Files
geo/apps/desktop-client/scripts/ci-import-cert.sh
T
root a9af6c634c
Backend CI / Backend (push) Successful in 13m6s
Deployment Config CI / Deployment Config (push) Successful in 17s
Frontend CI / Frontend (push) Successful in 2m24s
chore(desktop-client): add macOS code-signing and notarization scaffolding
- Move the build config out of package.json into electron-builder.yml so
  the mac block can carry hardenedRuntime, entitlements, universal arch,
  and usage-description Info.plist keys. Drop identity:null (which
  forces unsigned builds) and let CSC_NAME or the keychain decide.
- Add entitlements plist files and three helper scripts: sign-setup.sh
  (one-time keychain prep with notarytool store-credentials),
  sign-mac.sh (sign + notarize + staple, supports keychain or CI env
  vars), and ci-import-cert.sh (CI keychain bootstrap).
- Ignore .env.signing so local credentials don't sneak into the repo,
  and pin @emnapi/{core,runtime} as devDependencies so universal builds
  resolve them deterministically.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-01 16:02:14 +08:00

64 lines
2.5 KiB
Bash
Executable File
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
#!/usr/bin/env bash
# CI 专用:把 base64 编码的 .p12 证书导入到一个临时钥匙串
# 仅在 CI 环境调用,本地不要跑(会污染你的登录钥匙串体验)
#
# 必需环境变量:
# CSC_LINK - base64 编码的 .p12 文件内容
# CSC_KEY_PASSWORD - .p12 文件的密码
# KEYCHAIN_PASSWORD - 临时钥匙串自身的密码(任意字符串,例如 secrets.GITHUB_TOKEN 截断都行)
#
# 副作用:创建 ~/Library/Keychains/build.keychain-db,已加入搜索路径并解锁
# 销毁:脚本注册了 trap,进程退出时自动 delete-keychain
set -euo pipefail
: "${CSC_LINK:?CI 必须提供 CSC_LINK (base64 .p12)}"
: "${CSC_KEY_PASSWORD:?CI 必须提供 CSC_KEY_PASSWORD}"
: "${KEYCHAIN_PASSWORD:?CI 必须提供 KEYCHAIN_PASSWORD(用于临时钥匙串自身)}"
KEYCHAIN_NAME="build.keychain"
CERT_PATH="$RUNNER_TEMP/build_certificate.p12"
[ -z "${RUNNER_TEMP:-}" ] && CERT_PATH="/tmp/build_certificate.p12"
# 1. 解码证书到临时文件
echo "$CSC_LINK" | base64 --decode > "$CERT_PATH"
# 2. 创建临时钥匙串
security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_NAME"
security set-keychain-settings -lut 21600 "$KEYCHAIN_NAME" # 6 小时不锁
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_NAME"
# 3. 导入 .p12(允许 codesign 和 productsign 不弹密码框)
security import "$CERT_PATH" \
-P "$CSC_KEY_PASSWORD" \
-A -t cert -f pkcs12 \
-k "$KEYCHAIN_NAME"
# 4. 关键:允许 codesign 不交互访问私钥
security set-key-partition-list \
-S apple-tool:,apple:,codesign: \
-s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_NAME" >/dev/null
# 5. 把临时钥匙串加进搜索路径(放第一位,登录钥匙串保留作 fallback)
security list-keychain -d user -s "$KEYCHAIN_NAME" $(security list-keychain -d user | tr -d '"')
# 6. 立即清理证书文件
rm -f "$CERT_PATH"
# 7. 输出实际可用的 identity 名(让 sign-mac.sh 拿到精确的 CSC_NAME
IDENTITY=$(security find-identity -v -p codesigning "$KEYCHAIN_NAME" \
| grep "Developer ID Application" | head -n1 \
| sed -E 's/.*"(Developer ID Application: [^"]+)".*/\1/')
if [ -z "$IDENTITY" ]; then
echo "✗ 导入后未在临时钥匙串里找到 Developer ID Application" >&2
exit 1
fi
echo "✓ 已导入证书到临时钥匙串: $KEYCHAIN_NAME"
echo "✓ Identity: $IDENTITY"
# 在 GitHub Actions 里把 CSC_NAME 写入后续步骤的 env
if [ -n "${GITHUB_ENV:-}" ]; then
echo "CSC_NAME=$IDENTITY" >> "$GITHUB_ENV"
echo "✓ 已写入 \$GITHUB_ENVCSC_NAME"
fi