always resign

StephenHodgson · StephenHodgson · commit b3ef97de6100 · 2025-05-09T19:48:36.000-04:00
diff --git a/dist/index.js b/dist/index.js
@@ -58050,6 +58050,7 @@ const semver = __nccwpck_require__(1383);
 const AppStoreConnectClient_1 = __nccwpck_require__(7486);
 const utilities_1 = __nccwpck_require__(5739);
 const core = __nccwpck_require__(2186);
+const AppleCredential_1 = __nccwpck_require__(4199);
 const xcodebuild = '/usr/bin/xcodebuild';
 const xcrun = '/usr/bin/xcrun';
 const WORKSPACE = process.env.GITHUB_WORKSPACE || process.cwd();
@@ -58542,9 +58543,7 @@ async function createMacOSInstallerPkg(projectRef) {
     }
     const developerIdInstallerCert = await (0, AppStoreConnectClient_1.GetCertificate)(projectRef, 'MAC_INSTALLER_DISTRIBUTION');
     core.info(`Found Developer ID Installer certificate: [${developerIdInstallerCert.id}] ${developerIdInstallerCert.attributes.name}`);
-    const certPath = path.join(process.env.RUNNER_TEMP, 'developer_id_installer.cer');
-    await fs.promises.writeFile(certPath, developerIdInstallerCert.attributes.certificateContent);
-    core.info(`Saved Developer ID Installer certificate to: ${certPath}`);
+    await (0, AppleCredential_1.ImportCertificate)(developerIdInstallerCert);
     const signPkgPath = __nccwpck_require__.ab + "sign-app-pkg.sh";
     core.info(`Signing pkg: ${pkgPath}`);
     let codesignOutput = '';
diff --git a/dist/index.js.map b/dist/index.js.map
diff --git a/dist/sign-app-bundle.sh b/dist/sign-app-bundle.sh
@@ -12,12 +12,6 @@ SIGNING_IDENTITY="$3"
 # remove any metadata from the app bundle
 xattr -cr "$APP_BUNDLE_PATH"
 
-# verify the app bundle
-if codesign --verify --verbose=2 "$APP_BUNDLE_PATH"; then
-    echo "App bundle is already signed and verified. skipping..."
-    exit 0
-fi
-
 if [ -z "$SIGNING_IDENTITY" ]; then
     # get the signing identity that matches Developer ID Application
     SIGNING_IDENTITY=$(security find-identity -p codesigning -v | grep "Developer ID Application" | awk -F'"' '{print $2}' | head -n 1)
@@ -38,6 +32,6 @@ find "$APP_BUNDLE_PATH" -name "*.dylib" -exec codesign --force --verify --verbos
 codesign --deep --force --verify --verbose --timestamp --options runtime --entitlements "$ENTITLEMENTS_PATH" --sign "$SIGNING_IDENTITY" "$APP_BUNDLE_PATH"
 
 # verify the app bundle
-if ! codesign --verify --verbose=2 "$APP_BUNDLE_PATH"; then
+if ! codesign --verify --deep --strict --verbose=2 "$APP_BUNDLE_PATH"; then
     exit 1
 fi
diff --git a/src/sign-app-bundle.sh b/src/sign-app-bundle.sh
@@ -12,12 +12,6 @@ SIGNING_IDENTITY="$3"
 # remove any metadata from the app bundle
 xattr -cr "$APP_BUNDLE_PATH"
 
-# verify the app bundle
-if codesign --verify --verbose=2 "$APP_BUNDLE_PATH"; then
-    echo "App bundle is already signed and verified. skipping..."
-    exit 0
-fi
-
 if [ -z "$SIGNING_IDENTITY" ]; then
     # get the signing identity that matches Developer ID Application
     SIGNING_IDENTITY=$(security find-identity -p codesigning -v | grep "Developer ID Application" | awk -F'"' '{print $2}' | head -n 1)
@@ -38,6 +32,6 @@ find "$APP_BUNDLE_PATH" -name "*.dylib" -exec codesign --force --verify --verbos
 codesign --deep --force --verify --verbose --timestamp --options runtime --entitlements "$ENTITLEMENTS_PATH" --sign "$SIGNING_IDENTITY" "$APP_BUNDLE_PATH"
 
 # verify the app bundle
-if ! codesign --verify --verbose=2 "$APP_BUNDLE_PATH"; then
+if ! codesign --verify --deep --strict --verbose=2 "$APP_BUNDLE_PATH"; then
     exit 1
 fi
diff --git a/src/xcode.ts b/src/xcode.ts
@@ -16,7 +16,7 @@ import {
 } from './AppStoreConnectClient';
 import { log } from './utilities';
 import core = require('@actions/core');
-import { AppleCredential } from './AppleCredential';
+import { AppleCredential, ImportCertificate } from './AppleCredential';
 import { SemVer } from 'semver';
 
 const xcodebuild = '/usr/bin/xcodebuild';
@@ -526,10 +526,7 @@ async function createMacOSInstallerPkg(projectRef: XcodeProject): Promise<string
     // TODO get Developer ID Installer signing certificate from app store connect API
     const developerIdInstallerCert = await GetCertificate(projectRef, 'MAC_INSTALLER_DISTRIBUTION');
     core.info(`Found Developer ID Installer certificate: [${developerIdInstallerCert.id}] ${developerIdInstallerCert.attributes.name}`);
-    // save certificate contents to runner.temp directory
-    const certPath = path.join(process.env.RUNNER_TEMP, 'developer_id_installer.cer');
-    await fs.promises.writeFile(certPath, developerIdInstallerCert.attributes.certificateContent);
-    core.info(`Saved Developer ID Installer certificate to: ${certPath}`);
+    await ImportCertificate(developerIdInstallerCert);
     // sign the .pkg using ./sign-app-pkg.sh
     const signPkgPath = path.join(__dirname, 'sign-app-pkg.sh');
     core.info(`Signing pkg: ${pkgPath}`);
