unom/punktfunk
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases 4 Wiki Activity

fix(ci/release): sign the macOS archive with Developer ID, not auto dev signing
ci / web (push) Successful in 26s
Details
apple / swift (push) Successful in 1m15s
Details
ci / rust (push) Successful in 1m25s
Details
ci / docs-site (push) Successful in 29s
Details
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Successful in 7s
Details
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Successful in 6s
Details
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Successful in 5s
Details
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Successful in 6s
Details
deb / build-publish (push) Successful in 2m42s
Details
docker / deploy-docs (push) Successful in 20s
Details
rpm / build-publish (push) Successful in 5m6s
Details

Browse Source 
The cert import now yields a valid 'Developer ID Application' identity, but
the macOS `xcodebuild archive` step still inherited the project's automatic
'Apple Development' signing via -allowProvisioningUpdates. That made Xcode try
to mint an Apple Development cert (install fails in the CI keychain,
DVTSecErrorDomain -61 'Write permissions error') and locate a 'Mac App
Development' provisioning profile for io.unom.punktfunk (none exists) —
** ARCHIVE FAILED ** before signing even happened.

A Developer ID DMG needs neither: pin CODE_SIGN_STYLE=Manual + the Developer ID
identity + no profile, mirroring what the export step already does. The app is
non-sandboxed and its only entitlement (keychain-access-groups, team-prefixed)
is authorized by the Developer ID team, so no provisioning profile is required.
ENABLE_HARDENED_RUNTIME=YES is already set, so notarization stays happy.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Enrico Bühler
2026-06-13 13:46:00 +00:00
parent 7f18b3dcd0
commit 3c617f655e
1 changed files with 13 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitea/workflows/release.yml
+13 -4
View File
@@ -122,15 +122,24 @@ jobs:
- name: Archive macOS - name: Archive macOS
run: | run: |
# Manual Developer ID signing — same reasoning as the export step below. With
# -allowProvisioningUpdates the archive runs AUTOMATIC signing, which tries to mint
# an Apple Development cert + a "Mac App Development" profile for io.unom.punktfunk:
# installing that cert into the CI keychain fails (DVTSecErrorDomain -61 "Write
# permissions error") and no such profile exists — a Developer ID DMG needs
# neither. Pin the Developer ID identity and no profile: the app is non-sandboxed
# and its lone entitlement (keychain-access-groups, team-prefixed) is authorized by
# the Developer ID team itself, so no provisioning profile is required. The ASC key
# is still staged above for notarytool + the iOS App Store archive.
DEVELOPER_DIR="$XCODE_DEV_DIR" xcodebuild archive \ DEVELOPER_DIR="$XCODE_DEV_DIR" xcodebuild archive \
-project "$PROJECT" -scheme Punktfunk \ -project "$PROJECT" -scheme Punktfunk \
-destination 'generic/platform=macOS' \ -destination 'generic/platform=macOS' \
-archivePath "$RUNNER_TEMP/Punktfunk-macos.xcarchive" \ -archivePath "$RUNNER_TEMP/Punktfunk-macos.xcarchive" \
MARKETING_VERSION="$VERSION" CURRENT_PROJECT_VERSION="$BUILD_NUM" \ MARKETING_VERSION="$VERSION" CURRENT_PROJECT_VERSION="$BUILD_NUM" \
-allowProvisioningUpdates \ CODE_SIGN_STYLE=Manual \
-authenticationKeyPath "$RUNNER_TEMP/asc.p8" \ CODE_SIGN_IDENTITY="Developer ID Application" \
-authenticationKeyID "${{ secrets.ASC_API_KEY_ID }}" \ DEVELOPMENT_TEAM="$TEAM_ID" \
-authenticationKeyIssuerID "${{ secrets.ASC_API_ISSUER_ID }}" PROVISIONING_PROFILE_SPECIFIER=""
- name: Export macOS (Developer ID) - name: Export macOS (Developer ID)
run: | run: |