From 822988029c18078e43a7ba49f801d9e37092ba0a Mon Sep 17 00:00:00 2001
From: enricobuehler
Date: Sat, 13 Jun 2026 20:29:45 +0000
Subject: [PATCH] diag(ci/release): sign iOS by identity hash + max-verbose codesign

The throwaway-keychain codesign still fails 'unable to build chain to self-signed root / errSecInternalComponent' despite cert/chain/key all verifying. Sign by the Apple Distribution identity's SHA-1 hash (eliminates name-matching ambiguity, a known cause) and run codesign --verbose=4 + print valid/matching identities at sign time, to surface the exact failure on the next run.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .gitea/workflows/release.yml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index f9a68c6..0fbf44e 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -336,17 +336,23 @@ jobs:
 && security import "$RUNNER_TEMP/w.cer" -k "$KEYCHAIN" -t cert >/dev/null 2>&1 || true
 curl -fsS "https://www.apple.com/appleca/AppleIncRootCertificate.cer" -o "$RUNNER_TEMP/r.cer" \
 && security import "$RUNNER_TEMP/r.cer" -k "$KEYCHAIN" -t cert >/dev/null 2>&1 || true
+ # Sign by the identity's SHA-1 HASH (not the name) — name matching is a known cause
+ # of "unable to build chain / errSecInternalComponent". Diagnostics: show valid vs
+ # matching identities at sign time, and run codesign at max verbosity.
+ IOS_ID=$(security find-identity -p codesigning "$KEYCHAIN" | awk '/Apple Distribution/{print $2; exit}')
+ echo "iOS signing identity hash: ${IOS_ID:-NONE}"
+ echo "--- valid identities ---"; security find-identity -v -p codesigning "$KEYCHAIN" || true
 # Inside-out: sign any nested Mach-O first (the static build usually has none), then
 # the app with the profile's entitlements + the Apple Distribution identity.
 if [ -d "$APP/Frameworks" ]; then
 find "$APP/Frameworks" -depth \( -name '*.framework' -o -name '*.dylib' \) -print0 \
 | while IFS= read -r -d '' f; do
- codesign --force --keychain "$KEYCHAIN" --sign "Apple Distribution" "$f"
+ codesign --force --keychain "$KEYCHAIN" --sign "$IOS_ID" "$f"
 done
 fi
 codesign --force --keychain "$KEYCHAIN" \
 --entitlements "$RUNNER_TEMP/ios-entitlements.plist" \
- --sign "Apple Distribution" "$APP"
+ --sign "$IOS_ID" --verbose=4 "$APP"
 codesign --verify --strict --verbose=2 "$APP"
 # Package the .ipa.
 rm -rf "$RUNNER_TEMP/Payload" "$RUNNER_TEMP/Punktfunk.ipa"
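Review bot: The added `IOS_ID=$(security find-identity ... | awk ...)` line can evaluate to an empty string, and the `echo` after it only reports `NONE` — both new `codesign --sign "$IOS_ID"` invocations then still run with an empty identity, which replaces the chain error being investigated with an unrelated error (and in the `find | while` stage it may go unnoticed, since that loop runs inside a pipeline). Fail fast right after the lookup: `[ -n "$IOS_ID" ] || { echo "no Apple Distribution identity in $KEYCHAIN" >&2; exit 1; }`. Note also that the lookup omits `-v` while the diagnostic listing just below uses `-v`, so the chosen hash may be one the system considers invalid; if `$IOS_ID` is missing from that listing on the next run, that alone points at trust/chain rather than name ambiguity, which is worth stating in the new comment block. If more than one Apple Distribution identity is present, `exit` on the first match silently picks one; the enclosing workflow step begins and ends outside this hunk.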