fix(ci): use || RC=$? to prevent set -e suppressing openssl diagnostics

katipally · Copilot · katipally · commit 6db0fb72658a · 2026-05-23T06:58:03.000-07:00
With set -euo pipefail, 'OPENSSL_OUT="$(cmd)"' exits the script
immediately when cmd fails — before the error echo runs. Use the
'|| RC=$?' pattern so set -e is not triggered and the error output
is actually printed to the log.

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/.github/workflows/ios-testflight.yml b/.github/workflows/ios-testflight.yml
@@ -148,24 +148,25 @@ jobs:
 
           # Normalize via openssl so CryptoKit gets a canonical PEM structure
           # (correct line width, no stray bytes, clean header/footer).
-          # Show the error if it fails — the error message is not secret data.
-          OPENSSL_OUT="$(openssl pkey -in "$RAW_FILE" -out "$KEY_FILE" 2>&1)"
-          OPENSSL_RC=$?
+          # Use || RC=$? to prevent set -e from triggering — we handle the failure.
+          OPENSSL_RC=0
+          OPENSSL_OUT="$(openssl pkey -in "$RAW_FILE" -out "$KEY_FILE" 2>&1)" || OPENSSL_RC=$?
           if [ $OPENSSL_RC -eq 0 ]; then
             echo "Key normalized via openssl pkey"
           else
             echo "openssl pkey failed (rc=${OPENSSL_RC}): ${OPENSSL_OUT}"
-            # Try pkcs8 sub-command as fallback (handles PKCS#8 keys explicitly)
-            OPENSSL_OUT2="$(openssl pkcs8 -nocrypt -in "$RAW_FILE" -out "$KEY_FILE" 2>&1)"
-            if [ $? -eq 0 ]; then
+            # Try pkcs8 sub-command as fallback
+            OPENSSL_RC2=0
+            OPENSSL_OUT2="$(openssl pkcs8 -nocrypt -in "$RAW_FILE" -out "$KEY_FILE" 2>&1)" || OPENSSL_RC2=$?
+            if [ $OPENSSL_RC2 -eq 0 ]; then
               echo "Key normalized via openssl pkcs8"
             else
-              echo "openssl pkcs8 also failed: ${OPENSSL_OUT2}"
+              echo "openssl pkcs8 also failed (rc=${OPENSSL_RC2}): ${OPENSSL_OUT2}"
               cp "$RAW_FILE" "$KEY_FILE"
               echo "Warning: using cleaned raw key without openssl normalization"
             fi
           fi
-          # Print first line (PEM header) for diagnostics — not secret content
+          # Print PEM header for diagnostics (not secret content)
           HEADER=$(head -1 "$RAW_FILE")
           echo "PEM header line: '${HEADER}'"
           rm -f "$RAW_FILE"
