
Apple signing KEYCHAIN_PASSWORD value #3612

@setoelkahfi

It's been a while since I looked at our GH release since I mostly focused on app store distribution. Now, I'm moving my app to an organizational account from my personal account. It's known to be working with my personal developer account, but now my "Verify Certificate" failed.

```
Run CERT_INFO=$(security find-identity -v -p codesigning build.keychain | grep "Developer ID Application")
  CERT_INFO=$(security find-identity -v -p codesigning build.keychain | grep "Developer ID Application")
  CERT_ID=$(echo "$CERT_INFO" | awk -F'"' '{print $2}')
  echo "CERT_ID=$CERT_ID" >> $GITHUB_ENV
  echo "Certificate imported."
  shell: /bin/bash -e {0}
  env:
    APPLE_ID: ***
    APPLE_ID_PASSWORD: ***
    PNPM_HOME: /Users/runner/setup-pnpm/node_modules/.bin
    PATH: /Users/runner/setup-pnpm/node_modules/.bin:/Users/runner/hostedtoolcache/node/20.19.5/arm64/bin:/Users/runner/.local/bin:/opt/homebrew/bin:/opt/homebrew/sbin:/Users/runner/.cargo/bin:/usr/local/opt/curl/bin:/usr/local/bin:/usr/local/sbin:/Users/runner/bin:/Users/runner/.yarn/bin:/Users/runner/Library/Android/sdk/tools:/Users/runner/Library/Android/sdk/platform-tools:/Library/Frameworks/Python.framework/Versions/Current/bin:/Library/Frameworks/Mono.framework/Versions/Current/Commands:/usr/bin:/bin:/usr/sbin:/sbin:/Users/runner/.dotnet/tools
    CARGO_HOME: /Users/runner/.cargo
    CARGO_INCREMENTAL: 0
    CARGO_TERM_COLOR: always
Error: Process completed with exit code 1.
```

workflow file:

```yaml
name: "Deploy SplitFire AI Desktop"

on:
  push:
    branches:
      - release/splitfire-desktop
  workflow_dispatch:

# This workflow will trigger on each push to the `release` branch to create or update a GitHub release, build your app, and upload the artifacts to the release.
defaults:
  run:
    working-directory: frontend/splitfire-desktop

jobs:
  publish-tauri:
    permissions:
      contents: write
    strategy:
      fail-fast: false
      matrix:
        include:
          - platform: "macos-latest" # for Arm based macs (M1 and above).
            args: "--target aarch64-apple-darwin -c src-tauri/tauri.prod-macos.conf.json"
          - platform: "macos-latest" # for Intel based macs.
            args: "--target x86_64-apple-darwin -c src-tauri/tauri.prod-macos.conf.json"
          - platform: "ubuntu-22.04"
            args: "-c src-tauri/tauri.prod.conf.json"
          - platform: "windows-latest"
            args: "-c src-tauri/tauri.prod.conf.json"

    runs-on: ${{ matrix.platform }}
    env:
      APPLE_ID: ${{ secrets.APPLE_ID }}
      APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
    steps:
      - uses: actions/checkout@v4
        with:
          lfs: true

      - name: setup node
        uses: actions/setup-node@v4
        with:
          node-version-file: frontend/splitfire-desktop/.nvmrc
      - uses: pnpm/action-setup@v4
        with:
          version: 10
      - name: Setup Ruby
        uses: ruby/setup-ruby@v1
        with:
          ruby-version: 3.3.4
      - name: Install Rust stable
        uses: dtolnay/rust-toolchain@stable
        with:
          toolchain: 1.90
          # Those targets are only used on macos runners so it's in an `if` to slightly speed up windows and linux builds.
          targets: ${{ matrix.platform == 'macos-latest' && 'aarch64-apple-darwin,x86_64-apple-darwin' || '' }}

      - name: Install Ubuntu dependencies
        if: matrix.platform == 'ubuntu-22.04' # This must match the platform value defined above.
        run: |
          sudo apt-get update
          sudo apt-get install -y libwebkit2gtk-4.1-dev libappindicator3-dev librsvg2-dev patchelf libasound2-dev libudev-dev

      - name: Import Apple Developer Certificate
        if: matrix.platform == 'macos-latest'
        uses: apple-actions/import-codesign-certs@v3
        with:
          p12-file-base64: ${{ secrets.APPLE_CERTIFICATE }}
          p12-password: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
          keychain: build
      - name: Verify Certificate
        if: matrix.platform == 'macos-latest'
        run: |
          CERT_INFO=$(security find-identity -v -p codesigning build.keychain | grep "Developer ID Application")
          CERT_ID=$(echo "$CERT_INFO" | awk -F'"' '{print $2}')
          echo "CERT_ID=$CERT_ID" >> $GITHUB_ENV
          echo "Certificate imported."
      - name: Create .p8 file
        run: |
            mkdir -p ~/.appstoreconnect/private_keys
            echo "${{ secrets.APPLE_API_KEY_STRING }}" > ~/.appstoreconnect/private_keys/AuthKey_${{ secrets.APPLE_API_KEY }}.p8
      - name: Install frontend dependencies
        run: pnpm install

      - uses: tauri-apps/tauri-action@v0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
          APPLE_SIGNING_IDENTITY: ${{ env.CERT_ID }}
          APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
          APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
        with:
          projectPath: frontend/splitfire-desktop
          tagName: app-v__VERSION__ # the action automatically replaces \_\_VERSION\_\_ with the app version.
          releaseName: "SplitFire AI v__VERSION__"
          releaseBody: "See the assets to download this version and install."
          releaseDraft: true
          prerelease: false
          args: ${{ matrix.args }}
```

I updated the APPLE_CERTIFICATE, APPLE_CERTIFICATE_PASSWORD, APPLE_API_ISSUER, APPLE_API_KEY, APPLE_ID and APPLE_ID_PASSWORD to use my organizational account. But I don't know what the KEYCHAIN_PASSWORD should be. It couldn't be my MacBook keychain access password, right?

In these docs, what's the value of the KEYCHAIN_PASSWORD? Or could it be some other issue? Any clue?
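
An added diagnostic example for the failing "Verify Certificate" step above; it is not from the issue author or the Tauri project. Under `bash -e`, a `grep` that matches nothing exits 1 and ends the step before any message is printed, so the hypothetical helper `select_identity` reports which identities the keychain actually holds; the sample `security find-identity` outputs are constructed.

```shell
#!/usr/bin/env bash
# Added example: parse `security find-identity -v -p codesigning` output without
# letting a non-matching grep end the step silently under `bash -e`.

# select_identity PATTERN   (reads find-identity output on stdin)
# Prints the quoted name of the first matching identity. On no match, lists
# the identities that are present on stderr and returns 1.
select_identity() {
  local pattern="$1" listing match
  listing="$(cat)"
  # `|| true` keeps `set -e` from aborting before the failure can be explained.
  match="$(printf '%s\n' "$listing" | grep -F -- "$pattern" | head -n 1 || true)"
  if [ -z "$match" ]; then
    echo "No identity matching '$pattern'. Identities in keychain:" >&2
    # Identity lines carry the name between double quotes (3 fields when split on ").
    printf '%s\n' "$listing" | awk -F'"' 'NF >= 3 {print "  - " $2}' >&2
    return 1
  fi
  printf '%s\n' "$match" | awk -F'"' '{print $2}'
}

# Constructed sample outputs (not taken from the issue's run).
SAMPLE_DEV_ID='  1) 0000000000000000000000000000000000000001 "Developer ID Application: Example Org (TEAMID0000)"
     1 valid identities found'
SAMPLE_WRONG_TYPE='  1) 0000000000000000000000000000000000000002 "Apple Distribution: Example Org (TEAMID0000)"
     1 valid identities found'
SAMPLE_EMPTY='     0 valid identities found'

# In the workflow step the helper would be fed by the real command:
#   CERT_ID=$(security find-identity -v -p codesigning build.keychain \
#               | select_identity "Developer ID Application")
#   echo "CERT_ID=$CERT_ID" >> "$GITHUB_ENV"
```

With this in place the step still fails when no "Developer ID Application" identity is present, but the log shows whether the imported `.p12` carried a different certificate type or no valid identity at all.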
