From 596c92f785e2c547bd40075b4bcba33d7532b1a5 Mon Sep 17 00:00:00 2001
From: enricobuehler
Date: Sat, 13 Jun 2026 20:22:27 +0000
Subject: [PATCH] fix(ci/release): re-set key partition list + stage full chain before iOS codesign

iOS codesign still failed with 'unable to build chain to self-signed root / errSecInternalComponent' after the keychain re-assert. verify-cert proves the chain is trusted, so this is the private-key ACL (errSecInternalComponent is classically that) and/or codesign not finding the chain certs in the identity's keychain. Right before the iOS codesign: re-run set-key-partition-list (re-grant codesign access to the key) and import the WWDR G3 intermediate + Apple Root CA into the throwaway keychain so the full leaf->WWDR->root chain is present there.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .gitea/workflows/release.yml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index 81d7a00..f9a68c6 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -327,6 +327,15 @@ jobs:
 security unlock-keychain -p "$KEYCHAIN_PASS" "$KEYCHAIN" 2>/dev/null || true
 security list-keychains -d user -s "$KEYCHAIN" login.keychain-db
 security default-keychain -d user -s "$KEYCHAIN"
+ # Re-establish codesign's access to the private key (errSecInternalComponent at
+ # sign time is classically a key-ACL problem) + stage the WWDR intermediate and
+ # Apple Root so the whole chain is in the identity's keychain for the chain build.
+ security set-key-partition-list -S apple-tool:,apple:,codesign: \
+ -s -k "$KEYCHAIN_PASS" "$KEYCHAIN" >/dev/null 2>&1 || true
+ curl -fsS "https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer" -o "$RUNNER_TEMP/w.cer" \
+ && security import "$RUNNER_TEMP/w.cer" -k "$KEYCHAIN" -t cert >/dev/null 2>&1 || true
+ curl -fsS "https://www.apple.com/appleca/AppleIncRootCertificate.cer" -o "$RUNNER_TEMP/r.cer" \
+ && security import "$RUNNER_TEMP/r.cer" -k "$KEYCHAIN" -t cert >/dev/null 2>&1 || true
 # Inside-out: sign any nested Mach-O first (the static build usually has none), then
 # the app with the profile's entitlements + the Apple Distribution identity.
 if [ -d "$APP/Frameworks" ]; then
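Review bot: The two `curl ... && security import ... -t cert` lines fetch the WWDR G3 intermediate and the Apple Root CA from apple.com at release-signing time and load whatever bytes come back into the signing keychain without checking them, and the trailing `>/dev/null 2>&1 || true` makes a failed download, a redirect to some other file, or a rejected import invisible in the job log. Pin each file to a SHA-256 fingerprint held in the workflow and fail loudly on mismatch, e.g. `[ "$(openssl dgst -sha256 -r "$RUNNER_TEMP/w.cer" | cut -d' ' -f1)" = "$WWDR_G3_SHA256" ] || { echo "WWDR G3 fingerprint mismatch" >&2; exit 1; }` before the import (and the same for `r.cer`), or vendor the two DER files in the repo so the release step has no network dependency at all. For the same reason the `set-key-partition-list` call should surface its stderr instead of discarding it, because a rejected partition-list update is precisely the errSecInternalComponent condition the commit message is chasing and the current form cannot tell you whether the re-grant took effect. Note that `security import -t cert` adds the certificates without granting them trust, so a wrong file would not make a rogue chain trusted, but it would leave codesign failing with the same opaque error this patch is meant to remove. The enclosing `run:` step begins and ends outside the hunk.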