lets see if the cert is for codesign

Author: shijie-oai

.github/workflows/rust-release.yml

@@ -19,15 +19,15 @@ concurrency:
   cancel-in-progress: true
 
 env:
-  APPLE_CERTIFICATE: |-
-    MIIJfgIBAzCCCUQGCSqGSIb3DQEHAaCCCTUEggkxMIIJLTCCA68GCSqGSIb3DQEHBqCCA6AwggOcAgEAMIIDlQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQIGTjnk+I5rd4CAggAgIIDaCB8Mi+3NFfBzkmTKPvMP6fB/rYxzB3q2uK6bPEh85KYgEZxMynr8bwqrdfBsdaAQn4Q1ch1DON8bB0sgkI+5R/hvCxtV8ggBDPXm31uYVQE+ShTeAVqMbyvlg3LxkzE1xW71E2YSwgoGih3WwEVd5vmRunrucydSmflZcD3Z1LAG2qkwvyMKsbnevW9fyCxcpiDgHvDwgh9LFNnt3kp1b5fnZYASr36FMlh0oP1RwFJJ4UUdwmdeJjWVSqwbHdN7OlLiZ8rRFf/dq1T04/g41gJS0jb/xF3ERikh9Ix+PGHnEGfR6Ma7tlOx2gLLwxpIE1Dyj+yzwGvtQzLuNmgmurLMDv8JJ0ZrFDVWnZOn5/QfGUi5x6A07YneFfbToSl2vx/q/Erx07ktvAo8zjEAVdjr2DA1XGOY7LBLbZw4lqp1Zknp2UcgBbqKVxfaX+Cp4tQ8VdwrmK5/9bfv7nYmmHRItl+nKZWuTPMwKD+jqDOa0Xn/cg6zuusNg2ML/8+vGOAtXsdiuoVo+uqaI/x8C5NdAnUcfFEW9msCiHBvDkujrIb0rvnOR0BBrXTwrf9E1lxrfh2lUYVVSos47J6lTvyLoeGpF5dBx278KgZDUHISVMWsLymakHG6OB3V+PySnfUxjkE/COJIDh4BA+lGXfuSkkkANOMW1ifbZjWK1bZUAzi8Iq9qv7JdwAsWyZI8dThPqfyeX+QhM1Zo1/5ClGJ+1xmtYjsArLfA4ov5OBJ/A+OC+fSzzz6zUmSydLxp7MYoxKRCRqGvokh+MToiqhsTLq30jngUE5j0SAe1fL4qzxkTCp+4b4WKEBgS1W6hTo8OkV04HUlcxrYbiCHn2Wk0DKxDTbqyYBLoe8zHT6atZAz+bl/bDBDSOdLjusAaxA843EOZwOMiCJ0SAWkuMEW8R6VGKaxai68cbr/5YZ4tGElqif84MlWgpXL6MPWwcPEmcLq5OqKUAU3nTR6ifZXyheBzKDwvH2yJfguIhKzsSuXjGHGzIf2TIiBASEUB8c2Iaiu7dUmzviyaCAQIL3pJrH6K6fraNNnCUwyLL4RnEgiq7K0QjYE0iGGx3sJHsREtzeMjbYBWhv0V92y/TVdtfs4373kzTEu4BZw/9X12e4wFXSescET7gUD9TYdNnOAos4s7YbIMIIFdgYJKoZIhvcNAQcBoIIFZwSCBWMwggVfMIIFWwYLKoZIhvcNAQwKAQKgggTuMIIE6jAcBgoqhkiG9w0BDAEDMA4ECFY34TJokGZvAgIIAASCBMhrLDsOp54QaapWlK6J1gle+DMKVKXoQrGOiwu96hrzQ0FsCn5Tjyb0sjaa9y71SHc3Z3aWw/UHH6lh3XqOD1x2kyiCvxYYD+NDSnaR8pGdxbQSXS57S59ESBlY+taTrWWzgUjvkscp8Illb5rXcm0wMQYFHhq2/2b3ysbSztB21/ybE4FXr7jvFkYOPWAdn/Do3kuxFsSdwH5kqJvB8SHHfSjmF99My