fixing signing keychains to use on disk paths

bacalhau-project · Jun 16, 2022 · f03ed91 · f03ed91
1 parent 38de319
commit f03ed91
Showing 1 changed file with 18 additions and 20 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -121,7 +121,7 @@ jobs:
         if: matrix.target_os == 'darwin'
         run: |-
           sh -c '
-          cat > /tmp/.gon.json << EOF
+          cat > $RUNNER_TEMP/.gon.json << EOF
           {
               "source": ["./bin/${{ matrix.target_os }}_${{ matrix.target_arch }}/bacalhau"],
               "bundle_id": "org.bacalhau",
@@ -151,28 +151,29 @@ jobs:
       - name: Codesign create keychain
         if: ${{ matrix.target_os == 'darwin' }}
         run: |
-          build_keychain_exists=$(security list-keychains | grep "build.keychain" | tr -d '\n' )
-          # Delete keychain if it exists (swallow errors)
-          [ ! -z "$build_keychain_exists" ] && security delete-keychain build.keychain
+          KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+          CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
+
+          [ -f "$RUNNER_TEMP/app-signing.keychain-db"] && security delete-keychain $RUNNER_TEMP/app-signing.keychain-db 
 
           # Reusing MACOS_CERTIFICATE_PWD for both the build.keychain password and the cert password for convenience.
           # Doesn't seem like this would be an issue.
-          echo $MACOS_CERTIFICATE > /tmp/macos_certificate
-          base64 -i /tmp/macos_certificate --decode > /tmp/certificate.p12
-          security create-keychain -p $MACOS_CERTIFICATE_PWD build.keychain
-          security default-keychain -s build.keychain
+          echo -n "$MACOS_CERTIFICATE" | base64 --decode --output $CERTIFICATE_PATH
 
-      - name: Codesign set-key
-        if: matrix.target_os == 'darwin'
-        run: |
-          security unlock-keychain -p $MACOS_CERTIFICATE_PWD build.keychain
-          security import /tmp/certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
-          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $MACOS_CERTIFICATE_PWD build.keychain
+          # create temporary keychain
+          security create-keychain -p "$MACOS_CERTIFICATE_PWD" $KEYCHAIN_PATH
+          security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+          security unlock-keychain -p "$MACOS_CERTIFICATE_PWD" $KEYCHAIN_PATH
+
+          # import certificate to keychain
+          security import $CERTIFICATE_PATH -P "$MACOS_CERTIFICATE_PWD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+          security list-keychain -d user -s $KEYCHAIN_PATH
+          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $MACOS_CERTIFICATE_PWD $KEYCHAIN_PATH
 
       - name: Use gon to sign
         if: matrix.target_os == 'darwin'
         run: |
-          gon /tmp/.gon.json
+          gon $RUNNER_TEMP/.gon.json
 
       - name: Build tarball
         run: |
@@ -193,10 +194,7 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Codesign delete-keychain
+      - name: Clean up keychain and provisioning profile
         if: matrix.target_os == 'darwin'
         run: |
-          build_keychain_exists=$(security list-keychains | grep "build.keychain" | tr -d '\n' )
-
-          # Delete keychain if it exists (swallow errors)
-          [ ! -z "$build_keychain_exists" ] && security delete-keychain build.keychain
+          security delete-keychain $RUNNER_TEMP/app-signing.keychain-db