fix(distribution): import both Apple Development and Developer ID Application certs

ebreen · ebreen · commit 201c8740abe3 · 2026-02-06T21:29:34.000+01:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -27,37 +27,41 @@ jobs:
       - name: Install tools
         run: brew install create-dmg xcodegen
 
-      - name: Import code signing certificate
+      - name: Import code signing certificates
         env:
+          DEV_CERTIFICATE_BASE64: ${{ secrets.DEV_CERTIFICATE_BASE64 }}
+          DEV_P12_PASSWORD: ${{ secrets.DEV_P12_PASSWORD }}
           BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
           P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
           KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
         run: |
-          CERTIFICATE_PATH="$RUNNER_TEMP/build_certificate.p12"
           KEYCHAIN_PATH="$RUNNER_TEMP/app-signing.keychain-db"
 
-          echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o "$CERTIFICATE_PATH"
-
           security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
           security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
           security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
 
-          security import "$CERTIFICATE_PATH" -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
+          # Import Apple Development cert (used by archive with automatic signing)
+          echo -n "$DEV_CERTIFICATE_BASE64" | base64 --decode -o "$RUNNER_TEMP/dev_certificate.p12"
+          security import "$RUNNER_TEMP/dev_certificate.p12" -P "$DEV_P12_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
+
+          # Import Developer ID Application cert (used by exportArchive for distribution)
+          echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o "$RUNNER_TEMP/build_certificate.p12"
+          security import "$RUNNER_TEMP/build_certificate.p12" -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
+
           security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
 
           # Make keychain visible to xcodebuild for both archive and export
           security default-keychain -s "$KEYCHAIN_PATH"
           security list-keychain -d user -s "$KEYCHAIN_PATH" /Library/Keychains/System.keychain
 
-          # Verify the correct certificate type is present
-          echo "Checking for Developer ID Application certificate..."
+          # Verify both certificates are present
+          echo "Installed codesigning identities:"
+          security find-identity -v -p codesigning "$KEYCHAIN_PATH"
           if ! security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep -q "Developer ID Application"; then
-            echo "::error::BUILD_CERTIFICATE_BASE64 does not contain a Developer ID Application certificate."
-            echo "Found identities:"
-            security find-identity -v -p codesigning "$KEYCHAIN_PATH"
+            echo "::error::BUILD_CERTIFICATE_BASE64 must contain a Developer ID Application certificate."
             exit 1
           fi
-          security find-identity -v -p codesigning "$KEYCHAIN_PATH"
 
       - name: Install provisioning profiles
         env:
@@ -80,20 +84,28 @@ jobs:
           /usr/libexec/PlistBuddy -c "Set :CFBundleVersion ${{ github.run_number }}" CloudMount/Info.plist
           /usr/libexec/PlistBuddy -c "Set :CFBundleVersion ${{ github.run_number }}" CloudMountExtension/Info.plist
 
+      - name: Decode API key for Xcode
+        env:
+          APP_STORE_CONNECT_KEY_BASE64: ${{ secrets.APP_STORE_CONNECT_KEY_BASE64 }}
+        run: |
+          echo -n "$APP_STORE_CONNECT_KEY_BASE64" | base64 --decode -o "$RUNNER_TEMP/AuthKey.p8"
+
       - name: Archive
         env:
           TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
-          SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
+          API_KEY_ID: ${{ secrets.API_KEY_ID }}
+          API_ISSUER_ID: ${{ secrets.API_ISSUER_ID }}
         run: |
           xcodebuild archive \
             -project CloudMount.xcodeproj \
             -scheme CloudMount \
             -archivePath "$RUNNER_TEMP/CloudMount.xcarchive" \
             -configuration Release \
-            CODE_SIGN_STYLE=Manual \
-            CODE_SIGN_IDENTITY="$SIGNING_IDENTITY" \
-            DEVELOPMENT_TEAM="$TEAM_ID" \
-            PROVISIONING_PROFILE_SPECIFIER=""
+            -allowProvisioningUpdates \
+            -authenticationKeyPath "$RUNNER_TEMP/AuthKey.p8" \
+            -authenticationKeyID "$API_KEY_ID" \
+            -authenticationKeyIssuerID "$API_ISSUER_ID" \
+            DEVELOPMENT_TEAM="$TEAM_ID"
 
       - name: Export archive
         env:
