From 426d400757b0ba0c69b41b893598d2be5cccdafe Mon Sep 17 00:00:00 2001
From: rhinoc
Date: Sat, 10 Feb 2024 19:51:15 +0800
Subject: [PATCH] fix: add code_sign

---
 .github/workflows/release.yml | 8 ++++++++
 liltr.xcodeproj/project.pbxproj | 14 ++++++++------
 scripts/code_sign.sh | 15 +++++++++++++++
 scripts/reset_secret.sh | 3 +++
 4 files changed, 34 insertions(+), 6 deletions(-)
 create mode 100755 scripts/code_sign.sh

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f1435ff..164b34d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -27,7 +27,12 @@ env:
 NIUTRANS_SK: ${{ secrets.NIUTRANS_SK }}
 VOLCENGINE_AK: ${{ secrets.VOLCENGINE_AK }}
 VOLCENGINE_SK: ${{ secrets.VOLCENGINE_SK }}
+
+ # secrets
 SPARKLE_ED_PRIVATE_KEY: ${{ secrets.SPARKLE_ED_PRIVATE_KEY }}
+ BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
+ P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
+ KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
 
 jobs:
 build:
@@ -41,6 +46,9 @@ jobs:
 - name: Update version
 id: update_version
 run: echo "VERSION=$(scripts/update_version.sh)" >> $GITHUB_OUTPUT
+ - name: Code Sign
+ id: code_sign
+ run: scripts/code_sign.sh
 - name: Release
 id: release
 run: VERSION=${{steps.update_version.outputs.VERSION}} scripts/release.sh
diff --git a/liltr.xcodeproj/project.pbxproj b/liltr.xcodeproj/project.pbxproj
index e3f9de8..4a0883b 100644
--- a/liltr.xcodeproj/project.pbxproj
+++ b/liltr.xcodeproj/project.pbxproj
@@ -476,8 +476,8 @@
 CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE;
 CLANG_WARN_UNREACHABLE_CODE = YES;
 CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
- CODE_SIGN_IDENTITY = "-";
- CODE_SIGN_STYLE = Manual;
+ CODE_SIGN_IDENTITY = "Apple Development";
+ CODE_SIGN_STYLE = Automatic;
 COPY_PHASE_STRIP = NO;
 DEAD_CODE_STRIPPING = YES;
 DEBUG_INFORMATION_FORMAT = dwarf;
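Review bot: In the first release.yml hunk, `BUILD_CERTIFICATE_BASE64`, `P12_PASSWORD` and `KEYCHAIN_PASSWORD` are added to the workflow-level `env:` block, so every step of every job inherits the signing certificate and its passwords, not only the step that imports them. Only scripts/code_sign.sh reads these three in this diff, so they can move to an `env:` mapping on the `Code Sign` step added in the second hunk, e.g. `env:` followed by `P12_PASSWORD: ${{ secrets.P12_PASSWORD }}` and the other two. That keeps the material out of the environment of the version-bump and release scripts and of any step added later. If scripts/release.sh turns out to need `KEYCHAIN_PASSWORD` (not visible here), scope it to that step as well rather than to the whole workflow.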
@@ -542,8 +542,8 @@
 CLANG_WARN_UNGUARDED_AVAILABILITY = YES_AGGRESSIVE;
 CLANG_WARN_UNREACHABLE_CODE = YES;
 CLANG_WARN__DUPLICATE_METHOD_MATCH = YES;
- CODE_SIGN_IDENTITY = "-";
- CODE_SIGN_STYLE = Manual;
+ CODE_SIGN_IDENTITY = "Apple Development";
+ CODE_SIGN_STYLE = Automatic;
 COPY_PHASE_STRIP = NO;
 DEAD_CODE_STRIPPING = YES;
 DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym";
@@ -572,7 +572,8 @@
 buildSettings = {
 ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
 ASSETCATALOG_COMPILER_GLOBAL_ACCENT_COLOR_NAME = AccentColor;
- "CODE_SIGN_IDENTITY[sdk=macosx*]" = "-";
+ CODE_SIGN_IDENTITY = "Apple Development";
+ "CODE_SIGN_IDENTITY[sdk=macosx*]" = "Apple Development";
 CODE_SIGN_STYLE = Automatic;
 COMBINE_HIDPI_IMAGES = YES;
 CURRENT_PROJECT_VERSION = 0.0.4;
@@ -604,7 +605,8 @@
 buildSettings = {
 ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon;
 ASSETCATALOG_COMPILER_GLOBAL_ACCENT_COLOR_NAME = AccentColor;
- "CODE_SIGN_IDENTITY[sdk=macosx*]" = "-";
+ CODE_SIGN_IDENTITY = "Apple Development";
+ "CODE_SIGN_IDENTITY[sdk=macosx*]" = "Apple Development";
 CODE_SIGN_STYLE = Automatic;
 COMBINE_HIDPI_IMAGES = YES;
 CURRENT_PROJECT_VERSION = 0.0.4;
diff --git a/scripts/code_sign.sh b/scripts/code_sign.sh
new file mode 100755
index 0000000..35607b0
--- /dev/null
+++ b/scripts/code_sign.sh
@@ -0,0 +1,15 @@
+# create variables
+CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
+KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
+
+# import certificate profile from secrets
+echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
+
+# create temporary keychain
+security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
+security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
+
+# import certificate to keychain
+security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+security list-keychain -d user -s $KEYCHAIN_PATH
\ No newline at end of file
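Review bot: In scripts/code_sign.sh, `security import … -A` lets any application on the runner use the imported private key without a prompt, an option the security(1) man page itself marks as insecure. `-T /usr/bin/codesign` in its place limits access to the signing tool. With `-T`, codesign may still need `security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"` to run unattended, which should be confirmed on the runner image. The script also has no shebang or `set -euo pipefail`, so an empty secret or a failed `base64 --decode` does not stop the later `security` calls. `$CERTIFICATE_PATH` and `$KEYCHAIN_PATH` are expanded unquoted throughout and should be written as `"$CERTIFICATE_PATH"` and `"$KEYCHAIN_PATH"`.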
diff --git a/scripts/reset_secret.sh b/scripts/reset_secret.sh
index 7e1ce37..f5f5247 100755
--- a/scripts/reset_secret.sh
+++ b/scripts/reset_secret.sh
@@ -11,3 +11,6 @@ EMPTY_STRING=""
 /usr/libexec/PlistBuddy -c "Set :VolcengineSK $EMPTY_STRING" "$INFO_PLIST_PATH"
 /usr/libexec/PlistBuddy -c "Set :NiuTransSK $EMPTY_STRING" "$INFO_PLIST_PATH"
 /usr/libexec/PlistBuddy -c "Set :BigHugeThesaurusSK $EMPTY_STRING" "$INFO_PLIST_PATH"
+
+# clean up
+security delete-keychain $RUNNER_TEMP/app-signing.keychain-db
\ No newline at end of file
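Review bot: The cleanup appended to scripts/reset_secret.sh deletes only the keychain, so the decoded certificate that code_sign.sh writes to `$RUNNER_TEMP/build_certificate.p12` is left on disk. The keychain path is also unquoted here. The two lines would read `security delete-keychain "$RUNNER_TEMP/app-signing.keychain-db"` and `rm -f "$RUNNER_TEMP/build_certificate.p12"`. Where this script is called from is not visible in the diff; if it runs as a workflow step after `Release`, that step needs `if: ${{ always() }}` so the keychain and certificate are removed when signing or the build fails. The start of the script lies outside the hunk.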