🤖 Fix keychain race condition in parallel macOS signing

Problem:
When running parallel electron-builder processes (x64 + arm64),
both try to create the same keychain simultaneously, causing:
  SecKeychainCreate: A keychain with the same name already exists

Solution:
Pre-create and configure keychain in setup-macos-signing.sh before
running parallel builds. This ensures:
- Certificate is imported before electron-builder runs
- Both parallel processes use the same pre-configured keychain
- No race condition on keychain creation

Changes:
- Create unique keychain with timestamp
- Import certificate into keychain before parallel builds
- Configure keychain permissions for codesign
- Export CSC_KEYCHAIN for electron-builder
- Add verification step to confirm signing is enabled

Author: ammar-agent

.github/workflows/build.yml

@@ -28,6 +28,16 @@ jobs:
           AC_APIKEY_ID: ${{ secrets.AC_APIKEY_ID }}
           AC_APIKEY_ISSUER_ID: ${{ secrets.AC_APIKEY_ISSUER_ID }}
 
+      - name: Verify signing setup
+        run: |
+          if [ -n "${CSC_LINK:-}" ]; then
+            echo "✅ Code signing enabled"
+            security list-keychains -d user
+            security find-identity -v -p codesigning
+          else
+            echo "⚠️ Code signing NOT enabled"
+          fi
+
       - name: Package for macOS
         run: make dist-mac
 

scripts/setup-macos-signing.sh

@@ -14,9 +14,40 @@ set -euo pipefail
 # Setup code signing certificate
 if [ -n "${MACOS_CERTIFICATE:-}" ]; then
   echo "Setting up code signing certificate..."
-  echo "$MACOS_CERTIFICATE" | base64 -D >/tmp/certificate.p12
-  echo "CSC_LINK=/tmp/certificate.p12" >>"$GITHUB_ENV"
+  
+  # Decode certificate
+  CERT_PATH=/tmp/certificate.p12
+  echo "$MACOS_CERTIFICATE" | base64 -D >"$CERT_PATH"
+  
+  # Create a unique keychain for this build (avoid parallel build conflicts)
+  KEYCHAIN_NAME="build-$(date +%s).keychain"
+  KEYCHAIN_PATH="$HOME/Library/Keychains/$KEYCHAIN_NAME"
+  KEYCHAIN_PASSWORD=$(openssl rand -hex 32)
+  
+  # Delete keychain if it already exists (cleanup from previous runs)
+  security delete-keychain "$KEYCHAIN_PATH" 2>/dev/null || true
+  
+  # Create new keychain
+  security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+  security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
+  security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+  
+  # Import certificate to keychain
+  security import "$CERT_PATH" -k "$KEYCHAIN_PATH" -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
+  
+  # Add keychain to search list and set as default
+  security list-keychains -d user -s "$KEYCHAIN_PATH" $(security list-keychains -d user | sed s/\"//g)
+  security default-keychain -s "$KEYCHAIN_PATH"
+  
+  # Allow codesign to access the keychain without prompting
+  security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
+  
+  # Export for electron-builder (it will use the already-imported certificate)
+  echo "CSC_LINK=$CERT_PATH" >>"$GITHUB_ENV"
   echo "CSC_KEY_PASSWORD=$MACOS_CERTIFICATE_PWD" >>"$GITHUB_ENV"
+  echo "CSC_KEYCHAIN=$KEYCHAIN_PATH" >>"$GITHUB_ENV"
+  
+  echo "✅ Code signing certificate imported to keychain"
 else
   echo "⚠️  No code signing certificate provided - building unsigned"
 fi