fix(ci/release): scope codesign to the throwaway keychain (--keychain)
ci / web (push) Successful in 26s
ci / docs-site (push) Successful in 31s
apple / swift (push) Successful in 1m18s
ci / rust (push) Successful in 1m25s
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Successful in 6s
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Successful in 6s
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Successful in 5s
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Successful in 5s
deb / build-publish (push) Successful in 3m2s
docker / deploy-docs (push) Successful in 17s
rpm / build-publish (push) Successful in 4m21s
codesign --sign 'Developer ID Application' reported 'no identity found' even though the import step's find-identity saw it: the bare lookup relies on the default keychain search list, which doesn't reliably carry the throwaway keychain across steps on this runner. Re-assert the search list + default keychain in the signing step and pass --keychain "$KEYCHAIN" so the identity search is scoped to it (it stays unlocked with a codesign-allowed partition list from the import step, so no password is needed). Adds a find-identity diagnostic right before signing.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@@ -147,6 +147,16 @@ jobs:
RESOLVED="$RUNNER_TEMP/Punktfunk.entitlements"
sed "s/\$(AppIdentifierPrefix)/${TEAM_ID}./g" \
clients/apple/Config/Punktfunk.entitlements > "$RESOLVED"
# codesign must be pointed at the throwaway keychain explicitly: on this runner the
# default keychain search list does not reliably carry across steps, so a bare
# --sign "Developer ID Application" reports "no identity found" even though the
# import step found it there. Re-assert the search list + default keychain in THIS
# step's context (no password needed — it stays unlocked with a codesign-allowed
# partition list from the import step) AND scope codesign to it with --keychain.
security list-keychains -d user -s "$KEYCHAIN" login.keychain-db
security default-keychain -d user -s "$KEYCHAIN"
echo "signing identity keychain: $KEYCHAIN"
security find-identity -v -p codesigning "$KEYCHAIN"
# Inside-out: sign any nested Mach-O first (defensive — the static build normally
# has none), then the app bundle with the resolved entitlements + hardened runtime +
# secure timestamp, which is what notarization requires.
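Review bot: the comment on these lines says the keychain "stays unlocked ... from the import step", but nothing in this hunk keeps it that way: a keychain re-locks on its lock timeout unless the import step also ran `security set-keychain-settings` on "$KEYCHAIN" with the timeout disabled, so please confirm that is done there, or add an explicit `security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN"` (variable name assumed) before the find-identity diagnostic so a slow build cannot fail with the same "no identity found". Two smaller points: `security list-keychains -d user -s "$KEYCHAIN" login.keychain-db` and `security default-keychain -d user -s "$KEYCHAIN"` rewrite the runner user's keychain configuration, so unless this runner is ephemeral the job needs a matching `if: always()` cleanup step that deletes the throwaway keychain and restores the previous search list and default; and the nine-line comment mostly restates the commit message, so it could be cut to the two facts a future reader needs (why --keychain is passed, and why the search list is re-asserted in this step).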
@@ -154,10 +164,12 @@ jobs:
find "$APP/Contents/Frameworks" -depth \( -name '*.framework' -o -name '*.dylib' \) \
-print0 | while IFS= read -r -d '' f; do
codesign --force --options runtime --timestamp \
--keychain "$KEYCHAIN" \
--sign "Developer ID Application" "$f"
done
fi
codesign --force --options runtime --timestamp \
--keychain "$KEYCHAIN" \
--entitlements "$RESOLVED" \
--sign "Developer ID Application" "$APP"
codesign --verify --strict --verbose=2 "$APP"
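Review bot: `--sign "Developer ID Application"` in the dylib loop and on the app line selects the identity by name prefix, so if "$KEYCHAIN" ever holds two Developer ID Application certificates (for example an expiring one and its renewal) codesign refuses the ambiguous match and the job fails again; since the step already runs `security find-identity -v -p codesigning "$KEYCHAIN"`, capture the SHA-1 hash from that output into a variable and pass that hash to --sign, which also makes the diagnostic line load-bearing rather than informational. Second, `codesign --verify --strict --verbose=2 "$APP"` does not pass --deep, so the nested signatures written by the find loop are not re-verified; `codesign --verify --deep --strict --verbose=2 "$APP"` would make a broken nested signature fail here rather than at notarization. Minor: the loop only covers `*.framework` and `*.dylib` under Contents/Frameworks, and the outer codesign without --deep does not sign nested code, so if the "normally has none" assumption in the comment ever changes to include helper executables, .xpc or .appex bundles elsewhere in the app, the find pattern needs extending.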