|
|
|
|
@@ -84,11 +84,17 @@ jobs:
|
|
|
|
|
: "${APPSTORE_PROVISIONING_PROFILE_BASE64:?APPSTORE_PROVISIONING_PROFILE_BASE64 secret is required}"
|
|
|
|
|
|
|
|
|
|
keychain_password="$(uuidgen)"
|
|
|
|
|
keychain_name="${SIGNING_KEYCHAIN}.keychain"
|
|
|
|
|
previous_default_keychain="$(security default-keychain -d user | sed 's/[ "]//g' || true)"
|
|
|
|
|
if [[ "${previous_default_keychain}" == *"/${SIGNING_KEYCHAIN}"* || ! -e "${previous_default_keychain}" ]]; then
|
|
|
|
|
previous_default_keychain=""
|
|
|
|
|
fi
|
|
|
|
|
developer_dir="$(xcode-select -p)"
|
|
|
|
|
signing_dir="$(mktemp -d "${RUNNER_TEMP:-${TMPDIR:-/tmp}}/sybil-signing.XXXXXX")"
|
|
|
|
|
mkdir -p "${HOME}/Library/Keychains"
|
|
|
|
|
keychain_dir="$(cd "${HOME}/Library/Keychains" && pwd -P)"
|
|
|
|
|
keychain_path="${keychain_dir}/${SIGNING_KEYCHAIN}-${GITHUB_RUN_ID:-$(uuidgen)}.keychain-db"
|
|
|
|
|
certificate_path="${signing_dir}/appstore-signing.p12"
|
|
|
|
|
wwdr_certificate_path="${signing_dir}/AppleWWDRCAG3.cer"
|
|
|
|
|
profile_path="${signing_dir}/Sybil_AppStore_CI.mobileprovision"
|
|
|
|
|
profile_plist="${signing_dir}/profile.plist"
|
|
|
|
|
old_profile_dir="${HOME}/Library/MobileDevice/Provisioning Profiles"
|
|
|
|
|
@@ -97,7 +103,8 @@ jobs:
|
|
|
|
|
|
|
|
|
|
printf '%s' "${APPSTORE_CERTIFICATES_FILE_BASE64}" | base64 --decode > "${certificate_path}"
|
|
|
|
|
printf '%s' "${APPSTORE_PROVISIONING_PROFILE_BASE64}" | base64 --decode > "${profile_path}"
|
|
|
|
|
security cms -D -i "${profile_path}" > "${profile_plist}"
|
|
|
|
|
curl -fsSL https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer -o "${wwdr_certificate_path}"
|
|
|
|
|
openssl smime -inform DER -verify -noverify -in "${profile_path}" -out "${profile_plist}" >/dev/null
|
|
|
|
|
profile_uuid="$(/usr/libexec/PlistBuddy -c 'Print UUID' "${profile_plist}")"
|
|
|
|
|
profile_name="$(/usr/libexec/PlistBuddy -c 'Print Name' "${profile_plist}")"
|
|
|
|
|
old_profile_path="${old_profile_dir}/${profile_uuid}.mobileprovision"
|
|
|
|
|
@@ -109,25 +116,43 @@ jobs:
|
|
|
|
|
cp "${profile_path}" "${old_named_profile_path}"
|
|
|
|
|
cp "${profile_path}" "${xcode_named_profile_path}"
|
|
|
|
|
|
|
|
|
|
security create-keychain -p "${keychain_password}" "${keychain_name}"
|
|
|
|
|
security set-keychain-settings -lut 21600 "${keychain_name}"
|
|
|
|
|
security unlock-keychain -p "${keychain_password}" "${keychain_name}"
|
|
|
|
|
base_keychains=()
|
|
|
|
|
while IFS= read -r existing_keychain; do
|
|
|
|
|
[[ -z "${existing_keychain}" ]] && continue
|
|
|
|
|
[[ "${existing_keychain}" == *"/${SIGNING_KEYCHAIN}"* ]] && continue
|
|
|
|
|
[[ ! -e "${existing_keychain}" ]] && continue
|
|
|
|
|
base_keychains+=("${existing_keychain}")
|
|
|
|
|
