ci: trust self-signed certificate

G07cha · Nov 10, 2024 · b46d120 · b46d120
1 parent e1ed2f1
commit b46d120
Showing 1 changed file with 24 additions and 11 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -1,5 +1,7 @@
 on:
   push:
+    branches:
+      - ci/fix-mac-signing
     tags:
       - '*'
   workflow_dispatch:
@@ -20,10 +22,10 @@ jobs:
         platform:
           - host: macos-latest
             target: aarch64-apple-darwin
-          - host: macos-latest
-            target: x86_64-apple-darwin
-          - host: windows-latest
-            target: x86_64-pc-windows-msvc
+          # - host: macos-latest
+          #   target: x86_64-apple-darwin
+          # - host: windows-latest
+          #   target: x86_64-pc-windows-msvc
 
     runs-on: ${{ matrix.platform.host }}
     steps:
@@ -32,17 +34,28 @@ jobs:
         uses: ./.github/actions/setup-env
       - name: Add target
         run: rustup target add ${{ matrix.platform.target }}
-      - uses: apple-actions/import-codesign-certs@v2
-        if: startsWith(matrix.platform.target, 'aarch64-apple-darwin') || startsWith(matrix.platform.target, 'x86_64-apple-darwin')
-        with:
-          p12-file-base64: ${{ secrets.APPLE_CERTIFICATE }}
-          p12-password: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
-      - name: Verify certificate
+      - name: Import Apple Developer Certificate
         if: startsWith(matrix.platform.target, 'aarch64-apple-darwin') || startsWith(matrix.platform.target, 'x86_64-apple-darwin')
-        run: security find-identity -v -p codesigning ${{ runner.temp }}/build.keychain
+        env:
+          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
+          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
+        run: |
+          echo $APPLE_CERTIFICATE | base64 --decode > certificate.p12
+          security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
+          security default-keychain -s build.keychain
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
+          security import certificate.p12 -k build.keychain -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign
+          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" build.keychain
+
+          echo $APPLE_AUTHORITY_CERTIFICATE | base64 --decode > certificate.der
+          # openssl pkcs12 -in certificate.p12 -password ${APPLE_CERTIFICATE_PASSWORD} -clcerts -nokeys -out certificate.der
+          security add-trusted-cert -d -k build.keychain certificate.der || true
+          security find-identity -v -p codesigning build.keychain
       - name: Create release
         uses: tauri-apps/tauri-action@v0
         with:
+          releaseDraft: true
           includeUpdaterJson: true
           tagName: v__VERSION__
           releaseName: 'v__VERSION__'