From f103cddd7753233b85ef5e28f9a584eb801abc76 Mon Sep 17 00:00:00 2001 From: renaud gaudin Date: Thu, 12 May 2022 13:48:03 +0000 Subject: [PATCH 1/2] Trust codesign using the certificate When build_release_nightly calls codesign to sign libzim.7.dylib, it appears to be hanging forever. What's most likely happening is that Keychain Access is prompting a password request without any possibility to answer, given this is running on the CI. It's unclear whether Keychain Access wants to confirm codesign can access the certificate or if it is trying to unlock another (System) keychain to find the certificate or key. This addresses the former. --- .github/scripts/common.py | 2 ++ .github/workflows/releaseNigthly.yml | 16 +++++++++------- 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/.github/scripts/common.py b/.github/scripts/common.py index d3e7b1b..fb7200e 100644 --- a/.github/scripts/common.py +++ b/.github/scripts/common.py @@ -483,6 +483,8 @@ def notarize_macos_build(project): for filepath in filepaths: subprocess.check_call(["/usr/bin/codesign", "--force", "--sign", os.getenv("SIGNING_IDENTITY", "no-signing-ident"), + "--keychain", + os.getenv("KEYCHAIN", "no-keychain-path"), str(filepath), "--deep", "--timestamp"], env=os.environ) # create a zip of the dylibs and upload for notarization diff --git a/.github/workflows/releaseNigthly.yml b/.github/workflows/releaseNigthly.yml index b870b91..7e67718 100644 --- a/.github/workflows/releaseNigthly.yml +++ b/.github/workflows/releaseNigthly.yml @@ -174,6 +174,7 @@ jobs: SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }} ALTOOL_USERNAME: ${{ secrets.APPLE_SIGNING_ALTOOL_USERNAME }} ASC_PROVIDER: ${{ secrets.APPLE_SIGNING_TEAM }} + KEYCHAIN: /Users/runner/build.keychain-db steps: - name: Checkout code uses: actions/checkout@v1 
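Review bot: The added `--keychain` argument falls back to the placeholder `"no-keychain-path"` when `KEYCHAIN` is unset, so a job with incomplete signing configuration still invokes codesign against a non-existent keychain and fails late with an opaque codesign error; the same silent-placeholder pattern already exists for `SIGNING_IDENTITY` on the line above. Read both once before the loop and fail fast, e.g. `keychain = os.environ["KEYCHAIN"]` (a `KeyError` naming the variable beats the placeholder) or explicitly `if not os.getenv("KEYCHAIN"): raise RuntimeError("KEYCHAIN must point to the signing keychain")`. `codesign --keychain` restricts the identity search to that file, which matches the commit's intent, but PATCH 2/2 of this series removes the only visible call to `notarize_macos_build` (from build_projects.py), so unless the workflow invokes it elsewhere this code path no longer runs on CI. `notarize_macos_build` starts before and continues past this hunk.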
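Review bot: `KEYCHAIN: /Users/runner/build.keychain-db` hard-codes the hosted macOS runner's home directory and gives no hint why the value is an absolute file path with a `-db` suffix, so a future change to the `security create-keychain` step or a move to a self-hosted runner can silently break the match between the keychain that is created and the one codesign and altool are told to search. Add a comment on the line, e.g. `# absolute file path shared by the security/codesign/altool calls in the signing step; a bare name would presumably be created under ~/Library/Keychains instead`. The enclosing job-level `env:` block starts above this hunk.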
@@ -197,15 +198,16 @@ jobs: shell: bash run: | echo "${{ secrets.APPLE_SIGNING_CERTIFICATE }}" | base64 --decode -o $CERTIFICATE - security create-keychain -p mysecretpassword build.keychain - security default-keychain -s build.keychain - security unlock-keychain -p mysecretpassword build.keychain - security import $CERTIFICATE -k build.keychain -P "${{ secrets.APPLE_SIGNING_P12_PASSWORD }}" -A + security create-keychain -p mysecretpassword $KEYCHAIN + security default-keychain -s $KEYCHAIN + security set-keychain-settings $KEYCHAIN + security unlock-keychain -p mysecretpassword $KEYCHAIN + security import $CERTIFICATE -k $KEYCHAIN -P "${{ secrets.APPLE_SIGNING_P12_PASSWORD }}" -A -T "/usr/bin/codesign" rm $CERTIFICATE - security set-key-partition-list -S "apple-tool:,apple:" -s -k mysecretpassword build.keychain - security find-identity -v + security set-key-partition-list -S apple-tool:,apple: -s -k mysecretpassword $KEYCHAIN + security find-identity -v $KEYCHAIN sudo sntp -sS -t 60 time4.google.com || true - xcrun altool --store-password-in-keychain-item "ALTOOL_PASSWORD" -u "$ALTOOL_USERNAME" -p "${{ secrets.APPLE_SIGNING_ALTOOL_PASSWORD }}" + xcrun altool --keychain $KEYCHAIN --store-password-in-keychain-item "ALTOOL_PASSWORD" -u "$ALTOOL_USERNAME" -p "${{ secrets.APPLE_SIGNING_ALTOOL_PASSWORD }}" - name: Ensure base deps shell: bash run: | From 733a730877be100efbe99d116a482c80b1ec5bd3 Mon Sep 17 00:00:00 2001 From: Matthieu Gautier Date: Tue, 17 May 2022 18:05:43 +0200 Subject: [PATCH 2/2] Do not notarize macos build on CI. We still sign macos build on nigthly and release. --- .github/scripts/build_projects.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/scripts/build_projects.py b/.github/scripts/build_projects.py index 6fd5851..b8adf1b 100755 --- a/.github/scripts/build_projects.py +++ b/.github/scripts/build_projects.py 
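Review bot: `security import ... -A -T "/usr/bin/codesign"` keeps `-A`, which grants every application access to the imported private key without prompting, so the newly added `-T "/usr/bin/codesign"` does not narrow anything; drop `-A` and keep the explicit trust list, i.e. `security import $CERTIFICATE -k $KEYCHAIN -P "$P12_PASSWORD" -T /usr/bin/codesign` (add `-T /usr/bin/security` only if the later `security` calls turn out to need it). Separately, the three secrets are interpolated straight into the shell script via `${{ secrets.* }}`, so a value containing `"`, `$` or a backtick breaks the quoting or gets evaluated, and the altool password lands in the process list; pass them through the step's `env:` and reference `$APPLE_SIGNING_P12_PASSWORD`, and for altool use `-p "@env:ALTOOL_PASSWORD"`, which altool reads from the environment rather than argv. The literal keychain password `mysecretpassword` protects nothing durable on an ephemeral hosted runner, but if this job is ever moved to a self-hosted runner it should be generated per run and kept out of the workflow file. The step's `- name:` line is above this hunk.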
@@ -9,7 +9,6 @@ from common import (
     OS_NAME,
     PLATFORM_TARGET,
     DESKTOP,
-    notarize_macos_build,
 )
 
 if PLATFORM_TARGET.startswith("android_"):
@@ -43,5 +42,4 @@ for target in TARGETS:
     else:
         if PLATFORM_TARGET == "native_mixed" and OS_NAME == "osx":
             fix_macos_rpath(target)
-            notarize_macos_build(target)
         make_archive(target, make_release=False)