fix(ci/release): re-set key partition list + stage full chain before iOS codesign
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Successful in 6s
ci / web (push) Successful in 28s
ci / docs-site (push) Successful in 31s
apple / swift (push) Successful in 1m18s
ci / rust (push) Successful in 2m6s
ci / bench (push) Successful in 1m37s
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Successful in 5s
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Successful in 3s
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Successful in 4s
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Successful in 4s
deb / build-publish (push) Successful in 2m15s
rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Successful in 4m49s
docker / deploy-docs (push) Successful in 18s
rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Successful in 4m28s
iOS codesign still failed with 'unable to build chain to self-signed root / errSecInternalComponent' after the keychain re-assert. verify-cert proves the chain is trusted, so this is the private-key ACL (errSecInternalComponent is classically that) and/or codesign not finding the chain certs in the identity's keychain. Right before the iOS codesign: re-run set-key-partition-list (re-grant codesign access to the key) and import the WWDR G3 intermediate + Apple Root CA into the throwaway keychain so the full leaf->WWDR->root chain is present there.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@@ -327,6 +327,15 @@ jobs:
security unlock-keychain -p "$KEYCHAIN_PASS" "$KEYCHAIN" 2>/dev/null || true
security list-keychains -d user -s "$KEYCHAIN" login.keychain-db
security default-keychain -d user -s "$KEYCHAIN"
# Re-establish codesign's access to the private key (errSecInternalComponent at
# sign time is classically a key-ACL problem) + stage the WWDR intermediate and
# Apple Root so the whole chain is in the identity's keychain for the chain build.
security set-key-partition-list -S apple-tool:,apple:,codesign: \
-s -k "$KEYCHAIN_PASS" "$KEYCHAIN" >/dev/null 2>&1 || true
curl -fsS "https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer" -o "$RUNNER_TEMP/w.cer" \
&& security import "$RUNNER_TEMP/w.cer" -k "$KEYCHAIN" -t cert >/dev/null 2>&1 || true
curl -fsS "https://www.apple.com/appleca/AppleIncRootCertificate.cer" -o "$RUNNER_TEMP/r.cer" \
&& security import "$RUNNER_TEMP/r.cer" -k "$KEYCHAIN" -t cert >/dev/null 2>&1 || true
# Inside-out: sign any nested Mach-O first (the static build usually has none), then
# the app with the profile's entitlements + the Apple Distribution identity.
if [ -d "$APP/Frameworks" ]; then
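Review bot: every added command in this hunk is chained with `|| true` and silenced with `>/dev/null 2>&1`, so a failing `security set-key-partition-list`, a failed `curl` of `w.cer`/`r.cer`, or a failed `security import` leaves no trace in the log and the step still reports success, only for the same opaque codesign error this change targets to reappear at sign time. Suggest letting `security set-key-partition-list` fail the step (or at least echoing its exit status), and for the two certificates either vendoring the DER files in the repo or checking the downloaded files against a pinned fingerprint before `security import`, e.g. `openssl x509 -inform der -in "$RUNNER_TEMP/w.cer" -noout -fingerprint -sha256`, since the runner currently imports whatever the apple.com URL returns on each run. Worth a comment too that `-t cert` import only makes the intermediate and root findable for chain building in `$KEYCHAIN` and does not alter trust settings, which is the intended scope here.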