0NKPCSpoUkd8SwbFkTxbcgajWRzuPo2TRMEnKgQmGuHULO0qEVbf88SzB3nE5ALfOv/xmV6usWBYK4WgexeRDYlqtxsk41dCVpXl0mX6Pm/VzPr3tVp7JzYECg5ajbbBd29r4yHs8jwA59Qg7ApFiEdCSIWAAWLBc2pSWixnPYf1h8u3MP7aBoF9dLq8eHF+NQwE7VRZEogwSvA/P28pVjuuqcprR58onw6y0ykS9TY66xl9T9yGBxWzh6kD/gNoopI4IA+iUoo+1F6LhRqUNDLh3ouxUGHDhe/0crwo1kq5wqPLgMWULt/4cEORfzll9BK8ncztJG/J8Xl53K8UpJDmzAHs7/ygSOuylbOMRiAhRYHv+0RqbjeXHZbyfNNhqrWTsJWnxJTxXf9mwTN94dNJCHC+13rMYl4XbjCOOCIQTd2Ajnhn2XzaVw3Op2Fqx9tfakhFcheIVbAYBF4sGMR807dzA5Tt7gD9hl+X6B7nobwk2FwCQ0JL/YRQh197Oi2vLAloYKfbaAncB69oCJ9tbOjl/C8G2eNRKMiP24/kEYy37P+bFq48j3xKSJJ8oD/+sW5ZgMxZqT4KZJzRUzwldpfd8frquxMKkijIvMQ/rI33I5FPoSikpE6I9IvnJ3BGjgha0tZThTnnkjpPKjRbDbZoDkkkGgjObZaCJbhXVOhKI3wgYqd8+otNlBiNvm9qC0/JvON9GD5TsFusRbF6R87X3jyWlm7skk/8TnFAYeQF4sUm6MihkZx/qXLJDVN4vS7tN123TKLyoh5CCA1zyAcHhuWSCv/3MiJYBW7GplkqoNs+ld/Zk1aLCLsF7tB1CXbM9HgOYVwL95Wmu0ih/J1qChzWA1Tix4+WfF3l02pN1aVIulTXbxEVe356kC2uE/xR5MPuaKeCOGCnmsf9mXBafvoRz52b5JsmkkNL8NpMhGX5e//SLGwWNVhJaq61+ZMthW5b8GY7RVDKrxdsWuSTGLRQWWNTlRU2ZCo/Q52YSAlF6WT4N9LCao2qTUMWCh47F20ty11/wSEIyrBPvTkjzxL/xu+KH5Fgj3LQVdtAL1/dBfbTjsgwLmxWBJUzAhRkCtZb60LVDECUZNzdn37X1hjkQMVILHbig7Y8EHwU3eTX80xsa7soARNwmeCKdybQTiiI1V6e3Aisrccean7/o+L9pN00DdS1IEOjGN/dy7Z7sIjSrMNFc+tk5YnvWBfqsxyhwQilGj5kthfmG8jQes/H3QP/qjd/ZeqTDZ/zEIy84upl+ik5MBWuDzW2yCqf3R+kVOtOZYCOOracD/EsXfQqL0sS89gmp/xvVxFYLjzEUG7cOmISnh3j1yZ1mLz0wiNkBkBv+br20e3yvh14YAnTWnSNZQK8fmfvlGWQ3gomHrvJCm3VkD1zdoxWjAjBgkqhkiG9w0BCRUxFgQUTn5MbzBjTDyeMIcj8Qn+fIPAYe0wMwYJKoZIhvcNAQkUMSYeJABDAG8AZABlAHgAIABUAGUAcwB0ACAAUwBpAGcAbgBpAG4AZzAxMCEwCQYFKw4DAhoFAAQUtXkuX4wtC4fEkGStkDEyyGGIlkYECIosLHRaW4M5AgIIAA==
-  APPLE_CERTIFICATE_PASSWORD: codex-test-password
+  # APPLE_CERTIFICATE: |-
