Intermittent failure in code signing on Mac Mini #794
Description
Issue overview
The Mac Mini ARM64 is failing intermittently around code signing operations
Current Behavior
I have seen two failure modes:
- Failure in "Configure for codesigning"
https://github.com/openstudiocoalition/OpenStudioApplication/actions/runs/13744554223/job/38437897985
A new keychain file (the /_work/_temp/ directory is wiped clean for each build) is created but import of the DeveloperIDG2CA.cer fails because it already exists in the keychain
- security import AppleWWDRCAG2.cer -k /Users/irvinemac/actions-runner/_work/_temp/app-signing.keychain-db
03/08 20:47:58 [NOTICE] Download complete: /Users/irvinemac/actions-runner/_work/_temp/codesigning/DeveloperIDG2CA.cer
Download Results:
gid |stat|avg speed |path/URI
======+====+===========+=======================================================
9a3392|OK | n/a|/Users/irvinemac/actions-runner/_work/_temp/codesigning/DeveloperIDG2CA.cerStatus Legend:
(OK):download completed.
1 certificate imported.
- security import DeveloperIDG2CA.cer -k /Users/irvinemac/actions-runner/_work/_temp/app-signing.keychain-db
security: SecKeychainItemImport: The specified item already exists in the keychain.
- Failure in IFW CodeSigning.cmake
https://github.com/openstudiocoalition/OpenStudioApplication/actions/runs/13744554223/job/38451133496
CPack: Create package
CPack: - Configuration
CPack: - Generate package
CPack Error: Problem running IFW command: "/Users/irvinemac/actions-runner/_work/_temp/QtIFW/binarycreator" "--sign" "Developer ID Application: The Energy Coalition (UG9S5ZLM34)" "-c" "/Users/irvinemac/actions-runner/_work/OpenStudioApplication/OpenStudioApplication/build/_CPack_Packages/Darwin/IFW/OpenStudioApplication-1.9.0+f52673f493-macOS13-arm64/config/config.xml" "-p" "/Users/irvinemac/actions-runner/_work/OpenStudioApplication/OpenStudioApplication/build/_CPack_Packages/Darwin/IFW/OpenStudioApplication-1.9.0+f52673f493-macOS13-arm64/packages" "-i" "Licenses,OpenStudioApp,Python,Resources,RubyAPI,CLI,CLI,Resources" "/Users/irvinemac/actions-runner/_work/OpenStudioApplication/OpenStudioApplication/build/_CPack_Packages/Darwin/IFW/OpenStudioApplication-1.9.0+f52673f493-macOS13-arm64.dmg"
Please check "/Users/irvinemac/actions-runner/_work/OpenStudioApplication/OpenStudioApplication/build/_CPack_Packages/Darwin/IFW/IFWOutput.log" for errors
CPack Error: Problem compressing the directory
CPack Error: Error when generating package: OpenStudioApplication
Inside that log file is
Critical: Failed to sign app bundle: running codesign failed with exit code 1: error: The specified item could not be found in the keychain
Expected Behavior
The code signing should work repeatedly without fail.
Steps to Reproduce
It's possible that running CI actions back to back cause this behavior to switch around? The call to security unlock-keychain unlocks it for 6 hrs (due to potential for long builds). The call to notarytool store-credentials says it imports the profile to the default keychain. It's possible that these unlock times and interaction with the default keychain cause issues?
Possible Solution
Can we use a keychain file for IFW CodeSigning.cmake and not the default keychain?
Do we need some always run GitHub workflow steps to clean up keychains for future runs?
Details
Environment
Some additional details about your environment for this issue (if relevant):
- Platform (Operating system, version):
- Version of OpenStudioApplication (if using an intermediate build, include SHA):
Context
Have to continuously re-run the Mac actions to get them to work.