Apple-Actions / import-codesign-certs

GitHub Action for Importing Code-signing Certificates into a Keychain
MIT License

Can we please have some docs? #11

Closed bwoodsend closed 4 years ago

bwoodsend commented 4 years ago

Warning in advance - I'm not a native macOS user. The only experience I have of macOS is through GitHub Actions.

My problem

I have a p12 certificate and I'm able to run the

uses: apple-actions/import-codesign-certs@v1
with:
  p12-file-base64: ${{ secrets.CERTIFICATES_P12 }}
  p12-password: ${{ secrets.CERTIFICATES_P12_PASSWORD }}

block in my build to import it but I still can't actually sign anything. I try to run any of:

codesign --force --timestamp --sign signing_temp ./my_executable_to_sign
codesign --force --timestamp --sign signing_temp.keychain ./my_executable_to_sign
codesign --force --timestamp --sign signing_temp.keychain.db ./my_executable_to_sign
codesign --force --timestamp --sign /Users/runner/Library/Keychains/signing_temp.keychain-db ./my_executable_to_sign

but I'm always stuck with the same error of:

error: The specified item could not be found in the keychain.

Some debug outputs which I don't know how to interpret

Looking at the build logs from the uses: apple-actions/import-codesign-certs@v1 part I see the command:

/usr/bin/security list-keychains -d user -s signing_temp.keychain login.keychain

is called but nothing is printed below - does that mean that no keychain has been added? In which case import-codesign-certs has not worked?


I've also tried adding some debug commands:

/usr/bin/security list-keychains

gives me

    "/Users/runner/Library/Keychains/signing_temp.keychain-db"
    "/Users/runner/Library/Keychains/login.keychain-db"
    "/Library/Keychains/System.keychain" 

Which looks hopeful - something has been added.


But:

security find-identity

gives me

  Matching identities
     0 identities found

  Valid identities only
     0 valid identities found

which I don't know what to make of but it doesn't look good.

Minimal example

I've reduced my problem down to a minimal example repository which I was hoping you could help me with. Maybe once it's working we could turn this repo into a demo/tutorial for future users?

The important lines of the example yaml are here and the resultant build log is here.

bwoodsend commented 4 years ago

Update: I've got it working now. There was a second export-to-p12 option which gave a longer .p12 file. After updating the CERTIFICATES_P12 secret to contain the base64-encoded contents of this longer file, security find-identity now says:

Policy: X.509 Basic
  Matching identities
  1) 7EF52D5FFCBEDB449C7F66F70094D81518261FD2 "Brenainn Woodsend" (CSSMERR_TP_NOT_TRUSTED)
     1 identities found

  Valid identities only
     0 valid identities found

And using:

codesign --force --timestamp --sign 7EF52D5FFCBEDB449C7F66F70094D81518261FD2 ./my_executable_to_sign

got the thing signed. It also looks like my certificate is invalid for some reason [groan] but that's my problem...
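As an added example (not from this issue thread or the action's own code), here is a POSIX shell preflight a CI step could run right after the import: it parses security find-identity output, pulls out the identity hash to hand to codesign --sign, and tells apart "nothing was imported" (the short .p12 case above) from "imported but not valid/trusted" (the CSSMERR_TP_NOT_TRUSTED case). The sample output and the function names are my own constructions, shaped like the output posted above.

```shell
#!/bin/sh
# Constructed sample of `security find-identity` output (not captured from a real run),
# mirroring the "imported but not trusted" state reported in the issue.
SAMPLE_FIND_IDENTITY='Policy: X.509 Basic
  Matching identities
  1) 7EF52D5FFCBEDB449C7F66F70094D81518261FD2 "Brenainn Woodsend" (CSSMERR_TP_NOT_TRUSTED)
     1 identities found

  Valid identities only
     0 valid identities found'

# Print the count from the "N valid identities found" line of the
# "Valid identities only" section (empty output if the section is missing).
valid_identity_count() {
  printf '%s\n' "$1" | sed -n '/Valid identities only/,$p' \
    | sed -n 's/^ *\([0-9][0-9]*\) valid identities found$/\1/p'
}

# Print the 40-hex-character SHA-1 hash of the first listed identity, or nothing.
# This hash is what `codesign --sign <hash>` expects, as the issue's fix shows.
first_identity_hash() {
  printf '%s\n' "$1" | sed -n 's/^ *[0-9][0-9]*) \([0-9A-F]\{40\}\) .*/\1/p' | head -n 1
}

# Preflight check for a signing step. Exit codes:
#   0 = identity found and valid, hash printed on stdout
#   1 = no identity at all (the .p12 import did not bring in a signing identity)
#   2 = identity present but not valid/trusted (codesign may fail or warn)
preflight() {
  ident=$(first_identity_hash "$1")
  valid=$(valid_identity_count "$1")
  if [ -z "$ident" ]; then
    echo "no signing identity in keychain: check the .p12 export and password" >&2
    return 1
  fi
  if [ "${valid:-0}" -eq 0 ]; then
    echo "identity $ident imported but not valid/trusted" >&2
    return 2
  fi
  echo "$ident"
  return 0
}

# On a macOS runner this would be: preflight "$(security find-identity -p codesigning)"
preflight "$SAMPLE_FIND_IDENTITY" || echo "preflight exit code: $?"
```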