LuckyRobots/LuckyWorld
14
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects 1 Releases 13 Wiki Activity
LuckyWorld/.gitea/workflows/test-local-signing.yml
Ozgur Ersoy fec3149b35
Some checks failed
Test Local Signing / test-local-signing (push) Failing after 8s
Details
fix(workflows): enhance local signing workflow with additional certificate checks and improved identity handling
2025-04-14 14:39:35 +02:00

245 lines
9.8 KiB
YAML
Raw Blame History

name: Test Local Signing
on:
workflow_dispatch: # Manual trigger
push:
branches: [ozgur/build]
jobs:
test-local-signing:
runs-on: macos
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Create Test Entitlements
run: |
echo "📝 Creating entitlements file..."
cat > LuckyWorld.entitlements << EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.allow-jit</key>
<true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
<key>com.apple.security.cs.allow-dyld-environment-variables</key>
<true/>
<key>com.apple.security.device.audio-input</key>
<true/>
<key>com.apple.security.device.camera</key>
<true/>
</dict>
</plist>
EOF
echo "✅ Created entitlements file"
cat LuckyWorld.entitlements
shell: bash
- name: Create Test App Bundle
run: |
echo "📦 Creating test app bundle..."
# Create test app bundle structure
TEST_APP_DIR="TestApp.app"
mkdir -p "$TEST_APP_DIR/Contents/MacOS"
# Create a simple test executable
echo '#!/bin/bash
echo "Hello from TestApp!"' > "$TEST_APP_DIR/Contents/MacOS/TestApp"
chmod +x "$TEST_APP_DIR/Contents/MacOS/TestApp"
# Create Info.plist
cat > "$TEST_APP_DIR/Contents/Info.plist" << EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>CFBundleExecutable</key>
<string>TestApp</string>
<key>CFBundleIdentifier</key>
<string>com.luckyworld.testapp</string>
<key>CFBundleName</key>
<string>TestApp</string>
<key>CFBundlePackageType</key>
<string>APPL</string>
<key>CFBundleShortVersionString</key>
<string>1.0</string>
<key>LSMinimumSystemVersion</key>
<string>10.10</string>
</dict>
</plist>
EOF
echo "✅ Created test app bundle"
echo "APP_PATH=$TEST_APP_DIR" >> "$GITHUB_ENV"
# Verify app bundle exists
if [ ! -d "$TEST_APP_DIR" ]; then
echo "❌ Error: App bundle not found at $TEST_APP_DIR"
exit 1
fi
echo "🔍 App bundle contents:"
ls -la "$TEST_APP_DIR"
shell: bash
- name: Setup Certificate
run: |
echo "🔐 Setting up certificate..."
# Decode certificate to file
echo "${{ secrets.MACOS_CERTIFICATE }}" | base64 --decode > certificate.p12
# Check certificate format
echo "📑 Certificate format check:"
file certificate.p12
# Check system keychain for existing identities first
echo "🔍 Checking system keychain for existing identities..."
security find-identity -v -p codesigning
# Create keychain
KEYCHAIN_PATH="$RUNNER_TEMP/app-signing.keychain-db"
KEYCHAIN_PASSWORD="temporary"
# Delete existing keychain if it exists
security delete-keychain "$KEYCHAIN_PATH" 2>/dev/null || true
# Create new keychain
security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
security set-keychain-settings -t 3600 -u -l "$KEYCHAIN_PATH"
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
# Add to search list
security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | tr -d '"')
security default-keychain -s "$KEYCHAIN_PATH"
# Try multiple import approaches for p12
echo "🔑 Attempting import with standard parameters..."
security import certificate.p12 -k "$KEYCHAIN_PATH" -P "${{ secrets.MACOS_CERTIFICATE_PWD }}" -T /usr/bin/codesign
echo "🔑 Attempting import with explicit key usage flags..."
security import certificate.p12 -k "$KEYCHAIN_PATH" -P "${{ secrets.MACOS_CERTIFICATE_PWD }}" -T /usr/bin/codesign -x
echo "🔑 Attempting import with allow-all flag..."
