Trust codesign using the certificate

When build_release_nightly calls codesign to sign libzim.7.dylib, it appears to be
hanging forever.
What's most likely happening is that Keychain Access is prompting for a password
with no way to answer it, given this is running on the CI.

It's unclear whether Keychain Access wants to confirm codesign can access the certificate
or if it is trying to unlock another (System) keychain to find the certificate or key.

This addresses the former.
renaud gaudin 2022-05-12 13:48:03 +00:00
parent 32a6e5b588
commit f103cddd77
2 changed files with 11 additions and 7 deletions

View File

@ -483,6 +483,8 @@ def notarize_macos_build(project):
for filepath in filepaths: for filepath in filepaths:
subprocess.check_call(["/usr/bin/codesign", "--force", "--sign", subprocess.check_call(["/usr/bin/codesign", "--force", "--sign",
os.getenv("SIGNING_IDENTITY", "no-signing-ident"), os.getenv("SIGNING_IDENTITY", "no-signing-ident"),
"--keychain",
os.getenv("KEYCHAIN", "no-keychain-path"),
str(filepath), "--deep", "--timestamp"], env=os.environ) str(filepath), "--deep", "--timestamp"], env=os.environ)
# create a zip of the dylibs and upload for notarization # create a zip of the dylibs and upload for notarization
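Review bot: the `"no-keychain-path"` fallback on the new `--keychain` argument (like the existing `"no-signing-ident"` one) turns a missing `KEYCHAIN` variable into an obscure codesign error partway through the loop rather than a clear failure before any dylib is touched. Resolve both values once before the loop and fail if either is unset, e.g. `keychain = os.environ["KEYCHAIN"]`, so a misconfigured job stops early with a readable KeyError. Minor: `env=os.environ` is already the default for `subprocess.check_call` and can be dropped.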

View File

@ -174,6 +174,7 @@ jobs:
SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }} SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
ALTOOL_USERNAME: ${{ secrets.APPLE_SIGNING_ALTOOL_USERNAME }} ALTOOL_USERNAME: ${{ secrets.APPLE_SIGNING_ALTOOL_USERNAME }}
ASC_PROVIDER: ${{ secrets.APPLE_SIGNING_TEAM }} ASC_PROVIDER: ${{ secrets.APPLE_SIGNING_TEAM }}
KEYCHAIN: /Users/runner/build.keychain-db
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@v1 uses: actions/checkout@v1
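Review bot: `KEYCHAIN: /Users/runner/build.keychain-db` hardcodes the hosted runner's home directory, so a change of runner image or user breaks every `security` call that follows. Prefer a runner-provided location such as `${{ runner.temp }}/build.keychain-db`. The explicit `-db` suffix is fine as long as the same value is passed to every `security` invocation, which the next hunk does.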
@ -197,15 +198,16 @@ jobs:
shell: bash shell: bash
run: | run: |
echo "${{ secrets.APPLE_SIGNING_CERTIFICATE }}" | base64 --decode -o $CERTIFICATE echo "${{ secrets.APPLE_SIGNING_CERTIFICATE }}" | base64 --decode -o $CERTIFICATE
security create-keychain -p mysecretpassword build.keychain security create-keychain -p mysecretpassword $KEYCHAIN
security default-keychain -s build.keychain security default-keychain -s $KEYCHAIN
security unlock-keychain -p mysecretpassword build.keychain security set-keychain-settings $KEYCHAIN
security import $CERTIFICATE -k build.keychain -P "${{ secrets.APPLE_SIGNING_P12_PASSWORD }}" -A security unlock-keychain -p mysecretpassword $KEYCHAIN
security import $CERTIFICATE -k $KEYCHAIN -P "${{ secrets.APPLE_SIGNING_P12_PASSWORD }}" -A -T "/usr/bin/codesign"
rm $CERTIFICATE rm $CERTIFICATE
security set-key-partition-list -S "apple-tool:,apple:" -s -k mysecretpassword build.keychain security set-key-partition-list -S apple-tool:,apple: -s -k mysecretpassword $KEYCHAIN
security find-identity -v security find-identity -v $KEYCHAIN
sudo sntp -sS -t 60 time4.google.com || true sudo sntp -sS -t 60 time4.google.com || true
xcrun altool --store-password-in-keychain-item "ALTOOL_PASSWORD" -u "$ALTOOL_USERNAME" -p "${{ secrets.APPLE_SIGNING_ALTOOL_PASSWORD }}" xcrun altool --keychain $KEYCHAIN --store-password-in-keychain-item "ALTOOL_PASSWORD" -u "$ALTOOL_USERNAME" -p "${{ secrets.APPLE_SIGNING_ALTOOL_PASSWORD }}"
- name: Ensure base deps - name: Ensure base deps
shell: bash shell: bash
run: | run: |
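Review bot: `security set-keychain-settings $KEYCHAIN` with no `-l`/`-u`/`-t` options removes the auto-lock timeout so the keychain stays unlocked for the length of the build; that looks intentional and complements the `-T`/partition-list change, but it deserves a one-line comment, otherwise a reader will take it for a no-op. Two smaller points in the same block: `-A` on `security import` already allows any application to use the key, so `-T "/usr/bin/codesign"` adds nothing on its own and the prompt is really being addressed by `set-key-partition-list -S apple-tool:,apple:`; and since codesign and altool now both receive `--keychain $KEYCHAIN` explicitly, `security default-keychain -s $KEYCHAIN` is only needed if some other tool in the job relies on the default keychain. The keychain password `mysecretpassword` is a plaintext literal in the workflow; acceptable for a throwaway CI keychain, but a per-run random value (or a repository secret) would be cleaner.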