From e64aefa25c2727e342cbf030c1dc94e145ccef8a Mon Sep 17 00:00:00 2001
From: enricobuehler
Date: Sat, 13 Jun 2026 14:43:33 +0000
Subject: [PATCH] fix(ci/release): scope codesign to the throwaway keychain (--keychain)

codesign --sign 'Developer ID Application' reported 'no identity found' even though the import step's find-identity saw it: the bare lookup relies on the default keychain search list, which doesn't reliably carry the throwaway keychain across steps on this runner. Re-assert the search list + default keychain in the signing step and pass --keychain "$KEYCHAIN" so the identity search is scoped to it (it stays unlocked with a codesign-allowed partition list from the import step, so no password is needed). Adds a find-identity diagnostic right before signing.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .gitea/workflows/release.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index 07d41ba..5debb67 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -147,6 +147,16 @@ jobs:
 RESOLVED="$RUNNER_TEMP/Punktfunk.entitlements"
 sed "s/\$(AppIdentifierPrefix)/${TEAM_ID}./g" \
 clients/apple/Config/Punktfunk.entitlements > "$RESOLVED"
+ # codesign must be pointed at the throwaway keychain explicitly: on this runner the
+ # default keychain search list does not reliably carry across steps, so a bare
+ # --sign "Developer ID Application" reports "no identity found" even though the
+ # import step found it there. Re-assert the search list + default keychain in THIS
+ # step's context (no password needed — it stays unlocked with a codesign-allowed
+ # partition list from the import step) AND scope codesign to it with --keychain.
+ security list-keychains -d user -s "$KEYCHAIN" login.keychain-db
+ security default-keychain -d user -s "$KEYCHAIN"
+ echo "signing identity keychain: $KEYCHAIN"
+ security find-identity -v -p codesigning "$KEYCHAIN"
 # Inside-out: sign any nested Mach-O first (defensive — the static build normally
 # has none), then the app bundle with the resolved entitlements + hardened runtime +
 # secure timestamp, which is what notarization requires.
@@ -154,10 +164,12 @@ jobs:
 find "$APP/Contents/Frameworks" -depth \( -name '*.framework' -o -name '*.dylib' \) \
 -print0 | while IFS= read -r -d '' f; do
 codesign --force --options runtime --timestamp \
+ --keychain "$KEYCHAIN" \
 --sign "Developer ID Application" "$f"
 done
 fi
 codesign --force --options runtime --timestamp \
+ --keychain "$KEYCHAIN" \
 --entitlements "$RESOLVED" \
 --sign "Developer ID Application" "$APP"
 codesign --verify --strict --verbose=2 "$APP"
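Review bot: The new `security find-identity -v -p codesigning "$KEYCHAIN"` line is only a log diagnostic: it exits 0 even when it lists zero valid identities, so an import that silently failed is still discovered one step later by codesign's less specific "no identity found"; make it an assertion instead, e.g. `security find-identity -v -p codesigning "$KEYCHAIN" | grep -q 'Developer ID Application' || { echo 'no valid Developer ID Application identity in keychain' >&2; exit 1; }`. The `security list-keychains -d user -s …` and `security default-keychain -d user -s …` calls rewrite persistent user-domain settings on the runner, not just this step's environment, so on a non-ephemeral runner a failed job leaves the default keychain pointing at a throwaway file; the cleanup that deletes `$KEYCHAIN` (outside this hunk, if it exists) should run under `if: always()` and restore `login.keychain-db` as the search list and default. `--sign "Developer ID Application"` is a name match, and once `--keychain` scopes the search a second matching certificate in that keychain makes codesign refuse as ambiguous, so the hash printed by find-identity is the more deterministic selector if the import step can expose it. The `run:` block both hunks sit in starts and ends outside the hunks.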