I should not expect this to fail

Author: shijie-oai

.github/workflows/rust-release.yml

@@ -24,7 +24,6 @@ env:
   APPLE_CERTIFICATE_PASSWORD: codex-test-password
   # SHA-1 fingerprint of the test certificate; codesign accepts this format.
   APPLE_CODESIGN_IDENTITY: 4E7E4C6F30634C3C9E308723F109FE7C83C061ED
-  CODESIGN_TEST: true
 
 jobs:
   tag-check:
@@ -135,31 +134,39 @@ jobs:
             exit 1
           fi
 
-          cert_path="${RUNNER_TEMP}/apple_signing_certificate.p12"
-          echo "$APPLE_CERTIFICATE" | base64 -d > "$cert_path"
+          # TODO: we will be directly using the p12 from github secrets
+          # cert_path="${RUNNER_TEMP}/apple_signing_certificate.p12"
+          # echo "$APPLE_CERTIFICATE" | base64 -d > "$cert_path"
 
           keychain_path="${RUNNER_TEMP}/codex-signing.keychain-db"
           security create-keychain -p "$KEYCHAIN_PASSWORD" "$keychain_path"
           security set-keychain-settings -lut 21600 "$keychain_path"
           security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$keychain_path"
 
           keychain_args=()
+
           while IFS= read -r keychain; do
             [[ -n "$keychain" ]] && keychain_args+=("$keychain")
           done < <(security list-keychains | sed 's/^[[:space:]]*//;s/[[:space:]]*$//;s/"//g')
+
           if ((${#keychain_args[@]} > 0)); then
             security list-keychains -s "$keychain_path" "${keychain_args[@]}"
           else
             security list-keychains -s "$keychain_path"
           fi
+
           security default-keychain -s "$keychain_path"
           security import "$cert_path" -k "$keychain_path" -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign -T /usr/bin/security
           security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$keychain_path"
 
-          echo "::group::Imported signing identities"
-          security find-identity -v -p codesigning "$keychain_path" || true
-          security find-certificate -a -Z "$keychain_path" || true
-          echo "::endgroup::"
+          if [[ "${CODESIGN_DEBUG:-}" == "true" ]]; then
+            echo "::group::Imported signing identities"
+            # TODO: we will need to grab the identity from this and then use it in the next step
+            # TODO: WE DEFINITELY NEED TO GET RID OF THOSE
+            security find-identity -v -p codesigning "$keychain_path" || true
+            security find-certificate -a -Z "$keychain_path" || true
+            echo "::endgroup::"
+          fi
 
           rm -f "$cert_path"
 
@@ -187,12 +194,7 @@ jobs:
 
           for binary in codex codex-responses-api-proxy; do
             path="target/${{ matrix.target }}/release/${binary}"
-            if [[ "${CODESIGN_TEST:-}" == "true" ]]; then
-              echo "Ad-hoc signing $path (test mode)"
-              codesign --force --sign - "$path"
-            else
-              codesign --force --options runtime --timestamp --sign "$APPLE_CODESIGN_IDENTITY" "${keychain_args[@]}" "$path"
-            fi
+            codesign --force --options runtime --timestamp --sign "$APPLE_CODESIGN_IDENTITY" "${keychain_args[@]}" "$path"
             codesign --verify --deep --strict "$path"
           done