I recently wasted more time than I care to admit working through an issue where I was getting build errors that did not make sense. I was trying to set up the build/publish of a .NET MAUI application, and I wanted to inject my certificate using a GitHub Actions Secret, and it failed miserably; this post explores the issue and resolution.
The Issue
Apple issues certificates based on the company's legal name. My company's legal name is "IowaComputerGurus, Inc." which makes my full distribution certificate name similar to "Apple Distribution: IowaComputerGurus, Inc. (XXXXX)." Having transitioned my project from Xamarin Forms to .NET MAUI, I updated to the SDK-style projects. I wanted to remove any hard-coded elements and pass in my CertKey using the paramter -p:CertKey.
Instead of this working as I expected, I was met with a lovely build error.
MSBuild version 17.6.3+07e294721 for .NET
MSBUILD : error MSB1006: Property is not valid.
Switch: Inc. (XXXXXX)’ As you can see, dotnet was trying to utilize my comma to split my input and provide an array of values rather than my literal string. Even with the value quoted. This issue existed using a secret, using a hard-coded string, and almost any other combination of attempts.
The Fix
Thankfully, I was able to get some direct assistance from a wonderful person at Microsoft on the MAUI team and with almost an hour of trial and error together, we finally came up with the fix and final solution with just a few small changes to my action.
Set Incoming Secret to an Environment Variable
Rather than trying to inject the secret value directly, I had the Certificate Name secret transferred into an action-specific environment variable using the following snippet.
APPLE_CERTIFICATE_NAME: ${{ secrets.APPLE_ICG_CERTIFICATE_NAME }}
Doing this ensured that we could employ the proper BASH escaped usage of this later when we trigger our publish.
Update Publish Step to Escape Value
Now it was required to escape my secret value using "\" before and \"" after to ensure that I had a proper display. This resulted in a publish command similar to the following.
- name: Build/Package iOS
run: |
dotnet publish '${{ env.mauiproject-path }}' \
-c Release -f net7.0-ios \
-p:version='${{ steps.gitversion.outputs.majorMinorPatch }}' \
-p:ApplicationVersion='${{ steps.gitversion.outputs.commitsSinceVersionSource }}' \
-p:ApplicationDisplayVersion='${{ steps.gitversion.outputs.majorMinorPatch }}' \
-p:ArchiveOnBuild=true \
-p:CodesignProvision='${{ secrets.PROVISION }}' \
-p:RuntimeIdentifier=ios-arm64 \
-p:CodesignKey="\"$APPLE_CERTIFICATE_NAME\"" \
-bl:ios.binlog
if: matrix.buildTarget == 'ios'The key is that for the certificate name ONLY I need to use the BASH syntax, properly escaped to ensure that it is passed into dotnet in a manner that is usable. For those needing to use this, be careful if you copy the above to ensure that you get the proper quotes. All quotes in the CodeSignKey line are double quotes.
Wrapping Up
This one was a fun issue that cost me a lot of time. A special thank you to the .NET MAUI team for their assistance in finding a resolution. For those of us with commas in our organization names, I hope this helps you save a little time along the way!