double-check that the signing identity is present in a keychain
filleduchaos committed Sep 10, 2024
1 parent 5268169 commit c4e2c05
Showing 2 changed files with 33 additions and 7 deletions.
3 changes: 2 additions & 1 deletion .github/prebuild.js
Expand Up @@ -8,6 +8,7 @@ import extract from "extract-zip";

const exec = promisify(execCb);
const signId = env.APPLE_SIGNING_IDENTITY || "-";
const keychain = env.APPLE_KEYCHAIN ? `--keychain ${env.APPLE_KEYCHAIN}` : "";

const __filename = fileURLToPath(import.meta.url);
const __dirname = path.dirname(__filename);
Expand All @@ -28,7 +29,7 @@ async function symlinkSharedLibsMacOS(nativeDeps) {
.filter((entry) => entry.isFile() && entry.name.endsWith(".dylib"))
.map((entry) =>
exec(
`codesign -s "${signId}" -f "${path.join(
`codesign ${keychain} -s "${signId}" -f "${path.join(
entry.path,
entry.name
)}"`
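Review bot: The new `keychain` fragment puts `env.APPLE_KEYCHAIN` into the `exec` command string unquoted, unlike `signId` and the dylib path on the same `codesign` line, so a keychain path containing a space or a shell metacharacter would be split or interpreted by the shell. Quoting it at the definition keeps the three arguments consistent: ``const keychain = env.APPLE_KEYCHAIN ? `--keychain "${env.APPLE_KEYCHAIN}"` : "";``. Double quotes still leave `$`, `"` and backticks active, so passing the arguments as an array to `execFile` would take the shell out of the signing path altogether (this assumes `execCb` comes from `node:child_process`, which is outside the visible hunks). The body of `symlinkSharedLibsMacOS` starts and ends outside the hunk.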
37 changes: 31 additions & 6 deletions .github/workflows/publish.yml
Expand Up @@ -33,29 +33,54 @@ jobs:
- name: Create API Key File
run: echo "${{ secrets.APPLE_API_KEY_FILE }}" > api.p8

- name: Ensure signing identity
env:
APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
run: |
CERTIFICATE_PATH=${{ runner.temp }}/certificate.p12
KEYCHAIN_PATH=${{ runner.temp }}/build.keychain
echo -n "$APPLE_CERTIFICATE" | base64 --decode -o $CERTIFICATE_PATH
# Maybe set password in secrets?? This gets cleaned up at the beginning and end of each job though.
security create-keychain -p "" $KEYCHAIN_PATH
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
security default-keychain -s $KEYCHAIN_PATH
security unlock-keychain -p "" $KEYCHAIN_PATH
security import $CERTIFICATE_PATH -P "$APPLE_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
security set-key-partition-list -S apple-tool:,apple: -k "" $KEYCHAIN_PATH
security list-keychain -d user -s $KEYCHAIN_PATH
- name: Verify certificate
run: security find-identity -v -p codesigning ${{ runner.temp }}/build.keychain

- name: Rust setup
uses: actions-rust-lang/setup-rust-toolchain@v1
with:
toolchain: stable
cache: true

- name: Setup pnpm
uses: pnpm/action-setup@v4
with:
version: 8.10.5

- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: "20"

- name: Setup pnpm
uses: pnpm/action-setup@v4
with:
version: 8.10.5

- name: Install dependencies
run: cd apps/desktop-solid && pnpm install

- name: Create .env file in root
run: |
echo "appVersion=${{ steps.read_version.outputs.value }}" >> .env
echo "CAP_DESKTOP_SENTRY_URL=https://efd3156d9c0a8a49bee3ee675bec80d8@o4506859771527168.ingest.us.sentry.io/4506859844403200" >> .env
echo "NEXT_PUBLIC_URL=${{ secrets.NEXT_PUBLIC_URL }}" > .env
echo "NEXTAUTH_URL=${NEXT_PUBLIC_URL}" > .env
echo "VITE_SERVER_URL=${NEXT_PUBLIC_URL}" > .env
- name: Copy .env to apps/desktop-solid
run: cp .env apps/desktop-solid/.env
Expand Down Expand Up @@ -85,7 +110,7 @@ jobs:
APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
APPLE_API_KEY_PATH: api.p8

APPLE_KEYCHAIN: ${{ runner.temp }}/build.keychain
TAURI_PRIVATE_SIGNING_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
TAURI_KEY_SIGNING_PASSWORD: ${{ secrets.TAURI_KEY_SIGNING_PASSWORD }}
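Review bot: In the "Ensure signing identity" step, `security import … -A` lets any application on the runner use the imported private key without a prompt, and the keychain holding it is created and unlocked with an empty password (`-p ""`), which the inline comment already questions. If `codesign` is the only consumer, scoping the import is a one-flag change: `security import "$CERTIFICATE_PATH" -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign -t cert -f pkcs12 -k "$KEYCHAIN_PATH"`, with the existing `set-key-partition-list` line kept. The decoded `certificate.p12` also stays in `runner.temp` for the rest of the job, so `rm -f "$CERTIFICATE_PATH"` right after the import, plus a final `if: always()` step running `security delete-keychain`, would bound how long the key material exists; this matters most on a non-ephemeral runner, and the visible lines do not show which kind is used. A random keychain password generated inside the step and reused for `create-keychain`, `unlock-keychain` and `set-key-partition-list -k` would settle the question in the comment without adding another secret.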
