fix(ci/release): retry Apple intermediate fetch + chain/clock diagnostic

The iOS Apple Distribution identity imported WITH its private key (it's a
'Matching identity') but was dropped from find-identity -v — i.e. an untrusted
chain: the WWDR G3 intermediate it chains through didn't land, while Developer
ID's DeveloperIDG2CA did. The fetch was a single 'curl || warn' with no retry, so
a transient miss silently breaks iOS only. Retry each intermediate 3x, and print
the runner UTC date + whether the WWDR intermediate is present, to separate a
chain miss from the cert's notBefore being ahead of the runner clock.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

.gitea/workflows/release.yml

@@ -96,16 +96,28 @@ jobs:
           # xcodebuild's signing lookup consults the DEFAULT keychain — being on the
           # search list alone isn't enough (find-identity sees the cert, export doesn't).
           security default-keychain -d user -s "$KEYCHAIN"
-          # Apple's intermediates — without the issuing CA in the chain the identity is
-          # "invalid" and xcodebuild reports "No signing certificate ... found" even
-          # though the cert imported fine (fresh boxes don't ship all WWDR/Developer ID
-          # intermediates).
+          # Apple's intermediates — without the issuing CA in the chain the leaf is "invalid"
+          # and dropped from find-identity -v (cert imports fine, just isn't a *valid*
+          # identity). Fresh boxes don't ship all WWDR/Developer ID intermediates. RETRY: a
+          # single transient miss here is exactly what silently broke iOS — Apple Distribution
+          # chains through WWDR G3, while Developer ID (-> DeveloperIDG2CA) kept working.
           for ca in DeveloperIDG2CA AppleWWDRCAG3 AppleWWDRCAG4; do
-            curl -sf "https://www.apple.com/certificateauthority/$ca.cer" \
+            for attempt in 1 2 3; do
+              curl -fsS "https://www.apple.com/certificateauthority/$ca.cer" \
                 -o "$RUNNER_TEMP/$ca.cer" \
-              && security import "$RUNNER_TEMP/$ca.cer" -k "$KEYCHAIN" -t cert >/dev/null \
-              || echo "::warning::could not stage intermediate $ca"
+                && security import "$RUNNER_TEMP/$ca.cer" -k "$KEYCHAIN" -t cert >/dev/null 2>&1 \
+                && break
+              [ "$attempt" = 3 ] && echo "::warning::could not stage intermediate $ca after 3 tries"
+              sleep 2
             done
+          done
+          # Chain-vs-clock diagnostic: is the WWDR intermediate (Apple Distribution's issuer)
+          # actually present, and is the runner's clock past the cert's notBefore?
+          echo "runner date (UTC): $(date -u)"
+          security find-certificate -c "Apple Worldwide Developer Relations Certification Authority" \
+            "$KEYCHAIN" >/dev/null 2>&1 \
+            && echo "WWDR intermediate (Apple Distribution issuer): present in keychain" \
+            || echo "::warning::WWDR intermediate MISSING — Apple Distribution leaf will be invalid"
           printf '%s' "$P12_B64" | base64 -d > "$RUNNER_TEMP/devid.p12"
           security import "$RUNNER_TEMP/devid.p12" -k "$KEYCHAIN" -P "$P12_PASSWORD" \
             -T /usr/bin/codesign -T /usr/bin/security