ci: pass the imported certificate identity to the bundler

The certificate import step only placed the Developer ID certificate
in the keychain; without APPLE_SIGNING_IDENTITY the tauri bundler
silently skips signing and notarization, so every published macOS
bundle shipped unsigned and Apple Silicon rejected the app with the
damaged-app dialog. Extract the identity from the keychain after the
import and export it for the build step, so no additional secret is
required.
This commit is contained in:
Douglas Teles
2026-07-08 11:36:59 -03:00
parent a11e5d8e15
commit e628d71a01
+11
View File
@@ -74,6 +74,17 @@ jobs:
-k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security list-keychain -d user -s $KEYCHAIN_PATH
# Tell tauri which identity to sign with. The import above only
# places the certificate in the keychain; without
# APPLE_SIGNING_IDENTITY the bundler skips signing entirely and
# the app ships unsigned (Gatekeeper then shows the misleading
# "damaged" dialog). Extract the identity name from the
# keychain so no extra secret is needed.
IDENTITY=$(security find-identity -v -p codesigning $KEYCHAIN_PATH \
| sed -n 's/.*"\(.*\)".*/\1/p' | head -1)
echo "Signing identity: ${IDENTITY}"
echo "APPLE_SIGNING_IDENTITY=${IDENTITY}" >> $GITHUB_ENV
- name: Build and release
uses: tauri-apps/tauri-action@v0
env: