productbuild hangs with no output in github actions

I am running into this error with productbuild in GitHub Actions where the program hangs with a specific developer ID. I have verified that my certification files are properly uploaded etc., and I am able to run this without the --sign command online and with --sign offline.

If I sign with a "3rd party mac developer installer: ***" it will run but then crash on stapling because this isn't the actual org I want to staple and don't really need to verify that I could staple with this other license since it is my personal license and I will be leaving this job soon, so setting up all my other certs is a waste of time since it doesn't solve the problem. When I use my boss's/org "Developer ID Installer: ***", productbuild just hangs. I am at a loss here... The actual command running is

productbuild --resources ./resources --distribution distribution.xml --sign "${{ secrets.DEVELOPER_ID_INSTALLER }}" --timestamp "${{ env.ARTIFACT_NAME }}.pkg" 

I have confirmed that my distribution file is fine etc. because I can productbuild without signing fine. Any suggestions on where to go?

Answered by DTS Engineer in 838423022

So, the way I’d debug this if I were running this on a machine that I control would be to run spindump against the stuck productbuild process. Its backtrace would likely yield useful clues about where it’s stuck.

I’m not sure if that’s feasible in your specific CI system. You’d have to ask the vendor about that.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
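The spindump suggestion above, sketched as a CI watchdog. This is an added example, not code from the thread or from the GitHub Action template. The function names, the `HANG_DIAG` override, the 10-second sample length and the report path are assumptions, as is passwordless `sudo` on the runner; check the `-o` flag against `man spindump` on your macOS image.

```shell
#!/usr/bin/env bash
# Added example: run a command under a watchdog and, if it is still
# running after a deadline, capture a backtrace before killing it.

# Default diagnostic (assumes macOS and passwordless sudo).
# $1 = pid of the stuck process, $2 = path for the text report.
capture_hang() {
  sudo spindump "$1" 10 -o "$2"
}

# run_with_watchdog TIMEOUT_SECONDS REPORT_PATH COMMAND [ARGS...]
# Returns COMMAND's exit status, or 124 if it hung and was terminated.
# Set HANG_DIAG to the name of another function/command to replace spindump.
run_with_watchdog() {
  local timeout="$1"
  local report="$2"
  shift 2

  "$@" &
  local pid=$!
  local waited=0

  while kill -0 "$pid" 2>/dev/null; do
    if [ "$waited" -ge "$timeout" ]; then
      echo "watchdog: pid $pid still running after ${timeout}s" >&2
      "${HANG_DIAG:-capture_hang}" "$pid" "$report" \
        || echo "watchdog: backtrace capture failed" >&2
      kill -TERM "$pid" 2>/dev/null || true
      wait "$pid" 2>/dev/null || true
      return 124
    fi
    sleep 1
    waited=$((waited + 1))
  done

  # Command finished on its own: hand back its real exit status.
  wait "$pid"
}

# Usage in a workflow step (arguments elided):
#   run_with_watchdog 300 "$RUNNER_TEMP/productbuild-spindump.txt" \
#     productbuild ... --sign "$DEVELOPER_ID_INSTALLER" ...
```

Upload the report file as a build artifact from a later step that runs even when this one fails, so the backtrace survives the job.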

Hangs on productsign if I split to productbuild and productsign.

Also can confirm that I can take my boss's p12 files and set them up on my computer using this script:

# Create and unlock a temporary keychain protected by a random password
KEYCHAIN_PATH1="$HOME/Library/Keychains/tmpsed1.keychain-db"
KEYCHAIN_PASSWORD1="$(openssl rand -base64 12)"
security create-keychain -p "$KEYCHAIN_PASSWORD1" "$KEYCHAIN_PATH1"
security unlock-keychain -p "$KEYCHAIN_PASSWORD1" "$KEYCHAIN_PATH1"
echo "keychain-path=$KEYCHAIN_PATH1"
echo "keychain-password=$KEYCHAIN_PASSWORD1"

#DEV_ID_APPLICATION=$(mktemp)
#echo $DEV_ID_APPLICATION
#base64 -i app.p12 | base64 -d >"$DEV_ID_APPLICATION"
#cat "$DEV_ID_APPLICATION"
# Import the application signing identity and allow codesign to use it
security import app.p12 -f pkcs12 -k "$KEYCHAIN_PATH1" -P password -T /usr/bin/codesign -T /usr/bin/security

# The temp file is a base64 round-trip copy of installer.p12; the import below reads installer.p12 directly
export DEV_ID_INSTALLER=$(mktemp)
base64 -i installer.p12 | base64 -d >"$DEV_ID_INSTALLER"
# Import the installer signing identity and allow the packaging tools to use it
security import installer.p12 -f pkcs12 -k "$HOME/Library/Keychains/tmpsed1.keychain-db" -P "password" -T /usr/bin/pkgbuild -T /usr/bin/security -T /usr/bin/productbuild

rm "$DEV_ID_INSTALLER"

# Let Apple-signed tools use the imported private keys without a prompt
security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PATH1" "$KEYCHAIN_PASSWORD1"
# Put the temporary keychain first in the user keychain search list
security list-keychains -d user -s "$KEYCHAIN_PATH1" $(security list-keychains -d user | xargs)

Although for whatever reason I have to run each line individually as opposed to running the whole script.

Then I can run "productbuild" fine.

These commands are exactly what I'm using from this GitHub Action template.
