From e87d267b7d7e058c1f2337816088b9727c31da7f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Pierzcha=C5=82a?=
Date: Wed, 8 Oct 2025 09:04:49 -0700
Subject: [PATCH 1/4] fix: keychain logging too much information

---
 action.yml | 23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)

diff --git a/action.yml b/action.yml
index 75043c3..03bc275 100644
--- a/action.yml
+++ b/action.yml
@@ -248,15 +248,17 @@ runs:
 if [ -n "${{ inputs.certificate-file }}" ]; then
 # Use certificate file directly
- cp "${{ inputs.certificate-file }}" $CERTIFICATE_PATH
+ cp "${{ inputs.certificate-file }}" "$CERTIFICATE_PATH"
 else
 # Decode base64 certificate
- echo -n "${{ inputs.certificate-base64 }}" | base64 --decode -o $CERTIFICATE_PATH
+ echo -n "${{ inputs.certificate-base64 }}" | base64 --decode -o "$CERTIFICATE_PATH"
 fi
+
+ # Import the certificate silently (suppress sensitive output)
 if [ -n "${{ inputs.certificate-password }}" ]; then
- security import $CERTIFICATE_PATH -P "${{ inputs.certificate-password }}" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+ security import "$CERTIFICATE_PATH" -P "${{ inputs.certificate-password }}" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH" >/dev/null
 else
- SECURITY_IMPORT_ERROR=$(security import $CERTIFICATE_PATH -A -t cert -f pkcs12 -k $KEYCHAIN_PATH 2>&1)
+ SECURITY_IMPORT_ERROR=$(security import "$CERTIFICATE_PATH" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH" 2>&1 >/dev/null)
 if [ $? -ne 0 ]; then
 echo "Certificate import failed. If this P12 file requires a password, please provide certificate-password input."
 echo "Error output from 'security import':"
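Review bot: `-P "${{ inputs.certificate-password }}"` on the new import line (and `echo -n "${{ inputs.certificate-base64 }}"` above it) expand an action input straight into the shell script text, so a value containing `"` or `$(…)` can alter the command rather than merely be passed to it; the quoting added in this hunk does not change that, because the `${{ }}` expansion happens before bash ever sees the line. Declare the inputs in the step's `env:` (for example `CERTIFICATE_PASSWORD: ${{ inputs.certificate-password }}`, outside this hunk) and reference them as `-P "$CERTIFICATE_PASSWORD"` and `printf '%s' "$CERTIFICATE_BASE64" | base64 --decode -o "$CERTIFICATE_PATH"`. Even then `-P` still places the password on the `security` command line, where it is visible to `ps` on the runner for the duration of the import; that appears inherent to `security import` and deserves a comment such as `# NOTE: -P exposes the password on argv for the lifetime of the import`. The `run:` script this hunk belongs to starts before and continues after it.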
@@ -264,13 +266,14 @@ runs:
 exit 1
 fi
 fi
- security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
- security list-keychain -d user -s $KEYCHAIN_PATH
- # Infer certificate identity
- IDENTITY=$(security find-identity -v -p codesigning $KEYCHAIN_PATH | grep -oE '([0-9A-F]{40})' | head -n 1)
- echo "Certificate identity: $IDENTITY"
- echo "IDENTITY=$IDENTITY" >> $GITHUB_ENV
+ security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" >/dev/null
+ security list-keychain -d user -s "$KEYCHAIN_PATH" >/dev/null
+
+ # Infer certificate identity (safe: SHA-1 fingerprint only)
+ IDENTITY=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep -oE '([0-9A-F]{40})' | head -n 1)
+ echo "Using signing identity (SHA-1): ${IDENTITY:0:8}…"
+ echo "IDENTITY=$IDENTITY" >> "$GITHUB_ENV"
 # Unpack provisioning profile (legacy single profile support)
 PROFILE_DIR="$HOME/Library/MobileDevice/Provisioning Profiles"

From 98039d88d088b96dee39598c9d007e11bd1ae6e8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Pierzcha=C5=82a?=
Date: Wed, 8 Oct 2025 09:09:02 -0700
Subject: [PATCH 2/4] fixup SECURITY_IMPORT_ERROR=

---
 action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/action.yml b/action.yml
index 03bc275..857bfeb 100644
--- a/action.yml
+++ b/action.yml
@@ -258,7 +258,7 @@ runs:
 if [ -n "${{ inputs.certificate-password }}" ]; then
 security import "$CERTIFICATE_PATH" -P "${{ inputs.certificate-password }}" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH" >/dev/null
 else
- SECURITY_IMPORT_ERROR=$(security import "$CERTIFICATE_PATH" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH" 2>&1 >/dev/null)
+ SECURITY_IMPORT_ERROR=$(security import "$CERTIFICATE_PATH" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH" >/dev/null 2>&1)
 if [ $? -ne 0 ]; then
 echo "Certificate import failed. If this P12 file requires a password, please provide certificate-password input."
 echo "Error output from 'security import':"
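Review bot: `IDENTITY=$(security find-identity -v -p codesigning … | head -n 1)` yields an empty string when the keychain holds no valid code-signing identity, and the two new lines after it then log `Using signing identity (SHA-1): …` and append a bare `IDENTITY=` to `$GITHUB_ENV`, so the real failure only surfaces in a later signing step. Guard it before the echo: `[ -n "$IDENTITY" ] || { echo "No valid code-signing identity found in $KEYCHAIN_PATH" >&2; exit 1; }`. `head -n 1` also silently picks the first identity when several are present; if that can happen, a one-line comment stating which one is intended (or a check that exactly one matched) would help the next maintainer. The `run:` script continues past this hunk.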
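Review bot: `>/dev/null 2>&1` inside the command substitution on the new line discards stderr as well as stdout, so `SECURITY_IMPORT_ERROR` is always empty and the `echo "$SECURITY_IMPORT_ERROR"` that follows prints nothing when the import fails. To keep stderr and drop only the tool's stdout the order must be `2>&1 >/dev/null` (as in the previous patch), or plain `2>&1` if the stdout text is wanted in the failure report as well (which is what the next patch in this series does). Since the following fixup reverts this exact line, the two are better squashed before merging.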
From ea35a91535b606b13dc82871339b1796f042ef63 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Pierzcha=C5=82a?=
Date: Wed, 8 Oct 2025 09:12:12 -0700
Subject: [PATCH 3/4] fixup

---
 action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/action.yml b/action.yml
index 857bfeb..58dfc7c 100644
--- a/action.yml
+++ b/action.yml
@@ -258,7 +258,7 @@ runs:
 if [ -n "${{ inputs.certificate-password }}" ]; then
 security import "$CERTIFICATE_PATH" -P "${{ inputs.certificate-password }}" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH" >/dev/null
 else
- SECURITY_IMPORT_ERROR=$(security import "$CERTIFICATE_PATH" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH" >/dev/null 2>&1)
+ SECURITY_IMPORT_ERROR=$(security import "$CERTIFICATE_PATH" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH" 2>&1)
 if [ $? -ne 0 ]; then
 echo "Certificate import failed. If this P12 file requires a password, please provide certificate-password input."
 echo "Error output from 'security import':"

From 3e7af8ea86fb36bbde709a6d5384bf353fb21406 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Pierzcha=C5=82a?=
Date: Wed, 8 Oct 2025 09:16:43 -0700
Subject: [PATCH 4/4] log errors

---
 action.yml | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/action.yml b/action.yml
index 58dfc7c..ea058c1 100644
--- a/action.yml
+++ b/action.yml
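Review bot: `-A` on the rewritten `security import` line lets every application on the runner use the imported private key without prompting, which is broader than this action needs; `-T /usr/bin/codesign -T /usr/bin/security` limits access to the signing tools, and the `set-key-partition-list -S apple-tool:,apple:` call visible in the first patch of this series still handles the partition ID. The flag pre-dates this series, so treat it as a follow-up rather than a blocker, but a comment on the line (`# -A: any app may use the key; tighten with -T if only codesign needs it`) would at least make the choice explicit. Capturing with plain `2>&1` also folds the tool's stdout into `SECURITY_IMPORT_ERROR`, which is only printed on failure, so this fixup does not reintroduce the log noise the series removes.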
@@ -256,11 +256,18 @@ runs:
 # Import the certificate silently (suppress sensitive output)
 if [ -n "${{ inputs.certificate-password }}" ]; then
- security import "$CERTIFICATE_PATH" -P "${{ inputs.certificate-password }}" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH" >/dev/null
+ SECURITY_IMPORT_ERROR=$(security import "$CERTIFICATE_PATH" -P "${{ inputs.certificate-password }}" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH" 2>&1)
+ if [ $? -ne 0 ]; then
+ echo "Certificate import failed with provided password."
+ echo "Error output from 'security import':"
+ echo "$SECURITY_IMPORT_ERROR"
+ exit 1
+ fi
 else
 SECURITY_IMPORT_ERROR=$(security import "$CERTIFICATE_PATH" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH" 2>&1)
- if [ $? -ne 0 ]; then
- echo "Certificate import failed. If this P12 file requires a password, please provide certificate-password input."
+ SECURITY_IMPORT_EXIT_CODE=$?
+ if [ $SECURITY_IMPORT_EXIT_CODE -ne 0 ]; then
+ echo "Certificate import failed. If this P12 file requires a password, please provide 'certificate-password' input."
 echo "Error output from 'security import':"
 echo "$SECURITY_IMPORT_ERROR"
 exit 1
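Review bot: The new password branch and the existing else branch now carry two copies of the same failure handling, differing only in the first message and in whether the status is first saved to `SECURITY_IMPORT_EXIT_CODE`, and both still expand `${{ inputs.certificate-password }}` inline in the script text, where a crafted value can change the command line. Building the `security import` arguments in an array and testing the assignment directly (`if ! SECURITY_IMPORT_ERROR=$(security "${IMPORT_ARGS[@]}" 2>&1); then`) removes the duplication and the `$?` bookkeeping, and reading the password from a step-level `env:` entry (`CERTIFICATE_PASSWORD: ${{ inputs.certificate-password }}`, outside this hunk) keeps it out of the script. The diagnostics should also go to stderr with `>&2` so they are not mixed into whatever the step prints on stdout. The `run:` script continues on both sides of this hunk.
```yaml
# Import the certificate silently (suppress sensitive output)
# CERTIFICATE_PASSWORD is supplied through the step's env: block, not an
# inline ${{ }} expansion, so its value cannot alter this script.
IMPORT_ARGS=(import "$CERTIFICATE_PATH" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH")
if [ -n "$CERTIFICATE_PASSWORD" ]; then
  IMPORT_ARGS+=(-P "$CERTIFICATE_PASSWORD")
fi
# stdout and stderr are captured together and shown only on failure.
if ! SECURITY_IMPORT_ERROR=$(security "${IMPORT_ARGS[@]}" 2>&1); then
  echo "Certificate import failed." >&2
  if [ -z "$CERTIFICATE_PASSWORD" ]; then
    echo "If this P12 file requires a password, please provide 'certificate-password' input." >&2
  fi
  echo "Error output from 'security import':" >&2
  echo "$SECURITY_IMPORT_ERROR" >&2
  exit 1
fi
```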