From 85db58650e478183958cf9e64ac80209ac2b8e37 Mon Sep 17 00:00:00 2001 From: Ammar Bandukwala Date: Tue, 7 Oct 2025 14:19:10 -0500 Subject: [PATCH 1/2] Fix: macOS code signing by decoding certificate to file The MACOS_CERTIFICATE secret contains newlines which caused electron-builder's internal base64 decoder to fail with: 'SecKeychainItemImport: Unknown format in import' Solution: Decode the certificate ourselves and provide a file path instead of using the base64: prefix. This approach: - Handles newlines in the base64 string correctly - Avoids electron-builder's internal decoder issues - Only sets CSC_LINK when the secret is available Tested successfully on debug-cert-format branch with both x64 and arm64 builds being signed correctly. --- .github/workflows/build.yml | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 2c45c3f23c..301c6a81f4 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -27,10 +27,14 @@ jobs: run: bun run build - name: Package for macOS - env: - CSC_LINK: ${{ secrets.MACOS_CERTIFICATE && format('base64:{0}', secrets.MACOS_CERTIFICATE) || '' }} - CSC_KEY_PASSWORD: ${{ secrets.MACOS_CERTIFICATE_PWD }} - run: bun run dist:mac + run: | + # Decode certificate to file to avoid issues with newlines in base64 string + if [ -n "${{ secrets.MACOS_CERTIFICATE }}" ]; then + echo "${{ secrets.MACOS_CERTIFICATE }}" | base64 --decode > /tmp/certificate.p12 + export CSC_LINK="/tmp/certificate.p12" + export CSC_KEY_PASSWORD="${{ secrets.MACOS_CERTIFICATE_PWD }}" + fi + bun run dist:mac - name: Upload macOS DMG uses: actions/upload-artifact@v4 From 84f3775776134274e6d270f9deb3d5204a09009c Mon Sep 17 00:00:00 2001 
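Review bot: Both secrets are now expanded with `${{ secrets.… }}` directly inside the `run:` script, so their values become part of the script text before the shell parses it. A `"`, `$`, backtick or backslash in MACOS_CERTIFICATE_PWD would be interpreted by the shell, which at best corrupts the password and at worst runs unintended commands. The removed version passed the values through `env:`, and the file-decoding fix works the same way if the step keeps an `env:` mapping and the script reads `"$MACOS_CERTIFICATE"` and `"$MACOS_CERTIFICATE_PWD"`. The `echo … | base64` line touched again in patch 2/2 has the same pattern.

```yaml
      - name: Package for macOS
        env:
          MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
          MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
        run: |
          # … unchanged: comment about decoding the certificate to a file …
          if [ -n "$MACOS_CERTIFICATE" ]; then
            echo "$MACOS_CERTIFICATE" | base64 --decode > /tmp/certificate.p12
            export CSC_LINK="/tmp/certificate.p12"
            export CSC_KEY_PASSWORD="$MACOS_CERTIFICATE_PWD"
          fi
          # … unchanged: bun run dist:mac …
```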
From: Ammar Bandukwala Date: Tue, 7 Oct 2025 14:23:40 -0500 Subject: [PATCH 2/2] Fix: Use BSD-compatible base64 flag for macOS Changed base64 --decode to base64 -D for macOS BSD compatibility. --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 301c6a81f4..3af473ad0b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -30,7 +30,7 @@ jobs: run: | # Decode certificate to file to avoid issues with newlines in base64 string if [ -n "${{ secrets.MACOS_CERTIFICATE }}" ]; then - echo "${{ secrets.MACOS_CERTIFICATE }}" | base64 --decode > /tmp/certificate.p12 + echo "${{ secrets.MACOS_CERTIFICATE }}" | base64 -D > /tmp/certificate.p12 export CSC_LINK="/tmp/certificate.p12" export CSC_KEY_PASSWORD="${{ secrets.MACOS_CERTIFICATE_PWD }}" fi
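Review bot: The changed line writes the decoded signing identity to the fixed path `/tmp/certificate.p12` with the default umask, and nothing in the step removes it, so on a self-hosted or reused runner the .p12 would outlive the job. Putting `umask 077` before the decode, writing to `"$RUNNER_TEMP/certificate.p12"` instead, and adding `trap 'rm -f "$RUNNER_TEMP/certificate.p12"' EXIT` would keep the key private to the job and clean it up even when `bun run dist:mac` fails. Separately, `-D` is the BSD spelling and GNU `base64` rejects it, so this step is now tied to a macOS runner. The job's `runs-on` line is outside the hunk, so that is worth confirming.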