build: attempt to fix mas 23

2026-01-23 02:36:05 +00:00 · 2025-11-10 14:56:05 +01:00 · 2025-11-10 14:56:05 +01:00 · 7b20b68b5b
commit 7b20b68b5b
parent 1f66267df1
2 changed files with 52 additions and 2 deletions
--- a/.github/workflows/build-publish-to-mac-store-on-release.yml
+++ b/.github/workflows/build-publish-to-mac-store-on-release.yml
@ -92,6 +92,34 @@ jobs:
        env:
          PROVISION_PROFILE: ${{secrets.mas_provision_profile}}

+      - name: Verify provisioning profile certificate
+        run: |
+          security cms -D -i embedded.provisionprofile > /tmp/profile.plist
+          python3 << 'EOF'
+          import plistlib
+          import subprocess
+          import hashlib
+
+          with open('/tmp/profile.plist', 'rb') as f:
+              plist_data = plistlib.load(f)
+
+          cert_data = plist_data['DeveloperCertificates'][0]
+          fingerprint = hashlib.sha1(cert_data).hexdigest().upper()
+
+          # Write to temp file and extract subject
+          with open('/tmp/cert.der', 'wb') as f:
+              f.write(cert_data)
+
+          result = subprocess.run(['openssl', 'x509', '-in', '/tmp/cert.der', '-inform', 'DER',
+                                  '-noout', '-subject', '-fingerprint', '-sha1'],
+                                 capture_output=True, text=True)
+
+          print("=== PROVISIONING PROFILE CERTIFICATE ===")
+          print(result.stdout)
+          print(f"SHA1 Fingerprint: {fingerprint}")
+          print("========================================")
+          EOF
+
      - run: npm run env # Generate env.generated.ts

      #      - name: Lint
--- a/.github/workflows/test-mac-dmg-build.yml
+++ b/.github/workflows/test-mac-dmg-build.yml
@ -53,6 +53,17 @@ jobs:
      - name: Install npm packages
        run: npm i

+      - name: Decode provisioning profile
+        shell: bash
+        env:
+          PROVISION_PROFILE: ${{ secrets.dl_provision_profile }}
+        run: |
+          if [ -z "$PROVISION_PROFILE" ]; then
+            echo "dl_provision_profile secret is missing"
+            exit 1
+          fi
+          echo "$PROVISION_PROFILE" | base64 --decode > embedded.provisionprofile
+
      - name: Configure macOS signing keychain
        env:
          MAC_CERTS: ${{ secrets.mac_certs }}
@ -78,13 +89,24 @@ jobs:
            echo "CSC_NAME=Developer ID Application: Johannes Millan (363FAFK383)"
          } >> "$GITHUB_ENV"

+      - name: Prepare for app notarization
+        run: |
+          mkdir -p ~/private_keys/
+          echo '${{ secrets.mac_api_key }}' > ~/private_keys/AuthKey_${{ secrets.mac_api_key_id }}.p8
+
      - name: Generate environment & build sources
        run: |
          npm run env
-          npm run buildAllElectron:noTests:prod
+          npm run build

      - name: Build Developer ID DMG
-        run: npm run dist:mac:dl
+        env:
+          API_KEY_ID: ${{ secrets.mac_api_key_id }}
+          API_KEY_ISSUER_ID: ${{ secrets.mac_api_key_issuer_id }}
+          APPLE_ID: ${{ secrets.APPLE_ID }}
+          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
+          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
+        run: npx electron-builder --mac

      - name: Verify DMG signature
        run: |