diag(ci/release): sign iOS by identity hash + max-verbose codesign
ci / web (push) Successful in 29s
ci / docs-site (push) Successful in 36s
ci / rust (push) Successful in 2m2s
ci / bench (push) Successful in 1m35s
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Successful in 5s
apple / swift (push) Successful in 1m20s
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Successful in 5s
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Successful in 3s
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Successful in 4s
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Successful in 4s
deb / build-publish (push) Successful in 2m2s
rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Successful in 4m57s
docker / deploy-docs (push) Successful in 17s
rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Successful in 5m1s

The throwaway-keychain codesign still fails 'unable to build chain to self-signed
root / errSecInternalComponent' despite cert/chain/key all verifying. Sign by the
Apple Distribution identity's SHA-1 hash (eliminates name-matching ambiguity, a
known cause) and run codesign --verbose=4 + print valid/matching identities at
sign time, to surface the exact failure on the next run.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-13 20:29:45 +00:00
parent 596c92f785
commit 822988029c
+8 -2
@@ -336,17 +336,23 @@ jobs:
&& security import "$RUNNER_TEMP/w.cer" -k "$KEYCHAIN" -t cert >/dev/null 2>&1 || true
curl -fsS "https://www.apple.com/appleca/AppleIncRootCertificate.cer" -o "$RUNNER_TEMP/r.cer" \
&& security import "$RUNNER_TEMP/r.cer" -k "$KEYCHAIN" -t cert >/dev/null 2>&1 || true
# Sign by the identity's SHA-1 HASH (not the name) — name matching is a known cause
# of "unable to build chain / errSecInternalComponent". Diagnostics: show valid vs
# matching identities at sign time, and run codesign at max verbosity.
IOS_ID=$(security find-identity -p codesigning "$KEYCHAIN" | awk '/Apple Distribution/{print $2; exit}')
echo "iOS signing identity hash: ${IOS_ID:-NONE}"
echo "--- valid identities ---"; security find-identity -v -p codesigning "$KEYCHAIN" || true
# Inside-out: sign any nested Mach-O first (the static build usually has none), then
# the app with the profile's entitlements + the Apple Distribution identity.
if [ -d "$APP/Frameworks" ]; then
find "$APP/Frameworks" -depth \( -name '*.framework' -o -name '*.dylib' \) -print0 \
| while IFS= read -r -d '' f; do
codesign --force --keychain "$KEYCHAIN" --sign "Apple Distribution" "$f"
codesign --force --keychain "$KEYCHAIN" --sign "$IOS_ID" "$f"
done
fi
codesign --force --keychain "$KEYCHAIN" \
--entitlements "$RUNNER_TEMP/ios-entitlements.plist" \
--sign "Apple Distribution" "$APP"
--sign "$IOS_ID" --verbose=4 "$APP"
codesign --verify --strict --verbose=2 "$APP"
# Package the .ipa.
rm -rf "$RUNNER_TEMP/Payload" "$RUNNER_TEMP/Punktfunk.ipa"
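Review bot: the `IOS_ID` selection (`security find-identity -p codesigning "$KEYCHAIN" | awk '/Apple Distribution/{print $2; exit}'`) runs without `-v`, so it lists invalid identities as well as valid ones and the `exit` takes the first "Apple Distribution" row whatever its state; the diagnostic line right below it uses `-v`, so the hash being printed as "valid" and the hash actually passed to `--sign` can differ. Select with `security find-identity -v -p codesigning "$KEYCHAIN"` so the same filter feeds both the diagnostic and the signing step. Also, when no match is found the script only echoes `NONE` and then proceeds to `codesign ... --sign "$IOS_ID"` with an empty identity, which produces a less useful error than the one this change is trying to surface; a `: "${IOS_ID:?no Apple Distribution identity in $KEYCHAIN}"` after the assignment fails fast with the actual cause. Finally, the `curl ... && security import ... || true` chain for the WWDR and Apple root certificates swallows both download and import failures, so a missing intermediate (one plausible reason for "unable to build chain to self-signed root") is never reported; at minimum log when either step fails rather than discarding the exit status.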