[DEVOPS-1333] Add code signing to the macOS bws CLI #535

Merged 54 commits, Feb 23, 2024
Changes from 50 commits

Commits (54)
7024326
Add windows cli signing
michalchecinski Jan 19, 2024
e78cea8
Fix
michalchecinski Jan 19, 2024
c0e35fe
Fix env variables
michalchecinski Jan 19, 2024
6876476
Add macos sign and notarize
michalchecinski Jan 22, 2024
72944fd
Add verbose flag and change ownership
michalchecinski Jan 22, 2024
d9de046
Fix verbose flag
michalchecinski Jan 22, 2024
9c9a781
Fix
michalchecinski Jan 22, 2024
d809093
Add sign and notarize to universal macos app
michalchecinski Jan 22, 2024
6a4822a
Add creating signing and notarizing pkg
michalchecinski Jan 23, 2024
116b271
Fix
michalchecinski Jan 23, 2024
ebfec2a
Fix
michalchecinski Jan 23, 2024
df531cf
Fix patch
michalchecinski Jan 23, 2024
f659fec
Split macos stage
michalchecinski Jan 24, 2024
8b6b5d9
Create dmg, sign and notarize it
michalchecinski Jan 24, 2024
e3ba846
Merge branch 'main' into DEVOPS-1333-Add-code-signing-to-the-bws-cli
michalchecinski Jan 24, 2024
596d8c7
Fix dmg
michalchecinski Jan 24, 2024
2262967
Fix linux build
michalchecinski Jan 24, 2024
1522dd3
Fix path
michalchecinski Jan 24, 2024
6774ea5
Maybe fix
michalchecinski Jan 24, 2024
22ac9eb
Fix
michalchecinski Jan 25, 2024
bd11b6c
Add entitlements
michalchecinski Jan 30, 2024
276d8a8
Change way of signing universal binary
michalchecinski Jan 31, 2024
c79611f
fix
michalchecinski Jan 31, 2024
bec7128
Fix
michalchecinski Jan 31, 2024
a893523
Change entitlements
michalchecinski Jan 31, 2024
4d42018
Try to build and sign pkg
michalchecinski Jan 31, 2024
7265f9c
Try to fix
michalchecinski Jan 31, 2024
22fdeea
Try to fix #2
michalchecinski Jan 31, 2024
539aee2
Change pkgbuild
michalchecinski Feb 1, 2024
4e571c2
Change output of pkg
michalchecinski Feb 1, 2024
58031a2
Sign during pkgbuild
michalchecinski Feb 1, 2024
53fc3d0
Don't sign pkg in another step
michalchecinski Feb 1, 2024
efeecd6
Try another cert to sign pkg
michalchecinski Feb 1, 2024
8b6220c
Sign zip before notarization
michalchecinski Feb 6, 2024
6799afd
Remove installer cert
michalchecinski Feb 6, 2024
cc4202a
Fix
michalchecinski Feb 6, 2024
b99bfc7
sign zip before notarization universal
michalchecinski Feb 6, 2024
6420435
Fix zip
michalchecinski Feb 6, 2024
bd1b21b
Add timestamp
michalchecinski Feb 6, 2024
61aa540
Fix
michalchecinski Feb 6, 2024
45d893f
Fix
michalchecinski Feb 6, 2024
0285746
Get cert from kv
michalchecinski Feb 7, 2024
e0cdc57
Fix
michalchecinski Feb 7, 2024
954cdfd
Fix
michalchecinski Feb 7, 2024
5151505
Create dir for secrets from keyvault
michalchecinski Feb 7, 2024
09f8963
Check the contents of $HOME/secrets/devid-app-cert.p12
michalchecinski Feb 8, 2024
65b766e
Download p12 cert
michalchecinski Feb 9, 2024
d9e26b8
Maybe fix
michalchecinski Feb 9, 2024
e754da9
Go back to get cert from github/secrets
michalchecinski Feb 9, 2024
cad5499
Fix
michalchecinski Feb 9, 2024
d00b4f2
Update .github/workflows/build-cli.yml
michalchecinski Feb 22, 2024
2fb9426
Ran prettier
michalchecinski Feb 22, 2024
6c2fb19
Merge branch 'main' into DEVOPS-1333-Add-code-signing-to-the-bws-cli
michalchecinski Feb 23, 2024
809176c
Merge branch 'main' into DEVOPS-1333-Add-code-signing-to-the-bws-cli
michalchecinski Feb 23, 2024
Binary file added .github/secrets/devid-app-cert.p12.gpg
Binary file not shown.
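Review bot: the Developer ID signing key is now committed to the repository as a GPG-encrypted PKCS#12 file (.github/secrets/devid-app-cert.p12.gpg), and the workflow decrypts it with a symmetric passphrase (`--passphrase="$DECRYPT_FILE_PASSWORD"`). Anyone with read access to the repository holds that ciphertext indefinitely and can run offline passphrase guessing against it, and the blob remains in git history after the key is rotated. The workflow already logs in to Azure Key Vault for the certificate name and notarization credentials, and the commit list ("Get cert from kv", "Download p12 cert", "Go back to get cert from github/secrets") shows that delivering the .p12 from Key Vault was attempted; if the in-repo copy is kept, record why in the PR, and treat the passphrase and the .p12 password (`DEVID_CERT_PASSWORD`) as key material to be rotated together with the certificate.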
271 changes: 256 additions & 15 deletions .github/workflows/build-cli.yml
@@ -30,7 +30,93 @@ jobs:
VERSION=$(grep -o '^version = ".*"' crates/bws/Cargo.toml | grep -Eo "[0-9]+\.[0-9]+\.[0-9]+")
echo "package_version=$VERSION" >> $GITHUB_OUTPUT

build:
build-windows:
name: Building CLI for - ${{ matrix.settings.os }} - ${{ matrix.settings.target }}
runs-on: ${{ matrix.settings.os || 'ubuntu-latest' }}
needs:
- setup
env:
_PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
strategy:
fail-fast: false
matrix:
settings:
- os: windows-2022
target: x86_64-pc-windows-msvc

- os: windows-2022
target: aarch64-pc-windows-msvc
steps:
- name: Checkout repo
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Install rust
uses: dtolnay/rust-toolchain@be73d7920c329f220ce78e0234b8f96b7ae60248 # stable
with:
toolchain: stable
targets: ${{ matrix.settings.target }}

- name: Cache cargo registry
uses: Swatinem/rust-cache@3cf7f8cc28d1b4e7d01e3783be10a97d55d483c8 # v2.7.1
with:
key: ${{ matrix.settings.target }}-cargo-${{ matrix.settings.os }}

- name: Build
env:
TARGET: ${{ matrix.settings.target }}
run: cargo build ${{ matrix.features }} -p bws --release --target=${{ matrix.settings.target }}

- name: Login to Azure
uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
with:
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

- name: Retrieve secrets
id: retrieve-secrets-windows
uses: bitwarden/gh-actions/get-keyvault-secrets@main
with:
keyvault: "bitwarden-ci"
secrets: "code-signing-vault-url,
code-signing-client-id,
code-signing-tenant-id,
code-signing-client-secret,
code-signing-cert-name"

- name: Install AST
run: dotnet tool install --global AzureSignTool --version 4.0.1

- name: Sign windows binary
env:
SIGNING_VAULT_URL: ${{ steps.retrieve-secrets-windows.outputs.code-signing-vault-url }}
SIGNING_CLIENT_ID: ${{ steps.retrieve-secrets-windows.outputs.code-signing-client-id }}
SIGNING_TENANT_ID: ${{ steps.retrieve-secrets-windows.outputs.code-signing-tenant-id }}
SIGNING_CLIENT_SECRET: ${{ steps.retrieve-secrets-windows.outputs.code-signing-client-secret }}
SIGNING_CERT_NAME: ${{ steps.retrieve-secrets-windows.outputs.code-signing-cert-name }}
run: |
azuresigntool sign -v \
-kvu $SIGNING_VAULT_URL \
-kvi $SIGNING_CLIENT_ID \
-kvt $SIGNING_TENANT_ID \
-kvs $SIGNING_CLIENT_SECRET \
-kvc $SIGNING_CERT_NAME \
-fd sha256 \
-du https://bitwarden.com \
-tr http://timestamp.digicert.com \
./target/${{ matrix.settings.target }}/release/bws.exe

- name: Zip
shell: cmd
run: 7z a ./bws-${{ matrix.settings.target }}-%_PACKAGE_VERSION%.zip ./target/${{ matrix.settings.target }}/release/bws.exe

- name: Upload artifact
uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
with:
name: bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip
path: ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip
if-no-files-found: error


build-macos:
name: Building CLI for - ${{ matrix.settings.os }} - ${{ matrix.settings.target }}
runs-on: ${{ matrix.settings.os || 'ubuntu-latest' }}
needs:
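Review bot: the `Sign windows binary` step runs on windows-2022 without a `shell:` key, so it executes under PowerShell, where `$SIGNING_VAULT_URL` and friends are empty PowerShell variables rather than the environment variables set in `env:` and a trailing backslash is not a line continuation; either add `shell: bash` to the step (the `Zip` step right after it already sets `shell: cmd` explicitly) or rewrite it with `$env:SIGNING_VAULT_URL` and backtick continuations. Also, `bitwarden/gh-actions/get-keyvault-secrets@main` is the only action in this job not pinned to a commit SHA, even though it is the one handed the Key Vault login; pin it like `actions/checkout` and `Azure/login`. Finally, nothing verifies the result of signing before the zip is uploaded; a `signtool verify /pa /v` step on bws.exe would fail the job if the binary is left unsigned.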
@@ -47,11 +133,110 @@ jobs:
- os: macos-12
target: aarch64-apple-darwin

- os: windows-2022
target: x86_64-pc-windows-msvc
steps:
- name: Checkout repo
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- os: windows-2022
target: aarch64-pc-windows-msvc
- name: Install rust
uses: dtolnay/rust-toolchain@be73d7920c329f220ce78e0234b8f96b7ae60248 # stable
with:
toolchain: stable
targets: ${{ matrix.settings.target }}

- name: Cache cargo registry
uses: Swatinem/rust-cache@3cf7f8cc28d1b4e7d01e3783be10a97d55d483c8 # v2.7.1
with:
key: ${{ matrix.settings.target }}-cargo-${{ matrix.settings.os }}

- name: Build
env:
TARGET: ${{ matrix.settings.target }}
run: cargo build ${{ matrix.features }} -p bws --release --target=${{ matrix.settings.target }}

- name: Login to Azure
uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
with:
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

- name: Retrieve secrets macos
id: retrieve-secrets-macos
uses: bitwarden/gh-actions/get-keyvault-secrets@main
with:
keyvault: "bitwarden-ci"
secrets: "macos-bws-notarization-apple-id,
macos-bws-notarization-team-id,
macos-bws-notarization-password,
macos-bws-certificate-name,
macos-bws-installer-certificate-name"

- name: Decrypt secrets
env:
DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }}
run: |
mkdir -p $HOME/secrets

gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
--output "$HOME/secrets/devid-app-cert.p12" \
"$GITHUB_WORKSPACE/.github/secrets/devid-app-cert.p12.gpg"

- name: Set up keychain
env:
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
DEVID_CERT_PASSWORD: ${{ secrets.DEVID_CERT_PASSWORD }}
run: |
security create-keychain -p $KEYCHAIN_PASSWORD build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain
security set-keychain-settings -lut 1200 build.keychain

ls $HOME/secrets

security import "$HOME/secrets/devid-app-cert.p12" -k build.keychain -P $DEVID_CERT_PASSWORD \
-T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild

security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain

- name: Sign macos
env:
MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }}
run: codesign --sign "$MACOS_CERTIFICATE_NAME" --verbose=3 --force --options=runtime --timestamp ./target/${{ matrix.settings.target }}/release/bws

- name: Notarize app macos
env:
MACOS_NOTARIZATION_APPLE_ID: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-apple-id }}
MACOS_NOTARIZATION_TEAM_ID: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-team-id }}
MACOS_NOTARIZATION_PWD: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-password }}
MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }}
run: |
echo "Create keychain profile"
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD"

echo "Creating notarization archive"
zip -j ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip ./target/${{ matrix.settings.target }}/release/bws

codesign --sign "$MACOS_CERTIFICATE_NAME" --verbose=3 --force --options=runtime --timestamp ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip

echo "Notarize app"
xcrun notarytool submit ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip --keychain-profile "notarytool-profile" --wait

- name: Upload artifact
uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
with:
name: bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip
path: ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip
if-no-files-found: error

build-linux:
name: Building CLI for - ${{ matrix.settings.os }} - ${{ matrix.settings.target }}
runs-on: ${{ matrix.settings.os || 'ubuntu-latest' }}
needs:
- setup
env:
_PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
strategy:
fail-fast: false
matrix:
settings:

- os: ubuntu-22.04
target: x86_64-unknown-linux-gnu
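Review bot: `macos-bws-installer-certificate-name` is fetched in `Retrieve secrets macos` and `/usr/bin/productbuild` is granted access to the imported key (`-T /usr/bin/productbuild`), but no step in this job uses either; drop both so the job only pulls what it needs, and remove the `ls $HOME/secrets` debug line from `Set up keychain`. The `codesign ... ./bws-<target>-<version>.zip` call before `notarytool submit` adds nothing: notarization inspects the signed Mach-O inside the archive, and a codesign signature on a plain zip is stored in extended attributes that do not travel with the upload, so the `Sign macos` step is the one that matters. Two things are missing: an `if: always()` cleanup step that runs `security delete-keychain build.keychain` and removes `$HOME/secrets/devid-app-cert.p12`, and capturing the `notarytool submit` output so the job can call `notarytool log` on the submission id and fail explicitly when the status is Invalid.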
@@ -89,13 +274,7 @@ jobs:
TARGET: ${{ matrix.settings.target }}
run: cross build ${{ matrix.features }} -p bws --release --target=${{ matrix.settings.target }}

- name: Zip Windows
shell: cmd
if: runner.os == 'Windows'
run: 7z a ./bws-${{ matrix.settings.target }}-%_PACKAGE_VERSION%.zip ./target/${{ matrix.settings.target }}/release/bws.exe

- name: Zip Unix
if: runner.os != 'Windows'
- name: Zip linux
run: zip -j ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip ./target/${{ matrix.settings.target }}/release/bws

- name: Upload artifact
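Review bot: with the Windows and Unix branches split into their own jobs the `Zip linux` step no longer needs an `if:` guard, but the Linux artifact is still uploaded with no signature or checksum alongside it, so consumers of bws-<target>-<version>.zip on Linux have no way to verify what they downloaded; state in the PR that Linux signing is out of scope here and track a follow-up (a published SHA256SUMS file at minimum). Minor: name the step `Zip Linux` to match the casing used by the other step names.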
@@ -110,7 +289,7 @@ jobs:
runs-on: macos-12
needs:
- setup
- build
- build-macos
env:
_PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
steps:
@@ -138,8 +317,70 @@ jobs:

lipo -create -output ./bws-macos-universal/bws ./bws-x86_64-apple-darwin/bws ./bws-aarch64-apple-darwin/bws

- name: Zip universal artifact
run: zip ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip ./bws-macos-universal/bws
- name: Login to Azure
uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
with:
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

- name: Retrieve secrets
id: retrieve-secrets-macos
uses: bitwarden/gh-actions/get-keyvault-secrets@main
with:
keyvault: "bitwarden-ci"
secrets: "macos-bws-notarization-apple-id,
macos-bws-notarization-team-id,
macos-bws-notarization-password,
macos-bws-certificate-name,
macos-bws-installer-certificate-name"

- name: Decrypt secrets
env:
DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }}
run: |
mkdir -p $HOME/secrets

gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
--output "$HOME/secrets/devid-app-cert.p12" \
"$GITHUB_WORKSPACE/.github/secrets/devid-app-cert.p12.gpg"

- name: Set up keychain
env:
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
DEVID_CERT_PASSWORD: ${{ secrets.DEVID_CERT_PASSWORD }}
run: |
security create-keychain -p $KEYCHAIN_PASSWORD build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain
security set-keychain-settings -lut 1200 build.keychain

security import "$HOME/secrets/devid-app-cert.p12" -k build.keychain -P $DEVID_CERT_PASSWORD \
-T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild

security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain

- name: Sign binary
env:
MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }}
run: codesign --sign "$MACOS_CERTIFICATE_NAME" --verbose=3 --force --options=runtime --timestamp ./bws-aarch64-apple-darwin/bws

- name: Notarize app
env:
MACOS_NOTARIZATION_APPLE_ID: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-apple-id }}
MACOS_NOTARIZATION_TEAM_ID: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-team-id }}
MACOS_NOTARIZATION_PWD: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-password }}
MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }}
run: |

echo "Create keychain profile"
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD"

echo "Creating notarization archive"
zip -j ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip ./bws-aarch64-apple-darwin/bws

codesign --sign "$MACOS_CERTIFICATE_NAME" --verbose=3 --force --options=runtime --timestamp ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip

echo "Notarize app"
xcrun notarytool submit ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip --keychain-profile "notarytool-profile" --wait

- name: Upload artifact
uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0
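Review bot: the universal binary is produced at `lipo -create -output ./bws-macos-universal/bws ...`, but the `Sign binary` step signs `./bws-aarch64-apple-darwin/bws` and the `Notarize app` step zips `./bws-aarch64-apple-darwin/bws` into `bws-macos-universal-<version>.zip`; the lipo output is never signed, notarized or uploaded, and the file shipped under the universal name is the arm64-only binary. Both paths should be `./bws-macos-universal/bws`, and a `lipo -archs` check plus `codesign --verify --strict` on the artifact before upload would catch this in CI. The `Decrypt secrets`, `Set up keychain` and `Notarize app` blocks are now copied verbatim from build-macos, including the unused `macos-bws-installer-certificate-name` secret, the pointless codesign of the zip, and the absence of a cleanup step for the keychain and the .p12; a composite action in bitwarden/gh-actions would keep the two jobs from drifting apart.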
8 changes: 8 additions & 0 deletions crates/bws/entitlements.plist
@@ -0,0 +1,8 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
</dict>
</plist>
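Review bot: crates/bws/entitlements.plist is added, but none of the `codesign` invocations in this PR pass `--entitlements crates/bws/entitlements.plist`, so the file has no effect on the signed binary; either wire it into the `codesign --options=runtime` calls or drop it. If it is needed, document why in the PR: `com.apple.security.cs.allow-unsigned-executable-memory` relaxes the hardened runtime's restriction on unsigned executable memory for the whole process, which a Rust CLI such as bws normally does not require, and although notarization does not reject it, it is a weaker posture than the hardened-runtime default.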