Skip to content

fix(release): use correct secret names for macOS notarization#23

Merged
mohabbis merged 1 commit into
masterfrom
fix/macos-signing-secret-names
Jun 8, 2026
Merged

fix(release): use correct secret names for macOS notarization#23
mohabbis merged 1 commit into
masterfrom
fix/macos-signing-secret-names

Conversation

@mohabbis

@mohabbis mohabbis commented Jun 8, 2026

Copy link
Copy Markdown
Owner

Summary

  • The "Configure macOS signing" step in .github/workflows/release.yml checked for APPLE_CERTIFICATE/APPLE_CERTIFICATE_PASSWORD repo secrets, but the certificate is actually configured under different secret names: BUILD_CERTIFICATE_BASE64 and P12_PASSWORD. The check always evaluated false, so the build silently fell back to SIGNING_MODE=adhoc.
  • The "Build universal app" step then redeclared the cert env vars with a || '' fallback, which set APPLE_CERTIFICATE/APPLE_CERTIFICATE_PASSWORD to empty strings (present-but-empty) rather than leaving them unset. Tauri's bundler treats a present env var — even an empty one — as "a certificate is configured" and attempts security import on it, producing:
    security: SecKeychainItemImport: One or more parameters passed to a function were not valid.
    Error failed to bundle project failed codesign application: failed to import keychain certificate
    
  • This is why the latest release (v1.0.5) shipped with no Ghost.dmg — only Ghost_Setup.exe.

Fix

  • Point the cert detection/export at the secrets that actually exist (BUILD_CERTIFICATE_BASE64APPLE_CERTIFICATE, P12_PASSWORDAPPLE_CERTIFICATE_PASSWORD), flipping detection to SIGNING_MODE=full so the real APPLE_SIGNING_IDENTITY ("Developer ID Application: ...") is used and the app gets signed + notarized.
  • Remove the redundant env: block on "Build universal app" — the signing step already exports exactly the right vars to $GITHUB_ENV; leaving cert vars unset (not empty-string) in ad-hoc mode is what makes the bundler skip security import entirely.
  • Update RELEASING.md to document the actual secret names in use.

Test plan

  • Merge, then push a new release tag (e.g. v1.0.6) to trigger release.yml
  • build-mac logs "Apple Developer ID detected → signing + notarizing" / SIGNING_MODE=full
  • "Build universal app" completes without the SecKeychainItemImport error
  • New release has both Ghost.dmg and Ghost_Setup.exe assets, and the macOS download link on ghost.muharafiq.com resolves correctly

The "Configure macOS signing" step checked for APPLE_CERTIFICATE /
APPLE_CERTIFICATE_PASSWORD secrets, but the repo has the certificate
configured under different names (BUILD_CERTIFICATE_BASE64, P12_PASSWORD).
The check always failed, so the build fell back to ad-hoc mode — and the
"Build universal app" step's env block then passed empty-string cert vars
to Tauri's bundler, which still attempted `security import` on them and
failed with "SecKeychainItemImport: ... not valid / failed to import
keychain certificate".

Point detection at the secrets that actually exist, and stop redeclaring
the cert env vars on the build step (the signing step already exports
exactly the right ones to $GITHUB_ENV — leaving them unset in ad-hoc mode
is what makes the bundler skip cert import entirely).
@vercel

vercel Bot commented Jun 8, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
ghost Ready Ready Preview, Comment Jun 8, 2026 2:30pm

@mohabbis mohabbis marked this pull request as ready for review June 8, 2026 14:35
@mohabbis mohabbis merged commit b4e8eb4 into master Jun 8, 2026
12 checks passed
@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant