Skip to content

Commit 1572b87

Browse files
committed
Fix flaky productsign gate: use INSTALLER env var presence
`security find-identity -v` was intermittently not seeing the imported Developer ID Installer cert on the GitHub Actions macos-latest runner, causing the .pkg to ship unsigned and Apple notary to reject it. Gate the codesign / productsign branches on the env-var presence (which is what the keychain bootstrap already gated on) instead. Also surface notary rejection details on failure via `xcrun notarytool log`.
1 parent 8e068f7 commit 1572b87

1 file changed

Lines changed: 12 additions & 7 deletions

File tree

Installer/build.sh

Lines changed: 12 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -95,13 +95,13 @@ if [ "$PLATFORM" = "macOS" ]; then
9595
cp -R "$PROJECT_ROOT/plugin/Resources/WavetablesFLAC" "$STAGE/resources/Library/Audio/Presets/$VENDOR/$PLUGIN/Wavetables"
9696
find "$STAGE/resources" -name ".DS_Store" -delete
9797

98-
if security find-identity -v -p codesigning | grep -q "$DEV_APP_ID"; then
98+
if [ -n "${APPLICATION:-}" ]; then
9999
codesign -s "$DEV_APP_ID" --options=runtime --timestamp --force -v "$STAGE/vst/$PLUGIN.vst"
100100
codesign -s "$DEV_APP_ID" --options=runtime --timestamp --force -v "$STAGE/vst3/$PLUGIN.vst3"
101101
codesign -s "$DEV_APP_ID" --options=runtime --timestamp --force -v "$STAGE/au/$PLUGIN.component"
102102
codesign -s "$DEV_APP_ID" --options=runtime --timestamp --force -v "$STAGE/clap/$PLUGIN.clap"
103103
else
104-
echo "Skipping codesign — Developer ID Application not in keychain"
104+
echo "Skipping codesign — APPLICATION secret not set"
105105
fi
106106

107107
# Component packages
@@ -148,18 +148,23 @@ if [ "$PLATFORM" = "macOS" ]; then
148148
--version "$VERSION" \
149149
"$PKG_OUT.unsigned"
150150

151-
if security find-identity -v | grep -q "$DEV_INST_ID"; then
151+
if [ -n "${INSTALLER:-}" ]; then
152152
productsign --sign "$DEV_INST_ID" "$PKG_OUT.unsigned" "$PKG_OUT"
153153
rm "$PKG_OUT.unsigned"
154154
else
155-
echo "Skipping productsign — Developer ID Installer not in keychain"
155+
echo "Skipping productsign — INSTALLER secret not set"
156156
mv "$PKG_OUT.unsigned" "$PKG_OUT"
157157
fi
158158

159159
if [ -n "${APPLE_USER:-}" ] && [ -n "${APPLE_PASS:-}" ]; then
160-
xcrun notarytool submit --verbose \
161-
--apple-id "$APPLE_USER" --password "$APPLE_PASS" --team-id "$TEAM_ID" \
162-
--wait --timeout 30m "$PKG_OUT"
160+
SUBMISSION_OUTPUT=$(xcrun notarytool submit --verbose --apple-id "$APPLE_USER" --password "$APPLE_PASS" --team-id "$TEAM_ID" --wait --timeout 30m "$PKG_OUT" 2>&1) || NOTARY_FAILED=1
161+
echo "$SUBMISSION_OUTPUT"
162+
SUBMISSION_ID=$(echo "$SUBMISSION_OUTPUT" | awk "/^ id:/ { print \$2; exit }")
163+
if [ "${NOTARY_FAILED:-0}" = "1" ] && [ -n "$SUBMISSION_ID" ]; then
164+
echo "Notarization failed — fetching log for $SUBMISSION_ID"
165+
xcrun notarytool log "$SUBMISSION_ID" --apple-id "$APPLE_USER" --password "$APPLE_PASS" --team-id "$TEAM_ID" || true
166+
exit 1
167+
fi
163168
xcrun stapler staple "$PKG_OUT"
164169
else
165170
echo "Skipping notarization — APPLE_USER / APPLE_PASS not set"

0 commit comments

Comments
 (0)