From 234e6e0dec9da5533b2bd54859f0c1884b2b3388 Mon Sep 17 00:00:00 2001
From: Matias Korhonen
Date: Wed, 7 Aug 2024 18:13:26 +0300
Subject: [PATCH] Codesigning experimentation

---
 .github/workflows/codesign.yml | 77 ++++++++++++++++++++++++++++++++++
 1 file changed, 77 insertions(+)
 create mode 100644 .github/workflows/codesign.yml

diff --git a/.github/workflows/codesign.yml b/.github/workflows/codesign.yml
new file mode 100644
index 0000000..69dadb0
--- /dev/null
+++ b/.github/workflows/codesign.yml
@@ -0,0 +1,77 @@ +name: Codesign + +on: + push: + branches: [ "main", "next" ] + pull_request: + branches: [ "main", "next" ] + +permissions: + contents: read + +# Testing codesigning on macOS runners +# https://docs.github.com/en/actions/deployment/deploying-xcode-applications/installing-an-apple-certificate-on-macos-runners-for-xcode-development + +jobs: + build_with_signing: + runs-on: macos-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + - name: Install the Apple certificate and provisioning profile + env: + BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }} + P12_PASSWORD: ${{ secrets.P12_PASSWORD }} + BUILD_PROVISION_PROFILE_BASE64: ${{ secrets.BUILD_PROVISION_PROFILE_BASE64 }} + KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} + run: | + # create variables + CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12 + PP_PATH=$RUNNER_TEMP/build_pp.mobileprovision + KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db + + # import certificate and provisioning profile from secrets + echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH + echo -n "$BUILD_PROVISION_PROFILE_BASE64" | base64 --decode -o $PP_PATH + + # create temporary keychain + security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH + security set-keychain-settings -lut 21600 $KEYCHAIN_PATH + security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH + + # import certificate to keychain + security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH + security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH + security list-keychain -d user -s $KEYCHAIN_PATH + + # apply provisioning profile + mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles + cp $PP_PATH ~/Library/MobileDevice/Provisioning\ Profiles + - name: Fetch PaperAge release + uses: robinraju/release-downloader@v1.11 + with: + repository: "matiaskorhonen/paper-age" + latest: true + extract: true + 
fileName: paper-age-universal-apple-darwin.tar.gz + out-file-path: tmp + - name: Show the contents of the release + run: ls -la tmp + - name: Sign the binary + env: + CODESIGN_IDENTITY: ${{ secrets.CODESIGN_IDENTITY }} + run: | + # sign the binary + codesign --sign "$CODESIGN_IDENTITY" tmp/paper-age + - name: Upload the signed binary + uses: actions/upload-artifact@v4 + with: + name: signed-paper-age + path: tmp/paper-age + retention-days: 7 + - name: Clean up keychain and provisioning profile + if: ${{ always() }} + run: | + security delete-keychain $RUNNER_TEMP/app-signing.keychain-db + rm ~/Library/MobileDevice/Provisioning\ Profiles/build_pp.mobileprovision
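Review bot: The "Sign the binary" step signs whatever `robinraju/release-downloader` fetched as the `latest: true` release of `matiaskorhonen/paper-age` with no integrity check, so the Apple identity is applied to an artifact the workflow never verified, and `latest` means each run may sign a different input. Pin the release (the action's `tag` input rather than `latest: true`) and check the download against a digest kept in the workflow before `codesign`, e.g. `echo "$EXPECTED_SHA256  tmp/paper-age" | shasum -a 256 -c -`. The third-party action is pinned only by tag (`@v1.11`) while the temporary keychain has already been unlocked for 21600 seconds and made the sole entry in the user search list (`security list-keychain -d user -s`), so every later step in the job can sign with that identity; pin the action to a full commit SHA. For a binary intended for distribution the usual shape is `codesign --sign "$CODESIGN_IDENTITY" --timestamp --options runtime tmp/paper-age` followed by `codesign --verify --verbose tmp/paper-age`; as written the signature is neither timestamped nor hardened-runtime and is never verified. The cleanup step removes the keychain and profile but leaves the decoded `$RUNNER_TEMP/build_certificate.p12` on disk, which matters on self-hosted runners; add `rm -f "$RUNNER_TEMP/build_certificate.p12"` there.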