Use electron-builder to import macOS signing certificate

The previous certificate import system causes electron-builder's code signing process to hang when the GitHub hosted macOS runner is used.

electron-builder has a built-in system for importing the code signing certificate into the keychain. This requires the certificate to have been exported using a specific procedure, which is described vaguely in the electron-builder documentation:

https://www.electron.build/code-signing

And more thoroughly in this article:

https://www.kencochrane.com/2020/08/01/build-and-sign-golang-binaries-for-macos-with-github-actions/#exporting-the-developer-certificate

The "KEYCHAIN" secret that was previously in use was apparently produced by some other procedure. The use of that secret results in a "security: SecKeychainItemImport: Unknown format in import." error during electron-builder's certificate import process. The APPLE_SIGNING_CERTIFICATE_P12 secret was generated by following the instructions in the article at the link above and works fine with the electron-builder certificate import system.
per1234 2020-08-17 12:59:49 -07:00
parent 1b8c510f33
commit ce58590c0e

@ -24,6 +24,9 @@ jobs:
# - os: rsora-rpi-arm # self-hosted armhf
runs-on: ${{ matrix.config.os }}
timeout-minutes: 30
env:
CERTIFICATE_PATH: /tmp/macos_signing_certificate.p12
steps:
- name: Checkout
uses: actions/checkout@v2
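Review bot: CERTIFICATE_PATH points at a fixed, predictable file under /tmp, and nothing in the visible steps deletes that file once packaging is done, so the decoded signing certificate stays on disk for the rest of the job and beyond it on any runner that is not discarded afterwards. The variable is also set at job level, so every matrix entry gets it although only the macOS steps use it. Suggest adding a final macOS-only step guarded with "if: always()" that runs rm -f "${{ env.CERTIFICATE_PATH }}", and consider a short comment on the env entry saying it is only consumed by the macOS signing steps.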
@ -39,12 +42,12 @@ jobs:
with:
python-version: '2.7'
- name: Update Keychain [macOS]
- name: Generate signing certificate file [macOS]
if: runner.OS == 'macOS'
run: |
echo "${{ secrets.KEYCHAIN }}" | base64 --decode > ~/Library/Keychains/apple-developer.keychain-db
security list-keychains -s ~/Library/Keychains/apple-developer.keychain-db
security unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" ~/Library/Keychains/apple-developer.keychain-db
# APPLE_SIGNING_CERTIFICATE_P12 secret was produced by following the procedure from:
# https://www.kencochrane.com/2020/08/01/build-and-sign-golang-binaries-for-macos-with-github-actions/#exporting-the-developer-certificate
echo "${{ secrets.APPLE_SIGNING_CERTIFICATE_P12 }}" | base64 --decode > "${{ env.CERTIFICATE_PATH }}"
- name: Package
shell: bash
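Review bot: the new echo line in "Generate signing certificate file [macOS]" writes the decoded .p12 with the default umask, so the private key file ends up readable by other local users on a typical runner. Running "umask 077" before the redirect (or chmod 600 on the file afterwards) would restrict it to the runner user. The secret is also expanded by the workflow engine straight into the script text; passing it through the step's env: block and referencing "$APPLE_SIGNING_CERTIFICATE_P12" in the script keeps the value out of the generated script file. Since electron-builder's CSC_LINK also accepts base64-encoded certificate data, the Package step could take the secret directly and this file would not need to exist at all.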
@ -58,6 +61,12 @@ jobs:
IS_NIGHTLY: ${{ github.event_name == 'schedule' }}
IS_RELEASE: ${{ startsWith(github.ref, 'refs/tags/') }}
run: |
# electron-builder will try to sign during the Windows job if these environment variables are defined
if [ "${{ runner.OS }}" = "macOS" ]; then
# See: https://www.electron.build/code-signing
export CSC_LINK="${{ env.CERTIFICATE_PATH }}"
export CSC_KEY_PASSWORD="${{ secrets.KEYCHAIN_PASSWORD }}"
fi
yarn --cwd ./electron/packager/
yarn --cwd ./electron/packager/ package
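Review bot: CSC_KEY_PASSWORD is filled from secrets.KEYCHAIN_PASSWORD, a name left over from the keychain-based import that this change removes, which makes it unclear that the value must now be the export password of the .p12 in APPLE_SIGNING_CERTIFICATE_P12. A dedicated secret whose name matches the certificate secret would make the pairing explicit and let the two be rotated together. Separately, export CSC_KEY_PASSWORD="${{ secrets.KEYCHAIN_PASSWORD }}" pastes the secret inside double quotes in the script, so a password containing a double quote, a dollar sign or a backtick is reinterpreted by bash; supplying it through the step's env: block and exporting from that variable inside the macOS branch avoids this while keeping the Windows job unsigned.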