GitHub Actions: productsign hangs


I am having an issue with GitHub Actions. When I call productsign the job just hangs. When searching the internet it seems that the job tries to ask the user for a password, but I do not get any errors or feedback from the logs. The job just hangs forever. When run on my own computer everything works as expected and the .pkg is signed.

My step in the workflow is as follows:

  - name: Build & Sign Installer
    run: |
      export LC_ALL=en_US.UTF-8
      export LANG=en_US.UTF-8
      (cd fastlane && ./decrypt_secret.sh)
      carthage update --use-xcframeworks --platform macOS
      bundle exec fastlane set_release_version
      bundle exec fastlane mac install_certificates
      bundle exec fastlane mac build_main_app
      bundle exec fastlane mac build_updater
      bundle exec fastlane mac build_installer
      (cd installer && productsign --sign <identity> app-1.0.0.pkg app-1.0.0-signed.pkg)

I have tried a lot of different solutions, but nothing works:

  1. security import ${P12_FILE} -k ${KEYCHAIN_PATH} -P ${P12_PASSWORD} -A
  2. security import ${P12_FILE} -k ${KEYCHAIN_PATH} -P ${P12_PASSWORD} -T /usr/bin/productsign
  3. Setting the partition list using security set-key-partition-list
  4. Creating a new keychain / unlocking the keychain
  5. Switched to using the --sign param on productbuild (also hangs when --sign is added)
  6. Manually imported the certificate without fastlane match at all
  7. I think any other solution found on Google

Any ideas? Is this a bug in GitHub Actions?


1 answer

Rasmus Styrk (best answer)

Ok, we finally figured it out. The solution is to create a tmp keychain, set it as default and configure some attributes. This makes sure codesign and productsign can access it without being prompted for a password.

Setup Tmp Keychain

# default again user login keychain
security list-keychains -d user -s login.keychain

# Create temp keychain
security create-keychain -p "$MY_KEYCHAIN_PASSWORD" "$MY_KEYCHAIN"

# Append temp keychain to the user domain
security list-keychains -d user -s "$MY_KEYCHAIN" $(security list-keychains -d user | sed s/\"//g)

# Remove relock timeout
security set-keychain-settings "$MY_KEYCHAIN"

# Unlock keychain
security unlock-keychain -p "$MY_KEYCHAIN_PASSWORD" "$MY_KEYCHAIN"

# Add certificate to keychain
security import "$CERT" -k "$MY_KEYCHAIN" -P "$CERT_PASSWORD" -A -T "/usr/bin/codesign" -T "/usr/bin/productsign"

# Enable codesigning from a non user interactive shell
security set-key-partition-list -S apple-tool:,apple: -s -k "$MY_KEYCHAIN_PASSWORD" -D "${IDENTITY_CERTIFICATE}" -t private "$MY_KEYCHAIN"

Clean up Keychain

# Delete temporary keychain
security delete-keychain "$MY_KEYCHAIN"

# default again user login keychain
security list-keychains -d user -s login.keychain
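The same keychain setup wired into a complete GitHub Actions job, as an added example that is not part of the question or the answer; the secret names, the keychain name and the identity value are assumptions. It adds what a hanging job needs around the answer's commands: a job timeout so a prompting productsign fails instead of hanging, a find-identity check before signing, per-run random keychain password, and a cleanup step that runs even when signing fails.

```yaml
# Added example; secrets INSTALLER_P12_BASE64, INSTALLER_P12_PASSWORD and
# INSTALLER_IDENTITY are assumed names, not values from the original post.
name: sign-installer
on: [push]
jobs:
  sign:
    runs-on: macos-latest
    timeout-minutes: 20          # a productsign waiting for a password fails the job instead of hanging
    env:
      MY_KEYCHAIN: ci-signing.keychain-db
    steps:
      - uses: actions/checkout@v4
      - name: Set up temporary keychain
        env:
          P12_BASE64: ${{ secrets.INSTALLER_P12_BASE64 }}
          P12_PASSWORD: ${{ secrets.INSTALLER_P12_PASSWORD }}
          IDENTITY: ${{ secrets.INSTALLER_IDENTITY }}
        run: |
          set -euo pipefail
          # Random password for this run only; nothing outside this step needs it
          MY_KEYCHAIN_PASSWORD="$(openssl rand -hex 24)"
          CERT="$RUNNER_TEMP/installer.p12"
          echo "$P12_BASE64" | base64 --decode > "$CERT"
          security create-keychain -p "$MY_KEYCHAIN_PASSWORD" "$MY_KEYCHAIN"
          security set-keychain-settings "$MY_KEYCHAIN"     # no relock timeout
          security unlock-keychain -p "$MY_KEYCHAIN_PASSWORD" "$MY_KEYCHAIN"
          security list-keychains -d user -s "$MY_KEYCHAIN" login.keychain
          # Only codesign and productsign may use the key (no -A / "any application")
          security import "$CERT" -k "$MY_KEYCHAIN" -P "$P12_PASSWORD" \
            -T /usr/bin/codesign -T /usr/bin/productsign
          security set-key-partition-list -S apple-tool:,apple: -s \
            -k "$MY_KEYCHAIN_PASSWORD" "$MY_KEYCHAIN"
          rm -f "$CERT"
          # Fail fast if the identity is not usable from this keychain
          security find-identity -v -p basic "$MY_KEYCHAIN" | grep -q "$IDENTITY"
      - name: Sign installer
        env:
          IDENTITY: ${{ secrets.INSTALLER_IDENTITY }}
        run: |
          cd installer
          productsign --keychain "$MY_KEYCHAIN" --sign "$IDENTITY" \
            app-1.0.0.pkg app-1.0.0-signed.pkg
          pkgutil --check-signature app-1.0.0-signed.pkg
      - name: Remove temporary keychain
        if: always()                # runs even if signing failed or timed out
        run: |
          security delete-keychain "$MY_KEYCHAIN" || true
          security list-keychains -d user -s login.keychain
```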