action.yml

name: "MacOS sign app action"
description: "Deep sign macOS .app content"

inputs:
  plist-path:
    description: "The path to the plist file"
    required: false
  app-path:
    description: "The path to the binary to sign"
    required: true
  mac-keychain-pass:
    description: "The password for the keychain"
    required: true
  mac-application-certkey:
    description: "The certificate and key in base64 format"
    required: true
  mac-certkey-pass:
    description: "The password for the certificate and key"
    required: true

runs:
  using: "composite"

  steps:
    - name: Check for Keychain
      id: check_keychain
      shell: bash
      run: |
        if security list-keychains | grep -q "build.keychain"; then
          echo "keychain_exists=true" >> $GITHUB_OUTPUT
        else
          echo "keychain_exists=false" >> $GITHUB_OUTPUT
        fi

    - name: Create keychain
      if: steps.check_keychain.outputs.keychain_exists == 'false'
      shell: bash
      run: |
        security create-keychain -p "${{ inputs.mac-keychain-pass }}" build.keychain
        echo "Keychain created"
        security set-keychain-settings -lut 21600 build.keychain
        echo "Keychain settings set"
        security default-keychain -s build.keychain
        echo "Keychain made default"
        security unlock-keychain -p "${{ inputs.mac-keychain-pass }}" build.keychain  
        echo "Keychain unlocked"

    - name: Import certificates
      shell: bash
      run: |
        echo "${{ inputs.mac-application-certkey }}" | base64 --decode > application_certkey.p12

        security import ./application_certkey.p12 \
          -k build.keychain \
          -f pkcs12 \
          -P "${{ inputs.mac-certkey-pass }}" \
          -T /usr/bin/codesign \
          -T /usr/bin/productsign

    - name: Allow codesign and productsign to use keychain
      shell: bash
      run: |
        security set-key-partition-list \
          -S apple-tool:,apple:,codesign:,productsign: \
          -s \
          -k "${{ inputs.mac-keychain-pass }}" \
          build.keychain

    - name: Sign contents with entitlements
      if: ${{ inputs.plist-path != '' }}
      shell: bash
      run: |
        codesign ${{ inputs.app-path }} \
          --sign "Developer ID Application" \
          --entitlements ${{ inputs.plist-path }} \
          --options runtime \
          --force \
          --timestamp \
          --verbose \
          --deep

    - name: Sign contents without entitlements
      if: ${{ inputs.plist-path == '' }}
      shell: bash
      run: |
        codesign ${{ inputs.app-path }} \
          --sign "Developer ID Application" \
          --options runtime \
          --force \
          --timestamp \
          --verbose \
          --deep

    - name: Verify singature
      shell: bash
      run: |
        codesign ${{ inputs.app-path }} \
          --display \
          --verbose \
          -r-

        codesign ${{ inputs.app-path }} \
          --verify \
          --verbose