@@ -343,24 +343,39 @@ jobs:
343343 name : salt-${{ inputs.salt-version }}-onedir-macos-${{ matrix.arch }}.tar.xz
344344 path : artifacts/
345345
346- - name : Prepare Package Signing
346+ - name : Setup Keychain
347347 if : ${{ steps.check-pkg-sign.outputs.sign-pkgs == 'true' }}
348+ env :
349+ APP_CERT_BASE64 : " ${{ secrets.MAC_SIGN_DEV_APP_CERT_B64 }}"
350+ INS_CERT_BASE64 : " ${{ secrets.MAC_SIGN_DEV_INSTALL_CERT_B64 }}"
351+ SIGNING_PASSWORD : " ${{ secrets.MAC_SIGN_DEV_PASSWORD }}"
352+ KEYCHAIN_NAME : " ${{ secrets.MAC_SIGN_DEV_KEYCHAIN }}"
348353 run : |
349- echo ${{ secrets.MAC_SIGN_DEV_APP_CERT_B64 }} | base64 --decode > app-cert.p12
350- echo ${{ secrets.MAC_SIGN_DEV_INSTALL_CERT_B64 }} | base64 --decode > install-cert.p12
351- # Create SaltSigning keychain. This will contain the certificates for signing
352- security create-keychain -p "${{ secrets.MAC_SIGN_DEV_PASSWORD }}" "${{ secrets.MAC_SIGN_DEV_KEYCHAIN }}"
353- # Append SaltSigning keychain to the search list
354- security list-keychains -d user -s "${{ secrets.MAC_SIGN_DEV_KEYCHAIN }}" "$(security list-keychains -d user | sed s/\"//g)"
355- # Unlock the keychain so we can import certs
356- security unlock-keychain -p "${{ secrets.MAC_SIGN_DEV_PASSWORD }}" "${{ secrets.MAC_SIGN_DEV_KEYCHAIN }}"
357- # Developer Application Certificate
358- security import "app-cert.p12" -t agg -k "${{ secrets.MAC_SIGN_DEV_KEYCHAIN }}" -P "${{ secrets.MAC_SIGN_DEV_PASSWORD }}" -A
359- rm app-cert.p12
360- # Developer Installer Certificate
361- security import "install-cert.p12" -t agg -k "${{ secrets.MAC_SIGN_DEV_KEYCHAIN }}" -P "${{ secrets.MAC_SIGN_DEV_PASSWORD }}" -A
362- rm install-cert.p12
363- security set-key-partition-list -S apple-tool:,apple: -k "${{ secrets.MAC_SIGN_DEV_PASSWORD }}" "${{ secrets.MAC_SIGN_DEV_KEYCHAIN }}" &> /dev/null
354+ # https://docs.github.com/en/actions/how-tos/deploy/deploy-to-third-party-platforms/sign-xcode-applications#add-a-step-to-your-workflow
355+
356+ # Create variables
357+ APP_CERT_PATH="$RUNNER_TEMP/app_cert.p12"
358+ INS_CERT_PATH="$RUNNER_TEMP/installer_cert.p12"
359+ KEYCHAIN_PATH="$RUNNER_TEMP/$KEYCHAIN_NAME"
360+
361+ # Decode certificates from secrets
362+ echo -n "$APP_CERT_BASE64" | base64 --decode -o "$APP_CERT_PATH"
363+ echo -n "$INS_CERT_BASE64" | base64 --decode -o "$INS_CERT_PATH"
364+
365+ # Create temporary keychain
366+ security create-keychain -p "$SIGNING_PASSWORD" "$KEYCHAIN_PATH"
367+ security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
368+ security unlock-keychain -p "$SIGNING_PASSWORD" "$KEYCHAIN_PATH"
369+
370+ # Import certificates to keychain
371+ security import "$APP_CERT_PATH" -P "$SIGNING_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
372+ security import "$INS_CERT_PATH" -P "$SIGNING_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
373+ security set-key-partition-list -S apple-tool,apple: -k "$SIGNING_PASSWORD" "$KEYCHAIN_PATH"
374+ security list-keychain -d user -s "$KEYCHAIN_PATH"
375+
376+ # Cleanup certificate files
377+ rm "$APP_CERT_PATH"
378+ rm "$INS_CERT_PATH"
364379
365380 - name : Build MacOS Package
366381 env :
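Review bot: The partition list on new line 373 drops the colon from the first partition id, `-S apple-tool,apple:`, while the removed line 363 used `apple-tool:,apple:`; the colon is part of the id, so the imported keys will likely not be granted to codesign/productsign without an interactive prompt, and the line should read `security set-key-partition-list -S apple-tool:,apple: -k "$SIGNING_PASSWORD" "$KEYCHAIN_PATH"`. The decoded .p12 files are only removed when every earlier command succeeds, so a failed `security import` leaves the private key material in `$RUNNER_TEMP`; adding `trap 'rm -f "$APP_CERT_PATH" "$INS_CERT_PATH"' EXIT` right after the two paths are defined covers that case. If the leading space inside the quoted env values, `" ${{ secrets.MAC_SIGN_DEV_KEYCHAIN }}"`, is really in the file rather than a rendering artifact, `KEYCHAIN_PATH` and the base64 input inherit it and the intended form is `"${{ secrets.MAC_SIGN_DEV_KEYCHAIN }}"`; the same applies to the env value in the Clean Keychain step in the next hunk.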
@@ -382,6 +397,19 @@ jobs:
382397 format('--salt-version {0}', inputs.salt-version)
383398 }}
384399
400+ - name : Clean Keychain
401+ if : ${{ steps.check-pkg-sign.outputs.sign-pkgs == 'true' }}
402+ env :
403+ KEYCHAIN_NAME : " ${{ secrets.MAC_SIGN_DEV_KEYCHAIN }}"
404+ run : |
405+ # https://docs.github.com/en/actions/how-tos/deploy/deploy-to-third-party-platforms/sign-xcode-applications#add-a-step-to-your-workflow
406+
407+ # Create Variables
408+ KEYCHAIN_PATH="$RUNNER_TEMP/$KEYCHAIN_NAME"
409+
410+ # Cleanup
411+ security delete-keychain "$KEYCHAIN_PATH"
412+
385413 - name : Set Artifact Name
386414 id : set-artifact-name
387415 run : |
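Review bot: The Clean Keychain step only runs when the job reaches it without an earlier failure, so a failing Build MacOS Package step leaves the unlocked keychain with the signing keys on the runner; the condition on new line 401 should be `if: ${{ always() && steps.check-pkg-sign.outputs.sign-pkgs == 'true' }}`. With `always()` the step also runs when Setup Keychain aborted before `create-keychain`, so `security delete-keychain "$KEYCHAIN_PATH" || true` (or an existence check first) keeps a missing keychain from being reported as a second failure.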