Fix package build error handling and certificate verification

- Add proper error checking for pkgbuild command - Verify package exists before attempting notarization - Improve certificate verification in GitHub workflow - Show actual certificate details instead of just count - Add specific checks for required Developer ID certificates This should fix the 'file doesn't exist' error during notarization.
2026-02-17 20:10:07 -06:00 · 2025-06-16 17:19:46 -07:00
parent 52fc5dd563
commit dad7d4c303
2 changed files with 29 additions and 5 deletions
--- a/.github/workflows/publish-lume.yml
+++ b/.github/workflows/publish-lume.yml
@@ -114,9 +114,22 @@ jobs:
          # Allow codesign to access the certificates (minimal output)
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" build.keychain > /dev/null 2>&1
          
-          # Verify certificates were imported but only show count, not details
-          echo "Verifying signing identity (showing count only)..."
-          security find-identity -v -p codesigning | grep -c "valid identities found" || true
+          # Verify certificates were imported
+          echo "Verifying signing identities..."
+          security find-identity -v -p codesigning build.keychain
+          
+          # Verify specific certificates exist
+          if ! security find-identity -v -p codesigning build.keychain | grep -q "Developer ID Application: ${{ secrets.DEVELOPER_NAME }}"; then
+            echo "Error: Developer ID Application certificate not found"
+            exit 1
+          fi
+          
+          if ! security find-identity -v -p codesigning build.keychain | grep -q "Developer ID Installer: ${{ secrets.DEVELOPER_NAME }}"; then
+            echo "Error: Developer ID Installer certificate not found"
+            exit 1
+          fi
+          
+          echo "All required certificates verified successfully"
          
          # Clean up certificate files
          rm application.p12 installer.p12
--- a/libs/lume/scripts/build/build-release-notarized.sh
+++ b/libs/lume/scripts/build/build-release-notarized.sh
@@ -72,12 +72,23 @@ cp -f .build/release/lume "$TEMP_ROOT/usr/local/bin/"

 # Build the installer package
 log "essential" "Building installer package..."
-pkgbuild --root "$TEMP_ROOT" \
+if ! pkgbuild --root "$TEMP_ROOT" \
         --identifier "com.trycua.lume" \
         --version "1.0" \
         --install-location "/" \
         --sign "$CERT_INSTALLER_NAME" \
-         ./.release/lume.pkg 2> /dev/null
+         ./.release/lume.pkg; then
+    log "error" "Failed to build installer package"
+    exit 1
+fi
+
+# Verify the package was created
+if [ ! -f "./.release/lume.pkg" ]; then
+    log "error" "Package file ./.release/lume.pkg was not created"
+    exit 1
+fi
+
+log "essential" "Package created successfully"

 # Submit for notarization using stored credentials
 log "essential" "Submitting for notarization..."