From 38f33d8573dc6885e69a001507efd363860b41dd Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 25 Mar 2025 02:59:09 +0000 Subject: [PATCH 1/3] chore(deps): update apple-actions/import-codesign-certs action to v5 --- .github/actions/build-electron/action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/build-electron/action.yml b/.github/actions/build-electron/action.yml index 51b022bed..0b8d3ac4e 100644 --- a/.github/actions/build-electron/action.yml +++ b/.github/actions/build-electron/action.yml @@ -18,7 +18,7 @@ runs: # Certificate setup - name: Import Apple certificates if: inputs.os == 'macos' - uses: apple-actions/import-codesign-certs@v3 + uses: apple-actions/import-codesign-certs@v5 with: p12-file-base64: ${{ env.APPLE_APP_CERTIFICATE_BASE64 }} p12-password: ${{ env.APPLE_APP_CERTIFICATE_PASSWORD }} @@ -27,7 +27,7 @@ runs: - name: Install Installer certificate if: inputs.os == 'macos' - uses: apple-actions/import-codesign-certs@v3 + uses: apple-actions/import-codesign-certs@v5 with: p12-file-base64: ${{ env.APPLE_INSTALLER_CERTIFICATE_BASE64 }} p12-password: ${{ env.APPLE_INSTALLER_CERTIFICATE_PASSWORD }} From 18e6527191104d7fefb279f8edd23c8ac98e13af Mon Sep 17 00:00:00 2001 From: perf3ct Date: Thu, 17 Apr 2025 20:39:42 +0000 Subject: [PATCH 2/3] fix(deps): attempt to resolve issue created due to https://github.com/Apple-Actions/import-codesign-certs/issues/71 --- .github/actions/build-electron/action.yml | 24 ++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/.github/actions/build-electron/action.yml b/.github/actions/build-electron/action.yml index a2f070600..5ca07d519 100644 --- a/.github/actions/build-electron/action.yml +++ b/.github/actions/build-electron/action.yml 
@@ -25,7 +25,7 @@ runs: with: p12-file-base64: ${{ env.APPLE_APP_CERTIFICATE_BASE64 }} p12-password: ${{ env.APPLE_APP_CERTIFICATE_PASSWORD }} - keychain: build + keychain: build-app keychain-password: ${{ github.run_id }} - name: Install Installer certificate @@ -34,17 +34,19 @@ runs: with: p12-file-base64: ${{ env.APPLE_INSTALLER_CERTIFICATE_BASE64 }} p12-password: ${{ env.APPLE_INSTALLER_CERTIFICATE_PASSWORD }} - keychain: build + keychain: build-installer keychain-password: ${{ github.run_id }} - # We don't need to create a keychain here because we're using the build keychain that was created in the previous step - create-keychain: false + # We need to create a separate keychain for the installer certificate + create-keychain: true - name: Verify certificates if: inputs.os == 'macos' shell: ${{ inputs.shell }} run: | - echo "Available signing identities:" - security find-identity -v -p codesigning build.keychain + echo "Available signing identities in build-app keychain:" + security find-identity -v -p codesigning build-app.keychain + echo "Available signing identities in build-installer keychain:" + security find-identity -v -p codesigning build-installer.keychain - name: Set up Python and other macOS dependencies if: ${{ inputs.os == 'macos' }} 
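Review bot: The "Verify certificates" step in hunk @@ -34,17 +34,19 only prints the two listings; as far as I can tell `security find-identity -v` exits 0 even when it reports zero identities, so an import that silently produced nothing passes this step and the job only fails later in the signing step. Make it fail fast on the keychain that must hold the signing identity, e.g. `security find-identity -v -p codesigning build-app.keychain | grep -q "Developer ID Application" || { echo "No Developer ID Application identity in build-app keychain"; exit 1; }`. The `-p codesigning` policy presumably does not match a Developer ID Installer certificate, so the listing of build-installer.keychain may print nothing even on success; confirm against the action's output before gating on it. The same applies to the rewritten Verify step in the third patch's hunk @@ -21,32 +21,39. The `steps` sequence under `runs:` continues outside the hunk.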
@@ -96,10 +98,14 @@ runs: dmg_file=$(find ./dist -name "*.dmg" -print -quit) if [ -n "$dmg_file" ]; then echo "Found DMG: $dmg_file" - # Get the first valid signing identity from the keychain - SIGNING_IDENTITY=$(security find-identity -v -p codesigning build.keychain | grep "Developer ID Application" | head -1 | sed -E 's/.*"([^"]+)".*/\1/') + # Try to get a signing identity from both keychains + SIGNING_IDENTITY=$(security find-identity -v -p codesigning build-app.keychain | grep "Developer ID Application" | head -1 | sed -E 's/.*"([^"]+)".*/\1/') if [ -z "$SIGNING_IDENTITY" ]; then - echo "Error: No valid Developer ID Application certificate found in keychain" + echo "No valid Developer ID Application certificate found in build-app keychain, trying build-installer keychain" + SIGNING_IDENTITY=$(security find-identity -v -p codesigning build-installer.keychain | grep "Developer ID Application" | head -1 | sed -E 's/.*"([^"]+)".*/\1/') + fi + if [ -z "$SIGNING_IDENTITY" ]; then + echo "Error: No valid Developer ID Application certificate found in any keychain" exit 1 fi echo "Using signing identity: $SIGNING_IDENTITY" From bbe697cc3e9b966580fa4407bb990bb74a6345f6 Mon Sep 17 00:00:00 2001 From: perf3ct Date: Thu, 17 Apr 2025 21:07:22 +0000 Subject: [PATCH 3/3] fix(deps): macos signing is so complicated, had to fix making keychains searchable for v5 --- .github/actions/build-electron/action.yml | 47 ++++++++++------------- 1 file changed, 20 insertions(+), 27 deletions(-) diff --git a/.github/actions/build-electron/action.yml b/.github/actions/build-electron/action.yml index 7878db865..2fd8d1a7d 100644 --- a/.github/actions/build-electron/action.yml +++ b/.github/actions/build-electron/action.yml 
@@ -21,32 +21,39 @@ runs: # Certificate setup - name: Import Apple certificates if: inputs.os == 'macos' - uses: apple-actions/import-codesign-certs@v5 + uses: apple-actions/import-codesign-certs@v3 with: p12-file-base64: ${{ env.APPLE_APP_CERTIFICATE_BASE64 }} p12-password: ${{ env.APPLE_APP_CERTIFICATE_PASSWORD }} - keychain: build-app + keychain: build-app-${{ github.run_id }} keychain-password: ${{ github.run_id }} - name: Install Installer certificate if: inputs.os == 'macos' - uses: apple-actions/import-codesign-certs@v5 + uses: apple-actions/import-codesign-certs@v3 with: p12-file-base64: ${{ env.APPLE_INSTALLER_CERTIFICATE_BASE64 }} p12-password: ${{ env.APPLE_INSTALLER_CERTIFICATE_PASSWORD }} - keychain: build-installer + keychain: build-installer-${{ github.run_id }} keychain-password: ${{ github.run_id }} - # We need to create a separate keychain for the installer certificate - create-keychain: true - name: Verify certificates if: inputs.os == 'macos' shell: ${{ inputs.shell }} run: | - echo "Available signing identities in build-app keychain:" - security find-identity -v -p codesigning build-app.keychain - echo "Available signing identities in build-installer keychain:" - security find-identity -v -p codesigning build-installer.keychain + echo "Available signing identities in app keychain:" + security find-identity -v -p codesigning build-app-${{ github.run_id }}.keychain + + echo "Available signing identities in installer keychain:" + security find-identity -v -p codesigning build-installer-${{ github.run_id }}.keychain + + # Make the keychains searchable + security list-keychains -d user -s build-app-${{ github.run_id }}.keychain build-installer-${{ github.run_id }}.keychain $(security list-keychains -d user | tr -d '"') + security default-keychain -s build-app-${{ github.run_id }}.keychain + security unlock-keychain -p ${{ github.run_id }} build-app-${{ github.run_id }}.keychain + security unlock-keychain -p ${{ github.run_id }} build-installer-${{ 
github.run_id }}.keychain + security set-keychain-settings -t 3600 -l build-app-${{ github.run_id }}.keychain + security set-keychain-settings -t 3600 -l build-installer-${{ github.run_id }}.keychain - name: Set up Python and other macOS dependencies if: ${{ inputs.os == 'macos' }} @@ -95,14 +102,10 @@ runs: dmg_file=$(find ./dist -name "*.dmg" -print -quit) if [ -n "$dmg_file" ]; then echo "Found DMG: $dmg_file" - # Try to get a signing identity from both keychains - SIGNING_IDENTITY=$(security find-identity -v -p codesigning build-app.keychain | grep "Developer ID Application" | head -1 | sed -E 's/.*"([^"]+)".*/\1/') + # Get the first valid signing identity from the keychain + SIGNING_IDENTITY=$(security find-identity -v -p codesigning build-app-${{ github.run_id }}.keychain | grep "Developer ID Application" | head -1 | sed -E 's/.*"([^"]+)".*/\1/') if [ -z "$SIGNING_IDENTITY" ]; then - echo "No valid Developer ID Application certificate found in build-app keychain, trying build-installer keychain" - SIGNING_IDENTITY=$(security find-identity -v -p codesigning build-installer.keychain | grep "Developer ID Application" | head -1 | sed -E 's/.*"([^"]+)".*/\1/') - fi - if [ -z "$SIGNING_IDENTITY" ]; then - echo "Error: No valid Developer ID Application certificate found in any keychain" + echo "Error: No valid Developer ID Application certificate found in keychain" exit 1 fi echo "Using signing identity: $SIGNING_IDENTITY" 
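Review bot: Both `uses:` lines in hunk @@ -21,32 +21,39 move apple-actions/import-codesign-certs back to `@v3`, while the patch subject says the fix is for v5; if the downgrade is intentional the commit message should say so, and Renovate will keep re-proposing the bump unless the dependency is ignored. Either way the action is pinned by a movable tag; pin it to the full commit SHA and keep the version in a trailing comment, `uses: apple-actions/import-codesign-certs@<full-commit-sha> # v3`, so the code-signing certificates are only handed to a reviewed revision. Dropping `create-keychain: true` presumably relies on v3 creating the keychain by default; confirm, since the later `security unlock-keychain` lines fail if the build-app keychain for the run does not exist. The `-p ${{ github.run_id }}` keychain password is an integer expanded by the runner, so there is no shell-injection risk, but it is also public, so the password only gates unlocking on this ephemeral runner; a one-line comment saying so, e.g. `# keychain password is the (public) run id; it is not a secret`, would save the next reader from treating it as one. The `steps` sequence continues outside the hunk.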
@@ -112,16 +115,6 @@ runs: xcrun notarytool submit "$dmg_file" --apple-id "$APPLE_ID" --password "$APPLE_ID_PASSWORD" --team-id "$APPLE_TEAM_ID" --wait # Staple the notarization ticket xcrun stapler staple "$dmg_file" - else - echo "No DMG found to sign" - fi - echo "Using signing identity: $SIGNING_IDENTITY" - # Sign the DMG - codesign --force --sign "$SIGNING_IDENTITY" --options runtime --timestamp "$dmg_file" - # Notarize the DMG - xcrun notarytool submit "$dmg_file" --apple-id "$APPLE_ID" --password "$APPLE_ID_PASSWORD" --team-id "$APPLE_TEAM_ID" --wait - # Staple the notarization ticket - xcrun stapler staple "$dmg_file" else echo "No DMG found to sign" fi