I am having an issue with GitHub Actions. When I call productsign
the job just hangs. When searching the internet it seems that the job tries to ask the user for a password but I do not get any errors or feedback from the logs. The job just hangs for ever. When run on my own computer everything works as expected and the .pkg is signed.
My step in the workflow is as follows
- name: Build & Sign Installer
run: |
export LC_ALL=en_US.UTF-8
export LANG=en_US.UTF-8
(cd fastlane && ./decrypt_secret.sh)
carthage update --use-xcframeworks --platform macOS
bundle exec fastlane set_release_version
bundle exec fastlane mac install_certificates
bundle exec fastlane mac build_main_app
bundle exec fastlane mac build_updater
bundle exec fastlane mac build_installer
(cd installer && productsign --sign <identity> app-1.0.0.pkg app-1.0.0-signed.pkg)
I have tried a lot of different solutions, but nothing works
security import ${P12_FILE} -k ${KEYCHAIN_PATH} -P ${P12_PASSWORD} -A
security import ${P12_FILE} -k ${KEYCHAIN_PATH} -P ${P12_PASSWORD} -T /usr/bin/productsign
security set-key-partition-list
productbuild
(also hangs when --sign added)fastlane match
at allAny ideas? Is this a bug in GitHub Actions?
Ok, we finally figured it out. The solution is to create tmp keychain, set its as default and configure some attributes. This makes sure codesign
and productsign
can access it without being prompted for a password.
Setup Tmp Keychain
# default again user login keychain
security list-keychains -d user -s login.keychain
# Create temp keychain
security create-keychain -p "$MY_KEYCHAIN_PASSWORD" "$MY_KEYCHAIN"
# Append temp keychain to the user domain
security list-keychains -d user -s "$MY_KEYCHAIN" $(security list-keychains -d user | sed s/\"//g)
# Remove relock timeout
security set-keychain-settings "$MY_KEYCHAIN"
# Unlock keychain
security unlock-keychain -p "$MY_KEYCHAIN_PASSWORD" "$MY_KEYCHAIN"
# Add certificate to keychain
security import $CERT -k "$MY_KEYCHAIN" -P "$CERT_PASSWORD" -A -T "/usr/bin/codesign" -T "/usr/bin/productsign"
# Enable codesigning from a non user interactive shell
security set-key-partition-list -S apple-tool:,apple:, -s -k $MY_KEYCHAIN_PASSWORD -D "${IDENTITY_CERTIFICATE}" -t private $MY_KEYCHAIN
Clean up Keychain
# Delete temporary keychain
security delete-keychain "$MY_KEYCHAIN"
# default again user login keychain
security list-keychains -d user -s login.keychain