fix(release): use dedicated keychain for cert pre-import

.github/workflows/release.yml

@@ -65,7 +65,7 @@ jobs:
       - name: Install sidecar npm dependencies
         run: npm --prefix sidecar ci
 
-      - name: Pre-import Apple Developer ID cert into login keychain
+      - name: Pre-import Apple Developer ID cert into a dedicated keychain
         env:
           APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
           APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
@@ -84,36 +84,39 @@ jobs:
           # tauri-action *does* import the cert into a fresh keychain — but
           # only later, when it actually runs `tauri build`. By that point
           # the .node has been baked into the .app already. So we mirror
-          # tauri-action's keychain dance here, ahead of time, into
-          # login.keychain-db (the runner's default keychain that codesign
-          # consults).
-          #
-          # When tauri-action runs later it creates its own temporary
-          # keychain and imports the cert again; both keychains end up
-          # holding the same identity, codesign finds it in either.
+          # tauri-action's keychain dance here, ahead of time, in a fresh
+          # keychain that we add to codesign's search list.
           if [ -z "$APPLE_CERTIFICATE" ] || [ -z "$APPLE_CERTIFICATE_PASSWORD" ]; then
             echo "Apple signing secrets missing — skipping cert pre-import."
             echo "Runtime .node files will be left unsigned (matches the"
             echo "unsigned-build path; notarization will not pass)."
             exit 0
           fi
-          P12=/tmp/aos-devid.p12
+          # Create a fresh keychain with a known password so we can
+          # set-key-partition-list non-interactively. The runner's
+          # login.keychain-db has an unknown password so we can't reuse
+          # it for this dance.
+          KEYCHAIN=$RUNNER_TEMP/aos-codesign.keychain-db
+          KEYCHAIN_PW=$(openssl rand -hex 16)
+          security create-keychain -p "$KEYCHAIN_PW" "$KEYCHAIN"
+          # Don't auto-lock or time out during the build.
+          security set-keychain-settings "$KEYCHAIN"
+          security unlock-keychain -p "$KEYCHAIN_PW" "$KEYCHAIN"
+          # Import the cert; -T grants codesign access without GUI prompt.
+          P12=$RUNNER_TEMP/aos-devid.p12
           echo "$APPLE_CERTIFICATE" | base64 -d > "$P12"
-          # The login keychain on macos-latest runners is empty and has no
-          # password. unlock with the empty password (no-op if already
-          # unlocked, but tolerant if it's locked).
-          security unlock-keychain -p "" ~/Library/Keychains/login.keychain-db 2>/dev/null || true
           security import "$P12" -P "$APPLE_CERTIFICATE_PASSWORD" \
-            -k ~/Library/Keychains/login.keychain-db \
+            -k "$KEYCHAIN" \
             -T /usr/bin/codesign -T /usr/bin/productbuild -T /usr/bin/pkgbuild
-          # Grant codesign non-interactive access to the imported key —
-          # without this, codesign blocks waiting for a GUI password prompt
-          # that will never come on a headless runner.
-          security set-key-partition-list -S apple-tool:,apple:,codesign: \
-            -s -k "" ~/Library/Keychains/login.keychain-db
           rm -f "$P12"
-          # Sanity: confirm the identity is now visible.
-          security find-identity -v -p codesigning ~/Library/Keychains/login.keychain-db
+          # Authorize codesign etc. to use the imported key without a UI prompt.
+          security set-key-partition-list -S apple-tool:,apple:,codesign: \
+            -s -k "$KEYCHAIN_PW" "$KEYCHAIN"
+          # Add to the user search list AHEAD of login.keychain-db so
+          # `codesign --sign <name>` finds the identity here first.
+          security list-keychain -d user -s "$KEYCHAIN" ~/Library/Keychains/login.keychain-db
+          # Sanity: identity must be visible to codesign now.
+          security find-identity -v -p codesigning "$KEYCHAIN"
 
       - name: Build sidecar (bundle + package binary)
         run: |