Tags: macos, github-actions, code-signing, fastlane, productsign

GitHub Actions: productsign hangs


I am having an issue with GitHub Actions. When I call productsign the job just hangs. When searching the internet it seems that the job tries to ask the user for a password, but I do not get any errors or feedback from the logs. The job just hangs forever. When run on my own computer everything works as expected and the .pkg is signed.

My step in the workflow is as follows

  - name: Build & Sign Installer
    run: |
      export LC_ALL=en_US.UTF-8
      export LANG=en_US.UTF-8
      (cd fastlane && ./decrypt_secret.sh)
      carthage update --use-xcframeworks --platform macOS
      bundle exec fastlane set_release_version
      bundle exec fastlane mac install_certificates
      bundle exec fastlane mac build_main_app
      bundle exec fastlane mac build_updater
      bundle exec fastlane mac build_installer
      (cd installer && productsign --sign <identity> app-1.0.0.pkg app-1.0.0-signed.pkg)

I have tried a lot of different solutions, but nothing works:

  1. security import ${P12_FILE} -k ${KEYCHAIN_PATH} -P ${P12_PASSWORD} -A
  2. security import ${P12_FILE} -k ${KEYCHAIN_PATH} -P ${P12_PASSWORD} -T /usr/bin/productsign
  3. Setting partition list using security set-key-partition-list
  4. creating a new keychain / unlocking keychain
  5. Switched to use the --sign param on productbuild (also hangs when --sign added)
  6. Manually imported the certificate without fastlane match at all
  7. I think any other solution found on Google

Any ideas? Is this a bug in GitHub Actions?


Solution

  • Ok, we finally figured it out. The solution is to create a tmp keychain, set it as default and configure some attributes. This makes sure codesign and productsign can access it without being prompted for a password.

    Setup Tmp Keychain

    # Reset the user search list to the login keychain so a previous run
    # cannot leave a stale temp keychain in front of it
    security list-keychains -d user -s login.keychain

    # Create temp keychain
    security create-keychain -p "$MY_KEYCHAIN_PASSWORD" "$MY_KEYCHAIN"

    # Append temp keychain to the user domain search list (keeping the existing entries)
    security list-keychains -d user -s "$MY_KEYCHAIN" $(security list-keychains -d user | sed s/\"//g)

    # Remove relock timeout (no -l/-t, so the keychain stays unlocked for the job)
    security set-keychain-settings "$MY_KEYCHAIN"

    # Unlock keychain
    security unlock-keychain -p "$MY_KEYCHAIN_PASSWORD" "$MY_KEYCHAIN"

    # Add certificate to keychain; -T grants codesign and productsign access
    # to the private key without a prompt (-A would grant it to every application)
    security import "$CERT" -k "$MY_KEYCHAIN" -P "$CERT_PASSWORD" -A -T "/usr/bin/codesign" -T "/usr/bin/productsign"

    # Enable codesigning from a non user interactive shell: lets Apple tools use
    # the private key whose label matches $IDENTITY_CERTIFICATE without a UI prompt
    security set-key-partition-list -S apple-tool:,apple:, -s -k "$MY_KEYCHAIN_PASSWORD" -D "${IDENTITY_CERTIFICATE}" -t private "$MY_KEYCHAIN"


    Clean up Keychain

    # Delete temporary keychain (removes the imported private key from the runner)
    security delete-keychain "$MY_KEYCHAIN"

    # default again user login keychain
    security list-keychains -d user -s login.keychain
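The same temporary-keychain setup wired into a complete GitHub Actions job, as an added example that is not part of the question or the answer above. The secret names (MAC_CERT_P12_BASE64, MAC_CERT_PASSWORD, MAC_SIGNING_IDENTITY), the keychain path under runner.temp and the installer paths are assumptions; the keychain password is generated per job, the key is exposed only to codesign and productsign, and the cleanup step runs even when signing fails.

```yaml
# Assumed: secrets MAC_CERT_P12_BASE64 (base64 of the .p12), MAC_CERT_PASSWORD,
# MAC_SIGNING_IDENTITY (e.g. "Developer ID Installer: <Team Name> (<TEAMID>)").
name: sign-installer
on: [push]
jobs:
  sign:
    runs-on: macos-latest
    env:
      MY_KEYCHAIN: ${{ runner.temp }}/build.keychain-db   # assumed path
    steps:
      - uses: actions/checkout@v4
      - name: Set up temporary keychain
        env:
          CERT_BASE64: ${{ secrets.MAC_CERT_P12_BASE64 }}
          CERT_PASSWORD: ${{ secrets.MAC_CERT_PASSWORD }}
          IDENTITY: ${{ secrets.MAC_SIGNING_IDENTITY }}
        run: |
          set -euo pipefail
          # Random per-job keychain password; masked so it never shows in logs
          MY_KEYCHAIN_PASSWORD=$(openssl rand -hex 24)
          echo "::add-mask::$MY_KEYCHAIN_PASSWORD"
          echo "MY_KEYCHAIN_PASSWORD=$MY_KEYCHAIN_PASSWORD" >> "$GITHUB_ENV"
          CERT="$RUNNER_TEMP/cert.p12"
          echo "$CERT_BASE64" | base64 --decode > "$CERT"
          security create-keychain -p "$MY_KEYCHAIN_PASSWORD" "$MY_KEYCHAIN"
          security set-keychain-settings "$MY_KEYCHAIN"      # no auto-relock
          security unlock-keychain -p "$MY_KEYCHAIN_PASSWORD" "$MY_KEYCHAIN"
          security list-keychains -d user -s "$MY_KEYCHAIN" login.keychain
          # -T only (no -A): just these two tools may use the private key
          security import "$CERT" -k "$MY_KEYCHAIN" -P "$CERT_PASSWORD" \
            -T /usr/bin/codesign -T /usr/bin/productsign
          security set-key-partition-list -S apple-tool:,apple: -s \
            -k "$MY_KEYCHAIN_PASSWORD" "$MY_KEYCHAIN"
          rm -f "$CERT"
          # Fail here with a clear error instead of hanging later in productsign
          security find-identity -v -p basic "$MY_KEYCHAIN" | grep -q -- "$IDENTITY"
      - name: Sign installer
        env:
          IDENTITY: ${{ secrets.MAC_SIGNING_IDENTITY }}
        run: |
          set -euo pipefail
          productsign --sign "$IDENTITY" --keychain "$MY_KEYCHAIN" \
            installer/app-1.0.0.pkg installer/app-1.0.0-signed.pkg
          pkgutil --check-signature installer/app-1.0.0-signed.pkg
      - name: Remove temporary keychain
        if: always()
        run: |
          security delete-keychain "$MY_KEYCHAIN" || true
          security list-keychains -d user -s login.keychain
```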