
Add code signing support for XCFrameworks#844

Open
Kyle-Ye wants to merge 3 commits into main from feature/codesign-xcframework

Conversation

Kyle-Ye (Collaborator) commented Mar 24, 2026

Summary

  • Sign all 7 xcframeworks (main + 6 dependency stubs) with a self-signed "OpenSwiftUI" certificate during the release build
  • Import signing certificate from GitHub secrets via apple-actions/import-codesign-certs@v3
  • Gracefully skip signing when certificate is not available (external contributor PRs, manual builds)

Changes

  • Scripts/build_xcframework.sh — added signing step after xcframework creation
  • .github/actions/build-xcframework/action.yml — added certificate import step and new inputs
  • .github/workflows/release.yml — pass signing secrets to the composite action

Setup required

Add these GitHub repo secrets:

  • SIGNING_CERTIFICATE_BASE_64 — base64-encoded .p12 certificate
  • SIGNING_CERTIFICATE_PASSWORD — password for the .p12 file

Test plan

  • Verify release workflow still succeeds without secrets (signing skipped)
  • Add secrets and verify xcframeworks are signed in release
  • Verify signature with codesign -dv --verbose=4 OpenSwiftUI.xcframework

Sign all xcframeworks with a self-signed certificate during the release
build. The signing identity defaults to "OpenSwiftUI" and can be
overridden via OPENSWIFTUI_SIGNING_IDENTITY. Gracefully skips if no
certificate is found (e.g. external contributor PRs).
augmentcode bot commented Mar 24, 2026

🤖 Augment PR Summary

Summary: This PR adds optional code-signing for the generated XCFramework artifacts during the release build.

Changes:

  • Extends the build-xcframework composite action with inputs for a base64-encoded .p12 certificate and password.
  • Imports the signing certificate in CI using apple-actions/import-codesign-certs@v3 when provided.
  • Passes signing secrets from .github/workflows/release.yml into the composite action.
  • Runs codesign over the main XCFramework and dependency-stub XCFrameworks after building, and skips signing when no certificate is available.


augmentcode bot left a comment

Review completed. 2 suggestions posted.


      with:
        xcode-version: ${{ inputs.xcode-version }}
    - name: Import signing certificate
      if: ${{ inputs.signing-certificate-base64 != '' }}

The import step is gated only on signing-certificate-base64, so a missing/empty signing-certificate-password (or an import failure due to other issues) will be silently ignored due to continue-on-error, potentially producing unsigned release artifacts without a clear signal.

Severity: medium


# Code sign xcframeworks if signing certificate is available
SIGNING_IDENTITY="${OPENSWIFTUI_SIGNING_IDENTITY:-OpenSwiftUI}"
echo "Checking if signing certificate '$SIGNING_IDENTITY' is installed..."
if security find-certificate -c "$SIGNING_IDENTITY" > /dev/null 2>&1; then

security find-certificate -c only verifies that a certificate exists, not that a usable code-signing identity (with private key) is available; if the cert imports without a key, the subsequent codesign call will fail unexpectedly.

Severity: medium

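A hardened form of the identity check the two review comments above discuss, as an added example (not the PR's build_xcframework.sh): it parses the output of security find-identity -p codesigning, which lists only certificates whose private key is in the keychain, ignores entries carrying a trust error, and distinguishes a certificate that was supplied but is unusable (fail) from none provided at all (skip). The listing is passed in as text and SIGNING_EXPECTED is an assumed flag so the logic runs without a macOS keychain.

```shell
#!/bin/sh
# Added example, not the PR's build_xcframework.sh. Decides whether codesign can
# run by parsing `security find-identity -p codesigning` output, which lists only
# certificates whose private key is in the keychain (unlike find-certificate).
# The listing is passed in as text and SIGNING_EXPECTED is a hypothetical flag
# so the logic can be exercised without a macOS keychain.

# identity_hash NAME LISTING
#   Prints the SHA-1 of the first identity whose name starts with NAME and that
#   has no trailing error code such as "(CSSMERR_TP_NOT_TRUSTED)".
identity_hash() {
    pattern='^ *[0-9]+\) [0-9A-F]{40} "'"$1"'[^"]*"$'
    printf '%s\n' "$2" \
        | grep -E "$pattern" \
        | head -n 1 \
        | sed -E 's/^ *[0-9]+\) ([0-9A-F]{40}) .*/\1/'
}

# signing_decision NAME EXPECTED LISTING -> prints sign:<sha1> | skip | fail
#   skip: no usable identity and none was expected (fork PR, manual build)
#   fail: a certificate was supplied to CI but is unusable (wrong password,
#         .p12 without private key, untrusted cert, imported into a keychain
#         codesign does not search); never ship unsigned artifacts silently.
signing_decision() {
    sha1="$(identity_hash "$1" "$3")"
    if [ -n "$sha1" ]; then
        echo "sign:$sha1"
    elif [ "$2" = "true" ]; then
        echo fail
    else
        echo skip
    fi
}

# Constructed sample listings in the format security(1) prints.
LISTING_OK='  1) 0123456789ABCDEF0123456789ABCDEF01234567 "OpenSwiftUI"
     1 valid identities found'
LISTING_UNTRUSTED='  1) 0123456789ABCDEF0123456789ABCDEF01234567 "OpenSwiftUI" (CSSMERR_TP_NOT_TRUSTED)
     0 valid identities found'
LISTING_NONE='     0 valid identities found'

# In the real script the third argument would be "$(security find-identity -p codesigning)".
# Signing by SHA-1 rather than by name avoids matching a same-named cert elsewhere.
decision="$(signing_decision OpenSwiftUI "${SIGNING_EXPECTED:-false}" "$LISTING_OK")"
case "$decision" in
    sign:*) echo "would run: codesign --timestamp -s ${decision#sign:} OpenSwiftUI.xcframework" ;;
    fail)   echo "certificate supplied but no usable signing identity" >&2; exit 1 ;;
    skip)   echo "no signing identity found, skipping" ;;
esac
```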

Manual inputs fall back to repo secrets when left empty.
codecov bot commented Mar 24, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 26.85%. Comparing base (cd9a5fc) to head (aa78507).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #844   +/-   ##
=======================================
  Coverage   26.85%   26.85%           
=======================================
  Files         671      671           
  Lines       43470    43470           
=======================================
  Hits        11675    11675           
  Misses      31795    31795           

☔ View full report in Codecov by Sentry.

Search all user keychains to find the signing certificate and pass
--keychain to codesign, fixing the case where apple-actions/import-codesign-certs
imports into a temporary keychain.