🤖 Fix: Restore base64: prefix for CSC_LINK #75
Conversation
Electron-builder requires the base64: prefix to recognize that CSC_LINK contains inline certificate data rather than a file path. Without it, electron-builder treats the value as a file path and fails.
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
| - name: Package for macOS | ||
| env: | ||
| CSC_LINK: ${{ secrets.MACOS_CERTIFICATE }} | ||
| CSC_LINK: base64:${{ secrets.MACOS_CERTIFICATE }} | ||
| CSC_KEY_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }} | ||
| run: bun run dist:mac |
There was a problem hiding this comment.
Adding the base64: prefix fixes signing when the certificate secret is present, but this value is now always set even when secrets.MACOS_CERTIFICATE is empty (e.g. PRs from forks where secrets are masked). In those runs the env var becomes the literal string base64:, causing electron-builder to attempt to decode an empty certificate and fail the macOS packaging step, whereas previously the env var was empty and signing was skipped. Consider only setting CSC_LINK when the secret exists (or defaulting to an empty string) so unsigned builds still succeed in environments without the certificate.
Useful? React with 👍 / 👎.
When secrets are unavailable (e.g., PRs from forks), CSC_LINK was being set to the literal string 'base64:' which caused electron-builder to fail. Now CSC_LINK is only set when MACOS_CERTIFICATE exists: - If secret exists: CSC_LINK="base64:<certificate>" - If secret is empty: CSC_LINK="" This allows unsigned builds to succeed when secrets are not available.
## Problem PR #74 removed the `base64:` prefix from `CSC_LINK`, but electron-builder requires this prefix to distinguish between: - A file path to a certificate file - Inline base64-encoded certificate data Without the prefix, electron-builder treats the base64 string as a file path and fails to find the certificate. ## Solution Restore the `base64:` prefix: ```yaml CSC_LINK: base64:${{ secrets.MACOS_CERTIFICATE }} ``` ## How it works - `MACOS_CERTIFICATE` secret contains the raw base64-encoded .p12 certificate - The `base64:` prefix tells electron-builder to decode the certificate data inline - Electron-builder creates a temporary keychain and imports the certificate automatically ## References - Codex comment on PR #74 identifying the issue - electron-builder documentation on CSC_LINK format _Generated with `cmux`_
1 participant
Problem
PR #74 removed the
base64:prefix fromCSC_LINK, but electron-builder requires this prefix to distinguish between:Without the prefix, electron-builder treats the base64 string as a file path and fails to find the certificate.
Solution
Restore the
base64:prefix:How it works
MACOS_CERTIFICATEsecret contains the raw base64-encoded .p12 certificatebase64:prefix tells electron-builder to decode the certificate data inlineReferences
Generated with
cmux