Wrap signing certificate password in single quotes to prevent corruption

per1234 · per1234 · commit c53daac0bb89 · 2025-11-01T09:49:26.000-07:00
High quality passwords may contain characters with special treatment by the shell (e.g., $).

The release workflows contain a command that imports the macOS code signing certificate to the runner machine's
keychain. The command references a GitHub Actions secret that contains the password of the certificate.

Previously, that reference was wrapped in double quotes. This resulted in the password string being subject to shell
expansions. If the password contained characters that incidentally resemble shell code, this resulted in the corruption
of the password, nd thus a spurious failure of the release workflow:

```
security: SecKeychainItemImport: The user name or passphrase you entered is not correct.
```
diff --git a/.github/workflows/publish-go-nightly-task.yml b/.github/workflows/publish-go-nightly-task.yml
@@ -140,7 +140,7 @@ jobs:
             -f pkcs12 \
             -A \
             -T /usr/bin/codesign \
-            -P "${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}"
+            -P '${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}'
 
           security set-key-partition-list \
             -S apple-tool:,apple: \
diff --git a/.github/workflows/release-go-task.yml b/.github/workflows/release-go-task.yml
@@ -150,7 +150,7 @@ jobs:
             -f pkcs12 \
             -A \
             -T "/usr/bin/codesign" \
-            -P "${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}"
+            -P '${{ secrets.INSTALLER_CERT_MAC_PASSWORD }}'
 
           security set-key-partition-list \
             -S apple-tool:,apple: \
