Trust codesign using the certificate

When build_release_nightly calls codesign to sign libzim.7.dylib, it appears to be hanging forever. What's most likely happening is that Keychain Access is prompting a password request without any possibility to answer, given this is running on the CI. It's unclear whether Keychain Access wants to confirm codesign can access the certificate or if it is trying to unlock another (System) keychain to find the certificate or key. This addresses the former.
2022-05-12 13:48:03 +00:00 · 2022-05-12 13:48:03 +00:00 · f103cddd77
parent 32a6e5b588
commit f103cddd77
2 changed files with 11 additions and 7 deletions
--- a/.github/scripts/common.py
+++ b/.github/scripts/common.py
@ -483,6 +483,8 @@ def notarize_macos_build(project):
    for filepath in filepaths:
        subprocess.check_call(["/usr/bin/codesign", "--force", "--sign",
                               os.getenv("SIGNING_IDENTITY", "no-signing-ident"),
+                               "--keychain",
+                               os.getenv("KEYCHAIN", "no-keychain-path"),
                               str(filepath), "--deep", "--timestamp"], env=os.environ)

    # create a zip of the dylibs and upload for notarization
--- a/.github/workflows/releaseNigthly.yml
+++ b/.github/workflows/releaseNigthly.yml
@ -174,6 +174,7 @@ jobs:
      SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
      ALTOOL_USERNAME: ${{ secrets.APPLE_SIGNING_ALTOOL_USERNAME }}
      ASC_PROVIDER: ${{ secrets.APPLE_SIGNING_TEAM }}
+      KEYCHAIN: /Users/runner/build.keychain-db
    steps:
    - name: Checkout code
      uses: actions/checkout@v1
@ -197,15 +198,16 @@ jobs:
      shell: bash
      run: |
        echo "${{ secrets.APPLE_SIGNING_CERTIFICATE }}" | base64 --decode -o $CERTIFICATE
-        security create-keychain -p mysecretpassword build.keychain
-        security default-keychain -s build.keychain
-        security unlock-keychain -p mysecretpassword build.keychain
-        security import $CERTIFICATE -k build.keychain -P "${{ secrets.APPLE_SIGNING_P12_PASSWORD }}" -A
+        security create-keychain -p mysecretpassword $KEYCHAIN
+        security default-keychain -s $KEYCHAIN
+        security set-keychain-settings $KEYCHAIN
+        security unlock-keychain -p mysecretpassword $KEYCHAIN
+        security import $CERTIFICATE -k $KEYCHAIN -P "${{ secrets.APPLE_SIGNING_P12_PASSWORD }}" -A -T "/usr/bin/codesign"
        rm $CERTIFICATE
-        security set-key-partition-list -S "apple-tool:,apple:" -s -k mysecretpassword build.keychain
-        security find-identity -v
+        security set-key-partition-list -S apple-tool:,apple: -s -k mysecretpassword $KEYCHAIN
+        security find-identity -v $KEYCHAIN
        sudo sntp -sS -t 60 time4.google.com || true
-        xcrun altool --store-password-in-keychain-item "ALTOOL_PASSWORD" -u "$ALTOOL_USERNAME" -p "${{ secrets.APPLE_SIGNING_ALTOOL_PASSWORD }}"
+        xcrun altool --keychain $KEYCHAIN --store-password-in-keychain-item "ALTOOL_PASSWORD" -u "$ALTOOL_USERNAME" -p "${{ secrets.APPLE_SIGNING_ALTOOL_PASSWORD }}"
    - name: Ensure base deps
      shell: bash
      run: |