work on fixing the mac installer signing

Andrew · Andrew · commit 0838f061a128 · 2026-01-18T20:59:35.000+10:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -209,6 +209,13 @@ jobs:
             echo "✅ Installer certificate imported"
           fi
 
+          # Download and import Apple WWDR intermediate certificate (required for cert chain validation)
+          echo "=== Importing Apple WWDR Intermediate Certificate ==="
+          curl -sL "https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer" -o AppleWWDRCAG3.cer
+          security import AppleWWDRCAG3.cer -k temp.keychain -T /usr/bin/codesign -T /usr/bin/productsign
+          rm AppleWWDRCAG3.cer
+          echo "✅ Apple WWDR G3 intermediate certificate imported"
+
           # Configure keychain
           security set-key-partition-list -S apple-tool:,apple:,codesign:,productsign: -s -k "$KEYCHAIN_PASSWORD" temp.keychain
           security default-keychain -s temp.keychain
@@ -218,6 +225,10 @@ jobs:
           echo "=== Available signing identities ==="
           security find-identity -v temp.keychain | sed 's/\("[^"]*"\)/"***"/g'
 
+          echo ""
+          echo "=== Available installer identities ==="
+          security find-identity -v temp.keychain | grep -i "installer" | sed 's/\("[^"]*"\)/"***"/g' || echo "No installer identities found"
+
       - name: Build application
         run: npm run private:compile
 
@@ -262,12 +273,25 @@ jobs:
           fi
 
       - name: Build macOS app (MAS target - Universal)
-        run: npm run private:build:mac
         env:
           # Enable code signing if certificates are available
           CSC_LINK: ${{ secrets.APPLE_APP_CERT_BASE64 }}
           CSC_KEY_PASSWORD: ${{ secrets.APPLE_CERT_PASSWORD }}
           APPLE_DEVELOPER_ID: ${{ secrets.APPLE_DEVELOPER_ID }}
+          APPLE_CERT_PASSWORD: ${{ secrets.APPLE_CERT_PASSWORD }}
+        run: |
+          # Ensure keychain is unlocked and in search path for productsign
+          security unlock-keychain -p "actions" temp.keychain || true
+          security list-keychains -d user -s "$HOME/Library/Keychains/temp.keychain-db" "$HOME/Library/Keychains/login.keychain-db"
+          security default-keychain -s temp.keychain
+
+          # Verify installer identity is available
+          echo "=== Checking for installer identity ==="
+          security find-identity -v -p codesigning temp.keychain | grep -i "installer" || echo "Warning: No installer identity found in temp.keychain"
+          security find-identity -v temp.keychain | grep -i "installer" || echo "Warning: No installer identity found"
+
+          # Run the build
+          npm run private:build:mac
 
       - name: Sign macOS PKG
         env:
