unom/punktfunk
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases 3 Wiki Activity

fix(ci/release): re-assert keychain before the iOS codesign
apple / swift (push) Successful in 1m16s
Details
ci / web (push) Successful in 29s
Details
ci / docs-site (push) Successful in 36s
Details
ci / rust (push) Successful in 2m7s
Details
ci / bench (push) Successful in 1m33s
Details
docker / build-push (--build-arg FEDORA_VERSION=44, ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora44-rpm) (push) Successful in 4s
Details
docker / build-push (., web/Dockerfile, punktfunk-web) (push) Successful in 3s
Details
docker / build-push (ci, ci/fedora-rpm.Dockerfile, punktfunk-fedora-rpm) (push) Successful in 4s
Details
docker / build-push (ci, ci/rust-ci.Dockerfile, punktfunk-rust-ci) (push) Successful in 3s
Details
docker / build-push (docs-site, docs-site/Dockerfile, punktfunk-docs) (push) Successful in 3s
Details
deb / build-publish (push) Successful in 2m12s
Details
rpm / build-publish (bazzite, punktfunk-fedora-rpm) (push) Successful in 4m51s
Details
docker / deploy-docs (push) Successful in 17s
Details
rpm / build-publish (fedora-44, punktfunk-fedora44-rpm) (push) Successful in 4m37s
Details

Browse Source 
The iOS archive SUCCEEDS now (raw-codesign path), but codesign failed with
'unable to build chain to self-signed root / errSecInternalComponent'. Cause:
xcodebuild archive (run in the same step, just before codesign) resets the user
keychain search list, so codesign can no longer find the WWDR intermediate that
lives only in the throwaway keychain. The macOS sign avoids this by running in a
separate step after its re-assert. Re-assert the search list + default keychain
(and unlock, via KEYCHAIN_PASS now exported to GITHUB_ENV, masked) immediately
before the iOS codesign.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Enrico Bühler
2026-06-13 20:08:56 +00:00
parent 9338a8797d
commit ecfef43040
1 changed files with 10 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitea/workflows/release.yml
+10
View File
@@ -89,7 +89,9 @@ jobs:
run: |
KEYCHAIN="$RUNNER_TEMP/punktfunk-ci.keychain-db"
KEYCHAIN_PASS="$(uuidgen)"
echo "::add-mask::$KEYCHAIN_PASS"
echo "KEYCHAIN=$KEYCHAIN" >> "$GITHUB_ENV"
echo "KEYCHAIN_PASS=$KEYCHAIN_PASS" >> "$GITHUB_ENV"
security create-keychain -p "$KEYCHAIN_PASS" "$KEYCHAIN"
security set-keychain-settings -lut 7200 "$KEYCHAIN"
security unlock-keychain -p "$KEYCHAIN_PASS" "$KEYCHAIN"
@@ -317,6 +319,14 @@ jobs:
APP=$(ls -d "$RUNNER_TEMP/Punktfunk-ios.xcarchive/Products/Applications/"*.app | head -1)
echo "iOS app bundle: $APP"
cp "$RUNNER_TEMP/appstore.mobileprovision" "$APP/embedded.mobileprovision"
# Re-assert the keychain RIGHT BEFORE signing: the xcodebuild archive above resets the
# user keychain search list, so codesign would otherwise fail to find the WWDR
# intermediate (it lives only in the throwaway keychain) and report "unable to build
# chain to self-signed root / errSecInternalComponent". The macOS sign step avoids
# this by signing in a separate step; the iOS archive+sign share one step. Unlock too.
security unlock-keychain -p "$KEYCHAIN_PASS" "$KEYCHAIN" 2>/dev/null || true
security list-keychains -d user -s "$KEYCHAIN" login.keychain-db
security default-keychain -d user -s "$KEYCHAIN"
# Inside-out: sign any nested Mach-O first (the static build usually has none), then
# the app with the profile's entitlements + the Apple Distribution identity.
if [ -d "$APP/Frameworks" ]; then