diff --git a/.gitea/workflows/custom-release.yml b/.gitea/workflows/custom-release.yml
index 2304a5c22..a71989474 100644
--- a/.gitea/workflows/custom-release.yml
+++ b/.gitea/workflows/custom-release.yml
@@ -55,7 +55,9 @@ jobs:
 - name: Import Developer ID certificate
 run: |
 set -euo pipefail
- keychain_path="$RUNNER_TEMP/syncthing-release-signing.keychain-db"
+ keychain_dir="$HOME/Library/Keychains"
+ mkdir -p "$keychain_dir"
+ keychain_path="$keychain_dir/syncthing-release-signing-${GITHUB_RUN_ID:-$$}.keychain-db"
 keychain_password="$(openssl rand -hex 24)"
 certificate_path="$RUNNER_TEMP/developer-id-application.p12"
 previous_default_keychain="$(security default-keychain -d user 2>/dev/null | sed 's/[ "]//g' || true)"
@@ -66,12 +68,14 @@ jobs:
 fi
 printf '%s' "$DEVELOPER_ID_APPLICATION_P12_BASE64" | base64 -D > "$certificate_path"
+ rm -f "$keychain_path"
 security create-keychain -p "$keychain_password" "$keychain_path"
 security set-keychain-settings -lut 21600 "$keychain_path"
 security unlock-keychain -p "$keychain_password" "$keychain_path"
 security import "$certificate_path" -k "$keychain_path" -P "$DEVELOPER_ID_APPLICATION_P12_PASSWORD" -A -T /usr/bin/codesign -T /usr/bin/security
 security list-keychains -d user -s "$keychain_path" $(security list-keychains -d user | sed 's/[ "]//g')
 security default-keychain -d user -s "$keychain_path"
+ security list-keychains -d user
 security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$keychain_password" "$keychain_path"
 identity_output="$(security find-identity -v -p codesigning "$keychain_path")"
 printf '%s\n' "$identity_output"
diff --git a/scripts/tests/test-custom-release-macos-runner.bats b/scripts/tests/test-custom-release-macos-runner.bats
index f07d867fe..353d82276 100644
--- a/scripts/tests/test-custom-release-macos-runner.bats
+++ b/scripts/tests/test-custom-release-macos-runner.bats
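Review bot: Moving the signing keychain from `$RUNNER_TEMP` into the persistent `$HOME/Library/Keychains` changes its lifetime on a self-hosted runner: a cancelled or failed job now leaves the imported Developer ID private key on disk, and once the later `security list-keychains -d user -s "$keychain_path" ...` has run it is also in the user search list for whatever job runs next on that machine. The cleanup step is not visible from this hunk, so please confirm it runs unconditionally (`if: always()`) and calls `security delete-keychain "$keychain_path"` followed by restoring `$previous_default_keychain`, rather than only removing the file. A short comment above the new `keychain_dir` line stating why the keychain must live under `~/Library/Keychains` (and that cleanup is therefore mandatory) would help the next reader, since the previous `$RUNNER_TEMP` location was self-cleaning. The `run: |` script that begins with `set -euo pipefail` continues past the end of this hunk.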
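Review bot: The new `rm -f "$keychain_path"` deletes a leftover keychain file from an earlier attempt with the same name, but it does not remove that keychain from the user search list or the default-keychain setting, so the stale path stays registered and the following `security list-keychains -d user -s "$keychain_path" $(...)` carries it forward; since the file name is derived from `GITHUB_RUN_ID`, this is presumably the re-run case. Prefer deregistering it first: `security delete-keychain "$keychain_path" 2>/dev/null || true` on the line before `rm -f "$keychain_path"`, keeping the `rm -f` as a fallback for a file that was never registered. The added `security list-keychains -d user` is output-only and prints keychain paths rather than secrets, but its purpose is not obvious next to the `-s` form two lines above, so a comment such as `# diagnostic: log the resulting user search list` would make it clearer. The enclosing `run: |` script starts and ends outside this hunk.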
@@ -86,6 +86,15 @@ setup() {
 run rg -n 'security create-keychain' "$WORKFLOW"
 [ "$status" -eq 0 ]
+ run rg -n 'keychain_dir="\$HOME/Library/Keychains"' "$WORKFLOW"
+ [ "$status" -eq 0 ]
+
+ run rg -n 'rm -f "\$keychain_path"' "$WORKFLOW"
+ [ "$status" -eq 0 ]
+
+ run rg -n 'security list-keychains -d user$' "$WORKFLOW"
+ [ "$status" -eq 0 ]
+
 run rg -n 'security import' "$WORKFLOW"
 [ "$status" -eq 0 ]