From 797098b4b9c5d415906a292365eae7ef0958443e Mon Sep 17 00:00:00 2001
From: Mark Callow
Date: Fri, 4 Oct 2024 15:13:08 +0900
Subject: [PATCH] Fix CI build hanging due to codesign prompt.
---
 scripts/before_build_macos.sh | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/scripts/before_build_macos.sh b/scripts/before_build_macos.sh
index 365695b313..b5eadbb62a 100755
--- a/scripts/before_build_macos.sh
+++ b/scripts/before_build_macos.sh
@@ -21,9 +21,10 @@ MACOS_CERTS_TMPFILE=macOS_certificates.p12
 # Set up a keychain for signing certificates
 security create-keychain -p $KEY_PASS $KEY_CHAIN
 security default-keychain -s $KEY_CHAIN
+# Turn off timeout that re-locks the keychain to avoid risk of build
+# taking longer than whatever timeout is set (default is 300s).
+security set-keychain-settings -u $KEY_CHAIN
 security unlock-keychain -p $KEY_PASS $KEY_CHAIN
-# Set locking timeout to 3600 secondsa. Avoid hang in codesign.
-security set-keychain-settings -t 3600 -u $KEY_CHAIN
 # Import the macOS certificates
 #
@@ -35,11 +36,15 @@ security set-keychain-settings -t 3600 -u $KEY_CHAIN
 # it was exported.
 #
 echo $MACOS_CERTIFICATES_P12 | base64 --decode > $MACOS_CERTS_TMPFILE
+# In CI (macOS 12.6) `security` prints a bunch of "attribute" info when
+# importing. I have been unable to find out if it is a security risk.
+# -q does not squelch it. macOS 14.6 `security` does not do this.
+#
 security import $MACOS_CERTS_TMPFILE -k $KEY_CHAIN -P $MACOS_CERTIFICATES_PASSWORD -T /usr/bin/codesign -T /usr/bin/productbuild
 rm $MACOS_CERTS_TMPFILE
-# Avoid hang in codesign.
-# See https://docs.travis-ci.com/user/common-build-problems/#mac-macos-sierra-1012-code-signing-errors
+# Allow Apple tools access to signing certs in the keychain. Both this and
+# an unlocked keychain are needed for access.
 #
 security set-key-partition-list -S apple-tool:,apple: -s -k $KEY_PASS $KEY_CHAIN
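Review bot: With the re-lock timeout removed at `security set-keychain-settings -u $KEY_CHAIN`, the keychain holding the signing identity stays unlocked for as long as the runner lives, and the context line above also makes it the default keychain; nothing in this hunk tears it down. If runners can be reused or are self-hosted, pair this with a cleanup step that runs even when the build fails, e.g. `security delete-keychain "$KEY_CHAIN"`; whether one exists elsewhere in the pipeline is not visible here. Separately, as I read the man page, `-u` means "lock keychain after timeout interval" and an omitted `-t` means "no timeout", so the flag sits oddly next to the comment. `security set-keychain-settings "$KEY_CHAIN"` (no flags, variable quoted) states the intent unambiguously.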
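Review bot: The added comment on `security import` leaves open whether the "attribute" output is sensitive, yet the command still writes it to the CI log, which is often readable well beyond the people who hold the certificate. Until that is settled, the safe default is to discard stdout on that line, `security import "$MACOS_CERTS_TMPFILE" -k "$KEY_CHAIN" -P "$MACOS_CERTIFICATES_PASSWORD" -T /usr/bin/codesign -T /usr/bin/productbuild >/dev/null`, which should still leave failures visible if, as is usual for this tool, they are reported on stderr. It may be worth checking whether `security set-key-partition-list` at the end of the hunk prints similar item details on the same macOS version. The comment could also say what kind of information appears (labels, key class, and so on) so a later reader can judge the exposure without re-running the job.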