# compose-desktop
c
I’m following the instructions for signing on macOS. It works great locally, although I’m running into a failure when trying to set it up on CI. The exact error I get is this:
Execution failed for task ':desktop:packageDmg'.
Process 'command '/usr/bin/codesign'' finished with non-zero exit value 1
And when I add --debug I see
error: The specified item could not be found in the keychain.
Is there some additional item that might need to be in the keychain that’s missing in the CI environment, but might already be present in my desktop environment?
c
Thank you, that helps, although the documentation has some gaps. It is easier to right-click on the certificate in Xcode, rather than exporting from Keychain Access (finding the private key in Keychain Access can be hard on one’s development machine, especially if the keychain has 1000+ items like mine). Exporting from Xcode is much easier. Anyway, this is what I ended up with:
- name: Setup Secrets
  timeout-minutes: 1
  env:
    DEVELOPER_ID_CERTIFICATE_BASE_64: ${{ secrets.DEVELOPER_ID_CERTIFICATE_BASE_64 }}
    DEVELOPER_ID_CERTIFICATE_PASSWORD: ${{ secrets.DEVELOPER_ID_CERTIFICATE_PASSWORD }}
    KEYCHAIN_FILENAME: inflection.keychain
    KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
    NOTARIZATION_USER: ${{ secrets.APPLE_NOTARIZATION_USER }}
    NOTARIZATION_PASSWORD: ${{ secrets.APPLE_NOTARIZATION_PASSWORD }}
  run: |
    # Get the developer ID key from secure variables
    # (variables are quoted so passwords containing spaces or shell metacharacters survive)
    DEVELOPER_ID_CERTIFICATE_PATH="${HOME}/developer_id.p12"
    echo "${DEVELOPER_ID_CERTIFICATE_BASE_64}" | base64 --decode > "${DEVELOPER_ID_CERTIFICATE_PATH}"

    # Create a new default keychain; -t 3600 keeps it from auto-locking mid-build
    # (the default lock timeout is 300 seconds)
    KEYCHAIN_PATH="${HOME}/${KEYCHAIN_FILENAME}"
    security create-keychain -p "${KEYCHAIN_PASSWORD}" "${KEYCHAIN_PATH}"
    security unlock-keychain -p "${KEYCHAIN_PASSWORD}" "${KEYCHAIN_PATH}"
    security set-keychain-settings -l -u -t 3600 "${KEYCHAIN_PATH}"
    security default-keychain -s "${KEYCHAIN_PATH}"

    # Add Apple certification authorities to the keychain
    security import tools/apple_developer_relations_certification_authority.cer -k "${KEYCHAIN_PATH}" -A
    security import tools/apple_developer_id_certification_authority.cer -k "${KEYCHAIN_PATH}" -A

    # Add the developer ID key to the new keychain
    # (-k selects the target keychain; without it the keychain path is not applied)
    security import "${DEVELOPER_ID_CERTIFICATE_PATH}" -k "${KEYCHAIN_PATH}" -P "${DEVELOPER_ID_CERTIFICATE_PASSWORD}" -A

    # On macOS 10.12+ the -A access list alone is not enough: the key's partition list must
    # also allow Apple-signed tools (codesign, productsign) to use it, otherwise codesign
    # blocks on a GUI permission prompt that nobody can answer on a headless runner
    security set-key-partition-list -S apple-tool:,apple: -s -k "${KEYCHAIN_PASSWORD}" "${KEYCHAIN_PATH}"

    # Don't leave the decoded .p12 lying on the runner's disk
    rm -f "${DEVELOPER_ID_CERTIFICATE_PATH}"

- name: Build
  timeout-minutes: 12
  run: |
    ./gradlew packageDmg notarizeDmg
The problem is that the Gradle build hangs at the signing step, as a keychain password prompt appears. Setting -A for security import or setting security set-key-partition-list should make that a non-issue, but something seems to be not quite right. I can reproduce the issue locally in a virtual machine consistently, and the dialog says that codesign needs permission to access the key in the keychain. Any ideas how one might work around that in a CI environment?
s
@Carter Did you manage to solve that problem?
c
I don’t think I ever did. I ended up converting that specific project to a web application because my users couldn’t figure out how to download and install a disk image 🙈
s
security set-keychain-settings -lut 3600 build.keychain
is very important, because the default timeout is 5 minutes, and without that the process keeps hanging.
c
Cool, thank you!