macos codesigning

lando · Nov 18, 2024 · 59a4d0c · 59a4d0c
1 parent ef4f225
commit 59a4d0c
Showing 1 changed file with 37 additions and 50 deletions.
diff --git a/action.yml b/action.yml
@@ -248,55 +248,42 @@ runs:
         $bytes = [Convert]::FromBase64String("${{ inputs.certificate-data }}")
         [IO.File]::WriteAllBytes("${{ steps.code-sign-action-internal.outputs.signcert }}", $bytes)
 
-    # - name: Sign on ${{ steps.code-sign-action-internal.outputs.os }} with ${{ steps.code-sign-action-internal.outputs.signtool }}
-    #   shell: bash
-    #   if: runner.os == 'Linux' && !inputs.keylocker-host
-    #   run: |
-    #     echo "::warning:: Currently not supported on Linux!"
-
-    # - name: Sign
-    #   shell: bash
-    #   if: runner.os == 'macOS'
-    #   env:
-    #     FILE: ${{ inputs.file }}
-    #     OPTIONS: ${{ inputs.options }}
-    #     APPLE_CERT_DATA: ${{ inputs.certificate-data }}
-    #     APPLE_CERT_PASSWORD: ${{ inputs.certificate-password }}
-    #     APPLE_TEAM_ID: ${{ inputs.apple-team-id }}
-    #   run: |
-    #     # Setup
-    #     SIGNFILE="$(pwd)/$FILE"
-
-    #     # Throw error if file does not exist
-    #     if [ ! -f "$SIGNFILE" ]; then
-    #       echo "$SIGNFILE does not exist!"
-    #       exit 5
-    #     fi
-
-    #     # Export certs
-    #     echo "$APPLE_CERT_DATA" | base64 --decode > /tmp/certs.p12
+    # signing with codesign on macos
+    - name: Signing with ${{ steps.code-sign-action-internal.outputs.signtool }} (${{ steps.code-sign-action-internal.outputs.os }})
+      shell: bash
+      if: steps.code-sign-action-internal.outputs.signtool == 'codesign'
+      run: |
+        # Setup
+        SIGNFILE="${{ steps.code-sign-action-internal.outputs.file }}"
+        SIGNCERT="${{ steps.code-sign-action-internal.outputs.signcert }}"
+
+        # Throw error if file does not exist
+        if [ ! -f "$SIGNFILE" ]; then
+          echo "$SIGNFILE does not exist!"
+          exit 5
+        fi
 
-    #     # Create keychain
-    #     security create-keychain -p actions macos-build.keychain
-    #     security default-keychain -s macos-build.keychain
-    #     security unlock-keychain -p actions macos-build.keychain
-    #     security set-keychain-settings -t 3600 -u macos-build.keychain
+        # Create keychain
+        security create-keychain -p actions macos-build.keychain
+        security default-keychain -s macos-build.keychain
+        security unlock-keychain -p actions macos-build.keychain
+        security set-keychain-settings -t 3600 -u macos-build.keychain
 
-    #     # Import certs to keychain
-    #     security import /tmp/certs.p12 -k ~/Library/Keychains/macos-build.keychain -P "$APPLE_CERT_PASSWORD" -T /usr/bin/codesign -T /usr/bin/productsign
+        # Import certs to keychain
+        security import "$SIGNCERT" -k ~/Library/Keychains/macos-build.keychain -P "${{ inputs.certificate-password }}" -T /usr/bin/codesign -T /usr/bin/productsign
 
-    #     # Key signing
-    #     security set-key-partition-list -S apple-tool:,apple: -s -k actions macos-build.keychain
+        # Key signing
+        security set-key-partition-list -S apple-tool:,apple: -s -k actions macos-build.keychain
 
-    #     # Verify keychain things
-    #     security find-identity -v macos-build.keychain | grep "$APPLE_TEAM_ID" | grep "Developer ID Application"
-    #     security find-identity -v macos-build.keychain | grep "$APPLE_TEAM_ID" | grep "Developer ID Installer"
+        # Verify keychain things
+        security find-identity -v macos-build.keychain | grep "${{ inputs.apple-team-id }}" | grep "Developer ID Application"
+        security find-identity -v macos-build.keychain | grep "${{ inputs.apple-team-id }}" | grep "Developer ID Installer"
 
-    #     # Force the codesignature
-    #     codesign --force $OPTIONS -s "$APPLE_TEAM_ID" "$SIGNFILE"
+        # Force the codesignature
+        codesign --force ${{ inputs.options }} -s "${{ inputs.apple-team-id }}" "$SIGNFILE"
 
-    #     # Verify the code signature
-    #     codesign -v "$SIGNFILE" --verbose
+        # Verify the code signature
+        codesign -v "$SIGNFILE" --verbose
 
     # - name: Set KeyLocker Variables
     #   id: variables
@@ -424,10 +411,10 @@ runs:
     #   shell: bash
     #   run: codesign -vvvv -R="notarized" --check-notarization ${{ inputs.file }}
 
-    # - name: Set outputs
-    #   shell: bash
-    #   id: code-sign-action
-    #   run: |
-    #     echo "::group::Setting outputs"
-    #     echo "file=$(pwd)/${{ inputs.file }}" >> $GITHUB_OUTPUT
-    #     echo "::endgroup::"
+    - name: Set outputs
+      shell: bash
+      id: code-sign-action
+      run: |
+        echo "::group::Setting outputs"
+        echo "file=${{ steps.code-sign-action-internal.outputs.file }}" >> $GITHUB_OUTPUT
+        echo "::endgroup::"