
fix(release): use dedicated keychain for cert pre-import#10

Merged
mrdulasolutions merged 1 commit into main from claude/preimport-fix-keychain on May 12, 2026

Conversation

@mrdulasolutions
Owner

Summary

PR #9's pre-import step imported the Apple cert into `login.keychain-db` and called `security set-key-partition-list -k ""` to authorize codesign access. macos-latest runners' login keychain has a non-empty password (set by the runner image), so this failed with:

```
security: SecKeychainItemSetAccessWithPassword: The user name or passphrase you entered is not correct.
```

— and the whole step aborted before the sidecar build ever ran.

Fix

Use the same pattern tauri-action uses internally:

  1. `security create-keychain` in `$RUNNER_TEMP` with a freshly-generated random password (so we know it).
  2. `security import` the cert there.
  3. `security set-key-partition-list -k $KEYCHAIN_PW` — works because we know our own keychain's password.
  4. `security list-keychain -d user -s $KEYCHAIN ~/Library/Keychains/login.keychain-db` — add to the user search list ahead of login so codesign finds the identity here first.

This stays out of tauri-action's way when it later creates its own ephemeral keychain — codesign finds the identity in either, both have the same name, no conflict.

🤖 Generated with Claude Code

PR #9 imported the Apple cert into login.keychain-db and then
called `security set-key-partition-list -k ""` to authorize
codesign access. macos-latest runners' login keychain has a
non-empty password (set by the runner image), so this failed with
"SecKeychainItemSetAccessWithPassword: The user name or passphrase
you entered is not correct" and the whole step aborted.

Switch to the same pattern tauri-action uses internally: create a
fresh keychain in $RUNNER_TEMP with a freshly-generated password,
import the cert there, authorize via set-key-partition-list with
the known password, then add the keychain to codesign's user
search list ahead of login.keychain-db.

This isolates our keychain from the runner's, avoids fighting an
unknown login password, and stays out of tauri-action's way when
it creates its own ephemeral keychain later (codesign finds the
identity in either; both have the same name).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
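The four steps described in the PR summary and the commit message, assembled into one runnable step script. This is an added example written for this page; it is not the PR's own workflow change and not tauri-action's code. The secret names (APPLE_CERTIFICATE_BASE64, APPLE_CERTIFICATE_PASSWORD), the keychain file name, the unlock plus auto-lock-timeout commands and the identity check are assumptions or additions beyond the four steps (note the subcommand is spelled `list-keychains`). Step 3 is the one that replaces the PR #9 form, `set-key-partition-list -k ""` against login.keychain-db, which fails on macos-latest because that keychain's password is not known to the job.

```shell
#!/bin/sh
# Added example, not code from this PR or from tauri-action: the
# dedicated-keychain pattern as a step script for a macOS GitHub Actions
# runner. Secret names, keychain file name and the extra unlock/timeout
# commands are assumptions.
set -eu

# 64 hex chars from /dev/urandom. We generate the keychain password ourselves
# precisely so that set-key-partition-list can be authorised with a password
# we know; the runner image's login.keychain-db password is not known to us.
new_keychain_password() {
  od -An -tx1 -N 32 /dev/urandom | tr -d ' \n'
}

# setup_signing_keychain P12 P12_PASSWORD KEYCHAIN KEYCHAIN_PASSWORD
# Steps 1-4 from the PR, plus an unlock and a 6-hour auto-lock timeout so the
# keychain does not re-lock mid-build (the timeout is an addition, not in the PR).
setup_signing_keychain() {
  p12=$1; p12_pw=$2; keychain=$3; keychain_pw=$4

  security create-keychain -p "$keychain_pw" "$keychain"      # 1. our own keychain
  security set-keychain-settings -lut 21600 "$keychain"
  security unlock-keychain -p "$keychain_pw" "$keychain"
  security import "$p12" -k "$keychain" -P "$p12_pw" \
    -T /usr/bin/codesign -T /usr/bin/security                 # 2. cert + key go here
  security set-key-partition-list -S apple-tool:,apple: -s \
    -k "$keychain_pw" "$keychain"                             # 3. works: we know -k
  security list-keychains -d user -s "$keychain" \
    "$HOME/Library/Keychains/login.keychain-db"               # 4. search ours first
}

# Check that codesign can actually see the identity in KEYCHAIN. find-identity
# exits 0 even when it finds nothing, so parse its summary line instead.
# Returns 0 when at least one valid code-signing identity is present.
verify_signing_identity() {
  keychain=$1
  out=$(security find-identity -v -p codesigning "$keychain")
  printf '%s\n' "$out"
  count=$(printf '%s\n' "$out" | sed -n 's/^ *\([0-9][0-9]*\) valid identit.*/\1/p')
  [ "${count:-0}" -gt 0 ]
}

# Remove the keychain afterwards; delete-keychain also drops it from the search list.
remove_signing_keychain() {
  security delete-keychain "$1"
}

# Stand-alone usage on a runner; skipped when the secret is not in the environment.
if [ -n "${APPLE_CERTIFICATE_BASE64:-}" ]; then
  KEYCHAIN="${RUNNER_TEMP:-/tmp}/signing.keychain-db"
  P12="${RUNNER_TEMP:-/tmp}/signing.p12"
  KEYCHAIN_PW=$(new_keychain_password)
  echo "::add-mask::$KEYCHAIN_PW"                    # keep it out of the Actions log
  printf '%s' "$APPLE_CERTIFICATE_BASE64" | base64 --decode > "$P12"
  setup_signing_keychain "$P12" "${APPLE_CERTIFICATE_PASSWORD:-}" "$KEYCHAIN" "$KEYCHAIN_PW"
  rm -f "$P12"
  verify_signing_identity "$KEYCHAIN"
fi
```

Two practitioner caveats: never echo the keychain password or the .p12 password except through `::add-mask::`, and call `remove_signing_keychain` in a final step so the private key does not outlive the job on a self-hosted (non-ephemeral) runner. The identity check matters because `security find-identity` returns success even when it lists nothing; without it a missing or untrusted certificate only surfaces later as a cryptic codesign error.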
@mrdulasolutions mrdulasolutions merged commit ac0b362 into main May 12, 2026
2 of 3 checks passed