macOS code signing and notarization #3

Workflow file for this run

.github/workflows/codesign.yml at 109b190

	name: Codesign

	on:
	push:
	branches: [ "main", "next" ]
	pull_request:
	branches: [ "main", "next" ]

	permissions:
	contents: read

	# Testing codesigning on macOS runners
	# https://docs.github.com/en/actions/deployment/deploying-xcode-applications/installing-an-apple-certificate-on-macos-runners-for-xcode-development

	jobs:
	build_with_signing:
	runs-on: macos-latest

	steps:
	- name: Checkout repository
	uses: actions/checkout@v4
	- name: Install the Apple certificate and provisioning profile
	env:
	BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
	P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
	BUILD_PROVISION_PROFILE_BASE64: ${{ secrets.BUILD_PROVISION_PROFILE_BASE64 }}
	KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
	run: \|
	# create variables
	CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
	PP_PATH=$RUNNER_TEMP/build_pp.mobileprovision
	KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db

	# import certificate and provisioning profile from secrets
	echo -n "$BUILD_CERTIFICATE_BASE64" \| base64 --decode -o $CERTIFICATE_PATH
	echo -n "$BUILD_PROVISION_PROFILE_BASE64" \| base64 --decode -o $PP_PATH

	# create temporary keychain
	security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
	security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
	security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH

	# import certificate to keychain
	security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
	security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
	security list-keychain -d user -s $KEYCHAIN_PATH

	# apply provisioning profile
	mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
	cp $PP_PATH ~/Library/MobileDevice/Provisioning\ Profiles
	- name: Fetch PaperAge release
	uses: robinraju/[email protected]
	with:
	repository: "matiaskorhonen/paper-age"
	latest: true
	extract: true
	fileName: paper-age-universal-apple-darwin.tar.gz
	out-file-path: tmp
	- name: Show the contents of the release
	run: ls -la tmp
	- name: Sign the binary
	env:
	CODESIGN_IDENTITY: "7FP48PW9TN"
	IDENTITY: "fi.matias.korhonen.paper-age"
	run: \|
	# sign the binary
	codesign --force --sign "$CODESIGN_IDENTITY" --identifier "$IDENTIFIER" tmp/paper-age
	- name: Upload the signed binary
	uses: actions/upload-artifact@v4
	with:
	name: signed-paper-age
	path: tmp/paper-age
	retention-days: 7
	- name: Clean up keychain and provisioning profile
	if: ${{ always() }}
	run: \|
	security delete-keychain $RUNNER_TEMP/app-signing.keychain-db
	rm ~/Library/MobileDevice/Provisioning\ Profiles/build_pp.mobileprovision

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

macOS code signing and notarization #3

Workflow file

macOS code signing and notarization #3

Jobs

Run details

Workflow file for this run