Skip to content

fix: keychain logging too much information #18

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Oct 8, 2025
Merged

fix: keychain logging too much information #18

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
e87d267
fix: keychain logging too much information
thymikee Oct 8, 2025
98039d8
fixup SECURITY_IMPORT_ERROR=
thymikee Oct 8, 2025
ea35a91
fixup
thymikee Oct 8, 2025
3e7af8e
log errors
thymikee Oct 8, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 22 additions & 12 deletions action.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -248,29 +248,39 @@ runs:

if [ -n "${{ inputs.certificate-file }}" ]; then
# Use certificate file directly
cp "${{ inputs.certificate-file }}" $CERTIFICATE_PATH
cp "${{ inputs.certificate-file }}" "$CERTIFICATE_PATH"
else
# Decode base64 certificate
echo -n "${{ inputs.certificate-base64 }}" | base64 --decode -o $CERTIFICATE_PATH
echo -n "${{ inputs.certificate-base64 }}" | base64 --decode -o "$CERTIFICATE_PATH"
fi

# Import the certificate silently (suppress sensitive output)
if [ -n "${{ inputs.certificate-password }}" ]; then
security import $CERTIFICATE_PATH -P "${{ inputs.certificate-password }}" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
else
SECURITY_IMPORT_ERROR=$(security import $CERTIFICATE_PATH -A -t cert -f pkcs12 -k $KEYCHAIN_PATH 2>&1)
SECURITY_IMPORT_ERROR=$(security import "$CERTIFICATE_PATH" -P "${{ inputs.certificate-password }}" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH" 2>&1)
if [ $? -ne 0 ]; then
echo "Certificate import failed. If this P12 file requires a password, please provide certificate-password input."
echo "Certificate import failed with provided password."
echo "Error output from 'security import':"
echo "$SECURITY_IMPORT_ERROR"
exit 1
fi
else
SECURITY_IMPORT_ERROR=$(security import "$CERTIFICATE_PATH" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH" 2>&1)
Copy link

@cursor cursor bot Oct 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: Security Import Command Fails Silently

The security import command's output and error handling are inconsistent and problematic. When a certificate password is provided, import failures go undetected, leading to silent failures. For password-less certificates, the command captures sensitive keychain metadata on success, which can be logged. Additionally, the exit code check for the password-less case is broken, causing import failures to be missed.

Fix in Cursor Fix in Web

SECURITY_IMPORT_EXIT_CODE=$?
if [ $SECURITY_IMPORT_EXIT_CODE -ne 0 ]; then
echo "Certificate import failed. If this P12 file requires a password, please provide 'certificate-password' input."
echo "Error output from 'security import':"
echo "$SECURITY_IMPORT_ERROR"
exit 1
fi
fi
security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security list-keychain -d user -s $KEYCHAIN_PATH

# Infer certificate identity
IDENTITY=$(security find-identity -v -p codesigning $KEYCHAIN_PATH | grep -oE '([0-9A-F]{40})' | head -n 1)
echo "Certificate identity: $IDENTITY"
echo "IDENTITY=$IDENTITY" >> $GITHUB_ENV
security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH" >/dev/null
security list-keychain -d user -s "$KEYCHAIN_PATH" >/dev/null

# Infer certificate identity (safe: SHA-1 fingerprint only)
IDENTITY=$(security find-identity -v -p codesigning "$KEYCHAIN_PATH" | grep -oE '([0-9A-F]{40})' | head -n 1)
echo "Using signing identity (SHA-1): ${IDENTITY:0:8}…"
echo "IDENTITY=$IDENTITY" >> "$GITHUB_ENV"

# Unpack provisioning profile (legacy single profile support)
PROFILE_DIR="$HOME/Library/MobileDevice/Provisioning Profiles"
Expand Down