resolve codesign identity from default keychain
@@ -58,6 +58,7 @@ jobs:
|
||||
keychain_path="$RUNNER_TEMP/syncthing-release-signing.keychain-db"
|
||||
keychain_password="$(openssl rand -hex 24)"
|
||||
certificate_path="$RUNNER_TEMP/developer-id-application.p12"
|
||||
previous_default_keychain="$(security default-keychain -d user 2>/dev/null | sed 's/[ "]//g' || true)"
|
||||
|
||||
if [ -z "$DEVELOPER_ID_APPLICATION_P12_BASE64" ]; then
|
||||
echo "DEVELOPER_ID_APPLICATION_P12_BASE64 secret is required" >&2
|
||||
@@ -70,9 +71,11 @@ jobs:
|
||||
security unlock-keychain -p "$keychain_password" "$keychain_path"
|
||||
security import "$certificate_path" -k "$keychain_path" -P "$DEVELOPER_ID_APPLICATION_P12_PASSWORD" -A -T /usr/bin/codesign -T /usr/bin/security
|
||||
security list-keychains -d user -s "$keychain_path" $(security list-keychains -d user | sed 's/[ "]//g')
|
||||
security default-keychain -d user -s "$keychain_path"
|
||||
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$keychain_password" "$keychain_path"
|
||||
identity_output="$(security find-identity -v -p codesigning "$keychain_path")"
|
||||
printf '%s\n' "$identity_output"
|
||||
security find-identity -v -p codesigning
|
||||
codesign_identity_sha1="$(printf '%s\n' "$identity_output" | awk '/"Developer ID Application:/ { print $2; exit }')"
|
||||
codesign_identity="$(printf '%s\n' "$identity_output" | sed -n 's/.*"\(Developer ID Application:[^"]*\)".*/\1/p' | head -n 1)"
|
||||
if [ -z "$codesign_identity" ]; then
|
||||
@@ -82,12 +85,13 @@ jobs:
|
||||
|
||||
probe_binary="$RUNNER_TEMP/codesign-probe"
|
||||
cp /usr/bin/true "$probe_binary"
|
||||
codesign --force --dryrun --sign "$codesign_identity" --keychain "$keychain_path" --options runtime --timestamp "$probe_binary"
|
||||
codesign --force --dryrun --sign "$codesign_identity" --options runtime --timestamp "$probe_binary"
|
||||
|
||||
echo "CUSTOM_RELEASE_CODESIGN_IDENTITY=$codesign_identity" >> "$GITHUB_ENV"
|
||||
echo "CUSTOM_RELEASE_CODESIGN_IDENTITY_SHA1=$codesign_identity_sha1" >> "$GITHUB_ENV"
|
||||
echo "CUSTOM_RELEASE_KEYCHAIN_PATH=$keychain_path" >> "$GITHUB_ENV"
|
||||
echo "CUSTOM_RELEASE_KEYCHAIN_PASSWORD=$keychain_password" >> "$GITHUB_ENV"
|
||||
echo "CUSTOM_RELEASE_PREVIOUS_DEFAULT_KEYCHAIN=$previous_default_keychain" >> "$GITHUB_ENV"
|
||||
env:
|
||||
DEVELOPER_ID_APPLICATION_P12_BASE64: ${{ secrets.DEVELOPER_ID_APPLICATION_P12_BASE64 }}
|
||||
DEVELOPER_ID_APPLICATION_P12_PASSWORD: ${{ secrets.DEVELOPER_ID_APPLICATION_P12_PASSWORD }}
|
||||
@@ -108,6 +112,9 @@ jobs:
|
||||
- name: Delete temporary keychain
|
||||
if: always()
|
||||
run: |
|
||||
if [ -n "${CUSTOM_RELEASE_PREVIOUS_DEFAULT_KEYCHAIN:-}" ] && [ -e "$CUSTOM_RELEASE_PREVIOUS_DEFAULT_KEYCHAIN" ]; then
|
||||
security default-keychain -d user -s "$CUSTOM_RELEASE_PREVIOUS_DEFAULT_KEYCHAIN" || true
|
||||
fi
|
||||
