sign releases with imported keychain identity

.gitea/workflows/custom-release.yml

@@ -71,7 +71,15 @@ jobs:
           security import "$certificate_path" -k "$keychain_path" -P "$DEVELOPER_ID_APPLICATION_P12_PASSWORD" -T /usr/bin/codesign -T /usr/bin/security
           security list-keychains -d user -s "$keychain_path" $(security list-keychains -d user | sed 's/[ "]//g')
           security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$keychain_password" "$keychain_path"
+          identity_output="$(security find-identity -v -p codesigning "$keychain_path")"
+          printf '%s\n' "$identity_output"
+          codesign_identity="$(printf '%s\n' "$identity_output" | awk '/"Developer ID Application:/ { print $2; exit }')"
+          if [ -z "$codesign_identity" ]; then
+            echo "Developer ID Application signing identity is required in DEVELOPER_ID_APPLICATION_P12_BASE64" >&2
+            exit 1
+          fi
 
+          echo "CUSTOM_RELEASE_CODESIGN_IDENTITY=$codesign_identity" >> "$GITHUB_ENV"
           echo "CUSTOM_RELEASE_KEYCHAIN_PATH=$keychain_path" >> "$GITHUB_ENV"
         env:
           DEVELOPER_ID_APPLICATION_P12_BASE64: ${{ secrets.DEVELOPER_ID_APPLICATION_P12_BASE64 }}
@@ -86,7 +94,6 @@ jobs:
           CUSTOM_RELEASE_PUSH_BRANCH: "0"
           CUSTOM_RELEASE_REMOTE: origin
           CUSTOM_RELEASE_BUILDS: "darwin/arm64/zip/1 linux/amd64/tar/0 linux/arm64/tar/0"
-          CUSTOM_RELEASE_CODESIGN_IDENTITY: "Developer ID Application: Felix Foertsch (NG5W75WE8U)"
           CUSTOM_RELEASE_CODESIGN_TEAM_ID: "NG5W75WE8U"
           CUSTOM_RELEASE_CREATE_GITEA_RELEASE: "1"
           CUSTOM_RELEASE_TEA_REPO: felixfoertsch/syncthing

scripts/tests/test-custom-release-macos-runner.bats

@@ -41,6 +41,15 @@ setup() {
 	run rg -n 'security import .* -P "\$DEVELOPER_ID_APPLICATION_P12_PASSWORD"' "$WORKFLOW"
 	[ "$status" -eq 0 ]
 
+	run rg -n 'security find-identity -v -p codesigning "\$keychain_path"' "$WORKFLOW"
+	[ "$status" -eq 0 ]
+
+	run rg -n 'CUSTOM_RELEASE_CODESIGN_IDENTITY=\$codesign_identity' "$WORKFLOW"
+	[ "$status" -eq 0 ]
+
+	run rg -n 'CUSTOM_RELEASE_CODESIGN_IDENTITY: "Developer ID Application' "$WORKFLOW"
+	[ "$status" -ne 0 ]
+
 	run rg -n 'security create-keychain' "$WORKFLOW"
 	[ "$status" -eq 0 ]
 
@@ -63,7 +72,10 @@ setup() {
 }
 
 @test "custom release signs darwin assets with hardened runtime and timestamp" {
-	run rg -n 'codesign .*--options runtime .*--timestamp' "$RELEASE_SCRIPT"
+	run rg -n 'codesign_args=.*--options runtime --timestamp' "$RELEASE_SCRIPT"
+	[ "$status" -eq 0 ]
+
+	run rg -n -- '--keychain "\$CUSTOM_RELEASE_KEYCHAIN_PATH"' "$RELEASE_SCRIPT"
 	[ "$status" -eq 0 ]
 
 	run rg -n 'Developer ID Application' "$WORKFLOW" "$RELEASE_SCRIPT"

scripts/update-custom-release.sh

@@ -298,10 +298,15 @@ sign_and_validate_darwin_binary() {
 	local binary="$1"
 	local version_output
 	local codesign_details
+	local codesign_args
 
 	[[ -n "$codesign_identity" ]] || die "CUSTOM_RELEASE_CODESIGN_IDENTITY is required for darwin builds"
 
-	codesign --force --sign "$codesign_identity" --options runtime --timestamp "$binary"
+	codesign_args=(--force --sign "$codesign_identity" --options runtime --timestamp)
+	if [[ -n "${CUSTOM_RELEASE_KEYCHAIN_PATH:-}" ]]; then
+		codesign_args+=(--keychain "$CUSTOM_RELEASE_KEYCHAIN_PATH")
+	fi
+	codesign "${codesign_args[@]}" "$binary"
 
 	version_output="$("$binary" --version)"
 	if [[ "$version_output" == *modernc-sqlite* ]]; then