From ce58590c0e6c4ba07bd5d4c0e82633d81fe741f0 Mon Sep 17 00:00:00 2001 From: per1234 Date: Mon, 17 Aug 2020 12:59:49 -0700 Subject: [PATCH] Use electron-builder to import macOS signing certificate The previous certificate import system causes electron-builder's code signing process to hang when the GitHub hosted macOS runner is used. electron-builder has a built-in system for importing the code signing certificate into the keychain. This requires the certificate to have been exported using a specific procedure, which is described vaguely in the electron-builder documentation: https://www.electron.build/code-signing And more thoroughly in this article: https://www.kencochrane.com/2020/08/01/build-and-sign-golang-binaries-for-macos-with-github-actions/#exporting-the-developer-certificate The "KEYCHAIN" secret that was previously in use was apparently produced by some other procedure. The use of that secret results in a "security: SecKeychainItemImport: Unknown format in import." error during the electron-builder's certificate import process. The APPLE_SIGNING_CERTIFICATE_P12 secret was generated by following the instructions in the article at the link above and works fine with the electron-builder certificate import system.
---
 .github/workflows/build.yml | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 8c3e9866..f14d38a1 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -24,6 +24,9 @@ jobs:
 # - os: rsora-rpi-arm # self-hosted armhf
 runs-on: ${{ matrix.config.os }}
 timeout-minutes: 30
+ env:
+ CERTIFICATE_PATH: /tmp/macos_signing_certificate.p12
+
 steps:
 - name: Checkout
 uses: actions/checkout@v2
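Review bot: `CERTIFICATE_PATH: /tmp/macos_signing_certificate.p12` places the signing key at a fixed, predictable name in a shared temp directory, and the job-level `env:` defines it for every matrix entry rather than only for macOS. On a hosted macOS runner the VM is discarded after the job, but the matrix context in this hunk lists self-hosted runners (currently commented out), where `/tmp` outlives the job and the file name can be read or pre-created by other local users. Consider deriving the path inside the macOS step from the runner's per-job temp directory instead, for example `echo "CERTIFICATE_PATH=$RUNNER_TEMP/macos_signing_certificate.p12" >> "$GITHUB_ENV"`. The job definition starts and ends outside this hunk.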
@@ -39,12 +42,12 @@ jobs:
 with:
 python-version: '2.7'
- - name: Update Keychain [macOS]
+ - name: Generate signing certificate file [macOS]
 if: runner.OS == 'macOS'
 run: |
- echo "${{ secrets.KEYCHAIN }}" | base64 --decode > ~/Library/Keychains/apple-developer.keychain-db
- security list-keychains -s ~/Library/Keychains/apple-developer.keychain-db
- security unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" ~/Library/Keychains/apple-developer.keychain-db
+ # APPLE_SIGNING_CERTIFICATE_P12 secret was produced by following the procedure from:
+ # https://www.kencochrane.com/2020/08/01/build-and-sign-golang-binaries-for-macos-with-github-actions/#exporting-the-developer-certificate
+ echo "${{ secrets.APPLE_SIGNING_CERTIFICATE_P12 }}" | base64 --decode > "${{ env.CERTIFICATE_PATH }}"
 - name: Package
 shell: bash
@@ -58,6 +61,12 @@ jobs:
 IS_NIGHTLY: ${{ github.event_name == 'schedule' }}
 IS_RELEASE: ${{ startsWith(github.ref, 'refs/tags/') }}
 run: |
+ # electron-builder will try to sign during the Windows job if these environment variables are defined
+ if [ "${{ runner.OS }}" = "macOS" ]; then
+ # See: https://www.electron.build/code-signing
+ export CSC_LINK="${{ env.CERTIFICATE_PATH }}"
+ export CSC_KEY_PASSWORD="${{ secrets.KEYCHAIN_PASSWORD }}"
+ fi
 yarn --cwd ./electron/packager/
 yarn --cwd ./electron/packager/ package
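Review bot: The decoded `.p12` in the "Generate signing certificate file [macOS]" step is written with the default umask, and nothing visible in this patch deletes it afterwards, so the private key stays on disk and may be readable by other local accounts for the rest of the job, or longer on a non-ephemeral runner. Setting `umask 077` before the write and adding a final `if: always()` step that removes `$CERTIFICATE_PATH` would bound that exposure. The secret is also expanded by `${{ … }}` directly into the script text, which puts the whole base64 certificate into the generated script file; passing it through the step's `env:` keeps it out of the script. The steps list continues outside this hunk, so the cleanup step would sit after "Package".

```yaml
      - name: Generate signing certificate file [macOS]
        if: runner.OS == 'macOS'
        env:
          APPLE_SIGNING_CERTIFICATE_P12: ${{ secrets.APPLE_SIGNING_CERTIFICATE_P12 }}
        run: |
          # … unchanged: comment on how the secret was produced …
          umask 077
          echo "$APPLE_SIGNING_CERTIFICATE_P12" | base64 --decode > "$CERTIFICATE_PATH"
```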
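Review bot: `export CSC_KEY_PASSWORD="${{ secrets.KEYCHAIN_PASSWORD }}"` pastes the secret into the bash source inside double quotes, so a password containing `"`, `$`, a backtick or a backslash is reinterpreted by the shell and may be truncated, altered or executed. Map it in the step's `env:` (for example `KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}`) and write `export CSC_KEY_PASSWORD="$KEYCHAIN_PASSWORD"` in the script. Both exports also come before the bare `yarn --cwd ./electron/packager/` line, which presumably installs dependencies, so package lifecycle scripts inherit the certificate path and password; running the install in its own step without these variables narrows that. The step's `name`, its `env:` header and anything after the last `yarn` line lie outside the hunk.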