diff --git a/action.yml b/action.yml
index 48b7df9..34fbf0f 100644
--- a/action.yml
+++ b/action.yml
@@ -248,55 +248,42 @@ runs:
 $bytes = [Convert]::FromBase64String("${{ inputs.certificate-data }}")
 [IO.File]::WriteAllBytes("${{ steps.code-sign-action-internal.outputs.signcert }}", $bytes)
- # - name: Sign on ${{ steps.code-sign-action-internal.outputs.os }} with ${{ steps.code-sign-action-internal.outputs.signtool }}
- # shell: bash
- # if: runner.os == 'Linux' && !inputs.keylocker-host
- # run: |
- # echo "::warning:: Currently not supported on Linux!"
-
- # - name: Sign
- # shell: bash
- # if: runner.os == 'macOS'
- # env:
- # FILE: ${{ inputs.file }}
- # OPTIONS: ${{ inputs.options }}
- # APPLE_CERT_DATA: ${{ inputs.certificate-data }}
- # APPLE_CERT_PASSWORD: ${{ inputs.certificate-password }}
- # APPLE_TEAM_ID: ${{ inputs.apple-team-id }}
- # run: |
- # # Setup
- # SIGNFILE="$(pwd)/$FILE"
-
- # # Throw error if file does not exist
- # if [ ! -f "$SIGNFILE" ]; then
- # echo "$SIGNFILE does not exist!"
- # exit 5
- # fi
-
- # # Export certs
- # echo "$APPLE_CERT_DATA" | base64 --decode > /tmp/certs.p12
+ # signing with codesign on macos
+ - name: Signing with ${{ steps.code-sign-action-internal.outputs.signtool }} (${{ steps.code-sign-action-internal.outputs.os }})
+ shell: bash
+ if: steps.code-sign-action-internal.outputs.signtool == 'codesign'
+ run: |
+ # Setup
+ SIGNFILE="${{ steps.code-sign-action-internal.outputs.file }}"
+ SIGNCERT="${{ steps.code-sign-action-internal.outputs.signcert }}"
+
+ # Throw error if file does not exist
+ if [ ! -f "$SIGNFILE" ]; then
+ echo "$SIGNFILE does not exist!"
+ exit 5
+ fi
- # # Create keychain
- # security create-keychain -p actions macos-build.keychain
- # security default-keychain -s macos-build.keychain
- # security unlock-keychain -p actions macos-build.keychain
- # security set-keychain-settings -t 3600 -u macos-build.keychain
+ # Create keychain
+ security create-keychain -p actions macos-build.keychain
+ security default-keychain -s macos-build.keychain
+ security unlock-keychain -p actions macos-build.keychain
+ security set-keychain-settings -t 3600 -u macos-build.keychain
- # # Import certs to keychain
- # security import /tmp/certs.p12 -k ~/Library/Keychains/macos-build.keychain -P "$APPLE_CERT_PASSWORD" -T /usr/bin/codesign -T /usr/bin/productsign
+ # Import certs to keychain
+ security import "$SIGNCERT" -k ~/Library/Keychains/macos-build.keychain -P "${{ inputs.certificate-password }}" -T /usr/bin/codesign -T /usr/bin/productsign
- # # Key signing
- # security set-key-partition-list -S apple-tool:,apple: -s -k actions macos-build.keychain
+ # Key signing
+ security set-key-partition-list -S apple-tool:,apple: -s -k actions macos-build.keychain
- # # Verify keychain things
- # security find-identity -v macos-build.keychain | grep "$APPLE_TEAM_ID" | grep "Developer ID Application"
- # security find-identity -v macos-build.keychain | grep "$APPLE_TEAM_ID" | grep "Developer ID Installer"
+ # Verify keychain things
+ security find-identity -v macos-build.keychain | grep "${{ inputs.apple-team-id }}" | grep "Developer ID Application"
+ security find-identity -v macos-build.keychain | grep "${{ inputs.apple-team-id }}" | grep "Developer ID Installer"
- # # Force the codesignature
- # codesign --force $OPTIONS -s "$APPLE_TEAM_ID" "$SIGNFILE"
+ # Force the codesignature
+ codesign --force ${{ inputs.options }} -s "${{ inputs.apple-team-id }}" "$SIGNFILE"
- # # Verify the code signature
- # codesign -v "$SIGNFILE" --verbose
+ # Verify the code signature
+ codesign -v "$SIGNFILE" --verbose
 # - name: Set KeyLocker Variables
 # id: variables
@@ -424,10 +411,10 @@ runs:
 # shell: bash
 # run: codesign -vvvv -R="notarized" --check-notarization ${{ inputs.file }}
- # - name: Set outputs
- # shell: bash
- # id: code-sign-action
- # run: |
- # echo "::group::Setting outputs"
- # echo "file=$(pwd)/${{ inputs.file }}" >> $GITHUB_OUTPUT
- # echo "::endgroup::"
+ - name: Set outputs
+ shell: bash
+ id: code-sign-action
+ run: |
+ echo "::group::Setting outputs"
+ echo "file=${{ steps.code-sign-action-internal.outputs.file }}" >> $GITHUB_OUTPUT
+ echo "::endgroup::"
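Review bot: The new `security import`, `security find-identity` and `codesign --force` lines expand `${{ inputs.certificate-password }}`, `${{ inputs.apple-team-id }}` and `${{ inputs.options }}` straight into the bash script, so the values are substituted before the shell parses the step: a password containing a quote or `$` breaks the `-P` argument, and any caller-controlled value can alter what the step executes, whereas the removed block read the same three values through `env:` (`APPLE_CERT_PASSWORD`, `APPLE_TEAM_ID`, `OPTIONS`) and so kept them out of the script text. Restore that pattern by declaring the three inputs under `env:` on the step and referencing the variables in the script, as below (`$OPTIONS` stays unquoted to keep the intended word splitting). Separately, the keychain is created with the fixed password `actions` and nothing deletes it; on a self-hosted runner the imported signing identity remains in `~/Library/Keychains/macos-build.keychain` after the job and a rerun's `security create-keychain` is likely to fail because the keychain already exists, so an `if: always()` cleanup step running `security delete-keychain macos-build.keychain` would be worth adding.
```yaml
      - name: Signing with ${{ steps.code-sign-action-internal.outputs.signtool }} (${{ steps.code-sign-action-internal.outputs.os }})
        # … unchanged: shell, if …
        env:
          APPLE_CERT_PASSWORD: ${{ inputs.certificate-password }}
          APPLE_TEAM_ID: ${{ inputs.apple-team-id }}
          OPTIONS: ${{ inputs.options }}
        run: |
          # … unchanged: SIGNFILE/SIGNCERT setup, existence check, keychain creation …
          security import "$SIGNCERT" -k ~/Library/Keychains/macos-build.keychain -P "$APPLE_CERT_PASSWORD" -T /usr/bin/codesign -T /usr/bin/productsign
          # … unchanged: set-key-partition-list …
          security find-identity -v macos-build.keychain | grep "$APPLE_TEAM_ID" | grep "Developer ID Application"
          security find-identity -v macos-build.keychain | grep "$APPLE_TEAM_ID" | grep "Developer ID Installer"
          # … unchanged: comment …
          codesign --force $OPTIONS -s "$APPLE_TEAM_ID" "$SIGNFILE"
          # … unchanged: signature verification …
```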