From 25da042b6e4e9ee366b3930b8e3a74e0e42fccf0 Mon Sep 17 00:00:00 2001 From: mrdulasolutions Date: Tue, 12 May 2026 19:29:46 -0400 Subject: [PATCH] fix(release): use dedicated keychain for cert pre-import PR #9 imported the Apple cert into login.keychain-db and then called `security set-key-partition-list -k ""` to authorize codesign access. macos-latest runners' login keychain has a non-empty password (set by the runner image), so this failed with "SecKeychainItemSetAccessWithPassword: The user name or passphrase you entered is not correct" and the whole step aborted. Switch to the same pattern tauri-action uses internally: create a fresh keychain in $RUNNER_TEMP with a freshly-generated password, import the cert there, authorize via set-key-partition-list with the known password, then add the keychain to codesign's user search list ahead of login.keychain-db. This isolates our keychain from the runner's, avoids fighting an unknown login password, and stays out of tauri-action's way when it creates its own ephemeral keychain later (codesign finds the identity in either; both have the same name). Co-Authored-By: Claude Opus 4.7 --- .github/workflows/release.yml | 45 +++++++++++++++++++---------------- 1 file changed, 24 insertions(+), 21 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e734915..115f13c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -65,7 +65,7 @@ jobs: - name: Install sidecar npm dependencies run: npm --prefix sidecar ci - - name: Pre-import Apple Developer ID cert into login keychain + - name: Pre-import Apple Developer ID cert into a dedicated keychain env: APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }} APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} 
@@ -84,36 +84,39 @@ jobs: # tauri-action *does* import the cert into a fresh keychain — but # only later, when it actually runs `tauri build`. By that point # the .node has been baked into the .app already. So we mirror - # tauri-action's keychain dance here, ahead of time, into - # login.keychain-db (the runner's default keychain that codesign - # consults). - # - # When tauri-action runs later it creates its own temporary - # keychain and imports the cert again; both keychains end up - # holding the same identity, codesign finds it in either. + # tauri-action's keychain dance here, ahead of time, in a fresh + # keychain that we add to codesign's search list. if [ -z "$APPLE_CERTIFICATE" ] || [ -z "$APPLE_CERTIFICATE_PASSWORD" ]; then echo "Apple signing secrets missing — skipping cert pre-import." echo "Runtime .node files will be left unsigned (matches the" echo "unsigned-build path; notarization will not pass)." exit 0 fi - P12=/tmp/aos-devid.p12 + # Create a fresh keychain with a known password so we can + # set-key-partition-list non-interactively. The runner's + # login.keychain-db has an unknown password so we can't reuse + # it for this dance. + KEYCHAIN=$RUNNER_TEMP/aos-codesign.keychain-db + KEYCHAIN_PW=$(openssl rand -hex 16) + security create-keychain -p "$KEYCHAIN_PW" "$KEYCHAIN" + # Don't auto-lock or time out during the build. + security set-keychain-settings "$KEYCHAIN" + security unlock-keychain -p "$KEYCHAIN_PW" "$KEYCHAIN" + # Import the cert; -T grants codesign access without GUI prompt. + P12=$RUNNER_TEMP/aos-devid.p12 echo "$APPLE_CERTIFICATE" | base64 -d > "$P12" - # The login keychain on macos-latest runners is empty and has no - # password. unlock with the empty password (no-op if already - # unlocked, but tolerant if it's locked). 
- security unlock-keychain -p "" ~/Library/Keychains/login.keychain-db 2>/dev/null || true security import "$P12" -P "$APPLE_CERTIFICATE_PASSWORD" \ - -k ~/Library/Keychains/login.keychain-db \ + -k "$KEYCHAIN" \ -T /usr/bin/codesign -T /usr/bin/productbuild -T /usr/bin/pkgbuild - # Grant codesign non-interactive access to the imported key — - # without this, codesign blocks waiting for a GUI password prompt - # that will never come on a headless runner. - security set-key-partition-list -S apple-tool:,apple:,codesign: \ - -s -k "" ~/Library/Keychains/login.keychain-db rm -f "$P12" - # Sanity: confirm the identity is now visible. - security find-identity -v -p codesigning ~/Library/Keychains/login.keychain-db + # Authorize codesign etc. to use the imported key without a UI prompt. + security set-key-partition-list -S apple-tool:,apple:,codesign: \ + -s -k "$KEYCHAIN_PW" "$KEYCHAIN" + # Add to the user search list AHEAD of login.keychain-db so + # `codesign --sign ` finds the identity here first. + security list-keychain -d user -s "$KEYCHAIN" ~/Library/Keychains/login.keychain-db + # Sanity: identity must be visible to codesign now. + security find-identity -v -p codesigning "$KEYCHAIN" - name: Build sidecar (bundle + package binary) run: |
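Review bot: The closing `security find-identity -v -p codesigning "$KEYCHAIN"` is labelled a sanity check, but as far as I recall `find-identity` exits 0 even when it prints `0 valid identities found`, so an import or `set-key-partition-list` that left the key unusable would not fail this step and the `.node` files would silently ship unsigned while the log claims otherwise. Make the check parse the count, e.g. `security find-identity -v -p codesigning "$KEYCHAIN" | grep -Eq '^ *[1-9][0-9]* valid identities found' || { echo "no valid codesigning identity in $KEYCHAIN" >&2; exit 1; }` (keep the unfiltered call above it so the identity hash still shows in the log). Two smaller hardening points in the same hunk: `rm -f "$P12"` is never reached if `security import` fails under the step's (presumably default `bash -e`) shell, so add `trap 'rm -f "$P12"' EXIT` right after `P12` is assigned; and because `set-keychain-settings` is called with no timeout, the unlocked keychain holding the Developer ID private key stays usable by every later step in the job (the sidecar build that follows runs npm-installed code), which is fine on ephemeral hosted runners but worth a final `if: always()` step running `security delete-keychain "$RUNNER_TEMP/aos-codesign.keychain-db"` in case this job ever runs on a self-hosted runner. The `run:` block this hunk edits begins in the previous hunk, so the step's `shell:` setting, if any, is not visible here.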