From cda7f54a482b5edb6492962e44d5e95b2913e273 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20F=C3=B6rtsch?=
Date: Sun, 24 May 2026 19:12:59 +0200
Subject: [PATCH] unlock imported signing keychain during release
---
 .gitea/workflows/custom-release.yml | 1 +
 scripts/tests/test-custom-release-macos-runner.bats | 9 +++++++++
 scripts/update-custom-release.sh | 4 ++++
 3 files changed, 14 insertions(+)
diff --git a/.gitea/workflows/custom-release.yml b/.gitea/workflows/custom-release.yml
index febabf7ae..053290e1b 100644
--- a/.gitea/workflows/custom-release.yml
+++ b/.gitea/workflows/custom-release.yml
@@ -81,6 +81,7 @@ jobs:
 echo "CUSTOM_RELEASE_CODESIGN_IDENTITY=$codesign_identity" >> "$GITHUB_ENV"
 echo "CUSTOM_RELEASE_KEYCHAIN_PATH=$keychain_path" >> "$GITHUB_ENV"
+ echo "CUSTOM_RELEASE_KEYCHAIN_PASSWORD=$keychain_password" >> "$GITHUB_ENV"
 env:
 DEVELOPER_ID_APPLICATION_P12_BASE64: ${{ secrets.DEVELOPER_ID_APPLICATION_P12_BASE64 }}
 DEVELOPER_ID_APPLICATION_P12_PASSWORD: ${{ secrets.DEVELOPER_ID_APPLICATION_P12_PASSWORD }}
diff --git a/scripts/tests/test-custom-release-macos-runner.bats b/scripts/tests/test-custom-release-macos-runner.bats
index 05ac9eb41..e22bff42c 100644
--- a/scripts/tests/test-custom-release-macos-runner.bats
+++ b/scripts/tests/test-custom-release-macos-runner.bats
@@ -47,6 +47,9 @@ setup() { run rg -n 'CUSTOM_RELEASE_CODESIGN_IDENTITY=\$codesign_identity' "$WORKFLOW" [ "$status" -eq 0 ] + run rg -n 'CUSTOM_RELEASE_KEYCHAIN_PASSWORD=\$keychain_password' "$WORKFLOW" + [ "$status" -eq 0 ] + run rg -n 'CUSTOM_RELEASE_CODESIGN_IDENTITY: "Developer ID Application' "$WORKFLOW" [ "$status" -ne 0 ]
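Review bot: The added `echo "CUSTOM_RELEASE_KEYCHAIN_PASSWORD=$keychain_password" >> "$GITHUB_ENV"` in `.gitea/workflows/custom-release.yml` writes the keychain password in clear text to the job's environment file, so every later step of the job inherits it, third-party actions included. Where `keychain_password` comes from is outside this hunk; unless it is already masked, `echo "::add-mask::$keychain_password"` should precede this line (assuming the runner honours that workflow command) so the value cannot surface in step logs. A narrower design keeps the password inside the import step and extends the keychain's unlock timeout there with `security set-keychain-settings`, so nothing secret has to cross steps. A value containing a newline would also break the `NAME=value` form used here.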
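Review bot: The new assertions in `test-custom-release-macos-runner.bats` only grep for literal text: `CUSTOM_RELEASE_KEYCHAIN_PASSWORD=\$keychain_password` in the workflow here, and in the hunk at -78 the exact `security unlock-keychain -p …` and `security find-identity …` command lines in the release script. They therefore pass wherever those strings appear, including after the `codesign` call or in a branch that never runs. They also pin the password-in-`$GITHUB_ENV` and password-on-argv forms, so a later change that handles the secret more narrowly has to rewrite the test first. This matches the existing style of the file; a stub `security` placed on `PATH` that records its calls would let the test assert that the unlock happens before `codesign`. The enclosing test bodies start outside both hunks.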
@@ -78,6 +81,12 @@ setup() { run rg -n -- '--keychain "\$CUSTOM_RELEASE_KEYCHAIN_PATH"' "$RELEASE_SCRIPT" [ "$status" -eq 0 ] + run rg -n 'security unlock-keychain -p "\$CUSTOM_RELEASE_KEYCHAIN_PASSWORD" "\$CUSTOM_RELEASE_KEYCHAIN_PATH"' "$RELEASE_SCRIPT" + [ "$status" -eq 0 ] + + run rg -n 'security find-identity -v -p codesigning "\$CUSTOM_RELEASE_KEYCHAIN_PATH"' "$RELEASE_SCRIPT" + [ "$status" -eq 0 ] + run rg -n 'Developer ID Application' "$WORKFLOW" "$RELEASE_SCRIPT" [ "$status" -eq 0 ]
diff --git a/scripts/update-custom-release.sh b/scripts/update-custom-release.sh
index d1e607c12..1f8f04ccf 100755
--- a/scripts/update-custom-release.sh
+++ b/scripts/update-custom-release.sh
@@ -304,6 +304,10 @@ sign_and_validate_darwin_binary() {
 codesign_args=(--force --sign "$codesign_identity" --options runtime --timestamp)
 if [[ -n "${CUSTOM_RELEASE_KEYCHAIN_PATH:-}" ]]; then
+ if [[ -n "${CUSTOM_RELEASE_KEYCHAIN_PASSWORD:-}" ]]; then
+ security unlock-keychain -p "$CUSTOM_RELEASE_KEYCHAIN_PASSWORD" "$CUSTOM_RELEASE_KEYCHAIN_PATH"
+ fi
+ security find-identity -v -p codesigning "$CUSTOM_RELEASE_KEYCHAIN_PATH"
 codesign_args+=(--keychain "$CUSTOM_RELEASE_KEYCHAIN_PATH")
 fi
 codesign "${codesign_args[@]}" "$binary"
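Review bot: `security unlock-keychain -p "$CUSTOM_RELEASE_KEYCHAIN_PASSWORD" …` in `scripts/update-custom-release.sh` puts the keychain password on the command line, where it shows up in the runner's process list and in any `set -x` trace of this script. If the password has to be used here, the line should carry a comment such as `# -p exposes the password in argv; acceptable only for a throwaway per-job keychain`, and tracing should stay off around the call. Separately, the `security find-identity` line only prints: as far as I know it exits 0 even when it reports no valid identities, so a missing identity still surfaces later as a `codesign` failure, and piping it through `grep -F -- "$codesign_identity" >/dev/null || return 1` would turn it into a real check. When the keychain path is set but the password is empty, the unlock is skipped silently, which deserves a warning on stderr. `sign_and_validate_darwin_binary` starts and ends outside this hunk; if it runs once per binary, both commands repeat for each one.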