fix(ci/release): re-set key partition list + stage full chain before iOS codesign

iOS codesign still failed with 'unable to build chain to self-signed root /
errSecInternalComponent' after the keychain re-assert. verify-cert proves the
chain is trusted, so this is the private-key ACL (errSecInternalComponent is
classically that) and/or codesign not finding the chain certs in the identity's
keychain. Right before the iOS codesign: re-run set-key-partition-list (re-grant
codesign access to the key) and import the WWDR G3 intermediate + Apple Root CA
into the throwaway keychain so the full leaf->WWDR->root chain is present there.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-06-13 20:22:27 +00:00
parent 50f2590750
commit e7ae45e148
+9
View File
@@ -327,6 +327,15 @@ jobs:
security unlock-keychain -p "$KEYCHAIN_PASS" "$KEYCHAIN" 2>/dev/null || true
security list-keychains -d user -s "$KEYCHAIN" login.keychain-db
security default-keychain -d user -s "$KEYCHAIN"
# Re-establish codesign's access to the private key (errSecInternalComponent at
# sign time is classically a key-ACL problem) + stage the WWDR intermediate and
# Apple Root so the whole chain is in the identity's keychain for the chain build.
security set-key-partition-list -S apple-tool:,apple:,codesign: \
-s -k "$KEYCHAIN_PASS" "$KEYCHAIN" >/dev/null 2>&1 || true
curl -fsS "https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer" -o "$RUNNER_TEMP/w.cer" \
&& security import "$RUNNER_TEMP/w.cer" -k "$KEYCHAIN" -t cert >/dev/null 2>&1 || true
curl -fsS "https://www.apple.com/appleca/AppleIncRootCertificate.cer" -o "$RUNNER_TEMP/r.cer" \
&& security import "$RUNNER_TEMP/r.cer" -k "$KEYCHAIN" -t cert >/dev/null 2>&1 || true
# Inside-out: sign any nested Mach-O first (the static build usually has none), then
# the app with the profile's entitlements + the Apple Distribution identity.
if [ -d "$APP/Frameworks" ]; then