17 Commits

Author	SHA1	Message	Date
enricobuehler	b547b9d92f	fix(ci/release): quit Xcode.app so it stops pruning the iOS profile ... Root cause of 'No profile matching Punktfunk App Store Distribution': the GUI Xcode.app was running on the runner and actively manages ~/Library/Developer/Xcode/UserData/Provisioning Profiles, pruning our manually-installed App Store profile from the exact dir xcodebuild reads, right before signing (the legacy ~/Library/MobileDevice copy survives but Xcode 26's xcodebuild doesn't read it). Quit Xcode.app at the top of the iOS signing block; xcodebuild runs independently and headless CI doesn't need the GUI app. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-13 19:25:33 +00:00
enricobuehler	2976daf2e3	diag(ci/release): dump provisioning-profile dirs around the iOS archive ... iOS manual signing fails 'No profile matching Punktfunk App Store Distribution' despite the profile being installed (content verified: right name/team/iOS/app-id). The profile is in ~/Library/MobileDevice but Xcode 26 reads ~/Library/Developer/Xcode/UserData/Provisioning Profiles, which is empty. Print both dirs before the archive and again at failure to confirm whether Xcode regenerates/prunes the UserData copy during the build. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-13 19:23:16 +00:00
enricobuehler	46572b4a25	fix(ci/release): robust iOS provisioning-profile extraction + diagnostics ... The profile-name/UUID read used 'security cms -D ... || true' which masked a failed decode, then PlistBuddy printed 'Error Reading File' to stdout and that got captured as the UUID, producing a garbage cp path. Now: check the extracted plist is non-empty, fall back to 'openssl smime' if 'security cms' fails, validate the UUID is actually hex+dashes, and print the decoded byte count + decoder stderr + first bytes so a bad IOS_PROFILE_B64 is obvious in-log. Still non-fatal (skips iOS, never blocks the macOS release). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-13 19:05:35 +00:00
enricobuehler	0fc3012954	feat(ci/release): iOS App Store manual distribution signing + profile ... Automatic signing during the iOS archive resolved to App *Development* (wanted an Apple Development cert + tried to revoke the account's orphaned one, and no dev profile) — wrong for App Store. Switch to MANUAL distribution signing: import an App Store provisioning profile from IOS_PROFILE_B64, read its Name/UUID, install it, and archive with CODE_SIGN_STYLE=Manual + Apple Distribution + that profile; export with manual signingStyle + provisioningProfiles map. Step self-skips until IOS_PROFILE_B64 is set. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-13 17:09:46 +00:00
enricobuehler	6aa57ffd7b	fix(ci/release): gate iOS signing on matching identity, not find-identity -v ... The Apple Distribution identity has its key + intermediate + valid dates (it's in 'Matching identities') but stayed out of 'Valid identities only' — a trust strictness (most likely a pending online revocation check on an hour-old cert) that codesign/xcodebuild do NOT enforce. Gate the iOS step on the MATCHING list so the archive actually attempts signing, and print 'security verify-cert -p codeSign' in the import step so the exact trust verdict shows if it still balks. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-13 16:30:57 +00:00
enricobuehler	eb5d282936	fix(ci/release): retry Apple intermediate fetch + chain/clock diagnostic ... The iOS Apple Distribution identity imported WITH its private key (it's a 'Matching identity') but was dropped from find-identity -v — i.e. an untrusted chain: the WWDR G3 intermediate it chains through didn't land, while Developer ID's DeveloperIDG2CA did. The fetch was a single 'curl || warn' with no retry, so a transient miss silently breaks iOS only. Retry each intermediate 3x, and print the runner UTC date + whether the WWDR intermediate is present, to separate a chain miss from the cert's notBefore being ahead of the runner clock. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-13 16:22:32 +00:00
enricobuehler	ef13c0fa97	fix(ci/release): self-diagnosing iOS cert import + non-fatal validity gate ... The iOS Apple Distribution cert imported (1 identity imported) but never appeared in find-identity -v, and the iOS step then silently skipped. Make the import step explain itself without exposing secrets or blocking the macOS release: print secret byte-lengths + decoded p12 size + import rc, strip stray whitespace/newlines before base64 -d, and after the partition-list warn (not fail) with the likely cause + an incl-invalid identity list when the iOS secret is set but yields no valid Apple Distribution identity. The shared import step must not hard-fail on an iOS-cert problem — that would also block the proven macOS DMG path. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-13 16:14:12 +00:00
enricobuehler	afed2206ab	feat(ci/release): wire iOS App Store signing via an Apple Distribution secret ... Prepares the iOS/TestFlight path. The runner has the iOS 26.5 SDK but no signing identities, so import an Apple Distribution cert+key from IOS_DIST_CERT_P12_B64 / IOS_DIST_CERT_PASSWORD into the same throwaway keychain (the WWDR intermediates already fetched chain it). The iOS archive uses automatic signing (-allowProvisioningUpdates + the ASC key creates/downloads the App Store profile against the present cert, so no keychain-write that would hit the macOS -61). Re-assert the keychain on the search list like the macOS sign step. Until the secret is set the step self-skips with a warning, so it stays green. Still needs an App Store Connect app record for io.unom.punktfunk to upload. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-13 15:09:56 +00:00
enricobuehler	39a49da567	fix(ci/release): skip iOS archive cleanly when the iOS SDK is absent ... The macOS Developer ID DMG path is green (signed + notarized + stapled). The iOS/TestFlight step (already best-effort + continue-on-error) was failing on this runner with 'iOS 26.5 is not installed' — the iOS platform SDK is a separate Xcode component that isn't installed. Guard the step on `xcodebuild -showsdks | grep iphoneos` and exit 0 with a warning when it's missing, so runs are unambiguously green. Install on the runner with `xcodebuild -downloadPlatform iOS` when iOS goes live. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-13 14:51:09 +00:00