if [ -n "${CUSTOM_RELEASE_KEYCHAIN_PATH:-}" ]; then
|
||||
security delete-keychain "$CUSTOM_RELEASE_KEYCHAIN_PATH" || true
|
||||
fi
|
||||
|
||||
@@ -47,6 +47,21 @@ setup() {
|
||||
run rg -n 'security find-identity -v -p codesigning "\$keychain_path"' "$WORKFLOW"
|
||||
[ "$status" -eq 0 ]
|
||||
|
||||
run rg -n 'security default-keychain -d user -s "\$keychain_path"' "$WORKFLOW"
|
||||
[ "$status" -eq 0 ]
|
||||
|
||||
run rg -n 'previous_default_keychain=' "$WORKFLOW"
|
||||
[ "$status" -eq 0 ]
|
||||
|
||||
run rg -n 'CUSTOM_RELEASE_PREVIOUS_DEFAULT_KEYCHAIN=\$previous_default_keychain' "$WORKFLOW"
|
||||
[ "$status" -eq 0 ]
|
||||
|
||||
run rg -n 'security default-keychain -d user -s "\$CUSTOM_RELEASE_PREVIOUS_DEFAULT_KEYCHAIN"' "$WORKFLOW"
|
||||
[ "$status" -eq 0 ]
|
||||
|
||||
run rg -n 'security find-identity -v -p codesigning$' "$WORKFLOW" "$RELEASE_SCRIPT"
|
||||
[ "$status" -eq 0 ]
|
||||
|
||||
run rg -n 'codesign_identity_sha1=' "$WORKFLOW"
|
||||
[ "$status" -eq 0 ]
|
||||
|
||||
@@ -62,7 +77,7 @@ setup() {
|
||||
run rg -n 'CUSTOM_RELEASE_KEYCHAIN_PASSWORD=\$keychain_password' "$WORKFLOW"
|
||||
[ "$status" -eq 0 ]
|
||||
|
||||
run rg -n 'codesign --force --dryrun --sign "\$codesign_identity" --keychain "\$keychain_path" --options runtime --timestamp "\$probe_binary"' "$WORKFLOW"
|
||||
run rg -n 'codesign --force --dryrun --sign "\$codesign_identity" --options runtime --timestamp "\$probe_binary"' "$WORKFLOW"
|
||||
[ "$status" -eq 0 ]
|
||||
|
||||
run rg -n 'CUSTOM_RELEASE_CODESIGN_IDENTITY: "Developer ID Application' "$WORKFLOW"
|
||||
@@ -94,7 +109,7 @@ setup() {
|
||||
[ "$status" -eq 0 ]
|
||||
|
||||
run rg -n -- '--keychain "\$CUSTOM_RELEASE_KEYCHAIN_PATH"' "$RELEASE_SCRIPT"
|
||||
[ "$status" -eq 0 ]
|
||||
[ "$status" -ne 0 ]
|
||||
|
||||
run rg -n 'codesign_args\+=\(--options runtime --timestamp\)' "$RELEASE_SCRIPT"
|
||||
[ "$status" -eq 0 ]
|
||||
@@ -107,9 +122,8 @@ setup() {
|
||||
|
||||
run awk '
|
||||
/codesign_args=\(--force --sign "\$codesign_identity"\)/ { sign = NR }
|
||||
/codesign_args\+=\(--keychain "\$CUSTOM_RELEASE_KEYCHAIN_PATH"\)/ { keychain = NR }
|
||||
/codesign_args\+=\(--options runtime --timestamp\)/ { options = NR }
|
||||
END { exit !(sign && keychain && options && sign < keychain && keychain < options) }
|
||||
END { exit !(sign && options && sign < options) }
|
||||
' "$RELEASE_SCRIPT"
|
||||
[ "$status" -eq 0 ]
|
||||
|
||||
|
||||
@@ -308,7 +308,7 @@ sign_and_validate_darwin_binary() {
|
||||
security unlock-keychain -p "$CUSTOM_RELEASE_KEYCHAIN_PASSWORD" "$CUSTOM_RELEASE_KEYCHAIN_PATH"
|
||||
fi
|
||||
security find-identity -v -p codesigning "$CUSTOM_RELEASE_KEYCHAIN_PATH"
|
||||
codesign_args+=(--keychain "$CUSTOM_RELEASE_KEYCHAIN_PATH")
|
||||
security find-identity -v -p codesigning
|
||||
fi
|
||||
codesign_args+=(--options runtime --timestamp)
|
||||
codesign "${codesign_args[@]}" "$binary"
|
||||
|
||||