Skip to content

release(ci): macOS signing identity invalid on push runs; PR #1337 validation was unsigned #1339

Description

@TimeToBuildBob

master release CI is failing in the macOS signing lane, and the current state is not a test/code regression in ActivityWatch itself.

Evidence from July 1, 2026:

  • Successful earlier baseline: Release run 28040610950 on June 23, 2026 completed the macOS packaging/signing path successfully.
  • Pre-merge failures on July 1, 2026:
    • 28523116461 (18a234b)
    • 28523138998 (2715937)
  • Post-merge failure on July 1, 2026:
    • 28548184603 (b32338d)

What changed across those failures:

  1. Before PR #1337 was merged, the macOS jobs were already failing during in-app signing inside the build:
    • codesign for bundled binaries failed with either ***: no identity found or The specified item could not be found in the keychain.
  2. PR #1337 changed the workflow to auto-discover the identity via:
    • security find-identity -v -p codesigning build.keychain-db
  3. After merge, the same lane now fails earlier:
    • certificate import succeeds (1 identity imported)
    • but security find-identity -v -p codesigning build.keychain-db returns 0 valid identities found
    • workflow aborts with ERROR: no codesigning identity found after importing the macOS certificate

Important correction about PR validation:

  • The PR Release run 28534522833 was green on July 1, 2026, but the Apple signing secrets were empty on that pull_request run:
    • APPLE_EMAIL: empty
    • APPLE_PERSONALID: empty
    • CERTIFICATE_MACOS_P12_BASE64: empty
  • So that run did not validate macOS signing. It only validated unsigned macOS packaging.

Current best diagnosis:

  • The root problem appears to be the macOS signing credential state on push runs, not ActivityWatch application code.
  • Possibilities include:
    • the uploaded CERTIFICATE_MACOS_P12_BASE64 no longer contains a cert/private-key pair that macOS accepts for codesigning on current runners
    • the secret now contains a cert type that find-identity -p codesigning does not treat as valid
    • the APPLE_PERSONALID secret and the imported certificate no longer match

Concrete next step:

  1. Re-export/re-upload the macOS signing .p12 plus password from the working Apple Developer setup.
  2. Verify the exact identity name/fingerprint on a macOS machine with:
    • security find-identity -v -p codesigning <keychain>
  3. Update repo secrets if needed.
  4. Re-run Release on master.

I am not proposing another workflow tweak here because the failure existed before #1337, and the merged workflow change only moved the same break earlier in the lane.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions