From ecfef430409852b011c3426d05e46294a2065172 Mon Sep 17 00:00:00 2001 From: enricobuehler Date: Sat, 13 Jun 2026 20:08:56 +0000 Subject: [PATCH] fix(ci/release): re-assert keychain before the iOS codesign The iOS archive SUCCEEDS now (raw-codesign path), but codesign failed with 'unable to build chain to self-signed root / errSecInternalComponent'. Cause: xcodebuild archive (run in the same step, just before codesign) resets the user keychain search list, so codesign can no longer find the WWDR intermediate that lives only in the throwaway keychain. The macOS sign avoids this by running in a separate step after its re-assert. Re-assert the search list + default keychain (and unlock, via KEYCHAIN_PASS now exported to GITHUB_ENV, masked) immediately before the iOS codesign. Co-Authored-By: Claude Opus 4.8 (1M context) --- .gitea/workflows/release.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml index 5775af7..81d7a00 100644 --- a/.gitea/workflows/release.yml +++ b/.gitea/workflows/release.yml @@ -89,7 +89,9 @@ jobs: run: | KEYCHAIN="$RUNNER_TEMP/punktfunk-ci.keychain-db" KEYCHAIN_PASS="$(uuidgen)" + echo "::add-mask::$KEYCHAIN_PASS" echo "KEYCHAIN=$KEYCHAIN" >> "$GITHUB_ENV" + echo "KEYCHAIN_PASS=$KEYCHAIN_PASS" >> "$GITHUB_ENV" security create-keychain -p "$KEYCHAIN_PASS" "$KEYCHAIN" security set-keychain-settings -lut 7200 "$KEYCHAIN" security unlock-keychain -p "$KEYCHAIN_PASS" "$KEYCHAIN" 
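Review bot: writing `KEYCHAIN_PASS` to `$GITHUB_ENV` in this hunk exposes the keychain password to every later step in the job, including any third-party actions, not just the iOS codesign that needs it; `::add-mask::` only keeps it out of the log output. Two things to check before merging: first, that the runner executing `.gitea/workflows/release.yml` actually honours the `::add-mask::` workflow command, since the hunk relies on it for log hygiene; second, whether the export is needed at all, given that the same step already runs `security set-keychain-settings -lut 7200 "$KEYCHAIN"`, which keeps the throwaway keychain unlocked for 7200 seconds. If the archive plus sign finishes inside that window, the later unlock is redundant and the password can stay local to this step. If the export must stay, a short comment on the `>> "$GITHUB_ENV"` line saying it exists only for the iOS sign re-assert would help the next reader.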
@@ -317,6 +319,14 @@ jobs: APP=$(ls -d "$RUNNER_TEMP/Punktfunk-ios.xcarchive/Products/Applications/"*.app | head -1) echo "iOS app bundle: $APP" cp "$RUNNER_TEMP/appstore.mobileprovision" "$APP/embedded.mobileprovision" + # Re-assert the keychain RIGHT BEFORE signing: the xcodebuild archive above resets the + # user keychain search list, so codesign would otherwise fail to find the WWDR + # intermediate (it lives only in the throwaway keychain) and report "unable to build + # chain to self-signed root / errSecInternalComponent". The macOS sign step avoids + # this by signing in a separate step; the iOS archive+sign share one step. Unlock too. + security unlock-keychain -p "$KEYCHAIN_PASS" "$KEYCHAIN" 2>/dev/null || true + security list-keychains -d user -s "$KEYCHAIN" login.keychain-db + security default-keychain -d user -s "$KEYCHAIN" # Inside-out: sign any nested Mach-O first (the static build usually has none), then # the app with the profile's entitlements + the Apple Distribution identity. if [ -d "$APP/Frameworks" ]; then
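Review bot: the `security unlock-keychain -p "$KEYCHAIN_PASS" "$KEYCHAIN" 2>/dev/null || true` line in this hunk silently discards a real failure, so if `KEYCHAIN_PASS` is unset or wrong the step continues and codesign later fails with the same opaque `errSecInternalComponent` error this patch is trying to eliminate. Suggest surfacing it, for example `security unlock-keychain -p "$KEYCHAIN_PASS" "$KEYCHAIN" || echo "warning: keychain unlock failed" >&2`, and guarding with `[ -n "$KEYCHAIN_PASS" ]` so a missing export is reported as such. The comment block also acknowledges that the macOS path avoids the problem by signing in a separate step; the more durable fix is to split the iOS archive and sign into two steps the same way, so the search list is re-asserted by a dedicated step rather than by lines that have to be kept in the right position inside a shared script. If the inline re-assert stays, the `list-keychains`/`default-keychain` pair should stay identical to the setup step's so the two do not drift.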