fix(deps): macos signing is so complicated, had to fix making keychains searchable for v5

This commit is contained in:
perf3ct 2025-04-17 21:07:22 +00:00
parent 4ddc67701c
commit bbe697cc3e
No known key found for this signature in database
GPG Key ID: 569C4EEC436F5232


@ -21,32 +21,39 @@ runs:
# Certificate setup # Certificate setup
- name: Import Apple certificates - name: Import Apple certificates
if: inputs.os == 'macos' if: inputs.os == 'macos'
uses: apple-actions/import-codesign-certs@v5 uses: apple-actions/import-codesign-certs@v3
with: with:
p12-file-base64: ${{ env.APPLE_APP_CERTIFICATE_BASE64 }} p12-file-base64: ${{ env.APPLE_APP_CERTIFICATE_BASE64 }}
p12-password: ${{ env.APPLE_APP_CERTIFICATE_PASSWORD }} p12-password: ${{ env.APPLE_APP_CERTIFICATE_PASSWORD }}
keychain: build-app keychain: build-app-${{ github.run_id }}
keychain-password: ${{ github.run_id }} keychain-password: ${{ github.run_id }}
- name: Install Installer certificate - name: Install Installer certificate
if: inputs.os == 'macos' if: inputs.os == 'macos'
uses: apple-actions/import-codesign-certs@v5 uses: apple-actions/import-codesign-certs@v3
with: with:
p12-file-base64: ${{ env.APPLE_INSTALLER_CERTIFICATE_BASE64 }} p12-file-base64: ${{ env.APPLE_INSTALLER_CERTIFICATE_BASE64 }}
p12-password: ${{ env.APPLE_INSTALLER_CERTIFICATE_PASSWORD }} p12-password: ${{ env.APPLE_INSTALLER_CERTIFICATE_PASSWORD }}
keychain: build-installer keychain: build-installer-${{ github.run_id }}
keychain-password: ${{ github.run_id }} keychain-password: ${{ github.run_id }}
# We need to create a separate keychain for the installer certificate
create-keychain: true
- name: Verify certificates - name: Verify certificates
if: inputs.os == 'macos' if: inputs.os == 'macos'
shell: ${{ inputs.shell }} shell: ${{ inputs.shell }}
run: | run: |
echo "Available signing identities in build-app keychain:" echo "Available signing identities in app keychain:"
security find-identity -v -p codesigning build-app.keychain security find-identity -v -p codesigning build-app-${{ github.run_id }}.keychain
echo "Available signing identities in build-installer keychain:"
security find-identity -v -p codesigning build-installer.keychain echo "Available signing identities in installer keychain:"
security find-identity -v -p codesigning build-installer-${{ github.run_id }}.keychain
# Make the keychains searchable
security list-keychains -d user -s build-app-${{ github.run_id }}.keychain build-installer-${{ github.run_id }}.keychain $(security list-keychains -d user | tr -d '"')
security default-keychain -s build-app-${{ github.run_id }}.keychain
security unlock-keychain -p ${{ github.run_id }} build-app-${{ github.run_id }}.keychain
security unlock-keychain -p ${{ github.run_id }} build-installer-${{ github.run_id }}.keychain
security set-keychain-settings -t 3600 -l build-app-${{ github.run_id }}.keychain
security set-keychain-settings -t 3600 -l build-installer-${{ github.run_id }}.keychain
- name: Set up Python and other macOS dependencies - name: Set up Python and other macOS dependencies
if: ${{ inputs.os == 'macos' }} if: ${{ inputs.os == 'macos' }}
@ -95,14 +102,10 @@ runs:
dmg_file=$(find ./dist -name "*.dmg" -print -quit) dmg_file=$(find ./dist -name "*.dmg" -print -quit)
if [ -n "$dmg_file" ]; then if [ -n "$dmg_file" ]; then
echo "Found DMG: $dmg_file" echo "Found DMG: $dmg_file"
# Try to get a signing identity from both keychains # Get the first valid signing identity from the keychain
SIGNING_IDENTITY=$(security find-identity -v -p codesigning build-app.keychain | grep "Developer ID Application" | head -1 | sed -E 's/.*"([^"]+)".*/\1/') SIGNING_IDENTITY=$(security find-identity -v -p codesigning build-app-${{ github.run_id }}.keychain | grep "Developer ID Application" | head -1 | sed -E 's/.*"([^"]+)".*/\1/')
if [ -z "$SIGNING_IDENTITY" ]; then if [ -z "$SIGNING_IDENTITY" ]; then
echo "No valid Developer ID Application certificate found in build-app keychain, trying build-installer keychain" echo "Error: No valid Developer ID Application certificate found in keychain"
SIGNING_IDENTITY=$(security find-identity -v -p codesigning build-installer.keychain | grep "Developer ID Application" | head -1 | sed -E 's/.*"([^"]+)".*/\1/')
fi
if [ -z "$SIGNING_IDENTITY" ]; then
echo "Error: No valid Developer ID Application certificate found in any keychain"
exit 1 exit 1
fi fi
echo "Using signing identity: $SIGNING_IDENTITY" echo "Using signing identity: $SIGNING_IDENTITY"
@ -112,16 +115,6 @@ runs:
xcrun notarytool submit "$dmg_file" --apple-id "$APPLE_ID" --password "$APPLE_ID_PASSWORD" --team-id "$APPLE_TEAM_ID" --wait xcrun notarytool submit "$dmg_file" --apple-id "$APPLE_ID" --password "$APPLE_ID_PASSWORD" --team-id "$APPLE_TEAM_ID" --wait
# Staple the notarization ticket # Staple the notarization ticket
xcrun stapler staple "$dmg_file" xcrun stapler staple "$dmg_file"
else
echo "No DMG found to sign"
fi
echo "Using signing identity: $SIGNING_IDENTITY"
# Sign the DMG
codesign --force --sign "$SIGNING_IDENTITY" --options runtime --timestamp "$dmg_file"
# Notarize the DMG
xcrun notarytool submit "$dmg_file" --apple-id "$APPLE_ID" --password "$APPLE_ID_PASSWORD" --team-id "$APPLE_TEAM_ID" --wait
# Staple the notarization ticket
xcrun stapler staple "$dmg_file"
else else
echo "No DMG found to sign" echo "No DMG found to sign"
fi fi
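Review bot: In the DMG signing step, the `if [ -z "$SIGNING_IDENTITY" ]` guard that follows `SIGNING_IDENTITY=$(security find-identity -v -p codesigning build-app-${{ github.run_id }}.keychain | grep "Developer ID Application" | head -1 | sed -E 's/.*"([^"]+)".*/\1/')` is likely unreachable when no identity matches, because grep then exits non-zero, the assignment takes the substitution's status, and a step run under `bash -e` (which GitHub applies to `shell: bash`; whether that holds here depends on `inputs.shell`) aborts before the explicit error message is printed. Appending `|| true` to the substitution, e.g. `... | sed -E 's/.*"([^"]+)".*/\1/' || true)`, keeps the check reachable and the diagnostic meaningful. Separately, `${{ github.run_id }}` is not a secret (it is part of the run URL), so using it as the keychain password and passing it on the `security unlock-keychain -p` command line adds no protection; a random per-run password exported through an env var is the usual pattern. The enclosing `run:` script for this step starts before the hunk.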