From 9c35659c6e8b9ef85e525730ea7150fa2f07dd50 Mon Sep 17 00:00:00 2001
From: Mikunj <mikunj@live.com.au>
Date: Tue, 18 Feb 2020 16:08:56 +1100
Subject: [PATCH] Only enable signing if we have a certificate on Mac

---
 .github/workflows/build-binaries.yml |  9 +++++++--
 .github/workflows/release.yml        |  9 +++++++--
 build/setup-mac-certificate.sh       | 15 +++++++++++++++
 3 files changed, 29 insertions(+), 4 deletions(-)
 create mode 100755 build/setup-mac-certificate.sh

diff --git a/.github/workflows/build-binaries.yml b/.github/workflows/build-binaries.yml
index e3dfd3a8e..01a6a515c 100644
--- a/.github/workflows/build-binaries.yml
+++ b/.github/workflows/build-binaries.yml
@@ -52,12 +52,17 @@ jobs:
         if: runner.os == 'Windows'
         run: node_modules\.bin\electron-builder --config.extraMetadata.environment=%SIGNAL_ENV% --publish=never --config.directories.output=release
 
+      - name: Setup mac certificate
+        if: runner.os == 'macOS'
+        run: ./build/setup-mac-certificate.sh
+        env:
+          MAC_CERTIFICATE: ${{ secrets.MAC_CERTIFICATE }}
+          MAC_CERTIFICATE_PASSWORD: ${{ secrets.MAC_CERTIFICATE_PASSWORD }}
+
       - name: Build mac production binaries
         if: runner.os == 'macOS'
         run: $(yarn bin)/electron-builder --config.extraMetadata.environment=$SIGNAL_ENV --config.mac.bundleVersion=${{ github.ref }} --publish=never --config.directories.output=release
         env:
-          CSC_LINK: ${{ secrets.MAC_CERTIFICATE }}
-          CSC_KEY_PASSWORD: ${{ secrets.MAC_CERTIFICATE_PASSWORD }}
           SIGNING_APPLE_ID: ${{ secrets.SIGNING_APPLE_ID }}
           SIGNING_APP_PASSWORD: ${{ secrets.SIGNING_APP_PASSWORD }}
           SIGNING_TEAM_ID: ${{ secrets.SIGNING_TEAM_ID }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2ea6585df..700b52a50 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -49,12 +49,17 @@ jobs:
         if: runner.os == 'Windows'
         run: node_modules\.bin\electron-builder --config.extraMetadata.environment=%SIGNAL_ENV% --publish=always
 
+      - name: Setup mac certificate
+        if: runner.os == 'macOS'
+        run: ./build/setup-mac-certificate.sh
+        env:
+          MAC_CERTIFICATE: ${{ secrets.MAC_CERTIFICATE }}
+          MAC_CERTIFICATE_PASSWORD: ${{ secrets.MAC_CERTIFICATE_PASSWORD }}
+
       - name: Build mac production binaries
         if: runner.os == 'macOS'
         run: $(yarn bin)/electron-builder --config.extraMetadata.environment=$SIGNAL_ENV --config.mac.bundleVersion=${{ github.ref }} --publish=always
         env:
-          CSC_LINK: ${{ secrets.MAC_CERTIFICATE }}
-          CSC_KEY_PASSWORD: ${{ secrets.MAC_CERTIFICATE_PASSWORD }}
           SIGNING_APPLE_ID: ${{ secrets.SIGNING_APPLE_ID }}
           SIGNING_APP_PASSWORD: ${{ secrets.SIGNING_APP_PASSWORD }}
           SIGNING_TEAM_ID: ${{ secrets.SIGNING_TEAM_ID }}
diff --git a/build/setup-mac-certificate.sh b/build/setup-mac-certificate.sh
new file mode 100755
index 000000000..a8ec903c2
--- /dev/null
+++ b/build/setup-mac-certificate.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+if [ -z "$MAC_CERTIFICATE" ]; then
+  export CSC_LINK="$MAC_CERTIFICATE"
+  echo "MAC_CERTIFICATE found."
+else
+  echo "MAC_CERTIFICATE not set. Ignoring."
+fi
+
+if [ -z "$MAC_CERTIFICATE_PASSWORD" ]; then
+  export CSC_KEY_PASSWORD="$MAC_CERTIFICATE_PASSWORD"
+  echo "MAC_CERTIFICATE_PASSWORD found."
+else
+  echo "MAC_CERTIFICATE_PASSWORD not set. Ignoring."
+fi