Skip to content

Commit d314b25

Browse files
committed
ci(release): fail fast if macOS signing secrets are missing
tauri-action silently produces an unsigned .app when any of APPLE_CERTIFICATE / APPLE_CERTIFICATE_PASSWORD / APPLE_SIGNING_IDENTITY / APPLE_ID / APPLE_PASSWORD / APPLE_TEAM_ID is empty at build time. The 0.10.20 macOS-x64 row apparently shipped under exactly this condition, producing a CS_LINKER_SIGNED-only binary that taskgated rejects with "Code Signature Invalid" the moment dyld_start runs. Add a one-step guard ahead of the tauri-action step that runs only on macOS matrix rows and exits non-zero (with a ::error:: annotation naming the missing variables) if any of the six are unset. Costs ~200ms of CI time, turns this exact failure mode into a loud red X.
1 parent a7457e1 commit d314b25

1 file changed

Lines changed: 31 additions & 0 deletions

File tree

.github/workflows/release-desktop.yml

Lines changed: 31 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -168,6 +168,37 @@ jobs:
168168
conf.bundle.createUpdaterArtifacts = true;
169169
fs.writeFileSync('src-tauri/tauri.conf.json', JSON.stringify(conf, null, 2) + '\n');
170170
171+
# Defensive check: tauri-action silently produces an unsigned macOS
172+
# bundle if any signing/notarization secret is empty at build time.
173+
# When that ships, users see "the application can't be opened" with
174+
# no Gatekeeper dialog because taskgated rejects the binary before
175+
# dyld_start completes (CS_LINKER_SIGNED only, no Developer ID).
176+
# Fail fast here so a misconfigured run is a loud red X instead of
177+
# a broken release.
178+
- name: Require macOS signing secrets on macOS rows
179+
if: runner.os == 'macOS'
180+
shell: bash
181+
env:
182+
APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
183+
APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
184+
APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
185+
APPLE_ID: ${{ secrets.APPLE_ID }}
186+
APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
187+
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
188+
run: |
189+
missing=()
190+
[ -z "$APPLE_CERTIFICATE" ] && missing+=("APPLE_CERTIFICATE")
191+
[ -z "$APPLE_CERTIFICATE_PASSWORD" ] && missing+=("APPLE_CERTIFICATE_PASSWORD")
192+
[ -z "$APPLE_SIGNING_IDENTITY" ] && missing+=("APPLE_SIGNING_IDENTITY")
193+
[ -z "$APPLE_ID" ] && missing+=("APPLE_ID")
194+
[ -z "$APPLE_PASSWORD" ] && missing+=("APPLE_PASSWORD")
195+
[ -z "$APPLE_TEAM_ID" ] && missing+=("APPLE_TEAM_ID")
196+
if [ ${#missing[@]} -gt 0 ]; then
197+
echo "::error::Refusing to build unsigned macOS bundle on ${{ matrix.label }}. Missing secrets: ${missing[*]}"
198+
exit 1
199+
fi
200+
echo "All Apple signing/notary secrets present for ${{ matrix.label }}."
201+
171202
- name: Build and release Tauri app
172203
uses: tauri-apps/tauri-action@fce9c6108b31ea247710505d3aaaa893ee6768d4 # v0
173204
env:

0 commit comments

Comments
 (0)