From fca91023144385b6d6f1b183f0b0ef5bd5313c1d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20F=C3=B6rtsch?=
Date: Sun, 24 May 2026 19:55:09 +0200
Subject: [PATCH] resolve codesign identity from default keychain
---
 .gitea/workflows/custom-release.yml | 9 +++++++-
 .../test-custom-release-macos-runner.bats | 22 +++++++++++++++----
 scripts/update-custom-release.sh | 2 +-
 3 files changed, 27 insertions(+), 6 deletions(-)
diff --git a/.gitea/workflows/custom-release.yml b/.gitea/workflows/custom-release.yml
index 4c0fd3c3b..2304a5c22 100644
--- a/.gitea/workflows/custom-release.yml
+++ b/.gitea/workflows/custom-release.yml
@@ -58,6 +58,7 @@ jobs:
 keychain_path="$RUNNER_TEMP/syncthing-release-signing.keychain-db"
 keychain_password="$(openssl rand -hex 24)"
 certificate_path="$RUNNER_TEMP/developer-id-application.p12"
+ previous_default_keychain="$(security default-keychain -d user 2>/dev/null | sed 's/[ "]//g' || true)"
 if [ -z "$DEVELOPER_ID_APPLICATION_P12_BASE64" ]; then
 echo "DEVELOPER_ID_APPLICATION_P12_BASE64 secret is required" >&2
@@ -70,9 +71,11 @@ jobs:
 security unlock-keychain -p "$keychain_password" "$keychain_path"
 security import "$certificate_path" -k "$keychain_path" -P "$DEVELOPER_ID_APPLICATION_P12_PASSWORD" -A -T /usr/bin/codesign -T /usr/bin/security
 security list-keychains -d user -s "$keychain_path" $(security list-keychains -d user | sed 's/[ "]//g')
+ security default-keychain -d user -s "$keychain_path"
 security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$keychain_password" "$keychain_path"
 identity_output="$(security find-identity -v -p codesigning "$keychain_path")"
 printf '%s\n' "$identity_output"
+ security find-identity -v -p codesigning
 codesign_identity_sha1="$(printf '%s\n' "$identity_output" | awk '/"Developer ID Application:/ { print $2; exit }')"
 codesign_identity="$(printf '%s\n' "$identity_output" | sed -n 's/.*"\(Developer ID Application:[^"]*\)".*/\1/p' | head -n 1)"
 if [ -z "$codesign_identity" ]; then
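Review bot: The `sed 's/[ "]//g'` on the new `previous_default_keychain=` line deletes every space inside the path, not just the surrounding indentation and quotes, so a default keychain whose path contains a space is recorded as a non-existent path and the cleanup step's `-e` guard then silently skips the restore. Strip only the leading whitespace and the quotes, e.g. `previous_default_keychain="$(security default-keychain -d user 2>/dev/null | sed 's/^[[:space:]]*"//; s/"[[:space:]]*$//' || true)"`. The existing `list-keychains` line uses the same pattern, so the two are worth fixing together. A short comment such as `# default keychain before we switch it; restored in the cleanup step` would also make the purpose of this capture clear to the next reader.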
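Review bot: The new `security default-keychain -d user -s "$keychain_path"` changes a per-user setting on the runner rather than something scoped to this job, so on a persistent or shared runner any other process running as the same user resolves its default keychain — and, now that signing no longer passes `--keychain`, its signing identity — from this job's temporary keychain until the cleanup step runs. That may be an acceptable trade-off on a dedicated release runner, but it deserves a comment, e.g. `# make the temp keychain the user default so codesign resolves the identity without --keychain; restored in cleanup`. The added unscoped `security find-identity -v -p codesigning` prints identities from every keychain in the search list, so it is diagnostic only; the identity actually selected still comes from the `"$keychain_path"`-scoped `identity_output`, which is the right source.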
@@ -82,12 +85,13 @@ jobs:
 probe_binary="$RUNNER_TEMP/codesign-probe"
 cp /usr/bin/true "$probe_binary"
- codesign --force --dryrun --sign "$codesign_identity" --keychain "$keychain_path" --options runtime --timestamp "$probe_binary"
+ codesign --force --dryrun --sign "$codesign_identity" --options runtime --timestamp "$probe_binary"
 echo "CUSTOM_RELEASE_CODESIGN_IDENTITY=$codesign_identity" >> "$GITHUB_ENV"
 echo "CUSTOM_RELEASE_CODESIGN_IDENTITY_SHA1=$codesign_identity_sha1" >> "$GITHUB_ENV"
 echo "CUSTOM_RELEASE_KEYCHAIN_PATH=$keychain_path" >> "$GITHUB_ENV"
 echo "CUSTOM_RELEASE_KEYCHAIN_PASSWORD=$keychain_password" >> "$GITHUB_ENV"
+ echo "CUSTOM_RELEASE_PREVIOUS_DEFAULT_KEYCHAIN=$previous_default_keychain" >> "$GITHUB_ENV"
 env:
 DEVELOPER_ID_APPLICATION_P12_BASE64: ${{ secrets.DEVELOPER_ID_APPLICATION_P12_BASE64 }}
 DEVELOPER_ID_APPLICATION_P12_PASSWORD: ${{ secrets.DEVELOPER_ID_APPLICATION_P12_PASSWORD }}
@@ -108,6 +112,9 @@ jobs:
 - name: Delete temporary keychain
 if: always()
 run: |
+ if [ -n "${CUSTOM_RELEASE_PREVIOUS_DEFAULT_KEYCHAIN:-}" ] && [ -e "$CUSTOM_RELEASE_PREVIOUS_DEFAULT_KEYCHAIN" ]; then
+ security default-keychain -d user -s "$CUSTOM_RELEASE_PREVIOUS_DEFAULT_KEYCHAIN" || true
+ fi
 if [ -n "${CUSTOM_RELEASE_KEYCHAIN_PATH:-}" ]; then
 security delete-keychain "$CUSTOM_RELEASE_KEYCHAIN_PATH" || true
 fi
diff --git a/scripts/tests/test-custom-release-macos-runner.bats b/scripts/tests/test-custom-release-macos-runner.bats
index 31e3390ac..f07d867fe 100644
--- a/scripts/tests/test-custom-release-macos-runner.bats
+++ b/scripts/tests/test-custom-release-macos-runner.bats
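Review bot: With `--keychain` dropped from the `codesign --dryrun` probe, the identity is resolved by its display name across the whole search list (the earlier `list-keychains -s` line keeps whatever keychains were already there), so a second certificate with the same `Developer ID Application:` subject in another keychain — for instance an expired one left by an earlier run — makes the name ambiguous and codesign either errors out or may pick the wrong one. The step already extracts `$codesign_identity_sha1` from the temp keychain's listing; signing by that hash is unambiguous: `codesign --force --dryrun --sign "$codesign_identity_sha1" --options runtime --timestamp "$probe_binary"`. Because `CUSTOM_RELEASE_CODESIGN_IDENTITY_SHA1` is exported to `$GITHUB_ENV` as well, the release script can sign the same way.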
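Review bot: The restore in the cleanup step is skipped when `CUSTOM_RELEASE_PREVIOUS_DEFAULT_KEYCHAIN` is empty or the recorded path no longer exists, and in that case the temporary keychain is still the user default when the next lines delete it, leaving the runner's default keychain pointing at a deleted file. That branch should at least be visible in the log, e.g. an `else` arm with `echo "previous default keychain not recorded; user default keychain is left unset" >&2`, so a failing follow-up job on a persistent runner can be traced back to this step. Whether falling back to the login keychain is appropriate depends on the runner image, which I cannot tell from here. Keeping the restore ahead of `delete-keychain`, as it is now, is the right order.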
@@ -47,6 +47,21 @@ setup() {
 run rg -n 'security find-identity -v -p codesigning "\$keychain_path"' "$WORKFLOW"
 [ "$status" -eq 0 ]
+ run rg -n 'security default-keychain -d user -s "\$keychain_path"' "$WORKFLOW"
+ [ "$status" -eq 0 ]
+
+ run rg -n 'previous_default_keychain=' "$WORKFLOW"
+ [ "$status" -eq 0 ]
+
+ run rg -n 'CUSTOM_RELEASE_PREVIOUS_DEFAULT_KEYCHAIN=\$previous_default_keychain' "$WORKFLOW"
+ [ "$status" -eq 0 ]
+
+ run rg -n 'security default-keychain -d user -s "\$CUSTOM_RELEASE_PREVIOUS_DEFAULT_KEYCHAIN"' "$WORKFLOW"
+ [ "$status" -eq 0 ]
+
+ run rg -n 'security find-identity -v -p codesigning$' "$WORKFLOW" "$RELEASE_SCRIPT"
+ [ "$status" -eq 0 ]
+
 run rg -n 'codesign_identity_sha1=' "$WORKFLOW"
 [ "$status" -eq 0 ]
@@ -62,7 +77,7 @@ setup() {
 run rg -n 'CUSTOM_RELEASE_KEYCHAIN_PASSWORD=\$keychain_password' "$WORKFLOW"
 [ "$status" -eq 0 ]
- run rg -n 'codesign --force --dryrun --sign "\$codesign_identity" --keychain "\$keychain_path" --options runtime --timestamp "\$probe_binary"' "$WORKFLOW"
+ run rg -n 'codesign --force --dryrun --sign "\$codesign_identity" --options runtime --timestamp "\$probe_binary"' "$WORKFLOW"
 [ "$status" -eq 0 ]
 run rg -n 'CUSTOM_RELEASE_CODESIGN_IDENTITY: "Developer ID Application' "$WORKFLOW"
@@ -94,7 +109,7 @@ setup() {
 [ "$status" -eq 0 ]
 run rg -n -- '--keychain "\$CUSTOM_RELEASE_KEYCHAIN_PATH"' "$RELEASE_SCRIPT"
- [ "$status" -eq 0 ]
+ [ "$status" -ne 0 ]
 run rg -n 'codesign_args\+=\(--options runtime --timestamp\)' "$RELEASE_SCRIPT"
 [ "$status" -eq 0 ]
@@ -107,9 +122,8 @@ setup() {
 run awk '
 /codesign_args=\(--force --sign "\$codesign_identity"\)/ { sign = NR }
- /codesign_args\+=\(--keychain "\$CUSTOM_RELEASE_KEYCHAIN_PATH"\)/ { keychain = NR }
 /codesign_args\+=\(--options runtime --timestamp\)/ { options = NR }
- END { exit !(sign && keychain && options && sign < keychain && keychain < options) }
+ END { exit !(sign && options && sign < options) }
 ' "$RELEASE_SCRIPT"
 [ "$status" -eq 0 ]
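Review bot: The new `run rg -n 'security find-identity -v -p codesigning$' "$WORKFLOW" "$RELEASE_SCRIPT"` passes as long as either file matches, because rg exits 0 when any of its inputs has a hit, so the assertion would not notice the unscoped `find-identity` line being removed from one of the two files. If the intent is to require it in both, split it into two `run rg` calls with one file each, matching the one-file form used by every other assertion in this block. The `$`-anchored pattern is the only thing distinguishing this line from the `"\$keychain_path"`-scoped one a few lines up; a one-line comment saying so would save the next reader a double take.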
diff --git a/scripts/update-custom-release.sh b/scripts/update-custom-release.sh
index 60d12488c..20ef4e371 100755
--- a/scripts/update-custom-release.sh
+++ b/scripts/update-custom-release.sh
@@ -308,7 +308,7 @@ sign_and_validate_darwin_binary() {
 security unlock-keychain -p "$CUSTOM_RELEASE_KEYCHAIN_PASSWORD" "$CUSTOM_RELEASE_KEYCHAIN_PATH"
 fi
 security find-identity -v -p codesigning "$CUSTOM_RELEASE_KEYCHAIN_PATH"
- codesign_args+=(--keychain "$CUSTOM_RELEASE_KEYCHAIN_PATH")
+ security find-identity -v -p codesigning
 fi
 codesign_args+=(--options runtime --timestamp)
 codesign "${codesign_args[@]}" "$binary"
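Review bot: The line that replaces `codesign_args+=(--keychain ...)` only prints the default search list; nothing checks that `$codesign_identity` — which, per the bats assertion, is what `--sign` receives earlier in this function — actually resolves there before `codesign` runs, so a runner whose default keychain was not switched fails only at `codesign` with a less specific error after two listings of diagnostic output. A cheap guard gives a clearer failure: `security find-identity -v -p codesigning | grep -qF -- "$codesign_identity" || { echo "codesign identity not found in default keychain search list" >&2; return 1; }`. Signing by `CUSTOM_RELEASE_CODESIGN_IDENTITY_SHA1`, which the workflow now exports, would also sidestep name ambiguity when the same subject exists in another keychain. `sign_and_validate_darwin_binary` begins before this hunk and its `codesign_identity` assignment is not visible here.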