From 6b49279c320273db1b3c5b54340b1f37eebef538 Mon Sep 17 00:00:00 2001
From: enricobuehler
Date: Fri, 12 Jun 2026 15:55:09 +0000
Subject: [PATCH] ci(release): stage Apple intermediate CAs in the signing keychain

Fresh boxes lack the Developer ID / WWDR intermediates; without the issuing chain the imported identity is invalid and xcodebuild says "No signing certificate Developer ID Application found".

Co-Authored-By: Claude Fable 5
---
 .gitea/workflows/release.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index 9822292..eb34435 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -91,6 +91,16 @@ jobs:
 security create-keychain -p "$KEYCHAIN_PASS" "$KEYCHAIN"
 security set-keychain-settings -lut 7200 "$KEYCHAIN"
 security unlock-keychain -p "$KEYCHAIN_PASS" "$KEYCHAIN"
+ # Apple's intermediates — without the issuing CA in the chain the identity is
+ # "invalid" and xcodebuild reports "No signing certificate ... found" even
+ # though the cert imported fine (fresh boxes don't ship all WWDR/Developer ID
+ # intermediates).
+ for ca in DeveloperIDG2CA AppleWWDRCAG3 AppleWWDRCAG4; do
+ curl -sf "https://www.apple.com/certificateauthority/$ca.cer" \
+ -o "$RUNNER_TEMP/$ca.cer" \
+ && security import "$RUNNER_TEMP/$ca.cer" -k "$KEYCHAIN" -t cert >/dev/null \
+ || echo "::warning::could not stage intermediate $ca"
+ done
 printf '%s' "$P12_B64" | base64 -d > "$RUNNER_TEMP/devid.p12"
 security import "$RUNNER_TEMP/devid.p12" -k "$KEYCHAIN" -P "$P12_PASSWORD" \
 -T /usr/bin/codesign -T /usr/bin/security
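Review bot: A failed download or import in the new loop only emits a warning, and `-s` also hides curl's reason, so a missing intermediate sends the job on to the same opaque "No signing certificate ... found" failure this commit is meant to prevent; print the cause and retry transient network errors with `curl -sSf --retry 3 "https://www.apple.com/certificateauthority/$ca.cer" \`. Since signing cannot succeed without the chain, consider failing the step here instead of warning (`|| exit 1`), or at least following the loop with `security find-identity -v -p codesigning "$KEYCHAIN"` so the log shows whether the identity actually became valid. The `::warning::` annotation syntax is GitHub's; I believe Gitea's act_runner honours it, but if not the line is plain stdout — worth confirming on a runner. The enclosing run: block starts and ends outside the hunk.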