[codex] fix(ci): resolve macOS codesign identity from imported cert #1337
| run: | | ||
| if [ -n "$APPLE_EMAIL" ]; then | ||
| ./scripts/ci/import-macos-p12.sh | ||
| APPLE_PERSONALID=$(security find-identity -v -p codesigning "${KEY_CHAIN:-build.keychain-db}" | sed -n 's/.*"\\(.*\\)"/\\1/p' | head -1) |
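Review bot: `head -1` at the end of the `APPLE_PERSONALID` pipeline takes whichever identity `security find-identity` happens to list first, so if the imported keychain ever holds more than one codesigning identity the certificate used for signing is chosen by listing order. Filter the output on the expected certificate type or team ID before `head -1`, so the step selects the intended identity or comes back empty.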
Broken sed regex — identity extraction always fails
In a YAML literal block scalar (|), backslashes are not escape sequences, so \\( reaches the shell as two characters: \ and (. Inside single quotes, the shell passes them literally to sed. In POSIX BRE, \\( means "literal backslash then literal (", not a capture group — so the pattern never matches an identity like Apple Distribution: Company (TEAMID). APPLE_PERSONALID will always be empty, and the explicit exit 1 guard will fire on every run. Single backslashes are needed: 's/.*"\(.*\)"/\1/p'. The same bug is present at line 595.
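The escaping behaviour described in this review comment, as an added shell example that is not part of the PR: the doubled-backslash and single-backslash sed patterns run over constructed `security find-identity` output. The sample identities and the `extract_hash_for_team` helper are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample in the shape of `security find-identity -v -p codesigning`
# output; the hashes, names and team ID are made up for this example.
sample_identities() {
  cat <<'EOF'
  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Developer ID Application: Example Corp (ABCDE12345)"
  2) 89ABCDEF0123456789ABCDEF0123456789ABCDEF "Apple Distribution: Example Corp (ABCDE12345)"
     2 valid identities found
EOF
}

# Pattern as it reaches sed from the YAML block scalar: \\( is a literal
# backslash followed by a literal "(", so no line matches and nothing prints.
extract_broken() {
  sed -n 's/.*"\\(.*\\)"/\\1/p' | head -1
}

# Single backslashes: \( ... \) is a BRE capture group and \1 refers to it.
extract_fixed() {
  sed -n 's/.*"\(.*\)"/\1/p' | head -1
}

# Hypothetical stricter helper (not from the PR): match the whole line shape,
# require the expected team ID, and return the 40-hex SHA-1 instead of the
# display name. codesign accepts that hash as the identity argument.
extract_hash_for_team() {
  team="$1"
  sed -n 's/^ *[0-9]*) \([0-9A-F]\{40\}\) ".*('"$team"')"$/\1/p' | head -1
}

if [ "${1:-}" = "demo" ]; then
  echo "broken: [$(sample_identities | extract_broken)]"
  echo "fixed:  [$(sample_identities | extract_fixed)]"
  echo "hash:   [$(sample_identities | extract_hash_for_team ABCDE12345)]"
fi
```

Run it with the argument `demo` to print the three results side by side.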
Verified the fix on the active PR build (run 28534522833). Both macOS release jobs that were previously failing with "no identity found" / "Code signing identity: None" are now green:
Linux x86_64, Linux arm64, and the lint/CodeQL/Greptile checks are also green; only Windows is still running. Promoting from draft so this is visible to reviewers.

@greptileai review

Correction after re-checking the actual runs on July 1, 2026: The merged workflow change in What the logs now show:
So the current evidence points to a macOS signing credential / secret-state problem on I opened The practical next step is to refresh/re-upload the working macOS signing

What changed
scripts/ci/import-macos-p12.sh for current macos-latest runners by recreating the keychain, setting the search list, and printing discovered codesigning identities for debugging
APPLE_PERSONALID from APPLE_TEAMID, since the packaging step now derives the real signing identity after import

Why
master release CI started failing on July 1, 2026 in both macOS release jobs. The failing step was codesign during Package dmg, with errors like "no identity found" and "The specified item could not be found in the keychain."

The existing workflow depended on a brittle APPLE_PERSONALID value and an old keychain import flow. This patch makes the workflow use the identity that macOS actually exposes after import, which is what codesign needs.

Impact
This should unblock the Release workflow on master for both Qt and Tauri macOS builds without changing Linux or Windows packaging.

Validation
git diff --check
bash -n scripts/ci/import-macos-p12.sh
28523138998 and 28523116461

Local end-to-end signing was not possible here because the Apple certificate secrets and a macOS runner are only available in GitHub Actions.