master release CI is failing in the macOS signing lane, and the current state is not a test/code regression in ActivityWatch itself.
Evidence from July 1, 2026:
- Successful earlier baseline:
Release run 28040610950 on June 23, 2026 completed the macOS packaging/signing path successfully.
- Pre-merge failures on July 1, 2026:
28523116461 (18a234b)
28523138998 (2715937)
- Post-merge failure on July 1, 2026:
What changed across those failures:
- Before PR
#1337 was merged, the macOS jobs were already failing during in-app signing inside the build:
codesign for bundled binaries failed with either ***: no identity found or The specified item could not be found in the keychain.
- PR
#1337 changed the workflow to auto-discover the identity via:
security find-identity -v -p codesigning build.keychain-db
- After merge, the same lane now fails earlier:
- certificate import succeeds (
1 identity imported)
- but
security find-identity -v -p codesigning build.keychain-db returns 0 valid identities found
- workflow aborts with
ERROR: no codesigning identity found after importing the macOS certificate
Important correction about PR validation:
- The PR
Release run 28534522833 was green on July 1, 2026, but the Apple signing secrets were empty on that pull_request run:
APPLE_EMAIL: empty
APPLE_PERSONALID: empty
CERTIFICATE_MACOS_P12_BASE64: empty
- So that run did not validate macOS signing. It only validated unsigned macOS packaging.
Current best diagnosis:
- The root problem appears to be the macOS signing credential state on
push runs, not ActivityWatch application code.
- Possibilities include:
- the uploaded
CERTIFICATE_MACOS_P12_BASE64 no longer contains a cert/private-key pair that macOS accepts for codesigning on current runners
- the secret now contains a cert type that
find-identity -p codesigning does not treat as valid
- the
APPLE_PERSONALID secret and the imported certificate no longer match
Concrete next step:
- Re-export/re-upload the macOS signing
.p12 plus password from the working Apple Developer setup.
- Verify the exact identity name/fingerprint on a macOS machine with:
security find-identity -v -p codesigning <keychain>
- Update repo secrets if needed.
- Re-run
Release on master.
I am not proposing another workflow tweak here because the failure existed before #1337, and the merged workflow change only moved the same break earlier in the lane.
masterrelease CI is failing in the macOS signing lane, and the current state is not a test/code regression in ActivityWatch itself.Evidence from July 1, 2026:
Releaserun28040610950on June 23, 2026 completed the macOS packaging/signing path successfully.28523116461(18a234b)28523138998(2715937)28548184603(b32338d)What changed across those failures:
#1337was merged, the macOS jobs were already failing during in-app signing inside the build:codesignfor bundled binaries failed with either***: no identity foundorThe specified item could not be found in the keychain.#1337changed the workflow to auto-discover the identity via:security find-identity -v -p codesigning build.keychain-db1 identity imported)security find-identity -v -p codesigning build.keychain-dbreturns0 valid identities foundERROR: no codesigning identity found after importing the macOS certificateImportant correction about PR validation:
Releaserun28534522833was green on July 1, 2026, but the Apple signing secrets were empty on thatpull_requestrun:APPLE_EMAIL:emptyAPPLE_PERSONALID:emptyCERTIFICATE_MACOS_P12_BASE64:emptyCurrent best diagnosis:
pushruns, not ActivityWatch application code.CERTIFICATE_MACOS_P12_BASE64no longer contains a cert/private-key pair that macOS accepts for codesigning on current runnersfind-identity -p codesigningdoes not treat as validAPPLE_PERSONALIDsecret and the imported certificate no longer matchConcrete next step:
.p12plus password from the working Apple Developer setup.security find-identity -v -p codesigning <keychain>Releaseonmaster.I am not proposing another workflow tweak here because the failure existed before
#1337, and the merged workflow change only moved the same break earlier in the lane.