Using GitHub Actions Secrets to Store Certificates/Keys | josh-ops

[utterances-bot]

Using GitHub Actions Secrets to Store Certificates/Keys | josh-ops

Storing a certificate/private key as a GitHub Actions secret

https://josh-ops.com/posts/storing-certificates-as-github-secrets/

[willwatson-bot]

Thank you for the tutorial. I used your decoding command:

echo -n "$MACOS_CERTIFICATE" | base64 -d -o certificate.p12

However, I'm consistently getting the following error:

security: SecKeychainItemImport: MAC verification failed during PKCS12 import (wrong password?)

This happens when I try to run a command to add "certificate.p12" to my keychain (for signing/notarizing for macOS):

security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PASS" -A -T /usr/bin/codesign

I have verified round-trip base64 encoding-decoding on my local machine, and I have even compared hash functions on my local machine to the macOS runner in GitHub Actions. There is no corruption taking place in the .p12 file. However, my certificate password appears to consistently fail on the macOS runner. I have verified that my password is correct in GitHub Secrets.

The only thing that I can think of is my local machine is running Windows, while the runner is macOS. However, I have verified that the encryption method is SHA256RSA, and thus, I don't see how this could be the issue.

If anyone has any suggestions, I'd be very thankful. And once again, thanks Josh for pointing me in the right direction.