNER_TEMP/app-signing.keychain-db"
          KEYCHAIN_PASSWORD="$(openssl rand -base64 12)"
          
          # Delete existing keychain if it exists
          security delete-keychain "$KEYCHAIN_PATH" 2>/dev/null || true
          
          # Create new keychain
          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          security set-keychain-settings -t 3600 -u -l "$KEYCHAIN_PATH"
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          
          # List the keychains before modifying
          echo "Keychains before:"
          security list-keychains
          
          # Set the new keychain as the default and add it to the search list
          security default-keychain -s "$KEYCHAIN_PATH"
          security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | tr -d '"')
          
          # List the keychains after modifying
          echo "Keychains after:"
          security list-keychains
          
          # Import developer certificate with specific parameters for code signing
          echo "🔑 Importing developer certificate..."
          echo "${{ secrets.MACOS_CERTIFICATE }}" | base64 --decode > certificate.p12
          security import certificate.p12 -k "$KEYCHAIN_PATH" -P "${{ secrets.MACOS_CERTIFICATE_PWD }}" -A -t cert -f pkcs12 -T /usr/bin/codesign
          
          # Set partition list to allow codesign to access without password
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          
          # Check what's in the keychain
          echo "🔍 Listing all certificates in keychain..."
          security find-certificate -a "$KEYCHAIN_PATH"
          
          # Verify code signing identities
          echo "🔍 Verifying code signing identities..."
          security find-identity -v -p codesigning "$KEYCHAIN_PATH"
          
          # Make sure keychain is unlocked, set timeout to 1 hour
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          
          # Store keychain variables for later steps
          echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV"
          echo "KEYCHAIN_PASSWORD=$KEYCHAIN_PASSWORD" >> "$GITHUB_ENV"
          
          # Cleanup
          rm -f certificate.p12
        shell: bash
        
      - name: Sign App Bundle
        run: |
          echo "🔏 Signing app bundle..."
          
          # Make sure keychain is unlocked
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          
          # List all code signing identities again
          echo "Available identities for signing:"
          security find-identity -v -p codesigning "$KEYCHAIN_PATH"
          
          # Get any available signing identity
          IDENTITY=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | head -1 | awk -F '"' '{print $2}')
          
          if [ -z "$IDENTITY" ]; then
            echo "❌ Error: No valid code signing identity found"
            exit 1
          fi
          
          echo "Using identity: $IDENTITY"
          
          # Sign the app bundle with verbose output
          echo "Signing app bundle..."
          codesign --force --verbose --options runtime --entitlements LuckyWorld.entitlements --sign "$IDENTITY" --timestamp TestApp.app
          
          # Verify signing
          echo "🔍 Verifying signature..."
          codesign -vvv --deep --strict TestApp.app
          
          # Check entitlements
          echo "🔍 Checking entitlements..."
          codesign -d --entitlements - TestApp.app
        shell: bash
        
      - name: Notarize App
        run: |
          echo "📤 Notarizing app..."
          
          # Create zip for notarization
          ditto -c -k --keepParent TestApp.app TestApp.zip
          
          # Submit for notarization
          xcrun notarytool submit TestApp.zip \
            --apple-id "${{ secrets.APPLE_NOTARY_USER }}" \
            --password "${{ secrets.APPLE_NOTARY_PASSWORD }}" \
            --team-id "${{ secrets.APPLE_TEAM_ID }}" \
            --wait
          
          # Staple the notarization ticket
          xcrun stapler staple TestApp.app
          
          # Verify notarization
          spctl --assess --verbose --type exec TestApp.app
        shell: bash
        
      - name: Cleanup
        if: always()
        run: |
          echo "🧹 Cleaning up..."
          rm -rf TestApp.app TestApp.zip || true
          security delete-keychain "$KEYCHAIN_PATH" || true
          echo "✅ Cleanup complete"
        shell: bash