From ef13c0fa97f11635de109d7533e4c62b6f5ab8bf Mon Sep 17 00:00:00 2001
From: enricobuehler
Date: Sat, 13 Jun 2026 16:14:12 +0000
Subject: [PATCH] fix(ci/release): self-diagnosing iOS cert import + non-fatal validity gate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The iOS Apple Distribution cert imported (1 identity imported) but never appeared in find-identity -v, and the iOS step then silently skipped. Make the import step explain itself without exposing secrets or blocking the macOS release: print secret byte-lengths + decoded p12 size + import rc, strip stray whitespace/newlines before base64 -d, and after the partition-list warn (not fail) with the likely cause + an incl-invalid identity list when the iOS secret is set but yields no valid Apple Distribution identity. The shared import step must not hard-fail on an iOS-cert problem — that would also block the proven macOS DMG path.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
.gitea/workflows/release.yml | 24 +++++++++++++++++++++---
1 file changed, 21 insertions(+), 3 deletions(-)
diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index eab9878..b2258fa 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -111,18 +111,36 @@ jobs:
 -T /usr/bin/codesign -T /usr/bin/security
 rm -f "$RUNNER_TEMP/devid.p12"
 # iOS App Store distribution identity (optional — imported only when the secret is
- # set; the iOS/TestFlight job stays best-effort until it is). The WWDR intermediates
- # fetched above also chain this Apple Distribution cert.
+ # set; the iOS/TestFlight job stays best-effort). Self-diagnosing: prints secret
+ # byte-lengths + decoded p12 size + import rc (never the secret value) so a bad iOS
+ # cert is explained in-log. Does NOT fail this shared step on an iOS-cert problem —
+ # that would also block the macOS release; the gate below only warns. Apple
+ # Distribution chains through WWDR G3, fetched above (G6 is not used for it).
+ echo "cert-secret lengths: ios_b64=${#IOS_P12_B64} devid_b64=${#P12_B64}"
 if [ -n "$IOS_P12_B64" ]; then
- printf '%s' "$IOS_P12_B64" | base64 -d > "$RUNNER_TEMP/ios-dist.p12"
+ printf '%s' "$IOS_P12_B64" | tr -d '\r\n ' | base64 -d > "$RUNNER_TEMP/ios-dist.p12" \
+ || echo "::warning::IOS_DIST_CERT_P12_B64 is not valid base64"
+ echo "ios_p12_bytes=$(wc -c < "$RUNNER_TEMP/ios-dist.p12" 2>/dev/null || echo 0)"
+ set +e
 security import "$RUNNER_TEMP/ios-dist.p12" -k "$KEYCHAIN" -P "$IOS_P12_PASSWORD" \
 -T /usr/bin/codesign -T /usr/bin/security
+ echo "ios_import_rc=$?"
+ set -e
 rm -f "$RUNNER_TEMP/ios-dist.p12"
 fi
 security set-key-partition-list -S apple-tool:,apple:,codesign: \
 -s -k "$KEYCHAIN_PASS" "$KEYCHAIN" >/dev/null
 security list-keychains -d user -s "$KEYCHAIN" login.keychain-db
 security find-identity -v -p codesigning "$KEYCHAIN"
+ # Non-fatal explainer: if the iOS secret was set but produced no VALID Apple
+ # Distribution identity, name the likely reason and list ALL (incl. invalid)
+ # identities — WITHOUT failing this step, so the macOS release still proceeds.
+ if [ -n "$IOS_P12_B64" ] \
+ && ! 
security find-identity -v -p codesigning "$KEYCHAIN" | grep -q "Apple Distribution"; then
+ echo "::warning::IOS_DIST_CERT_P12_B64 set but no VALID 'Apple Distribution' identity — likely the .p12 has no private key (export the IDENTITY, key included), or an untrusted/expired chain."
+ echo "all codesigning identities (incl. invalid):"
+ security find-identity -p codesigning "$KEYCHAIN" || true
+ fi
 - name: Stage App Store Connect API key
 env:
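Review bot: Wrapping `security import` in `set +e` / `set -e` to read `$?` assumes errexit was on when the step started and unconditionally re-arms it for the rest of the `run:` block; capturing the status locally avoids both assumptions: `rc=0; security import "$RUNNER_TEMP/ios-dist.p12" -k "$KEYCHAIN" -P "$IOS_P12_PASSWORD" -T /usr/bin/codesign -T /usr/bin/security || rc=$?` followed by `echo "ios_import_rc=$rc"`. When the decode fails, the `|| echo "::warning::…not valid base64"` branch still lets the import run on the empty or partial `ios-dist.p12` (the `>` redirection creates it regardless), so the log then shows a second, unrelated-looking import failure; guarding the import with `if printf … | tr … | base64 -d > "$RUNNER_TEMP/ios-dist.p12"; then … fi` keeps the first warning as the only diagnostic. The new comment's "never the secret value" holds for the byte-length echoes, but the pre-existing `-P "$IOS_P12_PASSWORD"` on the argv means any later `set -x` in this step would print it, which the comment should caveat. The enclosing `run:` block starts before this hunk and ends after it.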