enricobuehler	e64aefa25c	fix(ci/release): scope codesign to the throwaway keychain (--keychain) ... codesign --sign 'Developer ID Application' reported 'no identity found' even though the import step's find-identity saw it: the bare lookup relies on the default keychain search list, which doesn't reliably carry the throwaway keychain across steps on this runner. Re-assert the search list + default keychain in the signing step and pass --keychain "$KEYCHAIN" so the identity search is scoped to it (it stays unlocked with a codesign-allowed partition list from the import step, so no password is needed). Adds a find-identity diagnostic right before signing. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-13 14:43:33 +00:00
enricobuehler	4d93eb24ff	fix(ci/release): archive unsigned + codesign Developer ID directly ... xcodebuild's archive gate demands a provisioning profile for the app's keychain-access-groups entitlement (the 'Keychain Sharing' capability) under both automatic AND manual signing — even though a Developer ID app honours that team-prefixed entitlement at runtime with no profile. So manual signing just traded the -61 keychain error for 'requires a provisioning profile'. Sidestep the gate: archive with CODE_SIGNING_ALLOWED=NO, then codesign the app bundle directly with the Developer ID identity, hardened runtime and a secure timestamp, applying the entitlements via --entitlements (with $(AppIdentifierPrefix) resolved to the team prefix, which codesign won't expand). Safe because the bundle is a single statically-linked binary — static PunktfunkCore.xcframework, SPM static products, macOS 14 target, no Embed-Frameworks phase — so there is no nested code to sign inside-out. No Apple Developer portal profile or new secret needed. iOS App Store path unchanged. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-13 14:35:16 +00:00
enricobuehler	3c617f655e	fix(ci/release): sign the macOS archive with Developer ID, not auto dev signing ... The cert import now yields a valid 'Developer ID Application' identity, but the macOS `xcodebuild archive` step still inherited the project's automatic 'Apple Development' signing via -allowProvisioningUpdates. That made Xcode try to mint an Apple Development cert (install fails in the CI keychain, DVTSecErrorDomain -61 'Write permissions error') and locate a 'Mac App Development' provisioning profile for io.unom.punktfunk (none exists) — ** ARCHIVE FAILED ** before signing even happened. A Developer ID DMG needs neither: pin CODE_SIGN_STYLE=Manual + the Developer ID identity + no profile, mirroring what the export step already does. The app is non-sandboxed and its only entitlement (keychain-access-groups, team-prefixed) is authorized by the Developer ID team, so no provisioning profile is required. ENABLE_HARDENED_RUNTIME=YES is already set, so notarization stays happy. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-13 13:46:00 +00:00
enricobuehler	9758751a4d	ci(release): make the throwaway keychain the default keychain ... exportArchive's signing lookup consults the default keychain; search list membership alone leaves the (valid) identity invisible to it. Restored to login.keychain in cleanup. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>	2026-06-12 16:06:04 +00:00
enricobuehler	343cb544d9	ci(release): manual Developer ID export — cloud signing has no fallback ... With -allowProvisioningUpdates, exportArchive prefers cloud-managed Developer ID signing; the App-Manager API key can't ("Cloud signing permission error") and the valid local identity is never tried. signingStyle=manual + explicit signingCertificate, cloud flags off this step (archive keeps them for profile fetch). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>	2026-06-12 16:01:12 +00:00
enricobuehler	6b49279c32	ci(release): stage Apple intermediate CAs in the signing keychain ... Fresh boxes lack the Developer ID / WWDR intermediates; without the issuing chain the imported identity is invalid and xcodebuild says "No signing certificate Developer ID Application found". Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>	2026-06-12 15:55:09 +00:00
enricobuehler	02bcf41803	ci(release): TestFlight upload best-effort until the ASC app record exists ... Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>	2026-06-12 14:39:19 +00:00
enricobuehler	57e7f9fe25	feat(release): production Apple builds — notarized macOS dmg + iOS TestFlight ... release.yml (v* tags / dispatch, macos-arm64 runner): universal mac + iOS xcframework -> xcodebuild archive -> Developer ID export -> notarytool + staple -> dmg on the Gitea release; iOS archive uploads to TestFlight (app-store-connect/upload). Per-run throwaway keychain; ASC API key authenticates notarization, upload, and automatic-signing profile fetch. macOS App Store lane deferred (needs App Sandbox); tvOS deferred (tier-3 Rust targets). All app targets now share bundle ID io.unom.punktfunk — ONE App Store listing with universal purchase (decided pre-submission; effectively unchangeable after). ITSAppUsesNonExemptEncryption=false declared (standard-algorithm AES-GCM, exempt). build-xcframework.sh resolves Apple toolchains itself: cargo's HOST artifacts (proc-macros, build scripts) are loaded by the running OS, and a newer-than-OS beta Xcode ld emits LINKEDIT layouts dyld rejects ("mis-aligned LINKEDIT string pool" -> misleading E0463) — so prefer a non-beta Xcode for everything, fall back to CLT for mac-only slices (env untouched: an explicit DEVELOPER_DIR=<CLT> trips xcrun's license check), refuse iOS/tvOS without a real Xcode (CLT has no iOS SDK). The runner plist no longer injects DEVELOPER_DIR for the same reason. punktfunk_Logo.icon: dropped the Xcode-27-beta-only Icon Composer features (refractivity, specular-location) — 26.5's actool crashes on them, and store builds must use release Xcode. Visual delta is the refraction/specular nuance only; re-author when 27 ships. Validated on home-mac-mini-1 with Xcode 26.5: mac+iOS xcframework slices, unified bundle IDs, signing-free app build. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>	2026-06-12 14:34:45 +00:00