From e0396df7b096d0b2bb74fe2cfcff4f11ffe94d3a Mon Sep 17 00:00:00 2001
From: Developer <dev@local-transcription.local>
Date: Fri, 10 Apr 2026 19:30:44 -0700
Subject: [PATCH] Use ad-hoc signing when no Apple certificate is configured

Prevents Tauri from auto-detecting local keychain certificates on the
build machine, which causes SecKeychainItemImport failures.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .gitea/workflows/build-app-macos.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/.gitea/workflows/build-app-macos.yml b/.gitea/workflows/build-app-macos.yml
index 240458f..def71b1 100644
--- a/.gitea/workflows/build-app-macos.yml
+++ b/.gitea/workflows/build-app-macos.yml
@@ -60,7 +60,13 @@ jobs:
           APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
           APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
           APPLE_API_KEY_PATH: ~/private_keys/AuthKey_${{ secrets.APPLE_API_KEY }}.p8
-        run: npm run tauri build
+        run: |
+          # If no signing identity is configured, use ad-hoc signing to prevent
+          # Tauri from auto-detecting local keychain certificates
+          if [ -z "${APPLE_SIGNING_IDENTITY}" ]; then
+            export APPLE_SIGNING_IDENTITY="-"
+          fi
+          npm run tauri build
 
       - name: Upload to release
         env: