
Commit 6ee127f

avoid reusing keychains between builds (#1441)
1 parent 90f1904 commit 6ee127f


1 file changed

+21
-4
lines changed


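--- a/src/bin/codesign.sh
+++ b/src/bin/codesign.sh
@@ -23,17 +23,24 @@ fi
 if [ -n "$RUNNER_TEMP" ]; then
 # assume MACOS_P12_BASE64, KEYCHAIN_PASSWORD, MACOS_P12_PASSWORD are set in the env
 
-# create variables
-TMP_CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
-TMP_KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+# create variables with unique names to avoid conflicts
+UNIQUE_ID=$(date +%s)-$$-$(od -An -N4 -tx4 < /dev/urandom | tr -d ' ')
+TMP_CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate_${UNIQUE_ID}.p12
+TMP_KEYCHAIN_PATH=$RUNNER_TEMP/app-signing-${UNIQUE_ID}.keychain-db
+
+# Clean up any existing certificates in default keychain that might conflict
+security delete-identity -c "$MACOS_CERTIFICATE_NAME" 2>/dev/null || true
 
 # import certificate and provisioning profile from secrets
 echo $MACOS_P12_BASE64 | base64 --decode > "$TMP_CERTIFICATE_PATH"
 
 # We need to create a new keychain, otherwise using the certificate will prompt
 # with a UI dialog asking for the certificate password, which we can't
 # use in a headless CI environment
-security create-keychain -p "$KEYCHAIN_PASSWORD" "$TMP_KEYCHAIN_PATH" || true
+
+# Create new keychain (should be unique, but remove if exists just in case)
+security delete-keychain "$TMP_KEYCHAIN_PATH" 2>/dev/null || true
+security create-keychain -p "$KEYCHAIN_PASSWORD" "$TMP_KEYCHAIN_PATH"
 # security set-keychain-settings -lut 21600 "$TMP_KEYCHAIN_PATH"
 # security default-keychain -s "$TMP_KEYCHAIN_PATH"
 security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$TMP_KEYCHAIN_PATH"
@@ -43,6 +50,16 @@ if [ -n "$RUNNER_TEMP" ]; then
 security list-keychain -d user -s "$TMP_KEYCHAIN_PATH"
 
 security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" "$TMP_KEYCHAIN_PATH"
+
+# Clean up the certificate file
+rm -f "$TMP_CERTIFICATE_PATH"
+
+# Set up cleanup trap
+cleanup() {
+echo "Cleaning up keychain..."
+security delete-keychain "$TMP_KEYCHAIN_PATH" 2>/dev/null || true
+}
+trap cleanup EXIT
 fi
 
 # We finally codesign our app bundle. Add '--options runtime' for the Hardened runtime option (required for notarization)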
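Review bot: The `trap cleanup EXIT` in the second hunk is registered only after `security set-key-partition-list`, i.e. after `security create-keychain`, the `base64 --decode` of the p12 and whatever import steps sit in the unshown lines between the two hunks, so a failure in any of those (a non-zero `security` command, or an abort if the script runs under `set -e`, which is not visible here) leaves the decoded `build_certificate_*.p12` and the unlocked `app-signing-*.keychain-db` behind in `$RUNNER_TEMP` — the kind of residue this commit sets out to avoid. Register the trap directly after the `TMP_KEYCHAIN_PATH=...` assignment, before `security create-keychain`, and add `rm -f -- "$TMP_CERTIFICATE_PATH"` to `cleanup`; both `delete-keychain ... || true` and `rm -f` are harmless when the files do not yet exist, so early registration costs nothing and also covers the p12 if the import fails. The new `security delete-identity -c "$MACOS_CERTIFICATE_NAME" 2>/dev/null || true` in the first hunk operates on the default keychain rather than the temporary one, and `MACOS_CERTIFICATE_NAME` is not among the variables the header comment says the environment must supply; on a self-hosted runner this silently mutates shared keychain state, so guard it with `[ -n "$MACOS_CERTIFICATE_NAME" ] &&` and list the variable in that comment. The enclosing `if [ -n "$RUNNER_TEMP" ]` block begins in the first hunk, and the commands between new lines 46 and 50 (presumably the `security import` of the p12) are outside both hunks.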
