fix(ci/release): gate iOS signing on matching identity, not find-identity -v
apple / swift (push) Successful in 1m16s
ci / rust (push) Successful in 1m22s
ci / web (push) Successful in 27s
ci / docs-site (push) Successful in 28s
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Successful in 5s
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Successful in 5s
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Successful in 5s
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Successful in 6s
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Successful in 6s
deb / build-publish (push) Successful in 3m2s
rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Successful in 4m55s
docker / deploy-docs (push) Successful in 6s
rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Successful in 4m19s
The Apple Distribution identity has its key + intermediate + valid dates (it's in 'Matching identities') but stayed out of 'Valid identities only' — a trust strictness (most likely a pending online revocation check on an hour-old cert) that codesign/xcodebuild do NOT enforce. Gate the iOS step on the MATCHING list so the archive actually attempts signing, and print 'security verify-cert -p codeSign' in the import step so the exact trust verdict shows if it still balks.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
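The gate this commit changes is a substring grep over the matching list, which also matches entries that are present but unusable. As an added example (not code from the punktfunk repository), the function below picks the Apple Distribution identity from the "Matching identities" section by its hash and skips entries carrying an expired/revoked annotation, so the release step can sign by hash rather than by name. The `security find-identity` output format and the `CSSMERR_*` annotation text are assumptions; `SAMPLE` is constructed so the block runs without macOS.

```shell
#!/bin/sh
# Added example, not part of the punktfunk CI workflow.
# ASSUMPTION: `security find-identity -p codesigning` prints the layout below
# (index, 40-hex SHA-1 hash, quoted name, optional trailing CSSMERR_* annotation).
# SAMPLE is constructed test input standing in for the real tool's output.
SAMPLE='Policy: Code Signing
  Matching identities
  1) 1111111111111111111111111111111111111111 "Apple Distribution: Example Corp (TEAMID0001)" (CSSMERR_TP_CERT_EXPIRED)
  2) 2222222222222222222222222222222222222222 "Apple Distribution: Example Corp (TEAMID0001)"
  3) 3333333333333333333333333333333333333333 "Apple Development: Dev One (TEAMID0001)"
     3 identities found

  Valid identities only
  1) 3333333333333333333333333333333333333333 "Apple Development: Dev One (TEAMID0001)"
     1 valid identities found'

# pick_identity NAME_PREFIX  (find-identity output on stdin)
# Prints the hash of the first identity in the Matching section whose quoted
# name starts with NAME_PREFIX and that is not annotated expired/revoked.
# Exit status 1 when no such identity exists, so callers can gate on it.
pick_identity() {
  prefix="$1"
  awk -v prefix="$prefix" '
    /^ *Matching identities/   { in_match = 1; next }
    /^ *Valid identities only/ { in_match = 0 }
    in_match && $2 ~ /^[0-9A-Fa-f]+$/ && length($2) == 40 {
      if (index($0, "\"" prefix) == 0) next                     # some other identity
      if ($0 ~ /CSSMERR_TP_CERT_EXPIRED|CSSMERR_TP_CERT_REVOKED/) next  # hard failure, never signable
      print $2; found = 1; exit                                  # pending trust checks are tolerated
    }
    END { exit (found ? 0 : 1) }
  '
}

# Stand-alone demonstration on the constructed sample. In the workflow the
# pipeline input would be: security find-identity -p codesigning "$KEYCHAIN"
if hash=$(printf '%s\n' "$SAMPLE" | pick_identity "Apple Distribution"); then
  echo "signable Apple Distribution identity: $hash"   # the hash, not a name, goes to the signer
else
  echo "no signable Apple Distribution identity; skipping iOS" >&2
fi
```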
@@ -149,9 +149,13 @@ jobs:
|
|||||||
# identities — WITHOUT failing this step, so the macOS release still proceeds.
|
# identities — WITHOUT failing this step, so the macOS release still proceeds.
|
||||||
if [ -n "$IOS_P12_B64" ] \
|
if [ -n "$IOS_P12_B64" ] \
|
||||||
&& ! security find-identity -v -p codesigning "$KEYCHAIN" | grep -q "Apple Distribution"; then
|
&& ! security find-identity -v -p codesigning "$KEYCHAIN" | grep -q "Apple Distribution"; then
|
||||||
echo "::warning::IOS_DIST_CERT_P12_B64 set but no VALID 'Apple Distribution' identity — likely the .p12 has no private key (export the IDENTITY, key included), or an untrusted/expired chain."
|
echo "::warning::IOS_DIST_CERT_P12_B64 set but no VALID 'Apple Distribution' identity — but it may still be usable (see trust verdict below); codesign is less strict than find-identity -v."
|
||||||
echo "all codesigning identities (incl. invalid):"
|
echo "all codesigning identities (incl. invalid):"
|
||||||
security find-identity -p codesigning "$KEYCHAIN" || true
|
security find-identity -p codesigning "$KEYCHAIN" || true
|
||||||
|
echo "--- trust verdict for the Apple Distribution leaf (codeSign policy) ---"
|
||||||
|
security find-certificate -c "Apple Distribution" -p "$KEYCHAIN" > "$RUNNER_TEMP/appledist.pem" 2>/dev/null || true
|
||||||
|
security verify-cert -p codeSign -c "$RUNNER_TEMP/appledist.pem" -k "$KEYCHAIN" 2>&1 || true
|
||||||
|
rm -f "$RUNNER_TEMP/appledist.pem"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
- name: Stage App Store Connect API key
|
- name: Stage App Store Connect API key
|
||||||
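Review bot: the trust verdict added here is printed and then discarded (`|| true` on both `security find-certificate` and `security verify-cert`), so an expired or genuinely revoked leaf produces the same outcome as a pending revocation check: a warning, followed by the release step attempting to sign with it. Consider capturing the `verify-cert -p codeSign` exit status and emitting a distinct warning (or failing only the iOS path) on a hard failure instead of treating every verdict as informational. Two smaller points: `security find-certificate -c "Apple Distribution" -p` returns only the first match, so with an older Apple Distribution certificate still in the keychain the verdict may be for the wrong leaf (use `-a` and verify each, or select by the hash that `find-identity` prints); and the warning still reads "no VALID 'Apple Distribution' identity" while the same message says it may be usable, so name the list the release step actually gates on to keep the log unambiguous.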
@@ -268,10 +272,12 @@ jobs:
|
|||||||
exit 0
|
exit 0
|
||||||
fi
|
fi
|
||||||
# App Store signing uses the Apple Distribution identity imported above from
|
# App Store signing uses the Apple Distribution identity imported above from
|
||||||
# IOS_DIST_CERT_P12_B64. Skip cleanly until that secret exists; re-assert the
|
# IOS_DIST_CERT_P12_B64. Gate on the MATCHING list (find-identity without -v), NOT
|
||||||
# throwaway keychain on the search list + as default so automatic signing finds it
|
# the valid-only list: a freshly-minted cert with its key + intermediate present can
|
||||||
# (the search list doesn't reliably carry across steps on this runner).
|
# be excluded from -v by a pending online revocation/trust check that codesign does
|
||||||
if ! security find-identity -v -p codesigning "$KEYCHAIN" | grep -q "Apple Distribution"; then
|
# NOT enforce — so -v would skip a perfectly signable identity. Re-assert the
|
||||||
|
# throwaway keychain (search list + default) so automatic signing finds it.
|
||||||
|
if ! security find-identity -p codesigning "$KEYCHAIN" | grep -q "Apple Distribution"; then
|
||||||
echo "::warning::no Apple Distribution identity present — set IOS_DIST_CERT_P12_B64. Skipping iOS/TestFlight."
|
echo "::warning::no Apple Distribution identity present — set IOS_DIST_CERT_P12_B64. Skipping iOS/TestFlight."
|
||||||
exit 0
|
exit 0
|
||||||
fi
|
fi
|
||||||
|
|||||||
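Review bot: dropping `-v` from `security find-identity` makes `grep -q "Apple Distribution"` match any Apple Distribution entry the matching list prints, including one whose certificate is expired or revoked, so the gate can pass and the archive then fail at signing, or sign with a stale identity when several share the name. Suggest selecting the identity by the 40-character hash from the matching list, excluding entries the tool annotates as expired or revoked, and passing that hash as the signing identity instead of a substring match. The rewritten comment should also point at the trust verdict printed in the import step, so a reader of a failed run knows where the verify-cert output lives.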