security import certificate.p12 -k "$KEYCHAIN_PATH" -P "${{ secrets.MACOS_CERTIFICATE_PWD }}" -T /usr/bin/codesign -A
# Set partition list
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
# Check all certificates
echo "🔍 Listing all certificates in keychain..."
security find-certificate -a "$KEYCHAIN_PATH"
# Check specific certificate details
echo "🔍 Certificate details (if found):"
security find-certificate -a -c "Developer ID Application" "$KEYCHAIN_PATH" -p | openssl x509 -text -noout || echo "Certificate not found by name"
# Verify code signing identities
echo "🔍 Verifying code signing identities..."
security find-identity -v -p codesigning "$KEYCHAIN_PATH"
# Try listing codesigning identities from all keychains
echo "🔍 Listing all codesigning identities from all keychains..."
security find-identity -v -p codesigning
# Store keychain variables for later steps
echo "KEYCHAIN_PATH=$KEYCHAIN_PATH" >> "$GITHUB_ENV"
echo "KEYCHAIN_PASSWORD=$KEYCHAIN_PASSWORD" >> "$GITHUB_ENV"
# Keep the p12 file for debugging
mkdir -p debug
cp certificate.p12 debug/
shell: bash
- name: Alternate Approach if no identity found
run: |
if [ "$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep -c "valid identities found")" = "0" ]; then
echo "⚠️ No valid identities found in created keychain. Trying system keychain..."
# Check if there are any signing identities in system
if [ "$(security find-identity -v -p codesigning | grep -c "valid identities found")" != "0" ]; then
echo "✅ Found code signing identities in system keychain!"
security find-identity -v -p codesigning
# Use the system keychain for signing
echo "SYS_IDENTITY=yes" >> "$GITHUB_ENV"
else
echo "❌ No valid code signing identities found anywhere"
echo "🧪 Debug info:"
echo "Certificate content (p12):"
openssl pkcs12 -in debug/certificate.p12 -info -nodes -nokeys -passin pass:"${{ secrets.MACOS_CERTIFICATE_PWD }}" || echo "Could not inspect p12 file"
fi
fi
shell: bash
- name: Sign App Bundle
run: |
echo "🔏 Signing app bundle..."
if [ "${SYS_IDENTITY:-}" = "yes" ]; then
# Use system identity
echo "Using system keychain identity"
IDENTITY=$(security find-identity -v -p codesigning | grep "Developer ID Application" | head -1 | awk -F '"' '{print $2}')
else
# Use our keychain
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
echo "Using custom keychain identity"
IDENTITY=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep "Developer ID Application" | head -1 | awk -F '"' '{print $2}')
fi
if [ -z "$IDENTITY" ]; then
echo "❌ Error: No valid code signing identity found"
echo "Skipping signing..."
exit 1
fi
echo "Using identity: $IDENTITY"
# Sign the app bundle with verbose output
echo "Signing app bundle..."
codesign --force --verbose --options runtime --entitlements LuckyWorld.entitlements --sign "$IDENTITY" --timestamp TestApp.app
# Verify signing
echo "🔍 Verifying signature..."
codesign -vvv --deep --strict TestApp.app
# Check entitlements
echo "🔍 Checking entitlements..."
codesign -d --entitlements - TestApp.app
shell: bash
- name: Notarize App
run: |
echo "📤 Notarizing app..."
# Create zip for notarization
ditto -c -k --keepParent TestApp.app TestApp.zip
# Submit for notarization
xcrun notarytool submit TestApp.zip \
--apple-id "${{ secrets.APPLE_NOTARY_USER }}" \
--password "${{ secrets.APPLE_NOTARY_PASSWORD }}" \
--team-id "${{ secrets.APPLE_TEAM_ID }}" \
--wait
# Staple the notarization ticket
xcrun stapler staple TestApp.app
# Verify notarization
spctl --assess --verbose --type exec TestApp.app
shell: bash
- name: Cleanup
if: always()
run: |
echo "🧹 Cleaning up..."
rm -rf TestApp.app TestApp.zip || true
security delete-keychain "$KEYCHAIN_PATH" || true
echo "✅ Cleanup complete"
shell: bash
Reference in New Issue View Git Blame Copy Permalink