+  #   MIIJfgIBAzCCCUQGCSqGSIb3DQEHAaCCCTUEggkxMIIJLTCCA68GCSqGSIb3DQEHBqCCA6AwggOcAgEAMIIDlQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQIGTjnk+I5rd4CAggAgIIDaCB8Mi+3NFfBzkmTKPvMP6fB/rYxzB3q2uK6bPEh85KYgEZxMynr8bwqrdfBsdaAQn4Q1ch1DON8bB0sgkI+5R/hvCxtV8ggBDPXm31uYVQE+ShTeAVqMbyvlg3LxkzE1xW71E2YSwgoGih3WwEVd5vmRunrucydSmflZcD3Z1LAG2qkwvyMKsbnevW9fyCxcpiDgHvDwgh9LFNnt3kp1b5fnZYASr36FMlh0oP1RwFJJ4UUdwmdeJjWVSqwbHdN7OlLiZ8rRFf/dq1T04/g41gJS0jb/xF3ERikh9Ix+PGHnEGfR6Ma7tlOx2gLLwxpIE1Dyj+yzwGvtQzLuNmgmurLMDv8JJ0ZrFDVWnZOn5/QfGUi5x6A07YneFfbToSl2vx/q/Erx07ktvAo8zjEAVdjr2DA1XGOY7LBLbZw4lqp1Zknp2UcgBbqKVxfaX+Cp4tQ8VdwrmK5/9bfv7nYmmHRItl+nKZWuTPMwKD+jqDOa0Xn/cg6zuusNg2ML/8+vGOAtXsdiuoVo+uqaI/x8C5NdAnUcfFEW9msCiHBvDkujrIb0rvnOR0BBrXTwrf9E1lxrfh2lUYVVSos47J6lTvyLoeGpF5dBx278KgZDUHISVMWsLymakHG6OB3V+PySnfUxjkE/COJIDh4BA+lGXfuSkkkANOMW1ifbZjWK1bZUAzi8Iq9qv7JdwAsWyZI8dThPqfyeX+QhM1Zo1/5ClGJ+1xmtYjsArLfA4ov5OBJ/A+OC+fSzzz6zUmSydLxp7MYoxKRCRqGvokh+MToiqhsTLq30jngUE5j0SAe1fL4qzxkTCp+4b4WKEBgS1W6hTo8OkV04HUlcxrYbiCHn2Wk0DKxDTbqyYBLoe8zHT6atZAz+bl/bDBDSOdLjusAaxA843EOZwOMiCJ0SAWkuMEW8R6VGKaxai68cbr/5YZ4tGElqif84MlWgpXL6MPWwcPEmcLq5OqKUAU3nTR6ifZXyheBzKDwvH2yJfguIhKzsSuXjGHGzIf2TIiBASEUB8c2Iaiu7dUmzviyaCAQIL3pJrH6K6fraNNnCUwyLL4RnEgiq7K0QjYE0iGGx3sJHsREtzeMjbYBWhv0V92y/TVdtfs4373kzTEu4BZw/9X12e4wFXSescET7gUD9TYdNnOAos4s7YbIMIIFdgYJKoZIhvcNAQcBoIIFZwSCBWMwggVfMIIFWwYLKoZIhvcNAQwKAQKgggTuMIIE6jAcBgoqhkiG9w0BDAEDMA4ECFY34TJokGZvAgIIAASCBMhrLDsOp54QaapWlK6J1gle+DMKVKXoQrGOiwu96hrzQ0FsCn5Tjyb0sjaa9y71SHc3Z3aWw/UHH6lh3XqOD1x2kyiCvxYYD+NDSnaR8pGdxbQSXS57S59ESBlY+taTrWWzgUjvkscp8Illb5rXcm0wMQYFHhq2/2b3ysbSztB21/ybE4FXr7jvFkYOPWAdn/Do3kuxFsSdwH5kqJvB8SHHfSjmF99My0NKPCSpoUkd8SwbFkTxbcgajWRzuPo2TRMEnKgQmGuHULO0qEVbf88SzB3nE5ALfOv/xmV6usWBYK4WgexeRDYlqtxsk41dCVpXl0mX6Pm/VzPr3tVp7JzYECg5ajbbBd29r4yHs8jwA59Qg7ApFiEdCSIWAAWLBc2pSWixnPYf1h8u3MP7aBoF9dLq8eHF+NQwE7VRZEogwSvA/P28pVjuuqcprR58onw6y0ykS9TY66xl9T9yGBxWzh6kD/gNoopI4IA+iUoo+1F6LhRqUNDLh3ouxUGHDhe/0crwo1kq5wqPLgMWULt/4cEORfzll9BK8ncztJG/J8Xl53K8UpJDmzAHs7/ygSOuylbOMRiAhRYHv+0RqbjeXHZbyfNNhqrWTsJWnxJTxXf9mwTN94dNJCHC+13rMYl4XbjCOOCIQTd2Ajnhn2XzaVw3Op2Fqx9tfakhFcheIVbAYBF4sGMR807dzA5Tt7gD9hl+X6B7nobwk2FwCQ0JL/YRQh197Oi2vLAloYKfbaAncB69oCJ9tbOjl/C8G2eNRKMiP24/kEYy37P+bFq48j3xKSJJ8oD/+sW5ZgMxZqT4KZJzRUzwldpfd8frquxMKkijIvMQ/rI33I5FPoSikpE6I9IvnJ3BGjgha0tZThTnnkjpPKjRbDbZoDkkkGgjObZaCJbhXVOhKI3wgYqd8+otNlBiNvm9qC0/JvON9GD5TsFusRbF6R87X3jyWlm7skk/8TnFAYeQF4sUm6MihkZx/qXLJDVN4vS7tN123TKLyoh5CCA1zyAcHhuWSCv/3MiJYBW7GplkqoNs+ld/Zk1aLCLsF7tB1CXbM9HgOYVwL95Wmu0ih/J1qChzWA1Tix4+WfF3l02pN1aVIulTXbxEVe356kC2uE/xR5MPuaKeCOGCnmsf9mXBafvoRz52b5JsmkkNL8NpMhGX5e//SLGwWNVhJaq61+ZMthW5b8GY7RVDKrxdsWuSTGLRQWWNTlRU2ZCo/Q52YSAlF6WT4N9LCao2qTUMWCh47F20ty11/wSEIyrBPvTkjzxL/xu+KH5Fgj3LQVdtAL1/dBfbTjsgwLmxWBJUzAhRkCtZb60LVDECUZNzdn37X1hjkQMVILHbig7Y8EHwU3eTX80xsa7soARNwmeCKdybQTiiI1V6e3Aisrccean7/o+L9pN00DdS1IEOjGN/dy7Z7sIjSrMNFc+tk5YnvWBfqsxyhwQilGj5kthfmG8jQes/H3QP/qjd/ZeqTDZ/zEIy84upl+ik5MBWuDzW2yCqf3R+kVOtOZYCOOracD/EsXfQqL0sS89gmp/xvVxFYLjzEUG7cOmISnh3j1yZ1mLz0wiNkBkBv+br20e3yvh14YAnTWnSNZQK8fmfvlGWQ3gomHrvJCm3VkD1zdoxWjAjBgkqhkiG9w0BCRUxFgQUTn5MbzBjTDyeMIcj8Qn+fIPAYe0wMwYJKoZIhvcNAQkUMSYeJABDAG8AZABlAHgAIABUAGUAcwB0ACAAUwBpAGcAbgBpAG4AZzAxMCEwCQYFKw4DAhoFAAQUtXkuX4wtC4fEkGStkDEyyGGIlkYECIosLHRaW4M5AgIIAA==
+  # APPLE_CERTIFICATE_PASSWORD: codex-test-password
   # Test-only signing values for this branch. Replace with GitHub secrets when ready.
-  # APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE_P12 }}
-  # APPLE_CERTIFICATE_PASSWORD: $({ secrets.APPLE_CERTIFICATE_PASSWORD })
+  APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE_P12 }}
+  APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
   # SHA-1 fingerprint of the test certificate; codesign accepts this format.
   # APPLE_CODESIGN_IDENTITY: 4E7E4C6F30634C3C9E308723F109FE7C83C061ED
-  CODESIGN_DEBUG: true
+  CODESIGN_DEBUG: false
 
