From 7d0857c10d7afc2d1d2dd5001509218123f00f8d Mon Sep 17 00:00:00 2001
From: Will Chen
Date: Mon, 14 Apr 2025 23:56:11 -0700
Subject: [PATCH] Add macOS cert for release workflow

---
 .github/workflows/release.yml | 2 ++
 tools/add-macos-cert.sh | 47 +++++++++++++++++++++++++++++++++++
 2 files changed, 49 insertions(+)
 create mode 100644 tools/add-macos-cert.sh

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 57a679e..853d6fb 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -27,6 +27,8 @@ jobs:
         with:
           node-version: 20
       - run: npm ci
+      - name: add macos cert
+        run: chmod +x tools/add-macos-cert.sh && . ./tools/add-macos-cert.sh
       - name: Publish app
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/tools/add-macos-cert.sh b/tools/add-macos-cert.sh
new file mode 100644
index 0000000..b2c76fc
--- /dev/null
+++ b/tools/add-macos-cert.sh
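Review bot: The new step does not map the secrets the script reads: `tools/add-macos-cert.sh` expects `MACOS_CERT_P12` and `MACOS_CERT_PASSWORD` in its environment, and this hunk adds no `env:` to the step, so unless they are exported at the job or workflow level outside the hunk the step will print `MACOS_CERT_P12 is not set.` and only fail later at `security import`. Secrets are not visible to a step unless referenced explicitly, so the step should carry `env:` entries such as `MACOS_CERT_P12: ${{ secrets.MACOS_CERT_P12 }}` and `MACOS_CERT_PASSWORD: ${{ secrets.MACOS_CERT_PASSWORD }}`. The script calls `stat -f%z`, `security` and `sudo security add-trusted-cert`, which only work on macOS runners, so if this job is a matrix an `if: runner.os == 'macOS'` guard is needed; the job's `runs-on` is outside the hunk. Sourcing the script with `. ./tools/add-macos-cert.sh` also makes the `chmod +x` redundant and runs its `set -eo pipefail`, variable assignments and any `exit` in the step's own shell; running it as `bash tools/add-macos-cert.sh` keeps that contained.
```yaml
      - name: add macos cert
        if: runner.os == 'macOS'
        env:
          MACOS_CERT_P12: ${{ secrets.MACOS_CERT_P12 }}
          MACOS_CERT_PASSWORD: ${{ secrets.MACOS_CERT_PASSWORD }}
        run: bash tools/add-macos-cert.sh
```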
@@ -0,0 +1,47 @@
+# Based on https://github.com/electron/fiddle/blob/c3f3e9cc30a2341970575e27a7117a71e56e0b2a/tools/add-macos-cert.sh
+#!/usr/bin/env bash
+
+set -eo pipefail
+
+KEY_CHAIN=build.keychain
+MACOS_CERT_P12_FILE=certificate.p12
+
+# Check if the variable is set
+if [ -n "$MACOS_CERT_P12" ]; then
+  # If the variable is set, print its length
+  variable_length=${#MACOS_CERT_P12}
+  echo "MACOS_CERT_P12 is set. Length: $variable_length"
+else
+  # If the variable is not set, print a message
+  echo "MACOS_CERT_P12 is not set."
+fi
+
+# Recreate the certificate from the secure environment variable
+echo -n "$MACOS_CERT_P12" | base64 -d > "$MACOS_CERT_P12_FILE"
+file_size=$(stat -f%z "$MACOS_CERT_P12_FILE")
+echo "Certificate size is $file_size bytes"
+
+# Create a keychain
+security create-keychain -p actions $KEY_CHAIN
+
+# Make the keychain the default so identities are found
+security default-keychain -s $KEY_CHAIN
+
+# Unlock the keychain
+security unlock-keychain -p actions $KEY_CHAIN
+
+# The latest Developer ID Intermediate Certificate from Apple is
+# missing on GitHub Actions (?), but we need it for the cert to be valid
+curl https://www.apple.com/certificateauthority/DeveloperIDG2CA.cer -o DeveloperIDG2CA.cer
+sudo security add-trusted-cert -d -r unspecified -k $KEY_CHAIN DeveloperIDG2CA.cer
+rm -f DeveloperIDG2CA.cer
+
+security import $MACOS_CERT_P12_FILE -k $KEY_CHAIN -P "$MACOS_CERT_PASSWORD" -T /usr/bin/codesign;
+
+security set-key-partition-list -S apple-tool:,apple: -s -k actions $KEY_CHAIN
+
+# Debugging output
+security find-identity
+
+# remove certs
+rm -fr *.p12
\ No newline at end of file
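Review bot: When `MACOS_CERT_P12` is empty the `if`/`else` block only prints a message and execution continues, so `base64 -d` writes an empty `certificate.p12` and the step dies later at `security import` with an unrelated error; replace the branch with `: "${MACOS_CERT_P12:?MACOS_CERT_P12 secret is not set}"` and do the same for `MACOS_CERT_PASSWORD`, which is passed to `security import -P` with no check at all. The `curl` that fetches `DeveloperIDG2CA.cer` has no `-f`, so on an HTTP error the error page is saved and then handed to `sudo security add-trusted-cert -d` as a trusted certificate; use `curl -fsSL --retry 3` and, ideally, compare the file's SHA-256 with the fingerprint Apple publishes before trusting it. The decoded `.p12` holds the signing private key and is only removed by the final `rm -fr *.p12`, which never runs under `set -e` if any earlier command fails and leaves the key in the workspace for later steps; an `EXIT` trap covers every exit path. The `#!/usr/bin/env bash` line sits second, after the `# Based on` comment, so it is not a shebang and direct execution falls back to `/bin/sh`; move it to line 1.
```bash
#!/usr/bin/env bash
# Based on https://github.com/electron/fiddle/blob/c3f3e9cc30a2341970575e27a7117a71e56e0b2a/tools/add-macos-cert.sh
set -eo pipefail

# Fail fast with a clear message instead of importing an empty .p12 later.
: "${MACOS_CERT_P12:?MACOS_CERT_P12 secret is not set}"
: "${MACOS_CERT_PASSWORD:?MACOS_CERT_PASSWORD secret is not set}"

KEY_CHAIN=build.keychain
MACOS_CERT_P12_FILE=certificate.p12
# Remove the decoded private key and the downloaded CA cert on every exit path, not only on success.
trap 'rm -f -- "$MACOS_CERT_P12_FILE" DeveloperIDG2CA.cer' EXIT

# … unchanged: base64 decode, keychain create/default/unlock …

# -f turns an HTTP error into a failed step instead of trusting an error page as a certificate.
curl -fsSL --retry 3 https://www.apple.com/certificateauthority/DeveloperIDG2CA.cer -o DeveloperIDG2CA.cer
# … unchanged: add-trusted-cert, security import, set-key-partition-list, find-identity …
```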