|
24 | 24 | APPLE_CERTIFICATE_PASSWORD: codex-test-password
|
25 | 25 | # SHA-1 fingerprint of the test certificate; codesign accepts this format.
|
26 | 26 | APPLE_CODESIGN_IDENTITY: 4E7E4C6F30634C3C9E308723F109FE7C83C061ED
|
27 |
| - CODESIGN_TEST: true |
| 27 | + CODESIGN_DEBUG: false |
28 | 28 |
|
29 | 29 | jobs:
|
30 | 30 | tag-check:
|
@@ -75,18 +75,18 @@ jobs:
|
75 | 75 | target: aarch64-apple-darwin
|
76 | 76 | - runner: macos-14
|
77 | 77 | target: x86_64-apple-darwin
|
78 |
| - - runner: ubuntu-24.04 |
79 |
| - target: x86_64-unknown-linux-musl |
80 |
| - - runner: ubuntu-24.04 |
81 |
| - target: x86_64-unknown-linux-gnu |
82 |
| - - runner: ubuntu-24.04-arm |
83 |
| - target: aarch64-unknown-linux-musl |
84 |
| - - runner: ubuntu-24.04-arm |
85 |
| - target: aarch64-unknown-linux-gnu |
86 |
| - - runner: windows-latest |
87 |
| - target: x86_64-pc-windows-msvc |
88 |
| - - runner: windows-11-arm |
89 |
| - target: aarch64-pc-windows-msvc |
| 78 | + # - runner: ubuntu-24.04 |
| 79 | + # target: x86_64-unknown-linux-musl |
| 80 | + # - runner: ubuntu-24.04 |
| 81 | + # target: x86_64-unknown-linux-gnu |
| 82 | + # - runner: ubuntu-24.04-arm |
| 83 | + # target: aarch64-unknown-linux-musl |
| 84 | + # - runner: ubuntu-24.04-arm |
| 85 | + # target: aarch64-unknown-linux-gnu |
| 86 | + # - runner: windows-latest |
| 87 | + # target: x86_64-pc-windows-msvc |
| 88 | + # - runner: windows-11-arm |
| 89 | + # target: aarch64-pc-windows-msvc |
90 | 90 |
|
91 | 91 | steps:
|
92 | 92 | - uses: actions/checkout@v5
|
@@ -135,31 +135,39 @@ jobs:
|
135 | 135 | exit 1
|
136 | 136 | fi
|
137 | 137 |
|
138 |
| - cert_path="${RUNNER_TEMP}/apple_signing_certificate.p12" |
139 |
| - echo "$APPLE_CERTIFICATE" | base64 -d > "$cert_path" |
| 138 | + # TODO: we will be directly using the p12 from github secrets |
| 139 | + # cert_path="${RUNNER_TEMP}/apple_signing_certificate.p12" |
| 140 | + # echo "$APPLE_CERTIFICATE" | base64 -d > "$cert_path" |
140 | 141 |
|
141 | 142 | keychain_path="${RUNNER_TEMP}/codex-signing.keychain-db"
|
142 | 143 | security create-keychain -p "$KEYCHAIN_PASSWORD" "$keychain_path"
|
143 | 144 | security set-keychain-settings -lut 21600 "$keychain_path"
|
144 | 145 | security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$keychain_path"
|
145 | 146 |
|
146 | 147 | keychain_args=()
|
| 148 | +
|
147 | 149 | while IFS= read -r keychain; do
|
148 | 150 | [[ -n "$keychain" ]] && keychain_args+=("$keychain")
|
149 | 151 | done < <(security list-keychains | sed 's/^[[:space:]]*//;s/[[:space:]]*$//;s/"//g')
|
| 152 | +
|
150 | 153 | if ((${#keychain_args[@]} > 0)); then
|
151 | 154 | security list-keychains -s "$keychain_path" "${keychain_args[@]}"
|
152 | 155 | else
|
153 | 156 | security list-keychains -s "$keychain_path"
|
154 | 157 | fi
|
| 158 | +
|
155 | 159 | security default-keychain -s "$keychain_path"
|
156 | 160 | security import "$cert_path" -k "$keychain_path" -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign -T /usr/bin/security
|
157 | 161 | security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$keychain_path"
|
158 | 162 |
|
159 |
| - echo "::group::Imported signing identities" |
160 |
| - security find-identity -v -p codesigning "$keychain_path" || true |
161 |
| - security find-certificate -a -Z "$keychain_path" || true |
162 |
| - echo "::endgroup::" |
| 163 | + if [[ "${CODESIGN_DEBUG:-}" == "true" ]]; then |
| 164 | + echo "::group::Imported signing identities" |
| 165 | + # TODO: we will need to grab the identity from this and then use it in the next step |
| 166 | + # TODO: WE DEFINITELY NEED TO GET RID OF THOSE |
| 167 | + security find-identity -v -p codesigning "$keychain_path" || true |
| 168 | + security find-certificate -a -Z "$keychain_path" || true |
| 169 | + echo "::endgroup::" |
| 170 | + fi |
163 | 171 |
|
164 | 172 | rm -f "$cert_path"
|
165 | 173 |
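Review bot: `cert_path` is never assigned in the new code, because both lines that set and populate it are now commented out (new lines 139–140), yet `security import "$cert_path" …` at new line 160 and `rm -f "$cert_path"` at new line 172 still read it. Unless the variable is set above this hunk, which is not visible here, the import receives an empty path and fails, so no signing identity reaches the keychain for the later `codesign --sign "$APPLE_CODESIGN_IDENTITY"` call. Until the direct-from-secrets approach named in the TODO exists, keep `cert_path="${RUNNER_TEMP}/apple_signing_certificate.p12"` and the `base64 -d` line. When the decode comes back, add `trap 'rm -f "$cert_path"' EXIT` right after the assignment so the decoded .p12 is removed even if a `security` command fails before the final `rm`. The script body starts above this hunk and continues below it.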
|
@@ -187,12 +195,7 @@ jobs:
|
187 | 195 |
|
188 | 196 | for binary in codex codex-responses-api-proxy; do
|
189 | 197 | path="target/${{ matrix.target }}/release/${binary}"
|
190 |
| - if [[ "${CODESIGN_TEST:-}" == "true" ]]; then |
191 |
| - echo "Ad-hoc signing $path (test mode)" |
192 |
| - codesign --force --sign - "$path" |
193 |
| - else |
194 |
| - codesign --force --options runtime --timestamp --sign "$APPLE_CODESIGN_IDENTITY" "${keychain_args[@]}" "$path" |
195 |
| - fi |
| 198 | + codesign --force --options runtime --timestamp --sign "$APPLE_CODESIGN_IDENTITY" "${keychain_args[@]}" "$path" |
196 | 199 | codesign --verify --deep --strict "$path"
|
197 | 200 | done
|
198 | 201 |
|
|