 jobs:
   tag-check:
@@ -168,16 +168,10 @@ jobs:
 
           security default-keychain -s "$keychain_path"
           security import "$cert_path" -k "$keychain_path" -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign -T /usr/bin/security
-          security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$keychain_path"
-
-          if [[ "${CODESIGN_DEBUG:-}" == "true" ]]; then
-            echo "::group::Imported signing identities"
-              security find-identity -v -p codesigning "$keychain_path" || true
-              security find-certificate -a -Z "$keychain_path" || true
-            echo "::endgroup::"
-          fi
+          security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$keychain_path" > /dev/null
 
           codesign_hashes=()
+          # SO this is breaking because our cert (at least the testing one) is not generated as codesign
           while IFS= read -r hash; do
             [[ -n "$hash" ]] && codesign_hashes+=("$hash")
           done < <(security find-identity -v -p codesigning "$keychain_path" \
@@ -200,8 +194,15 @@ jobs:
           fi
 
           APPLE_CODESIGN_IDENTITY="${codesign_hashes[0]}"
-          export APPLE_CODESIGN_IDENTITY
-          echo "Resolved codesign identity: $APPLE_CODESIGN_IDENTITY"
+          # export APPLE_CODESIGN_IDENTITY
+          # echo "Resolved codesign identity: $APPLE_CODESIGN_IDENTITY"
+
+          if [[ "${CODESIGN_DEBUG:-}" == "true" ]]; then
+            echo "::group::Imported signing identities"
+              security find-identity -v -p codesigning "$keychain_path" || true
+              security find-certificate -a -Z "$keychain_path" || true
+            echo "::endgroup::"
+          fi
 
           rm -f "$cert_path"
 
@@ -220,12 +221,14 @@ jobs:
           fi
 
           keychain_args=()
-          if [[ -n "${APPLE_CODESIGN_KEYCHAIN:-}" && -f "${APPLE_CODESIGN_KEYCHAIN}" && "${CODESIGN_DEBUG:-}" == "true" ]]; then
+          if [[ -n "${APPLE_CODESIGN_KEYCHAIN:-}" && -f "${APPLE_CODESIGN_KEYCHAIN}" ]]; then
             keychain_args+=(--keychain "${APPLE_CODESIGN_KEYCHAIN}")
-            echo "::group::Signing keychain diagnostics"
-            security find-identity -v -p codesigning "${APPLE_CODESIGN_KEYCHAIN}" || true
-            security find-certificate -a -Z "${APPLE_CODESIGN_KEYCHAIN}" || true
-            echo "::endgroup::"
+            if [[ "${CODESIGN_DEBUG:-}" == "true" ]]; then
+              echo "::group::Signing keychain diagnostics"
+                security find-identity -v -p codesigning "${APPLE_CODESIGN_KEYCHAIN}" || true
+                security find-certificate -a -Z "${APPLE_CODESIGN_KEYCHAIN}" || true
+              echo "::endgroup::"
+            if
           fi
 
           for binary in codex codex-responses-api-proxy; do