GitHub Action gets stuck running codesign on macOS
Hi, I'm trying to sign my macOS app using the Tauri action and it's hanging when it first runs codesign. From testing it out locally, it seems like it's getting stuck waiting on the user prompt to unlock the keychain. From my understanding of the keychain, the call to `security unlock-keychain` should avoid this but it doesn't seem to be working. Any help would be appreciated.
Full log below:
```
Finished `release` profile [optimized] target(s) in 5m 46s
Bundling [tauri_bundler::bundle::macos::app] Arboretum.app (/Users/runner/work/arboretum/arboretum/target/aarch64-apple-darwin/release/bundle/macos/Arboretum.app)
Running [tauri_bundler::bundle::common] Command `xattr -crs /Users/runner/work/arboretum/arboretum/target/aarch64-apple-darwin/release/bundle/macos/Arboretum.app`
Signing [tauri_bundler::bundle::macos::sign] with identity "Developer ID Application: Garett Cooper (***)"
Running [tauri_bundler::bundle::common] Command `security delete-keychain tauri-build.keychain`
security: SecKeychainDelete: The specified keychain could not be found.
Info [tauri_bundler::bundle::macos::sign] setup keychain from environment variables...
Running [tauri_bundler::bundle::common] Command `base64 --decode -i /var/folders/t_/mmhnh941511_hp2lwh383bp00000gn/T/.tmpJVZQCk/cert.p12.tmp -o /var/folders/t_/mmhnh941511_hp2lwh383bp00000gn/T/.tmpJVZQCk/cert.p12`
Running [tauri_bundler::bundle::common] Command `security create-keychain -p tauri-build tauri-build.keychain`
Running [tauri_bundler::bundle::common] Command `security unlock-keychain -p tauri-build tauri-build.keychain`
Running [tauri_bundler::bundle::common] Command `security import /var/folders/t_/mmhnh941511_hp2lwh383bp00000gn/T/.tmpJVZQCk/cert.p12 -k tauri-build.keychain -P *** -T /usr/bin/codesign -T /usr/bin/pkgbuild -T /usr/bin/productbuild`
1 identity imported.
Running [tauri_bundler::bundle::common] Command `security set-keychain-settings -t 3600 -u tauri-build.keychain`
Running [tauri_bundler::bundle::common] Command `security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k tauri-build tauri-build.keychain`
keychain: "/Users/runner/Library/Keychains/tauri-build.keychain-db"
version: 512
class: 0x00000010
attributes: <ATTRIBUES OMITTED>
Running [tauri_bundler::bundle::common] Command `security list-keychain -d user -s /Users/runner/Library/Keychains/build.keychain-db tauri-build.keychain`
Info [tauri_bundler::bundle::macos::sign] Signing app bundle...
Signing [tauri_bundler::bundle::macos::sign] /Users/runner/work/arboretum/arboretum/target/aarch64-apple-darwin/release/bundle/macos/Arboretum.app/Contents/Frameworks/Python.framework
Info [tauri_bundler::bundle::macos::sign] using entitlements file at ./Entitlements.plist
Running [tauri_bundler::bundle::common] Command `codesign --force -s Developer ID Application: Garett Cooper (***) --keychain tauri-build.keychain --entitlements ./Entitlements.plist /Users/runner/work/arboretum/arboretum/target/aarch64-apple-darwin/release/bundle/macos/Arboretum.app/Contents/Frameworks/Python.framework`
/Users/runner/work/arboretum/arboretum/target/aarch64-apple-darwin/release/bundle/macos/Arboretum.app/Contents/Frameworks/Python.framework: replacing existing signature
```
Did this happen once, multiple times, or every time? macOS code signing, especially in CI, likes to have hiccups for some reason and most of the time retrying is enough.
If it does happen frequently, can you try it without bundling Python just to check if that's the issue ('cause I can't remember seeing anyone bundling and signing it yet)?
It seems like it's every time, I've tried it 10 - 15 times without success. Removing the Python framework didn't help either, it just got stuck trying to sign the executable instead.
Same/similar problem here, it is stuck on signing. Nothing fancy going on just the vanilla tauri-apps/tauri-action with the following env variables:
```yaml
- uses: tauri-apps/tauri-action@v0
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
    APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
    APPLE_SIGNING_IDENTITY: ${{ env.CERT_ID }}
    APPLE_ID: ${{ secrets.APPLE_ID }}
    APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
    APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
  with:
    tagName: app-v__VERSION__ # the action automatically replaces __VERSION__ with the app version.
    releaseName: "App v__VERSION__"
    releaseBody: "See the assets to download this version and install."
    releaseDraft: true
    prerelease: false
    args: ${{ matrix.args }}
```
The last log where it hangs:
```
found cert "Developer ID Application: Ted Steen (***)" with organization "Ted Steen"
Signing with identity "Developer ID Application: Ted Steen (***)"
Signing with identity "Developer ID Application: Ted Steen (***)"
Signing /Users/runner/work/***/src-tauri/target/x86_64-apple-darwin/release/bundle/macOS/***.app/Contents/MacOS/***
```
Both aarch64 and x86_64 jobs are hanging at the same place
It has to do with the way the certs are imported. I don't know what it is, but it works for me when using this action instead of my own import scripts.

Old import scripts:
```yaml
- name: Import Apple Developer Certificate
  env:
    APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
    APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
  run: |
    KEYCHAIN_PASSWORD=password
    echo $APPLE_CERTIFICATE | base64 --decode > certificate.p12
    security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
    security default-keychain -s build.keychain
    security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
    security import certificate.p12 -k build.keychain -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign
    security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" build.keychain
    security find-identity -v -p codesigning build.keychain
```
Action that works: https://github.com/Apple-Actions/import-codesign-certs/tree/master
Has someone found a way to fix this issue?
My comment above f.ex :)
This is the build & verify steps that worked for me with that action, it was also getting stuck for me with the steps in the guide:
```yaml
- uses: apple-actions/import-codesign-certs@v3
  if: matrix.platform == 'macos-latest'
  with:
    p12-file-base64: ${{ secrets.APPLE_CERTIFICATE }}
    p12-password: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
    keychain: build
- name: Verify Certificate
  if: matrix.platform == 'macos-latest'
  run: |
    security find-identity -v -p codesigning build.keychain
    CERT_INFO=$(security find-identity -v -p codesigning build.keychain | grep "Developer ID Application")
    CERT_ID=$(echo "$CERT_INFO" | awk -F'"' '{print $2}')
    echo "CERT_ID=$CERT_ID" >> $GITHUB_ENV
    echo "Certificate imported."
```
Swapped "Apple Development" for "Developer ID Application" since "Apple Development" wasn't in the text being grep'd, ~~I've not been able to get notarisation working yet though so that might be incorrect~~ Got it Notarised, was just issues with APPLE_TEAM_ID / APPLE_PASSWORD.
This was the initial error in my case.
I ran into the exact issue and found the fix for it. The reason is the keychain was locked before the build finishes. Then the build is blocked and waiting for the user to unlock the keychain. Adding this command will prevent the keychain from locking for 1 hour; you can adjust the value to something that suits you:

```sh
security set-keychain-settings -t 3600 -u build.keychain
```
The complete script is:

```yaml
- name: Import Apple Developer Certificate
  env:
    APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
    APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
    KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
  run: |
    echo $APPLE_CERTIFICATE | base64 --decode > certificate.p12
    security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
    security default-keychain -s build.keychain
    security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
    security set-keychain-settings -t 3600 -u build.keychain
    security import certificate.p12 -k build.keychain -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign
    security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" build.keychain
    security find-identity -v -p codesigning build.keychain
```
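The import sequence from this thread as a standalone script, added here as an example and not taken from the comment above or from tauri-action. It keeps the explicit lock timeout and also handles the decoded `.p12` and the keychain password more carefully; the names `KEYCHAIN`, `LOCK_TIMEOUT`, `setup_signing_keychain` and `teardown_signing_keychain` are assumptions of this example.

```sh
#!/bin/sh
# Added example: CI signing keychain with an explicit lock timeout and cleanup.
set -eu

KEYCHAIN="${KEYCHAIN:-build.keychain}"
LOCK_TIMEOUT="${LOCK_TIMEOUT:-3600}"  # seconds; must outlast the whole build + sign step

setup_signing_keychain() {
  : "${APPLE_CERTIFICATE:?base64-encoded .p12 required}"
  : "${APPLE_CERTIFICATE_PASSWORD:?p12 password required}"
  # Throwaway keychain password unless the workflow supplies one.
  kc_pass="${KEYCHAIN_PASSWORD:-$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')}"
  # Decode outside the workspace so the .p12 cannot end up in an uploaded artifact.
  p12="$(mktemp "${TMPDIR:-/tmp}/cert.XXXXXX")"
  printf '%s' "$APPLE_CERTIFICATE" | base64 --decode > "$p12"

  security create-keychain -p "$kc_pass" "$KEYCHAIN"
  security default-keychain -s "$KEYCHAIN"
  security unlock-keychain -p "$kc_pass" "$KEYCHAIN"
  # Keep it unlocked long enough; if it relocks mid-build, codesign waits for a prompt.
  security set-keychain-settings -t "$LOCK_TIMEOUT" -u "$KEYCHAIN"
  rc=0
  security import "$p12" -k "$KEYCHAIN" -P "$APPLE_CERTIFICATE_PASSWORD" \
    -T /usr/bin/codesign || rc=$?
  rm -f "$p12"                        # private key material: remove even on failure
  [ "$rc" -eq 0 ] || return "$rc"
  security set-key-partition-list -S apple-tool:,apple:,codesign: -s \
    -k "$kc_pass" "$KEYCHAIN" >/dev/null
  security find-identity -v -p codesigning "$KEYCHAIN"
}

teardown_signing_keychain() {
  # Run from an `if: always()` step so the key does not outlive the job.
  security delete-keychain "$KEYCHAIN"
}

# Usage from a workflow step: sh keychain.sh setup  /  sh keychain.sh teardown
case "${1:-}" in
  setup)    setup_signing_keychain ;;
  teardown) teardown_signing_keychain ;;
esac
```

Set `LOCK_TIMEOUT` above the longest observed job duration, since the timer starts at keychain setup rather than when signing begins.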
I have a PR to add a sample template that solves this problem 👍
https://github.com/tauri-apps/tauri-action/pull/1021
security set-keychain-settings -t 3600 -u build.keychain
This exact addition fully fixed the topic issue in my case. @PatrickDinh so thank you!