fix(ci/release): retry Apple intermediate fetch + chain/clock diagnostic
The iOS Apple Distribution identity imported WITH its private key (it's a 'Matching identity') but was dropped from find-identity -v — i.e. an untrusted chain: the WWDR G3 intermediate it chains through didn't land, while Developer ID's DeveloperIDG2CA did. The fetch was a single 'curl || warn' with no retry, so a transient miss silently breaks iOS only. Retry each intermediate 3x, and print the runner UTC date + whether the WWDR intermediate is present, to separate a chain miss from the cert's notBefore being ahead of the runner clock. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -96,16 +96,28 @@ jobs:
|
||||
# xcodebuild's signing lookup consults the DEFAULT keychain — being on the
|
||||
# search list alone isn't enough (find-identity sees the cert, export doesn't).
|
||||
security default-keychain -d user -s "$KEYCHAIN"
|
||||
# Apple's intermediates — without the issuing CA in the chain the identity is
|
||||
# "invalid" and xcodebuild reports "No signing certificate ... found" even
|
||||
# though the cert imported fine (fresh boxes don't ship all WWDR/Developer ID
|
||||
# intermediates).
|
||||
# Apple's intermediates — without the issuing CA in the chain the leaf is "invalid"
|
||||
# and dropped from find-identity -v (cert imports fine, just isn't a *valid*
|
||||
# identity). Fresh boxes don't ship all WWDR/Developer ID intermediates. RETRY: a
|
||||
# single transient miss here is exactly what silently broke iOS — Apple Distribution
|
||||
# chains through WWDR G3, while Developer ID (-> DeveloperIDG2CA) kept working.
|
||||
for ca in DeveloperIDG2CA AppleWWDRCAG3 AppleWWDRCAG4; do
|
||||
curl -sf "https://www.apple.com/certificateauthority/$ca.cer" \
|
||||
-o "$RUNNER_TEMP/$ca.cer" \
|
||||
&& security import "$RUNNER_TEMP/$ca.cer" -k "$KEYCHAIN" -t cert >/dev/null \
|
||||
|| echo "::warning::could not stage intermediate $ca"
|
||||
for attempt in 1 2 3; do
|
||||
curl -fsS "https://www.apple.com/certificateauthority/$ca.cer" \
|
||||
-o "$RUNNER_TEMP/$ca.cer" \
|
||||
&& security import "$RUNNER_TEMP/$ca.cer" -k "$KEYCHAIN" -t cert >/dev/null 2>&1 \
|
||||
&& break
|
||||
[ "$attempt" = 3 ] && echo "::warning::could not stage intermediate $ca after 3 tries"
|
||||
sleep 2
|
||||
done
|
||||
done
|
||||
# Chain-vs-clock diagnostic: is the WWDR intermediate (Apple Distribution's issuer)
|
||||
# actually present, and is the runner's clock past the cert's notBefore?
|
||||
echo "runner date (UTC): $(date -u)"
|
||||
security find-certificate -c "Apple Worldwide Developer Relations Certification Authority" \
|
||||
"$KEYCHAIN" >/dev/null 2>&1 \
|
||||
&& echo "WWDR intermediate (Apple Distribution issuer): present in keychain" \
|
||||
|| echo "::warning::WWDR intermediate MISSING — Apple Distribution leaf will be invalid"
|
||||
printf '%s' "$P12_B64" | base64 -d > "$RUNNER_TEMP/devid.p12"
|
||||
security import "$RUNNER_TEMP/devid.p12" -k "$KEYCHAIN" -P "$P12_PASSWORD" \
|
||||
-T /usr/bin/codesign -T /usr/bin/security
|
||||
|
||||
Reference in New Issue
Block a user