burrow/Scripts/ci/install-apple-signing-assets.sh
Conrad Kramer 002bd382e9
Some checks failed
Cache: Publish Nix / Publish Nix Cache (push) Waiting to run
Build Rust / Cargo Test (push) Successful in 4m14s
Build Site / Next.js Build (push) Failing after 6s
Infra: OpenTofu / OpenTofu (grafana) (push) Successful in 5s
Lint Governance / BEP Metadata (push) Successful in 0s
Build: Android / Android Rust Core Stub (push) Failing after 23s
Wire Forge-native release infrastructure
2026-06-07 05:51:12 -07:00

124 lines
4.2 KiB
Bash
Executable file

#!/usr/bin/env bash
set -euo pipefail
repo_root="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")/../.." && pwd)"
cd "$repo_root"
signing_ready=0
keychain_path=""
write_env() {
local key="$1"
local value="$2"
if [[ -n "${GITHUB_ENV:-}" ]]; then
echo "${key}=${value}" >> "$GITHUB_ENV"
fi
}
install_profile_file() {
local source="$1"
[[ -f "$source" ]] || return 0
local uuid
uuid="$(security cms -D -i "$source" 2>/dev/null | plutil -extract UUID raw -o - - 2>/dev/null || true)"
if [[ -z "$uuid" ]]; then
uuid="$(basename "$source")"
fi
local profiles_dir="$HOME/Library/MobileDevice/Provisioning Profiles"
mkdir -p "$profiles_dir"
cp "$source" "${profiles_dir}/${uuid}.provisionprofile"
echo "Installed provisioning profile ${uuid}."
}
install_profile_base64() {
local name="$1"
local value="${!name:-}"
[[ -n "$value" ]] || return 0
local out="${RUNNER_TEMP:-/tmp}/${name}.provisionprofile"
printf '%s' "$value" | base64 --decode > "$out"
install_profile_file "$out"
}
install_profile_env_path() {
local name="$1"
local path="${!name:-}"
[[ -n "$path" ]] || return 0
if [[ ! -f "$path" ]]; then
echo "::error ::${name} points to a missing provisioning profile: ${path}" >&2
exit 1
fi
install_profile_file "$path"
}
for profile in \
Apple/Profiles/*.provisionprofile \
Apple/Profiles/*.mobileprovision \
.forgejo/actions/export/*.provisionprofile \
.forgejo/actions/export/*.mobileprovision; do
[[ -e "$profile" ]] || continue
install_profile_file "$profile"
done
install_profile_env_path APPLE_PROVISIONING_PROFILE_PATH
install_profile_env_path APPLE_NETWORK_EXTENSION_PROVISIONING_PROFILE_PATH
install_profile_env_path APPLE_MACOS_PROVISIONING_PROFILE_PATH
install_profile_base64 APPLE_PROVISIONING_PROFILE_BASE64
install_profile_base64 APPLE_NETWORK_EXTENSION_PROVISIONING_PROFILE_BASE64
install_profile_base64 APPLE_MACOS_PROVISIONING_PROFILE_BASE64
cert_base64="${APPLE_SIGNING_CERTIFICATE_BASE64:-${APPLE_DISTRIBUTION_CERTIFICATE_BASE64:-}}"
cert_path_env="${APPLE_SIGNING_CERTIFICATE_PATH:-${APPLE_DISTRIBUTION_CERTIFICATE_PATH:-}}"
cert_password="${APPLE_SIGNING_CERTIFICATE_PASSWORD:-${APPLE_DISTRIBUTION_CERTIFICATE_PASSWORD:-}}"
keychain_password="${APPLE_KEYCHAIN_PASSWORD:-${cert_password}}"
if [[ -n "$cert_base64" || -n "$cert_path_env" ]]; then
if [[ -z "$cert_password" ]]; then
echo "::error ::APPLE_SIGNING_CERTIFICATE_PASSWORD is required when Apple signing certificate material is set." >&2
exit 1
fi
cert_path="${RUNNER_TEMP:-/tmp}/burrow-apple-signing.p12"
keychain_path="$HOME/Library/Keychains/BurrowRelease.keychain-db"
if [[ -n "$cert_path_env" ]]; then
if [[ ! -f "$cert_path_env" ]]; then
echo "::error ::APPLE_SIGNING_CERTIFICATE_PATH points to a missing file: ${cert_path_env}" >&2
exit 1
fi
cp "$cert_path_env" "$cert_path"
else
printf '%s' "$cert_base64" | base64 --decode > "$cert_path"
fi
security create-keychain -p "$keychain_password" "$keychain_path" || true
security set-keychain-settings -lut 21600 "$keychain_path"
security unlock-keychain -p "$keychain_password" "$keychain_path"
security import "$cert_path" \
-k "$keychain_path" \
-P "$cert_password" \
-T /usr/bin/codesign \
-T /usr/bin/security \
-T /usr/bin/productbuild \
-T /Applications/Xcode.app/Contents/Developer/usr/bin/xcodebuild
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$keychain_password" "$keychain_path" >/dev/null
existing="$(security list-keychains -d user | sed 's/[ "]//g' || true)"
if ! printf '%s\n' "$existing" | grep -Fxq "$keychain_path"; then
security list-keychains -d user -s "$keychain_path" $existing
fi
signing_ready=1
write_env BURROW_APPLE_KEYCHAIN_PATH "$keychain_path"
else
identities="$(security find-identity -v -p codesigning 2>/dev/null || true)"
if printf '%s\n' "$identities" | grep -Eq '"(Apple Distribution|Developer ID Application):'; then
signing_ready=1
fi
fi
write_env BURROW_APPLE_SIGNING_READY "$signing_ready"
if [[ "$signing_ready" == "1" ]]; then
echo "Apple signing assets are available."
else
echo "::notice ::Apple signing certificate is not configured; release lane will build unsigned validation artifacts only."
fi