done < <(security list-keychains -d user | sed 's/[ "]//g')
|
|
|
|
|
|
|
|
|
|
security delete-keychain "${keychain_path}" >/dev/null 2>&1 || true
|
|
|
|
|
rm -f "${keychain_path}"
|
|
|
|
|
security create-keychain -p "${keychain_password}" "${keychain_path}"
|
|
|
|
|
security set-keychain-settings -lut 21600 "${keychain_path}"
|
|
|
|
|
security unlock-keychain -p "${keychain_password}" "${keychain_path}"
|
|
|
|
|
security import "${wwdr_certificate_path}" \
|
|
|
|
|
-k "${keychain_path}" \
|
|
|
|
|
-T /usr/bin/codesign \
|
|
|
|
|
-T /usr/bin/security \
|
|
|
|
|
-T /usr/bin/xcodebuild
|
|
|
|
|
security import "${certificate_path}" \
|
|
|
|
|
-k "${keychain_name}" \
|
|
|
|
|
-f pkcs12 \
|
|
|
|
|
-k "${keychain_path}" \
|
|
|
|
|
-P "${APPSTORE_CERTIFICATES_PASSWORD}" \
|
|
|
|
|
-T /usr/bin/codesign \
|
|
|
|
|
-T /usr/bin/security \
|
|
|
|
|
-T /usr/bin/xcodebuild \
|
|
|
|
|
-T "${developer_dir}/usr/bin/xcodebuild"
|
|
|
|
|
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${keychain_password}" "${keychain_name}"
|
|
|
|
|
security list-keychains -d user -s "${keychain_name}" $(security list-keychains -d user | sed 's/[ "]//g')
|
|
|
|
|
security default-keychain -d user -s "${keychain_name}"
|
|
|
|
|
security find-identity -v -p codesigning "${keychain_name}"
|
|
|
|
|
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${keychain_password}" "${keychain_path}"
|
|
|
|
|
if [[ "${#base_keychains[@]}" -gt 0 ]]; then
|
|
|
|
|
security list-keychains -d user -s "${keychain_path}" "${base_keychains[@]}"
|
|
|
|
|
else
|
|
|
|
|
security list-keychains -d user -s "${keychain_path}"
|
|
|
|
|
fi
|
|
|
|
|
security default-keychain -d user -s "${keychain_path}"
|
|
|
|
|
security find-identity -v -p codesigning "${keychain_path}"
|
|
|
|
|
security find-identity -v -p codesigning
|
|
|
|
|
echo "Installed ${profile_name} (${profile_uuid}) provisioning profile"
|
|
|
|
|
{
|
|
|
|
|
echo "SYBIL_SIGNING_KEYCHAIN_PATH=${keychain_name}"
|
|
|
|
|
echo "SYBIL_SIGNING_KEYCHAIN_PATH=${keychain_path}"
|
|
|
|
|
echo "SYBIL_SIGNING_KEYCHAIN_PASSWORD=${keychain_password}"
|
|
|
|
|
echo "SYBIL_PREVIOUS_DEFAULT_KEYCHAIN=${previous_default_keychain}"
|
|
|
|
|
echo "SYBIL_PROVISIONING_PROFILE_UUID=${profile_uuid}"
|
|
|
|
|
@@ -255,5 +280,6 @@ jobs:
|
|
|
|
|
"${SYBIL_XCODE_PROFILE_PATH:-}" \
|
|
|
|
|
"${SYBIL_OLD_NAMED_PROFILE_PATH:-}" \
|
|
|
|
|
"${SYBIL_XCODE_NAMED_PROFILE_PATH:-}"
|
|
|
|
|
security delete-keychain "${SYBIL_SIGNING_KEYCHAIN_PATH:-${HOME}/Library/Keychains/${SIGNING_KEYCHAIN}.keychain-db}" || true
|
|
|
|
|
rm -f "${HOME}/Library/Keychains/${SIGNING_KEYCHAIN}-"*.keychain-db
|
|
|
|
|
rm -rf "${SYBIL_SIGNING_DIR:-}"
|
|
|
|
|
security delete-keychain "${SIGNING_KEYCHAIN}.keychain" || true
|
|
|
|
|
|
