From 3c617f655ef4e147431ee1322bd6eda47dc747a7 Mon Sep 17 00:00:00 2001
From: enricobuehler
Date: Sat, 13 Jun 2026 13:46:00 +0000
Subject: [PATCH] fix(ci/release): sign the macOS archive with Developer ID, not auto dev signing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The cert import now yields a valid 'Developer ID Application' identity, but the macOS `xcodebuild archive` step still inherited the project's automatic 'Apple Development' signing via -allowProvisioningUpdates. That made Xcode try to mint an Apple Development cert (install fails in the CI keychain, DVTSecErrorDomain -61 'Write permissions error') and locate a 'Mac App Development' provisioning profile for io.unom.punktfunk (none exists) — ** ARCHIVE FAILED ** before signing even happened.

A Developer ID DMG needs neither: pin CODE_SIGN_STYLE=Manual + the Developer ID identity + no profile, mirroring what the export step already does. The app is non-sandboxed and its only entitlement (keychain-access-groups, team-prefixed) is authorized by the Developer ID team, so no provisioning profile is required. ENABLE_HARDENED_RUNTIME=YES is already set, so notarization stays happy.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .gitea/workflows/release.yml | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index 0f1a48d..db228d2 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -122,15 +122,24 @@ jobs: - name: Archive macOS run: | + # Manual Developer ID signing — same reasoning as the export step below. With + # -allowProvisioningUpdates the archive runs AUTOMATIC signing, which tries to mint + # an Apple Development cert + a "Mac App Development" profile for io.unom.punktfunk: + # installing that cert into the CI keychain fails (DVTSecErrorDomain -61 "Write + # permissions error") and no such profile exists — a Developer ID DMG needs + # neither. Pin the Developer ID identity and no profile: the app is non-sandboxed + # and its lone entitlement (keychain-access-groups, team-prefixed) is authorized by + # the Developer ID team itself, so no provisioning profile is required. The ASC key + # is still staged above for notarytool + the iOS App Store archive. DEVELOPER_DIR="$XCODE_DEV_DIR" xcodebuild archive \ -project "$PROJECT" -scheme Punktfunk \ -destination 'generic/platform=macOS' \ -archivePath "$RUNNER_TEMP/Punktfunk-macos.xcarchive" \ MARKETING_VERSION="$VERSION" CURRENT_PROJECT_VERSION="$BUILD_NUM" \ - -allowProvisioningUpdates \ - -authenticationKeyPath "$RUNNER_TEMP/asc.p8" \ - -authenticationKeyID "${{ secrets.ASC_API_KEY_ID }}" \ - -authenticationKeyIssuerID "${{ secrets.ASC_API_ISSUER_ID }}" + CODE_SIGN_STYLE=Manual \ + CODE_SIGN_IDENTITY="Developer ID Application" \ + DEVELOPMENT_TEAM="$TEAM_ID" \ + PROVISIONING_PROFILE_SPECIFIER="" - name: Export macOS (Developer ID) run: |
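Review bot: the new `DEVELOPMENT_TEAM="$TEAM_ID"` line relies on a `TEAM_ID` variable that nothing in this hunk defines; if it is only set in the export step's own `env:` rather than at job scope, the archive runs manual signing with an empty team and fails in a way the comment does not anticipate. Suggest confirming it is exported at job level and adding a fail-fast guard before `xcodebuild archive`, e.g. `: "${TEAM_ID:?TEAM_ID must be set}"`. The same applies to `CODE_SIGN_IDENTITY="Developer ID Application"`, which is resolved by name against whatever the CI keychain holds: a pre-flight `security find-identity -v -p codesigning` step that checks exactly one Developer ID Application identity for the team is present would surface a missing or duplicated certificate before the archive rather than inside it. Style: the nine-line comment block repeats the commit message nearly verbatim; a two-line pointer ("manual Developer ID signing, no profile; see commit 3c617f6 and the export step below") keeps the workflow readable.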