From 37a1417bf0bb5561b93ea628c0af2d744cfd416f Mon Sep 17 00:00:00 2001
From: Kondal Kolipaka
Date: Fri, 24 Apr 2026 07:47:29 +0530
Subject: [PATCH 1/4] fix: The specified item could not be found in the keychain
---
 .github/workflows/nightly.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index f1c55ab65..fb89bb4fb 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -6,6 +6,10 @@ name: Nightly builds
 on:
 schedule:
 - cron: "0 0 * * *"
+ pull_request:
+ branches:
+ - master
+ - release/**
 permissions:
 contents: read
@@ -122,6 +126,7 @@ jobs:
 /usr/bin/security unlock-keychain -p espressif build.keychain
 /usr/bin/security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
 /usr/bin/security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k espressif build.keychain
+ /usr/bin/security list-keychains -d user -s build.keychain $(security list-keychains -d user | sed s/\"//g)
 echo "codesigning espressif-ide-macosx.cocoa.x86_64"
 /usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app -v
From acf956fcaa4d0402c613f4801c9c2c7bf7d334c4 Mon Sep 17 00:00:00 2001
From: Kondal Kolipaka
Date: Fri, 24 Apr 2026 08:07:47 +0530
Subject: [PATCH 2/4] fix: print diagnostics to check the issue
---
 .github/workflows/nightly.yml | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index fb89bb4fb..1d96ebc29 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
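Review bot: The added `pull_request` trigger in the first hunk makes this signing workflow run for every PR against `master` and `release/**`, so unreviewed code would be built and signed with the Developer ID certificate whenever the run has access to the signing secrets, while runs without those secrets would fail at the `security import` step. The job definitions are outside the hunk, so any existing `if:` guard is not visible here. If the trigger exists only to debug the keychain error, drop it before merge; otherwise gate the keychain, codesign and notarization steps with `if: github.event_name != 'pull_request'`.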
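Review bot: In the second hunk the inner `security` of the added `list-keychains` line is resolved through `PATH`, while every other call in this step uses `/usr/bin/security`, and the `sed` script is left unquoted. Suggest `$(/usr/bin/security list-keychains -d user | sed 's/"//g')`; the result is still word-split, so a keychain path containing a space would be passed as two arguments. Because the line rewrites the user search list, a reused runner would keep `build.keychain` on that list after the job unless the previous list is restored at the end. The step this line belongs to starts and ends outside the hunk.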
@@ -127,23 +127,33 @@ jobs:
 /usr/bin/security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
 /usr/bin/security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k espressif build.keychain
 /usr/bin/security list-keychains -d user -s build.keychain $(security list-keychains -d user | sed s/\"//g)
-
+
+ echo "---- Identities visible to codesign in build.keychain ----"
+ /usr/bin/security find-identity -v -p codesigning build.keychain || true
+ /usr/bin/security find-identity -v build.keychain || true
+ echo "---- Certificates in build.keychain ----"
+ /usr/bin/security find-certificate -a -c "Developer ID" -Z build.keychain || true
+ echo "---- end ----"
+
+ # Pick the identity by team identifier; matches any cert whose CN contains "(QWXF6GB4AV)".
+ SIGN_ID="QWXF6GB4AV"
+
 echo "codesigning espressif-ide-macosx.cocoa.x86_64"
- /usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app -v
+ /usr/bin/codesign --keychain build.keychain --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "$SIGN_ID" $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app -v
 /usr/bin/codesign -v -vvv --deep $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app
 echo "codesigning espressif-ide-macosx.cocoa.aarch64"
- /usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app -v
+ /usr/bin/codesign --keychain build.keychain --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "$SIGN_ID" $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app -v
 /usr/bin/codesign -v -vvv --deep $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app
-
+
 echo "Creating dmg for espressif-ide-macosx.cocoa.x86_64"
 $PWD/releng/ide-dmg-builder/ide-dmg-builder.sh
- /usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg -v
+ /usr/bin/codesign --keychain build.keychain --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "$SIGN_ID" $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg -v
 /usr/bin/codesign -v -vvv --deep $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg
-
+
 echo "Creating dmg for espressif-ide-macosx.cocoa.aarch64"
 $PWD/releng/ide-dmg-builder/ide-dmg-builder-aarch64.sh
- /usr/bin/codesign --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg -v
+ /usr/bin/codesign --keychain build.keychain --options runtime --force -s "$SIGN_ID" $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg -v
 /usr/bin/codesign -v -vvv --deep $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg
 - name: Notarization of Espressif-IDE dmg files
From 8a7414a85b36962064cfbab39e0adb5f4716d8b6 Mon Sep 17 00:00:00 2001
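Review bot: `SIGN_ID="QWXF6GB4AV"` loosens identity selection from the full certificate common name to a substring, as the added comment itself says, so any identity whose name contains that team identifier becomes eligible and `codesign` stops with an ambiguity error when more than one matches. `codesign -s` also accepts the 40-hex-digit SHA-1 hash of the certificate, which selects exactly one identity; consider `SIGN_ID="<SHA1_OF_SIGNING_CERT>"` taken from the `find-identity` output. Every added diagnostic ends in `|| true`, so a missing identity is still reported only by the later `codesign` call. Once the keychain problem is understood, a single failing check such as `/usr/bin/security find-identity -v -p codesigning build.keychain | grep -q "$SIGN_ID"` would stop the step earlier and keep the log shorter.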
From: Kondal Kolipaka
Date: Fri, 24 Apr 2026 08:54:22 +0530
Subject: [PATCH 3/4] fix: add Apple Developer ID intermediate CAs
---
 .github/workflows/nightly.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index 1d96ebc29..880bc7b4b 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -128,6 +128,11 @@ jobs:
 /usr/bin/security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k espressif build.keychain
 /usr/bin/security list-keychains -d user -s build.keychain $(security list-keychains -d user | sed s/\"//g)
+ curl -fsSL https://www.apple.com/certificateauthority/DeveloperIDCA.cer -o DeveloperIDCA.cer
+ curl -fsSL https://www.apple.com/certificateauthority/DeveloperIDG2CA.cer -o DeveloperIDG2CA.cer
+ /usr/bin/security import DeveloperIDCA.cer -k build.keychain -T /usr/bin/codesign || true
+ /usr/bin/security import DeveloperIDG2CA.cer -k build.keychain -T /usr/bin/codesign || true
+
 echo "---- Identities visible to codesign in build.keychain ----"
 /usr/bin/security find-identity -v -p codesigning build.keychain || true
 /usr/bin/security find-identity -v build.keychain || true
From 13eb44661dbcbdd0e7dc79c306366ccffe618f7e Mon Sep 17 00:00:00 2001
From: Kondal Kolipaka
Date: Fri, 24 Apr 2026 09:17:50 +0530
Subject: [PATCH 4/4] fix: import AppleIncRootCertificate also
---
 .github/workflows/nightly.yml | 26 +++++++++++++++-----------
 1 file changed, 15 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index 880bc7b4b..40ca021a0 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
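Review bot: The two `.cer` files fetched by `curl` are imported into the signing keychain with no integrity check beyond TLS, and `|| true` hides a failed import, so the signing step silently depends on whatever the URL serves at run time. Verify each file against a pinned digest before importing, for example `echo "<EXPECTED_SHA256>  DeveloperIDG2CA.cer" | shasum -a 256 -c -` with the fingerprint Apple lists for that certificate, or commit the certificates to the repository and drop the network fetch. The same gap applies to the `AppleIncRootCertificate.cer` download added in patch 4/4. The step these lines belong to starts and ends outside the hunk.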
@@ -130,35 +130,39 @@ jobs:
 curl -fsSL https://www.apple.com/certificateauthority/DeveloperIDCA.cer -o DeveloperIDCA.cer
 curl -fsSL https://www.apple.com/certificateauthority/DeveloperIDG2CA.cer -o DeveloperIDG2CA.cer
- /usr/bin/security import DeveloperIDCA.cer -k build.keychain -T /usr/bin/codesign || true
- /usr/bin/security import DeveloperIDG2CA.cer -k build.keychain -T /usr/bin/codesign || true
+ curl -fsSL https://www.apple.com/appleca/AppleIncRootCertificate.cer -o AppleIncRootCertificate.cer
+ /usr/bin/security import DeveloperIDCA.cer -k build.keychain || true
+ /usr/bin/security import DeveloperIDG2CA.cer -k build.keychain || true
+ /usr/bin/security import AppleIncRootCertificate.cer -k build.keychain || true
- echo "---- Identities visible to codesign in build.keychain ----"
+ echo "---- Identities (default search list) ----"
+ /usr/bin/security find-identity -v -p codesigning || true
+ /usr/bin/security find-identity -v || true
+ echo "---- Identities in build.keychain ----"
 /usr/bin/security find-identity -v -p codesigning build.keychain || true
- /usr/bin/security find-identity -v build.keychain || true
- echo "---- Certificates in build.keychain ----"
- /usr/bin/security find-certificate -a -c "Developer ID" -Z build.keychain || true
+ echo "---- Verify leaf cert chain ----"
+ /usr/bin/security find-certificate -c "Developer ID Application" -p build.keychain > leaf.pem || true
+ /usr/bin/security verify-cert -c leaf.pem -p codeSign -L 2>&1 || true
 echo "---- end ----"
- # Pick the identity by team identifier; matches any cert whose CN contains "(QWXF6GB4AV)".
 SIGN_ID="QWXF6GB4AV"
 echo "codesigning espressif-ide-macosx.cocoa.x86_64"
- /usr/bin/codesign --keychain build.keychain --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "$SIGN_ID" $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app -v
+ /usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "$SIGN_ID" $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app -v
 /usr/bin/codesign -v -vvv --deep $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app
 echo "codesigning espressif-ide-macosx.cocoa.aarch64"
- /usr/bin/codesign --keychain build.keychain --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "$SIGN_ID" $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app -v
+ /usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "$SIGN_ID" $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app -v
 /usr/bin/codesign -v -vvv --deep $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app
 echo "Creating dmg for espressif-ide-macosx.cocoa.x86_64"
 $PWD/releng/ide-dmg-builder/ide-dmg-builder.sh
- /usr/bin/codesign --keychain build.keychain --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "$SIGN_ID" $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg -v
+ /usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "$SIGN_ID" $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg -v
 /usr/bin/codesign -v -vvv --deep $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg
 echo "Creating dmg for espressif-ide-macosx.cocoa.aarch64"
 $PWD/releng/ide-dmg-builder/ide-dmg-builder-aarch64.sh
- /usr/bin/codesign --keychain build.keychain --options runtime --force -s "$SIGN_ID" $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg -v
+ /usr/bin/codesign --options runtime --force -s "$SIGN_ID" $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg -v
 /usr/bin/codesign -v -vvv --deep $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg
 - name: Notarization of Espressif-IDE dmg files
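Review bot: Dropping `--keychain build.keychain` from the four `codesign -s "$SIGN_ID"` calls means the substring `QWXF6GB4AV` is now matched against every keychain on the user search list instead of only the keychain created for this job. On a freshly provisioned runner that list is short, but on a reused runner another identity carrying the same team identifier could make the match ambiguous; keeping `--keychain build.keychain`, or setting `SIGN_ID` to the certificate's SHA-1 hash, keeps the selection deterministic. The added `security verify-cert ... || true` can never fail the step, so a broken chain is still discovered only at `codesign`. If the check is kept, let it fail the job, and remove `leaf.pem` and the downloaded `.cer` files once the step is done.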