fix(ci/release): sign the macOS archive with Developer ID, not auto dev signing
ci / web (push) Successful in 26s
apple / swift (push) Successful in 1m15s
ci / rust (push) Successful in 1m25s
ci / docs-site (push) Successful in 29s
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Successful in 7s
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Successful in 6s
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Successful in 5s
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Successful in 6s
deb / build-publish (push) Successful in 2m42s
docker / deploy-docs (push) Successful in 20s
rpm / build-publish (push) Successful in 5m6s
The cert import now yields a valid 'Developer ID Application' identity, but the macOS `xcodebuild archive` step still inherited the project's automatic 'Apple Development' signing via -allowProvisioningUpdates. That made Xcode try to mint an Apple Development cert (install fails in the CI keychain, DVTSecErrorDomain -61 'Write permissions error') and locate a 'Mac App Development' provisioning profile for io.unom.punktfunk (none exists) — ** ARCHIVE FAILED ** before signing even happened.

A Developer ID DMG needs neither: pin CODE_SIGN_STYLE=Manual + the Developer ID identity + no profile, mirroring what the export step already does. The app is non-sandboxed and its only entitlement (keychain-access-groups, team-prefixed) is authorized by the Developer ID team, so no provisioning profile is required. ENABLE_HARDENED_RUNTIME=YES is already set, so notarization stays happy.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
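The commit relies on three properties of the archived app holding at once: a Developer ID Application identity (not the automatic Apple Development one), hardened runtime enabled, and an entitlement set limited to the team-prefixed keychain-access-groups. The script below is an added example, not code from the punktfunk repository or this commit: a post-archive gate that checks those properties from `codesign -d --verbose=2` output and the `codesign -d --entitlements -` plist before notarytool is invoked. The team ID ABCDE12345, the organisation name, the codesign output and the entitlement plists are constructed samples, and the function and file names are hypothetical; only the bundle ID io.unom.punktfunk comes from the diff.

```shell
#!/bin/sh
# Added example, not code from the punktfunk repo: a post-archive gate that
# inspects the signed .app before notarytool runs, so an archive that fell
# back to automatic "Apple Development" signing never reaches Apple.
# Team ID ABCDE12345 and all sample codesign/plist output below are
# constructed; only the bundle ID io.unom.punktfunk is from the diff.

# check_codesign_info INFO TEAM_ID BUNDLE_ID
# INFO is a file holding the output of:  codesign -d --verbose=2 App.app 2>&1
check_codesign_info() {
    info=$1 team=$2 bundle=$3
    if ! grep -q '^Authority=Developer ID Application:' "$info"; then
        echo "FAIL: not signed with a Developer ID Application identity" >&2; return 1
    fi
    if grep -q '^Authority=Apple Development:' "$info"; then
        echo "FAIL: automatic Apple Development signing leaked into the archive" >&2; return 1
    fi
    grep -q "^TeamIdentifier=$team\$" "$info" ||
        { echo "FAIL: TeamIdentifier is not $team" >&2; return 1; }
    grep -q "^Identifier=$bundle\$" "$info" ||
        { echo "FAIL: Identifier is not $bundle" >&2; return 1; }
    # Hardened runtime shows up as "(runtime)" in the CodeDirectory flags;
    # "adhoc" there means there is no certificate-backed signature at all.
    flags=$(sed -n 's/^CodeDirectory .*flags=\([^ ]*\).*/\1/p' "$info")
    case $flags in
        *adhoc*)   echo "FAIL: ad-hoc signature ($flags)" >&2; return 1 ;;
        *runtime*) ;;
        *)         echo "FAIL: hardened runtime not enabled ($flags)" >&2; return 1 ;;
    esac
    # Notarization rejects signatures that carry no secure timestamp.
    grep -q '^Timestamp=' "$info" ||
        { echo "FAIL: signature carries no secure timestamp" >&2; return 1; }
}

# check_entitlements PLIST TEAM_ID
# PLIST is a file holding the output of:  codesign -d --entitlements - App.app
check_entitlements() {
    plist=$1 team=$2
    # get-task-allow is what development signing injects; notarization refuses it.
    if grep -q 'com.apple.security.get-task-allow' "$plist"; then
        echo "FAIL: debug entitlement get-task-allow present" >&2; return 1
    fi
    for key in $(sed -n 's/.*<key>\(.*\)<\/key>.*/\1/p' "$plist"); do
        [ "$key" = keychain-access-groups ] ||
            { echo "FAIL: unexpected entitlement $key" >&2; return 1; }
    done
    groups=$(sed -n 's/.*<string>\(.*\)<\/string>.*/\1/p' "$plist")
    [ -n "$groups" ] || { echo "FAIL: no keychain access group listed" >&2; return 1; }
    for group in $groups; do
        case $group in
            "$team".*) ;;
            *) echo "FAIL: keychain group $group lacks the $team. prefix" >&2; return 1 ;;
        esac
    done
}

# write_samples DIR: constructed output for a correctly Developer ID-signed
# archive (good.*) and for one signed with automatic development signing (dev.*).
write_samples() {
    cat >"$1/good.info" <<'EOF'
Executable=/Users/ci/Punktfunk-macos.xcarchive/Products/Applications/Punktfunk.app/Contents/MacOS/Punktfunk
Identifier=io.unom.punktfunk
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=4321 flags=0x10000(runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=1 Jan 2024 at 12:00:00
TeamIdentifier=ABCDE12345
EOF
    sed -e 's/^Authority=Developer ID Application:.*/Authority=Apple Development: ci@example.invalid (XYZ987WXYZ)/' \
        -e 's/^Authority=Developer ID Certification Authority/Authority=Apple Worldwide Developer Relations Certification Authority/' \
        -e 's/^Timestamp=/Signed Time=/' "$1/good.info" >"$1/dev.info"
    cat >"$1/good.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>keychain-access-groups</key>
  <array><string>ABCDE12345.io.unom.punktfunk</string></array>
</dict></plist>
EOF
    sed 's|<dict>|<dict><key>com.apple.security.get-task-allow</key><true/>|' \
        "$1/good.plist" >"$1/dev.plist"
}

# Stand-alone run against the constructed samples; in the workflow, capture
# real codesign output for the archived .app into the two files instead.
demo=$(mktemp -d) && write_samples "$demo"
check_codesign_info "$demo/good.info" ABCDE12345 io.unom.punktfunk &&
    check_entitlements "$demo/good.plist" ABCDE12345 && echo "good sample: PASS"
check_codesign_info "$demo/dev.info" ABCDE12345 io.unom.punktfunk ||
    echo "dev sample: rejected as intended"
```

Wire the two `check_*` functions in between the archive and export steps, fed from `codesign` run against `Products/Applications/Punktfunk.app` inside the xcarchive; a wrong identity, a missing `(runtime)` flag, a stray get-task-allow entitlement or a keychain group without the team prefix then fails the job with a precise message instead of surfacing later as a notarization rejection.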
@@ -122,15 +122,24 @@ jobs:
- name: Archive macOS
run: |
# Manual Developer ID signing — same reasoning as the export step below. With
# -allowProvisioningUpdates the archive runs AUTOMATIC signing, which tries to mint
# an Apple Development cert + a "Mac App Development" profile for io.unom.punktfunk:
# installing that cert into the CI keychain fails (DVTSecErrorDomain -61 "Write
# permissions error") and no such profile exists — a Developer ID DMG needs
# neither. Pin the Developer ID identity and no profile: the app is non-sandboxed
# and its lone entitlement (keychain-access-groups, team-prefixed) is authorized by
# the Developer ID team itself, so no provisioning profile is required. The ASC key
# is still staged above for notarytool + the iOS App Store archive.
DEVELOPER_DIR="$XCODE_DEV_DIR" xcodebuild archive \
-project "$PROJECT" -scheme Punktfunk \
-destination 'generic/platform=macOS' \
-archivePath "$RUNNER_TEMP/Punktfunk-macos.xcarchive" \
MARKETING_VERSION="$VERSION" CURRENT_PROJECT_VERSION="$BUILD_NUM" \
-allowProvisioningUpdates \
-authenticationKeyPath "$RUNNER_TEMP/asc.p8" \
-authenticationKeyID "${{ secrets.ASC_API_KEY_ID }}" \
-authenticationKeyIssuerID "${{ secrets.ASC_API_ISSUER_ID }}"
CODE_SIGN_STYLE=Manual \
CODE_SIGN_IDENTITY="Developer ID Application" \
DEVELOPMENT_TEAM="$TEAM_ID" \
PROVISIONING_PROFILE_SPECIFIER=""

- name: Export macOS (Developer ID)
run: |

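Review bot: `CODE_SIGN_IDENTITY="Developer ID Application"` is a prefix match against whatever the CI keychain holds, so the moment a second Developer ID Application certificate is imported (a renewal overlapping the old one, or a second team's cert on a shared runner) codesign reports the identity as ambiguous and the archive fails again, or it silently signs with the wrong one. Pin the full string, `"Developer ID Application: <Name> (<TEAMID>)"`, or better the certificate's SHA-1 hash from `security find-identity -v -p codesigning`, sourced from the same place as `$TEAM_ID` so the two cannot drift apart; `DEVELOPMENT_TEAM="$TEAM_ID"` must match the team in that certificate or the manual signing will also be rejected. Minor: the nine-line comment repeats the commit message nearly verbatim; two lines stating "manual Developer ID signing, no profile needed (non-sandboxed, only team-prefixed keychain-access-groups)" would carry the same information.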