From 70243260487e7d547621a0375a6ab4f707a8b2a4 Mon Sep 17 00:00:00 2001
From: Michal Checinski
Date: Fri, 19 Jan 2024 17:04:32 +0100
Subject: [PATCH 01/51] Add windows cli signing
---
 .github/workflows/build-cli.yml | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml
index b0f3e7b63..020a4ef08 100644
--- a/.github/workflows/build-cli.yml
+++ b/.github/workflows/build-cli.yml
@@ -89,6 +89,47 @@ jobs:
 TARGET: ${{ matrix.settings.target }}
 run: cross build ${{ matrix.features }} -p bws --release --target=${{ matrix.settings.target }}
+ - name: Login to Azure
+ uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
+ with:
+ creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+
+ - name: Retrieve secrets windows
+ if: runner.os == 'Windows'
+ id: retrieve-secrets-windows
+ uses: bitwarden/gh-actions/get-keyvault-secrets@main
+ with:
+ keyvault: "bitwarden-ci"
+ secrets: "code-signing-vault-url,
+ code-signing-client-id,
+ code-signing-tenant-id,
+ code-signing-client-secret,
+ code-signing-cert-name"
+
+ - name: Install AST
+ if: runner.os == 'Windows'
+ run: dotnet tool install --global AzureSignTool --version 4.0.1
+
+ - name: Sign windows binary
+ if: runner.os == 'Windows'
+ env:
+ SIGNING_VAULT_URL: ${{ steps.retrieve-secrets-windows.outputs.code-signing-vault-url }}
+ SIGNING_CLIENT_ID: ${{ steps.retrieve-secrets-windows.outputs.code-signing-client-id }}
+ SIGNING_TENANT_ID: ${{ steps.retrieve-secrets-windows.outputs.code-signing-tenant-id }}
+ SIGNING_CLIENT_SECRET: ${{ steps.retrieve-secrets-windows.outputs.code-signing-client-secret }}
+ SIGNING_CERT_NAME: ${{ steps.retrieve-secrets-windows.outputs.code-signing-cert-name }}
+ run: |
+ azuresigntool sign -v `
+ -kvu $env::SIGNING_VAULT_URL `
+ -kvi $env::SIGNING_CLIENT_ID `
+ -kvt $env::SIGNING_TENANT_ID `
+ -kvs $env::SIGNING_CLIENT_SECRET `
+ -kvc $env::SIGNING_CERT_NAME `
+ -fd sha256 `
+ -du https://bitwarden.com `
+ -tr http://timestamp.digicert.com `
+ ./target/${{ matrix.settings.target }}/release/bws.exe
+
 - name: Zip Windows
 shell: cmd
 if: runner.os == 'Windows'
From e78cea8fa734605597b3a3b3b2360a6f322272c2 Mon Sep 17 00:00:00 2001
From: Michal Checinski
Date: Fri, 19 Jan 2024 17:11:10 +0100
Subject: [PATCH 02/51] Fix
---
 .github/workflows/build-cli.yml | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
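Review bot: The "Retrieve secrets windows" step runs `bitwarden/gh-actions/get-keyvault-secrets@main`, a mutable branch ref, in the one step that hands back the code-signing client secret, while the other actions in this hunk are pinned to a full commit SHA. Pin it the same way, e.g. `uses: bitwarden/gh-actions/get-keyvault-secrets@<full-commit-sha> # <tag>` (placeholder; the SHA is not on this page). The same `@main` reference recurs in the macOS secret-retrieval steps added in PATCH 04 and PATCH 08 and in the split jobs of PATCH 13. The "Login to Azure" step also carries no `if: runner.os == 'Windows'`, so the service-principal credential is loaded on every matrix runner, including builds that never sign.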
diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml
index 020a4ef08..949408bc0 100644
--- a/.github/workflows/build-cli.yml
+++ b/.github/workflows/build-cli.yml
@@ -119,15 +119,15 @@ jobs:
 SIGNING_CLIENT_SECRET: ${{ steps.retrieve-secrets-windows.outputs.code-signing-client-secret }}
 SIGNING_CERT_NAME: ${{ steps.retrieve-secrets-windows.outputs.code-signing-cert-name }}
 run: |
- azuresigntool sign -v `
- -kvu $env::SIGNING_VAULT_URL `
- -kvi $env::SIGNING_CLIENT_ID `
- -kvt $env::SIGNING_TENANT_ID `
- -kvs $env::SIGNING_CLIENT_SECRET `
- -kvc $env::SIGNING_CERT_NAME `
- -fd sha256 `
- -du https://bitwarden.com `
- -tr http://timestamp.digicert.com `
+ azuresigntool sign -v \
+ -kvu $env::SIGNING_VAULT_URL \
+ -kvi $env::SIGNING_CLIENT_ID \
+ -kvt $env::SIGNING_TENANT_ID \
+ -kvs $env::SIGNING_CLIENT_SECRET \
+ -kvc $env::SIGNING_CERT_NAME \
+ -fd sha256 \
+ -du https://bitwarden.com \
+ -tr http://timestamp.digicert.com \
 ./target/${{ matrix.settings.target }}/release/bws.exe
 - name: Zip Windows
From c0e35fe2247e6949ed99130b545bcc2c639ae91e Mon Sep 17 00:00:00 2001
From: Michal Checinski
Date: Fri, 19 Jan 2024 17:17:55 +0100
Subject: [PATCH 03/51] Fix env variables
---
 .github/workflows/build-cli.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml
index 949408bc0..a941bca10 100644
--- a/.github/workflows/build-cli.yml
+++ b/.github/workflows/build-cli.yml
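Review bot: The `\` line continuations introduced here are POSIX-shell syntax, but no `shell:` key is visible on the "Sign windows binary" step (its header is above this hunk; PATCH 01 shows it with only `if:`, `env:` and `run:`), and Windows runners default to PowerShell for `run:`. Unless the workflow sets `defaults.run.shell` outside what is shown, either add `shell: bash` to the step or keep PowerShell syntax throughout. The `$env::NAME` form that remains on the new lines does not resolve to the environment variable in either shell, so the signing call would receive empty or literal arguments; a signature check on `bws.exe` after this step would make such a failure visible rather than silent.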
@@ -120,11 +120,11 @@ jobs:
 SIGNING_CERT_NAME: ${{ steps.retrieve-secrets-windows.outputs.code-signing-cert-name }}
 run: |
 azuresigntool sign -v \
- -kvu $env::SIGNING_VAULT_URL \
- -kvi $env::SIGNING_CLIENT_ID \
- -kvt $env::SIGNING_TENANT_ID \
- -kvs $env::SIGNING_CLIENT_SECRET \
- -kvc $env::SIGNING_CERT_NAME \
+ -kvu $SIGNING_VAULT_URL \
+ -kvi $SIGNING_CLIENT_ID \
+ -kvt $SIGNING_TENANT_ID \
+ -kvs $SIGNING_CLIENT_SECRET \
+ -kvc $SIGNING_CERT_NAME \
 -fd sha256 \
 -du https://bitwarden.com \
 -tr http://timestamp.digicert.com \
From 68764762e2d2092aada9de5aa2fe70131046b665 Mon Sep 17 00:00:00 2001
From: Michal Checinski
Date: Mon, 22 Jan 2024 17:05:27 +0100
Subject: [PATCH 04/51] Add macos sign and notarize
---
 .github/secrets/devid-app-cert.p12.gpg | Bin 0 -> 3324 bytes
 .github/workflows/build-cli.yml | 64 +++++++++++++++++++++++++
 2 files changed, 64 insertions(+)
 create mode 100644 .github/secrets/devid-app-cert.p12.gpg
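Review bot: The rewritten arguments expand `$SIGNING_VAULT_URL` through `$SIGNING_CERT_NAME` unquoted, so a value containing whitespace or glob characters is split or expanded by the shell before AzureSignTool sees it. Quote each one, e.g. `-kvs "$SIGNING_CLIENT_SECRET"` and `-kvc "$SIGNING_CERT_NAME"`. The same applies to `-p $KEYCHAIN_PASSWORD` and `-P $DEVID_CERT_PASSWORD` in the keychain steps added in PATCH 04 and PATCH 08. The step's header and most of its `env:` block start above this hunk.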
diff --git a/.github/secrets/devid-app-cert.p12.gpg b/.github/secrets/devid-app-cert.p12.gpg new file mode 100644 index 0000000000000000000000000000000000000000..8e2e2146e238314d23c9460e75989d6517783809 GIT binary patch literal 3324 zcmV@SCNaV%#Or%konszRFi;Wb~eE&{yc>i`T$Nn z#odyov^Creleum-z#UN(Sgivs!oZq}>6Fkb4IcHKl^)sXdTdv5XHWX5e$Na-<6gGE&F18gf?oEIH&iPtIwHng8^KAS*cHAGg@3y2f%z?Mssu4-oxF{4r z8A~N;!fnE_V@wEL==H_1>itYt_=j-iACf%}lsc-G1|im$S<;njht>%9)znwj1xLwW0bI z9F#i-DTB#lb^9tN94L9Q|3h-to6BD`OEqLD#n@k_%?1)jWKsC2=3qF@za4? z983KD<)16zpjfaSPvNrtTP`Bowf$?mF&idM0p1}e@>Cwm=jbq4YSNhUQ8k^R`#Juz zCQB@*>GEs%!Xsfmz)TRUK7?SW==sU_GK}=aFUYxHq=PVlqdN@}?R#CR4(uauXUE#K zz{OrFFf(C!PqmpDEPBD=?G@8cN}2Lz4s0wty8RKMrq` zM?5)$K^Not?{({{y#c97RZmKr>U>va3XL78YMzoKh=2YIdFspYVs#PqL(4V%t4vZj zEL^9-{Cwl!^%$x%!dD26*`?{_8AJ)4BY#39YM4d)R8bJnWG~pLqIJIa7G**LDKQ$R zOF<7VT6&%s#3IlzT_+A4X*tt~ztsTkD%06La@)e#DP>Q}TC^h7d0VK(FdzD*3v3(9 zAO{sR>d?fNk4^V}XaL7zDD!RGYjJ{W7b=_B>p)oM3DHT1RyZB20!um-vPXDYbP#D_ zO8$n3Hn!Jp5p{Rm5%j*&D``)jP}2s?D$`N=B1{(wBivnso%mM2S8_rk-tW-FN-(T3 zuA%B_;JcWvQy<*pwTwpgGBh*JEssO&P6SP{L64geRMquK$+Qw$Z3NKAdFx>SJgxls zM=69PzK0}u?r6grUDobA+a<|(9wtR9Ov)hFz#qG3Y(dp>@4j2sAp&H_GJEFja;9U( zwK{6rZs%c6S;L7hFjC;%z)TM@RCKvMyNS1OLlx?6!Ks?dNE`O0)dJ^`nXu5ye`p;d z-~=mDMc7OQKIuT*RPG-e@@Jij*c3P;Ia(Boe0Hr7dPOi7YH~<$p7aXBU&8UaOFaK2f zSwh&IJY6!E%co0)w<;2+GO`o=C7Yy(MGUY3pU5fS++|f%RlFIG>0-0h0N^e|Mb*Hs zAB{|+%wgTw|b5>>;f{z8DIY2K# zg`uC}x_t!hsPsu;L=M$*f?Rh^8@!ddAeZ`V3U>ZP1f79-3OBO*MfF2!O~(a-^7hD4`DlEX?fgs>fxamDH4ROArzH!OD;OE3@nJz5zN#& zIZwMBe%p3I>J59=L%SxQJiTV3z?0+$jY9k%_l#IKm6ap|wqWuDogn}Kru<*%kg%ZZ z!nP$CHgM%`2p(9>ebC`YTK%?l4+PZA*Ie+%+&S|Wk}lKUNDr(%-C~(*clwcc@ zxLv$p@9ZT_HF2!*XY}msk4^t0FxO z30qQWh)2PwdPUSoelhkGQs%9hy;tM&P#tI}3z7(6^^AjWP0-W943oc5AWQa5ME9|( z+MB=!2U3m=cB4XH+qX*3!`d9Ul|rW{QAX)A9wbe@^eE3Y)Q~$+MQTRg$z`* znUJg*12>l4TMoBhp^#Eqw7D=f28^(oELBp30U+~5F_WENLj!ej_9{YZ>Xf3@9>z2Y zd4YEzdN4tWgF^PJCMpSoQ!(AZZU_|!5}~FWVLIT;P8z&gyy*5f3ghx$)+G?=O+^AP z3gN>70EEQ>my4X>ji*M=@P?eo0CRw!h8+t^x`!RAWv$-)iNOFj(yhesT^brG 
z?=cYVmyHTgxK$>Z;s;;l!0^ekXdZjwWtR^_n`Y|iyhjGZ)%tX-`4jtDVa}lEl(h=?w+Dn&;q8@huau z$KeLyv>lr{ZZZeRS^E5<7G6qq>G6;<5+b)2y40;57iW40!N1#XIcd89+F74mZf&2u z?#2B|!6=~aJ3!DFu}7+2kXmZ`ud_#3wgvY*nl~G~r z@#A2kp8Gia*EA9jM6n*-P$4r)OMXlgkH(UbGKHAwV|4mvgUozB75s~&gc&xIhcilW z{M6pjuxe9pWPjuFk#@`&`fz&=!{sTBV4jo7&$?#D$X9{OT-#m7eu{KQM?-UO$rk(;GVOYI(ga+y%~?k$GUlNP15>T5~^0G zjrz(wEGhF2W5mkg7nu3L(Y3uu`;Y9e$}fdz?ghrAkS^^og!(<0k76q>t%9=U)21JU zf@PAeg4bQ5;t3fY+Fh@-%OYN)Lz5c>goJv=z|I+%y8!f1w%IuK@;#A-r1yc^Y1+tv z3~#4RDOOjvfDuAad)gJ}jrx@(w!f!GlxS-fc6xN=3wKDtx* zICcmv+a%M0ee+~RAb_qK)BNV8U&qos(DTxpwJ#MH)ZLn}f=huj!OiJG7FWU**X3r7 z3E!KKpP0RPU*BP(Cz537@Mx(~=Qy88yb``PCX{G}#< z0i6y0Q+E>>q zZr>4^I!Ilmp`}U`fEqguzf68YhNf6ab|fL!E0dKX7UveK>Qnf9YV{*YNDMAgQ>ona ze2`%f4q5mo{FC8yU1{EE_JkTe{F28G3cM1GqDFfCvm+T*%v(V}AhPo*>~ z=+;b>D95m^J>Urjwd}7< G(vHAR8DUNU literal 0 HcmV?d00001 diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index a941bca10..4fe97deeb 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml 
@@ -94,6 +94,70 @@ jobs:
 with:
 creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+ - name: Retrieve secrets macos
+ if: runner.os == 'macos'
+ id: retrieve-secrets-macos
+ uses: bitwarden/gh-actions/get-keyvault-secrets@main
+ with:
+ keyvault: "bitwarden-ci"
+ secrets: "macos-bws-notarization-apple-id,
+ macos-bws-notarization-team-id,
+ macos-bws-notarization-password,
+ macos-bws-certificate-name"
+
+ - name: Decrypt secrets
+ if: runner.os == 'macos'
+ env:
+ DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }}
+ run: |
+ mkdir -p $HOME/secrets
+
+ gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
+ --output "$HOME/secrets/devid-app-cert.p12" \
+ "$GITHUB_WORKSPACE/.github/secrets/devid-app-cert.p12.gpg"
+
+ - name: Set up keychain
+ if: runner.os == 'macos'
+ env:
+ KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
+ DEVID_CERT_PASSWORD: ${{ secrets.DEVID_CERT_PASSWORD }}
+ run: |
+ security create-keychain -p $KEYCHAIN_PASSWORD build.keychain
+ security default-keychain -s build.keychain
+ security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain
+ security set-keychain-settings -lut 1200 build.keychain
+
+ security import "$HOME/secrets/devid-app-cert.p12" -k build.keychain -P $DEVID_CERT_PASSWORD \
+ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild
+
+ security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain
+
+ - name: Sign macos
+ if: runner.os == 'macos'
+ env:
+ MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }}
+ run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime ./target/${{ matrix.settings.target }}/release/bws -v
+
+ - name: Notarize app macos
+ if: runner.os == 'macos'
+ env:
+ MACOS_NOTARIZATION_APPLE_ID: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-apple-id }}
+ MACOS_NOTARIZATION_TEAM_ID: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-team-id }}
+ MACOS_NOTARIZATION_PWD: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-password }}
+ run: |
+
+ echo "Create keychain profile"
+ xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD"
+
+ echo "Creating temp notarization archive"
+ ditto -c -k --keepParent "./target/${{ matrix.settings.target }}/release/bws" "notarization.zip"
+
+ echo "Notarize app"
+ xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait
+
+ echo "Attach staple"
+ xcrun stapler staple "./target/${{ matrix.settings.target }}/release/bws"
+
 - name: Retrieve secrets windows
 if: runner.os == 'Windows'
 id: retrieve-secrets-windows
From 72944fd74074617522308d76adcb45eecc25f590 Mon Sep 17 00:00:00 2001
From: Michal Checinski
Date: Mon, 22 Jan 2024 17:20:20 +0100
Subject: [PATCH 05/51] Add verbose flag and change ownership
---
 .github/workflows/build-cli.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml
index 4fe97deeb..99e7aa6fe 100644
--- a/.github/workflows/build-cli.yml
+++ b/.github/workflows/build-cli.yml
@@ -156,7 +156,8 @@ jobs:
 xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait
 echo "Attach staple"
- xcrun stapler staple "./target/${{ matrix.settings.target }}/release/bws"
+ chmod -R 755 "./target/${{ matrix.settings.target }}/release/bws"
+ xcrun stapler staple "./target/${{ matrix.settings.target }}/release/bws" -v
 - name: Retrieve secrets windows
 if: runner.os == 'Windows'
From d9de04635ea204741758b836b52aa626123251ee Mon Sep 17 00:00:00 2001
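Review bot: The "Decrypt secrets" and "Set up keychain" steps leave the decrypted `$HOME/secrets/devid-app-cert.p12` and an unlocked `build.keychain` (also made the default keychain) in place for every later step of the job, and nothing in the hunk removes them. A final step guarded by `if: always()` that deletes both would confine the signing material to the steps that need it, which matters most if this job ever runs on a self-hosted or reused runner. Separately, `--passphrase="$DECRYPT_FILE_PASSWORD"` places the passphrase on the gpg command line; reading it with `--passphrase-fd 0` from a pipe keeps it out of the process arguments. The same steps are repeated in the universal-macOS job (PATCH 08) and in `build-macos` (PATCH 13).

```yaml
      - name: Clean up signing material
        if: always() && runner.os == 'macos'
        run: |
          security delete-keychain build.keychain || true
          rm -rf "$HOME/secrets"
```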
From: Michal Checinski
Date: Mon, 22 Jan 2024 17:26:34 +0100
Subject: [PATCH 06/51] Fix verbose flag
---
 .github/workflows/build-cli.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml
index 99e7aa6fe..cad926be0 100644
--- a/.github/workflows/build-cli.yml
+++ b/.github/workflows/build-cli.yml
@@ -157,7 +157,7 @@ jobs:
 echo "Attach staple"
 chmod -R 755 "./target/${{ matrix.settings.target }}/release/bws"
- xcrun stapler staple "./target/${{ matrix.settings.target }}/release/bws" -v
+ xcrun stapler staple -v "./target/${{ matrix.settings.target }}/release/bws"
 - name: Retrieve secrets windows
 if: runner.os == 'Windows'
From 9c9a7818d3cb790f8528c2bb1bb8505114630dbf Mon Sep 17 00:00:00 2001
From: Michal Checinski
Date: Mon, 22 Jan 2024 17:38:02 +0100
Subject: [PATCH 07/51] Fix
---
 .github/workflows/build-cli.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml
index cad926be0..10438f74a 100644
--- a/.github/workflows/build-cli.yml
+++ b/.github/workflows/build-cli.yml
@@ -155,9 +155,9 @@ jobs:
 echo "Notarize app"
 xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait
- echo "Attach staple"
- chmod -R 755 "./target/${{ matrix.settings.target }}/release/bws"
- xcrun stapler staple -v "./target/${{ matrix.settings.target }}/release/bws"
+ # Apple don't support staple cli tools
+ # echo "Attach staple"
+ # xcrun stapler staple -v "./target/${{ matrix.settings.target }}/release/bws"
 - name: Retrieve secrets windows
 if: runner.os == 'Windows'
From d8090936bd94a53a1cc3d19dde980274fe84b301 Mon Sep 17 00:00:00 2001
From: Michal Checinski
Date: Mon, 22 Jan 2024 18:01:02 +0100
Subject: [PATCH 08/51] Add sign and notarize to universal macos app
---
 .github/workflows/build-cli.yml | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml
index 10438f74a..6416fd392 100644
--- a/.github/workflows/build-cli.yml
+++ b/.github/workflows/build-cli.yml
@@ -244,6 +244,67 @@ jobs:
 lipo -create -output ./bws-macos-universal/bws ./bws-x86_64-apple-darwin/bws ./bws-aarch64-apple-darwin/bws
+ - name: Login to Azure
+ uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
+ with:
+ creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+
+ - name: Retrieve secrets
+ id: retrieve-secrets-macos
+ uses: bitwarden/gh-actions/get-keyvault-secrets@main
+ with:
+ keyvault: "bitwarden-ci"
+ secrets: "macos-bws-notarization-apple-id,
+ macos-bws-notarization-team-id,
+ macos-bws-notarization-password,
+ macos-bws-certificate-name"
+
+ - name: Decrypt secrets
+ env:
+ DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }}
+ run: |
+ mkdir -p $HOME/secrets
+
+ gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
+ --output "$HOME/secrets/devid-app-cert.p12" \
+ "$GITHUB_WORKSPACE/.github/secrets/devid-app-cert.p12.gpg"
+
+ - name: Set up keychain
+ env:
+ KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
+ DEVID_CERT_PASSWORD: ${{ secrets.DEVID_CERT_PASSWORD }}
+ run: |
+ security create-keychain -p $KEYCHAIN_PASSWORD build.keychain
+ security default-keychain -s build.keychain
+ security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain
+ security set-keychain-settings -lut 1200 build.keychain
+
+ security import "$HOME/secrets/devid-app-cert.p12" -k build.keychain -P $DEVID_CERT_PASSWORD \
+ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild
+
+ security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain
+
+ - name: Sign
+ env:
+ MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }}
+ run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime ./bws-aarch64-apple-darwin/bws -v
+
+ - name: Notarize app
+ env:
+ MACOS_NOTARIZATION_APPLE_ID: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-apple-id }}
+ MACOS_NOTARIZATION_TEAM_ID: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-team-id }}
+ MACOS_NOTARIZATION_PWD: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-password }}
+ run: |
+
+ echo "Create keychain profile"
+ xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD"
+
+ echo "Creating temp notarization archive"
+ ditto -c -k --keepParent "./bws-aarch64-apple-darwin/bws" "notarization.zip"
+
+ echo "Notarize app"
+ xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait
+
 - name: Zip universal artifact
 run: zip ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip ./bws-macos-universal/bws
From 6a4822a4a9bd09726d7b81ff814dd5154e4235cc Mon Sep 17 00:00:00 2001
From: Michal Checinski
Date: Tue, 23 Jan 2024 15:51:12 +0100
Subject: [PATCH 09/51] Add creating singning and notarizing pkg
---
 .github/workflows/build-cli.yml | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 50 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml
index 6416fd392..4f2d3b6d9 100644
--- a/.github/workflows/build-cli.yml
+++ b/.github/workflows/build-cli.yml
@@ -138,6 +138,11 @@ jobs:
 MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }}
 run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime ./target/${{ matrix.settings.target }}/release/bws -v
+ - name: Create pkg
+ env:
+ MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }}
+ run: pkgbuild --root ./${{ matrix.settings.target }} --identifier "com.bitwarden.bws.pkg" --install-location "/" --sign $MACOS_CERTIFICATE_NAME --version "${{ env._PACKAGE_VERSION }}" "./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.pkg"
+
 - name: Notarize app macos
 if: runner.os == 'macos'
 env:
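Review bot: The "Sign" and "Notarize app" steps operate on `./bws-aarch64-apple-darwin/bws`, but the file produced by the preceding `lipo -create` and zipped right after the hunk is `./bws-macos-universal/bws`, so this job re-signs and notarizes an input slice rather than the merged binary that is uploaded. Point both steps at the lipo output: `/usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime ./bws-macos-universal/bws -v` and `ditto -c -k --keepParent "./bws-macos-universal/bws" "notarization.zip"`. A `codesign --verify --strict ./bws-macos-universal/bws` before the zip step would catch a shipped file whose signature is missing or stale.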
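Review bot: The output path in "Create pkg", `"./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.pkg"`, is missing the `$` before `{{`, so the expression is not expanded and the shell receives the literal text `{{ matrix.settings.target }}` as a directory name. It should read `"./target/${{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.pkg"`. The same literal appears in the `ditto`, `xcrun stapler staple` and `zip` lines of the later hunks of this commit and is still present on the new side of PATCH 11, 12 and 13. Because the signed and notarized package is located through this path, a step that fails or resolves to a different file here means the pkg that is stapled may not be the one that was built.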
@@ -155,9 +160,15 @@ jobs: echo "Notarize app" xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait - # Apple don't support staple cli tools - # echo "Attach staple" - # xcrun stapler staple -v "./target/${{ matrix.settings.target }}/release/bws" + rm notarization.zip + + echo "Creating temp notarization archive" + ditto -c -k --keepParent "./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.pkg" "notarization.zip" + + echo "Notarize pkg" + xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait + + xcrun stapler staple "./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.pkg" - name: Retrieve secrets windows if: runner.os == 'Windows' @@ -200,10 +211,17 @@ jobs: if: runner.os == 'Windows' run: 7z a ./bws-${{ matrix.settings.target }}-%_PACKAGE_VERSION%.zip ./target/${{ matrix.settings.target }}/release/bws.exe - - name: Zip Unix - if: runner.os != 'Windows' + - name: Zip linux + if: runner.os != 'Windows' && runner.os != 'macos' run: zip -j ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip ./target/${{ matrix.settings.target }}/release/bws + - name: Zip macos + if: runner.os == 'macos' + run: | + zip -j ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip ./target/${{ matrix.settings.target }}/release/bws + zip ./bws-${{ matrix.settings.target }}-pkg-${{ env._PACKAGE_VERSION }}.zip ./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.pkg + + - name: Upload artifact uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: 
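Review bot: "Zip macos" writes a second archive, `bws-<target>-pkg-<version>.zip`, but the "Upload artifact" step that follows is unchanged context here (its `with:` block continues outside the hunk), and where that step is visible elsewhere in this series it uploads only `bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip`. If that is the whole step, the per-target signed pkg is built and then dropped at the end of the job. A second upload step with `if-no-files-found: error`, like the "Upload pkg artifact" step this commit adds to the universal job, would make a missing pkg archive fail the build instead of passing unnoticed.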
@@ -284,11 +302,16 @@ jobs: security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain - - name: Sign + - name: Sign binary env: MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime ./bws-aarch64-apple-darwin/bws -v + - name: Create pkg + env: + MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} + run: pkgbuild --root ./bws-aarch64-apple-darwin --identifier "com.bitwarden.bws.pkg" --install-location "/" --sign $MACOS_CERTIFICATE_NAME --version "${{ env._PACKAGE_VERSION }}" "./bws-aarch64-apple-darwin/bws-${{ env._PACKAGE_VERSION }}.pkg" + - name: Notarize app env: MACOS_NOTARIZATION_APPLE_ID: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-apple-id }} 
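Review bot: `pkgbuild --root ./bws-aarch64-apple-darwin --install-location "/"` packages every file in that directory and installs it at the filesystem root, and the directory is the arm64 input rather than `./bws-macos-universal`, although the result is later zipped as `bws-macos-universal-pkg-...`. A staging directory holding only the universal `bws`, with an explicit install location such as `/usr/local/bin`, would make the installed payload deliberate. `--sign $MACOS_CERTIFICATE_NAME` is unquoted and reuses the identity passed to `codesign`; installer packages are normally signed with a Developer ID Installer identity rather than the application one, so confirm that the imported `.p12` actually contains it.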
@@ -305,16 +328,35 @@ jobs: echo "Notarize app" xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait + rm notarization.zip + + echo "Creating temp notarization archive" + ditto -c -k --keepParent "./bws-aarch64-apple-darwin/bws-${{ env._PACKAGE_VERSION }}.pkg" "notarization.zip" + + echo "Notarize pkg" + xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait + + xcrun stapler staple "./bws-aarch64-apple-darwin/bws-${{ env._PACKAGE_VERSION }}.pkg" + - name: Zip universal artifact - run: zip ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip ./bws-macos-universal/bws + run: | + zip ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip ./bws-macos-universal/bws + zip ./bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.zip ./bws-aarch64-apple-darwin/bws-${{ env._PACKAGE_VERSION }}.pkg - - name: Upload artifact + - name: Upload binary artifact uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: name: bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip path: ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip if-no-files-found: error + - name: Upload pkg artifact + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 + with: + name: bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.zip + path: ./bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.zip + if-no-files-found: error + third_party: name: Generate THIRDPARTY.html runs-on: ubuntu-22.04 From 116b271feb5f826dda4ec27fdf54d04a7454a0c1 Mon Sep 17 00:00:00 2001 From: Michal Checinski Date: Tue, 23 Jan 2024 15:59:16 +0100 Subject: [PATCH 10/51] Fix --- .github/workflows/build-cli.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index 4f2d3b6d9..0d98bff97 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml 
@@ -139,6 +139,7 @@ jobs: run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime ./target/${{ matrix.settings.target }}/release/bws -v - name: Create pkg + if: runner.os == 'macos' env: MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} run: pkgbuild --root ./${{ matrix.settings.target }} --identifier "com.bitwarden.bws.pkg" --install-location "/" --sign $MACOS_CERTIFICATE_NAME --version "${{ env._PACKAGE_VERSION }}" "./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.pkg" From ebfec2a0725eb058b10c0b8bb3b80deef4490ff3 Mon Sep 17 00:00:00 2001 From: Michal Checinski Date: Tue, 23 Jan 2024 16:01:40 +0100 Subject: [PATCH 11/51] Fix --- .github/workflows/build-cli.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index 0d98bff97..dc5b817ab 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml @@ -142,7 +142,7 @@ jobs: if: runner.os == 'macos' env: MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} - run: pkgbuild --root ./${{ matrix.settings.target }} --identifier "com.bitwarden.bws.pkg" --install-location "/" --sign $MACOS_CERTIFICATE_NAME --version "${{ env._PACKAGE_VERSION }}" "./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.pkg" + run: pkgbuild --root ./target/${{ matrix.settings.target }} --identifier "com.bitwarden.bws.pkg" --install-location "/" --sign $MACOS_CERTIFICATE_NAME --version "${{ env._PACKAGE_VERSION }}" "./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.pkg" - name: Notarize app macos if: runner.os == 'macos' From df531cfb44e6da5609d05edef5b7a8b81e8f5735 Mon Sep 17 00:00:00 2001 From: Michal Checinski Date: Tue, 23 Jan 2024 16:09:54 +0100 Subject: [PATCH 12/51] Fix patch --- .github/workflows/build-cli.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index dc5b817ab..a3e12d1d8 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml @@ -142,7 +142,7 @@ jobs: if: runner.os == 'macos' env: MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} - run: pkgbuild --root ./target/${{ matrix.settings.target }} --identifier "com.bitwarden.bws.pkg" --install-location "/" --sign $MACOS_CERTIFICATE_NAME --version "${{ env._PACKAGE_VERSION }}" "./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.pkg" + run: pkgbuild --root ./target/${{ matrix.settings.target }}/release --identifier "com.bitwarden.bws.pkg" --install-location "/" --sign "$MACOS_CERTIFICATE_NAME" --version "${{ env._PACKAGE_VERSION }}" "./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.pkg" - name: Notarize app macos if: runner.os == 'macos' From f659fecd29f9ff2b16b767fdb2bf931d3f5ed39e Mon Sep 17 00:00:00 2001 From: Michal Checinski Date: Wed, 24 Jan 2024 16:57:25 +0100 Subject: [PATCH 13/51] Split macos stage --- .github/workflows/build-cli.yml | 207 +++++++++++++++++++++----------- 1 file changed, 135 insertions(+), 72 deletions(-) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index a3e12d1d8..2b573d3a7 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml @@ -30,7 +30,7 @@ jobs: VERSION=$(grep -o '^version = ".*"' crates/bws/Cargo.toml | grep -Eo "[0-9]+\.[0-9]+\.[0-9]+") echo "package_version=$VERSION" >> $GITHUB_OUTPUT - build: + build-windows: name: Building CLI for - ${{ matrix.settings.os }} - ${{ matrix.settings.target }} runs-on: ${{ matrix.settings.os || 'ubuntu-latest' }} needs: 
@@ -41,23 +41,11 @@ jobs: fail-fast: false matrix: settings: - - os: macos-12 - target: x86_64-apple-darwin - - - os: macos-12 - target: aarch64-apple-darwin - - os: windows-2022 target: x86_64-pc-windows-msvc - os: windows-2022 target: aarch64-pc-windows-msvc - - - os: ubuntu-22.04 - target: x86_64-unknown-linux-gnu - - - os: ubuntu-22.04 - target: aarch64-unknown-linux-gnu steps: - name: Checkout repo uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 
@@ -73,21 +61,97 @@ jobs: with: key: ${{ matrix.settings.target }}-cargo-${{ matrix.settings.os }} - - name: Install Cross (aarch64-unknown-linux-gnu) - if: ${{ matrix.settings.target == 'aarch64-unknown-linux-gnu' }} - run: cargo install cross --locked - - name: Build - if: ${{ matrix.settings.target != 'aarch64-unknown-linux-gnu' }} env: TARGET: ${{ matrix.settings.target }} run: cargo build ${{ matrix.features }} -p bws --release --target=${{ matrix.settings.target }} - - name: Build (aarch64-unknown-linux-gnu) - if: ${{ matrix.settings.target == 'aarch64-unknown-linux-gnu' }} + - name: Login to Azure + uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7 + with: + creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + + - name: Retrieve secrets + id: retrieve-secrets-windows + uses: bitwarden/gh-actions/get-keyvault-secrets@main + with: + keyvault: "bitwarden-ci" + secrets: "code-signing-vault-url, + code-signing-client-id, + code-signing-tenant-id, + code-signing-client-secret, + code-signing-cert-name" + + - name: Install AST + run: dotnet tool install --global AzureSignTool --version 4.0.1 + + - name: Sign windows binary + env: + SIGNING_VAULT_URL: ${{ steps.retrieve-secrets-windows.outputs.code-signing-vault-url }} + SIGNING_CLIENT_ID: ${{ steps.retrieve-secrets-windows.outputs.code-signing-client-id }} + SIGNING_TENANT_ID: ${{ steps.retrieve-secrets-windows.outputs.code-signing-tenant-id }} + SIGNING_CLIENT_SECRET: ${{ steps.retrieve-secrets-windows.outputs.code-signing-client-secret }} + SIGNING_CERT_NAME: ${{ steps.retrieve-secrets-windows.outputs.code-signing-cert-name }} + run: | + azuresigntool sign -v \ + -kvu $SIGNING_VAULT_URL \ + -kvi $SIGNING_CLIENT_ID \ + -kvt $SIGNING_TENANT_ID \ + -kvs $SIGNING_CLIENT_SECRET \ + -kvc $SIGNING_CERT_NAME \ + -fd sha256 \ + -du https://bitwarden.com \ + -tr http://timestamp.digicert.com \ + ./target/${{ matrix.settings.target }}/release/bws.exe + + - name: Zip + shell: cmd + run: 7z a ./bws-${{ 
matrix.settings.target }}-%_PACKAGE_VERSION%.zip ./target/${{ matrix.settings.target }}/release/bws.exe + + - name: Upload artifact + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 + with: + name: bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip + path: ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip + if-no-files-found: error + + + build-macos: + name: Building CLI for - ${{ matrix.settings.os }} - ${{ matrix.settings.target }} + runs-on: ${{ matrix.settings.os || 'ubuntu-latest' }} + needs: + - setup + env: + _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }} + strategy: + fail-fast: false + matrix: + settings: + - os: macos-12 + target: x86_64-apple-darwin + + - os: macos-12 + target: aarch64-apple-darwin + + steps: + - name: Checkout repo + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Install rust + uses: dtolnay/rust-toolchain@be73d7920c329f220ce78e0234b8f96b7ae60248 # stable + with: + toolchain: stable + targets: ${{ matrix.settings.target }} + + - name: Cache cargo registry + uses: Swatinem/rust-cache@3cf7f8cc28d1b4e7d01e3783be10a97d55d483c8 # v2.7.1 + with: + key: ${{ matrix.settings.target }}-cargo-${{ matrix.settings.os }} + + - name: Build env: TARGET: ${{ matrix.settings.target }} - run: cross build ${{ matrix.features }} -p bws --release --target=${{ matrix.settings.target }} + run: cargo build ${{ matrix.features }} -p bws --release --target=${{ matrix.settings.target }} - name: Login to Azure uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7 @@ -95,7 +159,6 @@ jobs: creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} - name: Retrieve secrets macos - if: runner.os == 'macos' id: retrieve-secrets-macos uses: bitwarden/gh-actions/get-keyvault-secrets@main with: 
@@ -106,7 +169,6 @@ jobs: macos-bws-certificate-name" - name: Decrypt secrets - if: runner.os == 'macos' env: DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }} run: | @@ -117,7 +179,6 @@ jobs: "$GITHUB_WORKSPACE/.github/secrets/devid-app-cert.p12.gpg" - name: Set up keychain - if: runner.os == 'macos' env: KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} DEVID_CERT_PASSWORD: ${{ secrets.DEVID_CERT_PASSWORD }} @@ -133,19 +194,16 @@ jobs: security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain - name: Sign macos - if: runner.os == 'macos' env: MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime ./target/${{ matrix.settings.target }}/release/bws -v - name: Create pkg - if: runner.os == 'macos' env: MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} run: pkgbuild --root ./target/${{ matrix.settings.target }}/release --identifier "com.bitwarden.bws.pkg" --install-location "/" --sign "$MACOS_CERTIFICATE_NAME" --version "${{ env._PACKAGE_VERSION }}" "./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.pkg" - name: Notarize app macos - if: runner.os == 'macos' env: MACOS_NOTARIZATION_APPLE_ID: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-apple-id }} MACOS_NOTARIZATION_TEAM_ID: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-team-id }} 
@@ -171,57 +229,62 @@ jobs: xcrun stapler staple "./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.pkg" - - name: Retrieve secrets windows - if: runner.os == 'Windows' - id: retrieve-secrets-windows - uses: bitwarden/gh-actions/get-keyvault-secrets@main + - name: Zip macos + run: | + zip -j ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip ./target/${{ matrix.settings.target }}/release/bws + zip ./bws-${{ matrix.settings.target }}-pkg-${{ env._PACKAGE_VERSION }}.zip ./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.pkg + + - name: Upload artifact + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 with: - keyvault: "bitwarden-ci" - secrets: "code-signing-vault-url, - code-signing-client-id, - code-signing-tenant-id, - code-signing-client-secret, - code-signing-cert-name" + name: bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip + path: ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip + if-no-files-found: error - - name: Install AST - if: runner.os == 'Windows' - run: dotnet tool install --global AzureSignTool --version 4.0.1 + build-linux: + name: Building CLI for - ${{ matrix.settings.os }} - ${{ matrix.settings.target }} + runs-on: ${{ matrix.settings.os || 'ubuntu-latest' }} + needs: + - setup + env: + _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }} + strategy: + fail-fast: false + matrix: + settings: - - name: Sign windows binary - if: runner.os == 'Windows' - env: - SIGNING_VAULT_URL: ${{ steps.retrieve-secrets-windows.outputs.code-signing-vault-url }} - SIGNING_CLIENT_ID: ${{ steps.retrieve-secrets-windows.outputs.code-signing-client-id }} - SIGNING_TENANT_ID: ${{ steps.retrieve-secrets-windows.outputs.code-signing-tenant-id }} - SIGNING_CLIENT_SECRET: ${{ steps.retrieve-secrets-windows.outputs.code-signing-client-secret }} - SIGNING_CERT_NAME: ${{ steps.retrieve-secrets-windows.outputs.code-signing-cert-name }} - run: | - 
azuresigntool sign -v \ - -kvu $SIGNING_VAULT_URL \ - -kvi $SIGNING_CLIENT_ID \ - -kvt $SIGNING_TENANT_ID \ - -kvs $SIGNING_CLIENT_SECRET \ - -kvc $SIGNING_CERT_NAME \ - -fd sha256 \ - -du https://bitwarden.com \ - -tr http://timestamp.digicert.com \ - ./target/${{ matrix.settings.target }}/release/bws.exe + - os: ubuntu-22.04 + target: x86_64-unknown-linux-gnu - - name: Zip Windows - shell: cmd - if: runner.os == 'Windows' - run: 7z a ./bws-${{ matrix.settings.target }}-%_PACKAGE_VERSION%.zip ./target/${{ matrix.settings.target }}/release/bws.exe + - os: ubuntu-22.04 + target: aarch64-unknown-linux-gnu + steps: + - name: Checkout repo + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - name: Zip linux - if: runner.os != 'Windows' && runner.os != 'macos' - run: zip -j ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip ./target/${{ matrix.settings.target }}/release/bws + - name: Install rust + uses: dtolnay/rust-toolchain@be73d7920c329f220ce78e0234b8f96b7ae60248 # stable + with: + toolchain: stable + targets: ${{ matrix.settings.target }} - - name: Zip macos - if: runner.os == 'macos' - run: | - zip -j ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip ./target/${{ matrix.settings.target }}/release/bws - zip ./bws-${{ matrix.settings.target }}-pkg-${{ env._PACKAGE_VERSION }}.zip ./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.pkg + - name: Cache cargo registry + uses: Swatinem/rust-cache@3cf7f8cc28d1b4e7d01e3783be10a97d55d483c8 # v2.7.1 + with: + key: ${{ matrix.settings.target }}-cargo-${{ matrix.settings.os }} + - name: Install Cross (aarch64-unknown-linux-gnu) + if: ${{ matrix.settings.target == 'aarch64-unknown-linux-gnu' }} + run: cargo install cross --locked + + - name: Build (aarch64-unknown-linux-gnu) + if: ${{ matrix.settings.target == 'aarch64-unknown-linux-gnu' }} + env: + TARGET: ${{ matrix.settings.target }} + run: cross build ${{ matrix.features }} -p bws --release 
--target=${{ matrix.settings.target }} + + - name: Zip linux + run: zip -j ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip ./target/${{ matrix.settings.target }}/release/bws - name: Upload artifact uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 @@ -235,7 +298,7 @@ jobs: runs-on: macos-12 needs: - setup - - build + - build-macos env: _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }} steps: From 8b6b5d96c5e957fb991f8e72284ace4e775b3bb6 Mon Sep 17 00:00:00 2001 From: Michal Checinski Date: Wed, 24 Jan 2024 18:00:07 +0100 Subject: [PATCH 14/51] Create dmg, sign and notarize it --- .github/workflows/build-cli.yml | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index 2b573d3a7..473675b0d 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml 
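Review bot: `run: cargo install cross --locked` in `Install Cross (aarch64-unknown-linux-gnu)` takes whichever cross release is newest on crates.io when the job runs; `--locked` only fixes cross's own dependency versions. The actions in this job are SHA-pinned, so this leaves the tool that builds the aarch64 release binary as a floating input. Suggest `run: cargo install cross --locked --version <pinned-version>` with a short comment on how the version is bumped.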
@@ -371,10 +371,20 @@ jobs: MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime ./bws-aarch64-apple-darwin/bws -v - - name: Create pkg + # - name: Create pkg + # env: + # MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} + # run: pkgbuild --root ./bws-aarch64-apple-darwin --identifier "com.bitwarden.bws.pkg" --install-location "/" --sign $MACOS_CERTIFICATE_NAME --version "${{ env._PACKAGE_VERSION }}" "./bws-aarch64-apple-darwin/bws-${{ env._PACKAGE_VERSION }}.pkg" + + - name: Create dmg + run: | + hdiutil create ./tmp.dmg -volname "Bitwarden Secrets Manager CLI" -srcfolder ./bws-aarch64-apple-darwin -ov -fs HFS+ + hdiutil convert ./tmp.dmg -format UDZO -o ./bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.dmg + + - name: Sign dmg env: MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} - run: pkgbuild --root ./bws-aarch64-apple-darwin --identifier "com.bitwarden.bws.pkg" --install-location "/" --sign $MACOS_CERTIFICATE_NAME --version "${{ env._PACKAGE_VERSION }}" "./bws-aarch64-apple-darwin/bws-${{ env._PACKAGE_VERSION }}.pkg" + run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime ./bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.dmg -v - name: Notarize app env: 
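Review bot: `Create dmg` builds the image with `-srcfolder ./bws-aarch64-apple-darwin` but names it `bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.dmg`, so the image labelled universal holds whatever is in the aarch64 directory. The codesign call just above it also targets `./bws-aarch64-apple-darwin/bws`, while `Zip universal artifact` in the next hunk packages `./bws-macos-universal/bws`, a path no signing command visible here touches. Where the combined binary is written is outside this hunk; if it is `./bws-macos-universal/bws`, the file that gets signed and notarized is not the one shipped in the zip. Suggest pointing both codesign and `-srcfolder` at the directory holding the universal binary, and adding a one-line comment above `Create dmg` naming which file is the release artifact.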
@@ -395,17 +405,17 @@ jobs: rm notarization.zip echo "Creating temp notarization archive" - ditto -c -k --keepParent "./bws-aarch64-apple-darwin/bws-${{ env._PACKAGE_VERSION }}.pkg" "notarization.zip" + ditto -c -k --keepParent "./bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.dmg" "notarization.zip" - echo "Notarize pkg" + echo "Notarize dmg" xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait - xcrun stapler staple "./bws-aarch64-apple-darwin/bws-${{ env._PACKAGE_VERSION }}.pkg" + xcrun stapler staple "./bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.dmg" - name: Zip universal artifact run: | zip ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip ./bws-macos-universal/bws - zip ./bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.zip ./bws-aarch64-apple-darwin/bws-${{ env._PACKAGE_VERSION }}.pkg + zip ./bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.zip ./bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.dmg - name: Upload binary artifact uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 From 596d8c77151f1da7d9535e1658cd6eb8e52526ba Mon Sep 17 00:00:00 2001 From: Michal Checinski Date: Wed, 24 Jan 2024 18:10:43 +0100 Subject: [PATCH 15/51] Fix dmg --- .github/workflows/build-cli.yml | 35 ++++++++++++++++++++++++--------- 1 file changed, 26 insertions(+), 9 deletions(-) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index b999f8d38..d2e541cb0 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml 
@@ -198,10 +198,20 @@ jobs: MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime ./target/${{ matrix.settings.target }}/release/bws -v - - name: Create pkg + # - name: Create pkg + # env: + # MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} + # run: pkgbuild --root ./target/${{ matrix.settings.target }}/release --identifier "com.bitwarden.bws.pkg" --install-location "/" --sign "$MACOS_CERTIFICATE_NAME" --version "${{ env._PACKAGE_VERSION }}" "./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.pkg" + + - name: Create dmg + run: | + hdiutil create ./tmp.dmg -volname "Bitwarden Secrets Manager CLI" -srcfolder ./bws-aarch64-apple-darwin -ov -fs HFS+ + hdiutil convert ./tmp.dmg -format UDZO -o ./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.dmg + + - name: Sign dmg env: MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} - run: pkgbuild --root ./target/${{ matrix.settings.target }}/release --identifier "com.bitwarden.bws.pkg" --install-location "/" --sign "$MACOS_CERTIFICATE_NAME" --version "${{ env._PACKAGE_VERSION }}" "./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.pkg" + run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime ./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.dmg -v - name: Notarize app macos env: 
@@ -222,17 +232,17 @@ jobs: rm notarization.zip echo "Creating temp notarization archive" - ditto -c -k --keepParent "./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.pkg" "notarization.zip" + ditto -c -k --keepParent "./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.dmg" "notarization.zip" - echo "Notarize pkg" + echo "Notarize dmg" xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait - xcrun stapler staple "./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.pkg" + xcrun stapler staple "./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.dmg" - name: Zip macos run: | zip -j ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip ./target/${{ matrix.settings.target }}/release/bws - zip ./bws-${{ matrix.settings.target }}-pkg-${{ env._PACKAGE_VERSION }}.zip ./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.pkg + zip ./bws-${{ matrix.settings.target }}-dmg-${{ env._PACKAGE_VERSION }}.zip ./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.dmg - name: Upload artifact uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 @@ -241,6 +251,13 @@ jobs: path: ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip if-no-files-found: error + - name: Upload dmg artifact + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 + with: + name: bws-${{ matrix.settings.target }}-dmg-${{ env._PACKAGE_VERSION }}.zip + path: ./bws-${{ matrix.settings.target }}-dmg-${{ env._PACKAGE_VERSION }}.zip + if-no-files-found: error + build-linux: name: Building CLI for - ${{ matrix.settings.os }} - ${{ matrix.settings.target }} runs-on: ${{ matrix.settings.os || 'ubuntu-latest' }} 
@@ -415,7 +432,7 @@ jobs: - name: Zip universal artifact run: | zip ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip ./bws-macos-universal/bws - zip ./bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.zip ./bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.dmg + zip ./bws-macos-universal-dmg-${{ env._PACKAGE_VERSION }}.zip ./bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.dmg - name: Upload artifact uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0 @@ -427,8 +444,8 @@ jobs: - name: Upload pkg artifact uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0 with: - name: bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.zip - path: ./bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.zip + name: bws-macos-universal-dmg-${{ env._PACKAGE_VERSION }}.zip + path: ./bws-macos-universal-dmg-${{ env._PACKAGE_VERSION }}.zip if-no-files-found: error third_party: From 2262967ca76f6d13b07598b044e7b0b68e369a94 Mon Sep 17 00:00:00 2001 From: Michal Checinski Date: Wed, 24 Jan 2024 18:14:43 +0100 Subject: [PATCH 16/51] Fix linux build --- .github/workflows/build-cli.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index d2e541cb0..d7d0a11c4 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml @@ -294,6 +294,12 @@ jobs: if: ${{ matrix.settings.target == 'aarch64-unknown-linux-gnu' }} run: cargo install cross --locked + - name: Build + if: ${{ matrix.settings.target != 'aarch64-unknown-linux-gnu' }} + env: + TARGET: ${{ matrix.settings.target }} + run: cargo build ${{ matrix.features }} -p bws --release --target=${{ matrix.settings.target }} + - name: Build (aarch64-unknown-linux-gnu) if: ${{ matrix.settings.target == 'aarch64-unknown-linux-gnu' }} env: From 1522dd343b7c75f20fc5578316a213892ab7b60e Mon Sep 17 00:00:00 2001 
From: Michal Checinski Date: Wed, 24 Jan 2024 18:20:04 +0100 Subject: [PATCH 17/51] Fix patrh --- .github/workflows/build-cli.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index d7d0a11c4..805d494f2 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml @@ -205,7 +205,7 @@ jobs: - name: Create dmg run: | - hdiutil create ./tmp.dmg -volname "Bitwarden Secrets Manager CLI" -srcfolder ./bws-aarch64-apple-darwin -ov -fs HFS+ + hdiutil create ./tmp.dmg -volname "Bitwarden Secrets Manager CLI" -srcfolder ./target/${{ matrix.settings.target }}/release -ov -fs HFS+ hdiutil convert ./tmp.dmg -format UDZO -o ./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.dmg - name: Sign dmg From 6774ea5ceadde019e4716286d2a94a0d8bf6f863 Mon Sep 17 00:00:00 2001 From: Michal Checinski Date: Wed, 24 Jan 2024 18:32:46 +0100 Subject: [PATCH 18/51] Maybe fix --- .github/workflows/build-cli.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index 805d494f2..1f7f8c790 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml @@ -205,8 +205,8 @@ jobs: - name: Create dmg run: | - hdiutil create ./tmp.dmg -volname "Bitwarden Secrets Manager CLI" -srcfolder ./target/${{ matrix.settings.target }}/release -ov -fs HFS+ - hdiutil convert ./tmp.dmg -format UDZO -o ./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.dmg + hdiutil create ./${{ matrix.settings.target }}-tmp.dmg -volname "Bitwarden Secrets Manager CLI" -srcfolder ./target/${{ matrix.settings.target }}/release -ov -fs HFS+ + hdiutil convert -format UDZO -o ./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.dmg ./${{ matrix.settings.target }}-tmp.dmg - name: Sign dmg env: From 22ac9eb1abc1d8e63f104192e434944e43c26d4f Mon Sep 17 00:00:00 2001 
From: Michal Checinski Date: Thu, 25 Jan 2024 11:48:50 +0100 Subject: [PATCH 19/51] Fix --- .github/workflows/build-cli.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index 1f7f8c790..a42ee2406 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml @@ -205,8 +205,8 @@ jobs: - name: Create dmg run: | - hdiutil create ./${{ matrix.settings.target }}-tmp.dmg -volname "Bitwarden Secrets Manager CLI" -srcfolder ./target/${{ matrix.settings.target }}/release -ov -fs HFS+ - hdiutil convert -format UDZO -o ./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.dmg ./${{ matrix.settings.target }}-tmp.dmg + hdiutil create ./tmp.dmg -volname "Bitwarden Secrets Manager CLI" -srcfolder ./target/${{ matrix.settings.target }}/release -ov -fs HFS+ + hdiutil convert -format UDZO -o './target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.dmg' ./tmp.dmg - name: Sign dmg env: From bd11b6cb7db4d4a7b5cdf8363683dcc07943f7ba Mon Sep 17 00:00:00 2001 From: Michal Checinski Date: Tue, 30 Jan 2024 16:52:55 +0100 Subject: [PATCH 20/51] Add entitlements --- .github/workflows/build-cli.yml | 49 +++++++++++++++++---------------- crates/bws/entitlements.plist | 10 +++++++ 2 files changed, 35 insertions(+), 24 deletions(-) create mode 100644 crates/bws/entitlements.plist diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index a42ee2406..20580082a 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml 
@@ -196,22 +196,24 @@ jobs: - name: Sign macos env: MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} - run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime ./target/${{ matrix.settings.target }}/release/bws -v + MACOS_NOTARIZATION_TEAM_ID: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-team-id }} + run: codesign -s "$MACOS_NOTARIZATION_TEAM_ID" -f --timestamp -o runtime -i "com.bitwarden.bws" --entitlements "./crates/bws/entitlements.plist" ./target/${{ matrix.settings.target }}/release/bws -v + # /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime ./target/${{ matrix.settings.target }}/release/bws -v # - name: Create pkg # env: # MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} # run: pkgbuild --root ./target/${{ matrix.settings.target }}/release --identifier "com.bitwarden.bws.pkg" --install-location "/" --sign "$MACOS_CERTIFICATE_NAME" --version "${{ env._PACKAGE_VERSION }}" "./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.pkg" - - name: Create dmg - run: | - hdiutil create ./tmp.dmg -volname "Bitwarden Secrets Manager CLI" -srcfolder ./target/${{ matrix.settings.target }}/release -ov -fs HFS+ - hdiutil convert -format UDZO -o './target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.dmg' ./tmp.dmg + # - name: Create dmg + # run: | + # hdiutil create ./tmp.dmg -volname "Bitwarden Secrets Manager CLI" -srcfolder ./target/${{ matrix.settings.target }}/release -ov -fs HFS+ + # hdiutil convert -format UDZO -o './target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.dmg' ./tmp.dmg - - name: Sign dmg - env: - MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} - run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime ./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.dmg -v + # - name: 
Sign dmg + # env: + # MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} + # run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime ./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.dmg -v - name: Notarize app macos env: @@ -229,20 +231,19 @@ jobs: echo "Notarize app" xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait - rm notarization.zip + # rm notarization.zip - echo "Creating temp notarization archive" - ditto -c -k --keepParent "./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.dmg" "notarization.zip" + # echo "Creating temp notarization archive" + # ditto -c -k --keepParent "./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.dmg" "notarization.zip" - echo "Notarize dmg" - xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait + # echo "Notarize dmg" + # xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait - xcrun stapler staple "./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.dmg" + # xcrun stapler staple "./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.dmg" - name: Zip macos - run: | - zip -j ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip ./target/${{ matrix.settings.target }}/release/bws - zip ./bws-${{ matrix.settings.target }}-dmg-${{ env._PACKAGE_VERSION }}.zip ./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.dmg + run: zip -j ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip ./target/${{ matrix.settings.target }}/release/bws + # zip ./bws-${{ matrix.settings.target }}-dmg-${{ env._PACKAGE_VERSION }}.zip ./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.dmg - name: Upload artifact uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 
@@ -251,12 +252,12 @@ jobs: path: ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip if-no-files-found: error - - name: Upload dmg artifact - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 - with: - name: bws-${{ matrix.settings.target }}-dmg-${{ env._PACKAGE_VERSION }}.zip - path: ./bws-${{ matrix.settings.target }}-dmg-${{ env._PACKAGE_VERSION }}.zip - if-no-files-found: error + # - name: Upload dmg artifact + # uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 + # with: + # name: bws-${{ matrix.settings.target }}-dmg-${{ env._PACKAGE_VERSION }}.zip + # path: ./bws-${{ matrix.settings.target }}-dmg-${{ env._PACKAGE_VERSION }}.zip + # if-no-files-found: error build-linux: name: Building CLI for - ${{ matrix.settings.os }} - ${{ matrix.settings.target }} diff --git a/crates/bws/entitlements.plist b/crates/bws/entitlements.plist new file mode 100644 index 000000000..a472f51af --- /dev/null +++ b/crates/bws/entitlements.plist @@ -0,0 +1,10 @@ + + + + + com.apple.security.files.user-selected.read-write + + com.apple.security.files.bookmarks.app-scope + + + \ No newline at end of file From 276d8a826516f56043585667545c26b6254c8252 Mon Sep 17 00:00:00 2001 From: Michal Checinski Date: Wed, 31 Jan 2024 12:55:36 +0100 Subject: [PATCH 21/51] Change way of signing universal binary --- .github/workflows/build-cli.yml | 44 ++++++++++++++++----------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index 20580082a..e3cd4eefb 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml 
@@ -393,22 +393,22 @@ jobs: - name: Sign binary env: MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} - run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime ./bws-aarch64-apple-darwin/bws -v + run: codesign -s "$MACOS_NOTARIZATION_TEAM_ID" -f --timestamp -o runtime -i "com.bitwarden.bws" --entitlements "./crates/bws/entitlements.plist" ./bws-aarch64-apple-darwin/bws-v # - name: Create pkg # env: # MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} # run: pkgbuild --root ./bws-aarch64-apple-darwin --identifier "com.bitwarden.bws.pkg" --install-location "/" --sign $MACOS_CERTIFICATE_NAME --version "${{ env._PACKAGE_VERSION }}" "./bws-aarch64-apple-darwin/bws-${{ env._PACKAGE_VERSION }}.pkg" - - name: Create dmg - run: | - hdiutil create ./tmp.dmg -volname "Bitwarden Secrets Manager CLI" -srcfolder ./bws-aarch64-apple-darwin -ov -fs HFS+ - hdiutil convert ./tmp.dmg -format UDZO -o ./bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.dmg + # - name: Create dmg + # run: | + # hdiutil create ./tmp.dmg -volname "Bitwarden Secrets Manager CLI" -srcfolder ./bws-aarch64-apple-darwin -ov -fs HFS+ + # hdiutil convert ./tmp.dmg -format UDZO -o ./bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.dmg - - name: Sign dmg - env: - MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} - run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime ./bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.dmg -v + # - name: Sign dmg + # env: + # MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} + # run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime ./bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.dmg -v - name: Notarize app env: 
@@ -426,20 +426,20 @@ jobs: echo "Notarize app" xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait - rm notarization.zip + # rm notarization.zip - echo "Creating temp notarization archive" - ditto -c -k --keepParent "./bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.dmg" "notarization.zip" + # echo "Creating temp notarization archive" + # ditto -c -k --keepParent "./bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.dmg" "notarization.zip" - echo "Notarize dmg" - xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait + # echo "Notarize dmg" + # xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait - xcrun stapler staple "./bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.dmg" + # xcrun stapler staple "./bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.dmg" - name: Zip universal artifact run: | zip ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip ./bws-macos-universal/bws - zip ./bws-macos-universal-dmg-${{ env._PACKAGE_VERSION }}.zip ./bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.dmg + # zip ./bws-macos-universal-dmg-${{ env._PACKAGE_VERSION }}.zip ./bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.dmg - name: Upload artifact uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0 
@@ -448,12 +448,12 @@ jobs: path: ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip if-no-files-found: error - - name: Upload pkg artifact - uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0 - with: - name: bws-macos-universal-dmg-${{ env._PACKAGE_VERSION }}.zip - path: ./bws-macos-universal-dmg-${{ env._PACKAGE_VERSION }}.zip - if-no-files-found: error + # - name: Upload pkg artifact + # uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0 + # with: + # name: bws-macos-universal-dmg-${{ env._PACKAGE_VERSION }}.zip + # path: ./bws-macos-universal-dmg-${{ env._PACKAGE_VERSION }}.zip + # if-no-files-found: error third_party: name: Generate THIRDPARTY.html From c79611fb9082c6ad2aef866b64c503e22dac9e0c Mon Sep 17 00:00:00 2001 From: Michal Checinski Date: Wed, 31 Jan 2024 13:14:07 +0100 Subject: [PATCH 22/51] fix --- .github/workflows/build-cli.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index e3cd4eefb..e7c45a908 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml @@ -393,7 +393,7 @@ jobs: - name: Sign binary env: MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} - run: codesign -s "$MACOS_NOTARIZATION_TEAM_ID" -f --timestamp -o runtime -i "com.bitwarden.bws" --entitlements "./crates/bws/entitlements.plist" ./bws-aarch64-apple-darwin/bws-v + run: codesign -s "$MACOS_NOTARIZATION_TEAM_ID" -f --timestamp -o runtime -i "com.bitwarden.bws" --entitlements "./crates/bws/entitlements.plist" ./bws-aarch64-apple-darwin/bws -v # - name: Create pkg # env: From bec71283bf564aa4e94e232748879f28a680377b Mon Sep 17 00:00:00 2001 From: Michal Checinski Date: Wed, 31 Jan 2024 13:22:38 +0100 Subject: [PATCH 23/51] Fix --- .github/workflows/build-cli.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index e7c45a908..7b765257e 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml @@ -393,7 +393,7 @@ jobs: - name: Sign binary env: MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} - run: codesign -s "$MACOS_NOTARIZATION_TEAM_ID" -f --timestamp -o runtime -i "com.bitwarden.bws" --entitlements "./crates/bws/entitlements.plist" ./bws-aarch64-apple-darwin/bws -v + run: codesign -s "$MACOS_CERTIFICATE_NAME" -f --timestamp -o runtime -i "com.bitwarden.bws" --entitlements "./crates/bws/entitlements.plist" ./bws-aarch64-apple-darwin/bws -v # - name: Create pkg # env: From a893523b27923a9a471e0e1f7f1f60c2b095b92d Mon Sep 17 00:00:00 2001 From: Michal Checinski Date: Wed, 31 Jan 2024 17:24:28 +0100 Subject: [PATCH 24/51] CHange entitlements --- crates/bws/entitlements.plist | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/crates/bws/entitlements.plist b/crates/bws/entitlements.plist index a472f51af..aeaa15049 100644 --- a/crates/bws/entitlements.plist +++ b/crates/bws/entitlements.plist @@ -2,9 +2,7 @@ - com.apple.security.files.user-selected.read-write - - com.apple.security.files.bookmarks.app-scope - + com.apple.security.cs.allow-unsigned-executable-memory + \ No newline at end of file From 4d420183fb314566c27c87a8299323eaf357f892 Mon Sep 17 00:00:00 2001 From: Michal Checinski Date: Wed, 31 Jan 2024 18:01:07 +0100 Subject: [PATCH 25/51] Try to build and sign pkg --- .github/secrets/devid-installer-cert.p12.gpg | Bin 0 -> 3333 bytes .github/workflows/build-cli.yml | 98 +++++++++++-------- 2 files changed, 55 insertions(+), 43 deletions(-) create mode 100644 .github/secrets/devid-installer-cert.p12.gpg 
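Review bot: `com.apple.security.cs.allow-unsigned-executable-memory` in `crates/bws/entitlements.plist` relaxes the hardened runtime that the signing step requests with `-o runtime`: it lets the process create memory that is both writable and executable, which is the protection that limits code-injection impact. Nothing in the file or the commit message says why a command-line tool needs it, and the value element is not visible in this rendering (presumably true). If nothing in bws generates code at run time, ship an empty entitlements dictionary instead; if something does, add an XML comment above the key naming the component that requires it so the exception can be revisited. The file also still ends without a trailing newline.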
diff --git a/.github/secrets/devid-installer-cert.p12.gpg b/.github/secrets/devid-installer-cert.p12.gpg new file mode 100644 index 0000000000000000000000000000000000000000..f379fc214febadd44e0e23a634c2540587f94a94 GIT binary patch literal 3333 zcmV+g4f^to4Fm}T0u)ajijrg67U=Gs<>Z+S)(5f&{O;KiC z40+MU{S*qg3+gq>pGb*^JFK=BR^SFJQ=1{gyJiWj#Jh$%KjK;!a~sF?(F))7H)Voy zgJ$ZD1GKU^uxxDmA-bF-S+4HYqa)T%2v3`xiRaiAU>$CmTQ~dnT&ZTu#~!`Brb^OE z+t3jSX5peK1__j0?PCnMve78(@LXUIl9c9CD~6Gyffm7Kg}M{p$FGNq&rx zK!X1|s;^sBB~2mG8*?*9geks+NDqz~n9$v(SVMSpm4ZV)@Tuhyv9F!VYm8g^3qh$B zd87n$D1cDe%~F=3@7CDW+FJf6p&Uk3YUS;sgKjLktoSEk&yX2+eWKo)SL!R$Y|&}? z%#Qc?+K_I>rp(vDt?|4*4!2fF>k461^w4X=*C!sv!g7;B8%9g_>F>0yhL?CBXlzQ40hxcOSZuV?;R{FvV1iEEqXV(+L@&cL32iT4_b z77sovq;QgN(Q#yKVS>l#Lo3Hgo5tG^AY3eAf0}=$N@tR(UJCh~6=y}2MKC>!sLi-Y zCFD5Mf+57xUXHAMNLOUcdm02C=pFtdNfMmhta}l@r=Iwid%+HBH@jO-5vFW67J&vO zZvlAJ5xqUYutSWCm?* z60gGIHU3~!){W(`K#-9t2_>eF52;NLxiCwqw1jw}F-ar$3^sZb81l1RSkX!(yo2f%WnXwWDPskS1>w>ITB zMNOZ(qe^-M0SnV@0qP-Z~eR75toHA2%7j>u{o2wC;&rc2NQodk#LXB zqdUV~S4xdclZwXKY<_f!J`EvTBlXhm701xVz;zrXg684*yME0QJfxomgrtx3_Ckw` zAZMXjkIYfYQzy{tFBfI5uIZGaxL`h3@6?m>C1QaDGuDQCnrm*AiT;XMSi;o7m& z-E`KS!iGjN+T(!IW-zJrBNQoc<)a6w@ImLSI(4~b;vlwb?!39Dltr(z73$%=E_B4IaSc@G-u997#gJGW={N$T| zH0ss`Z94nSHfNC5qeF;#2w$YMfsLcDT2}Dc&u5;k;)7|fj`%>hz`5AXPm_<<4c=hIkRTE8GIarBq#^(i_tMIdm)Skv(9@K<=|)kCOQ#H*QK8)`fqP;l8V^%p^f!FF8XX z96uCz12cCL8ZR2h1I72?CLnBM{_x}%3=`=C?4zjsj0>`zo2dx^O&a&wZLF!84Ue%` zJX2k~hY+VScDL#xAG#+HJsN6Ew83y)=d~?uWf`hNtaGsMYv;0C+F=+24=P6|*0xMqxQ*h#N09L8$jNMIia=dLTP9=pWAGz*aS+n%d z$i>nQvjy_9->bi#GbM9b4pD6^{QOLwr9xRntsnT6HK>1Vk7%PNQRXd3H z00tnKek5jMC)2_2iBy1ALyk=uD|D8NL^q`hZYIFcRaG}31=ENA%_8hI5D2n)*p$kf zGGJ?9r{|Wt(EM(UN-{!m(A&q?AGUe@2*)LfK29A|fk@WtfdTv=96%A}KaN!(bNUag zI*$eWvP{;=CQ~#R8Sycw{cIx*=RB8UD3P)h(KnFhiP@ZKgvn*6c4Vs!>I;11|0Eq* zbVlzh{$~c4jbc`ftI01QI5q4VbP}jo;`%f}hKskSRl1Xh;AcjExuUFP>cWV43xZfZ zah;S8^LaPPhhDD_1&I==y?YlVSvm&6Tpq-)VtIF2z+$HF*o}{L2d~Y9%sLQ~J+^q4 zu)~prkaMlbiI)3;8H?s=Rakekty5VPANO+SwiC-ZB#P9Pj^F%wo5_Ik)@m-C9aX~j 
zcTG*F#N7zFLIIaWC{;@^AG|x2x$b0n8!Byz9yyI^D1a* zzxXArK#OI9$BQG?x@}0?Hcli#lXxE(Q&l#LUPjO)>&+W4LHmaV=JMO1ia?RLL(Yzd zHh1UO&RltHGg!5Y&yzKb6~p{YBh4DSgRz?9VJ{?cv|beAzhvH-HIouG$xO-2b`uKp zhf;t(ZPT0}Bf!^rJtp&9slz^NHiqK;Z9o#;teebIZ8j~!CLaml`rJqV!2h5Pqx&_~ z?FbA&3jh2PHrI_VZwQ;8KFbl3K_rt^*ouiyx-~PD&N)Qko-ZZCInQZmk7iA;ddmbM z0$rP{+OX+J^_x1#0UBRGP!+ep60u8N21h(8(hkfmO@w}e+pL-kO8D+Z!kjq=aT3K_ zxh*QgAxeKQf_9zBQASO4di=T!`v(N$Dd3ZF~DLWAB@a)nZyHs~jM>>o1{Ky2QY(~V0_ z`yi*^9YzHZ_$VOF)=Gz(hPh}iZ!qMLBnG%C6JMb<87dYS%<`5Y6a7ZTQ1flzuf z8X3bi1XKG5XvILF#Ly_vdmu4?!8Yp3R`GPJM&kC@o5$rkhk7j`7H3VzkWI8l zO!Gm~1H4#oqRG=k5x8?{hBd&Hl5CGa@Y+Wz_jAeYpr3O6qP33x_@JhFn6MtwF zdp+av{9Lu+98`4|R8aefAKXD{RIVJWcc6`aS0H{s%&>?a%RXthBMz1St8% zH63lFP8b9y5e0r}1C@bUxU-ibT6m=BlS~UIpAQ1$gAx|cBSgTqnM)p1wK!t>Gekt+ zQI#ivi5=6#01-ogw9$=}_|qH-Zk?<3WFtk7Ad@dZ2X}8Ejh-srL{|DcJyxbssvM*j zKxSUAtL!A7= zH8l>MA62fduoz&$Y*WQZP<(hQ%<|8okLC}H=o-NBna(3ejh+vxl0ITGm PE<#H7)~fjH$Vgv{flXp3 literal 0 HcmV?d00001 diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index 7b765257e..1ecff12ca 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml @@ -166,7 +166,8 @@ jobs: secrets: "macos-bws-notarization-apple-id, macos-bws-notarization-team-id, macos-bws-notarization-password, - macos-bws-certificate-name" + macos-bws-certificate-name, + macos-bws-installer-certificate-name" - name: Decrypt secrets env: @@ -178,6 +179,10 @@ jobs: --output "$HOME/secrets/devid-app-cert.p12" \ "$GITHUB_WORKSPACE/.github/secrets/devid-app-cert.p12.gpg" + gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ + --output "$HOME/secrets/devid-installer-cert.p12" \ + "$GITHUB_WORKSPACE/.github/secrets/devid-installer-cert.p12.gpg" + - name: Set up keychain env: KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} 
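Review bot: The added decrypt command in `Decrypt secrets` passes the secret as `--passphrase="$DECRYPT_FILE_PASSWORD"`, which puts it in the gpg process's argument list where any other process on the runner can read it. This passphrase is the only thing protecting the signing and installer certificates committed under `.github/secrets/`. Feed it on a file descriptor instead, for both the existing and the new call: `gpg --quiet --batch --yes --decrypt --pinentry-mode loopback --passphrase-fd 0 --output "$HOME/secrets/devid-installer-cert.p12" "$GITHUB_WORKSPACE/.github/secrets/devid-installer-cert.p12.gpg" <<< "$DECRYPT_FILE_PASSWORD"` (whether `--pinentry-mode loopback` is needed depends on the gpg version on the runner). No step visible here removes the decrypted `.p12` files from `$HOME/secrets` after the keychain import; the `run:` block starts outside this hunk, so confirm that elsewhere.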
@@ -190,20 +195,25 @@ jobs: security import "$HOME/secrets/devid-app-cert.p12" -k build.keychain -P $DEVID_CERT_PASSWORD \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - + security import "$HOME/secrets/devid-installer-cert.p12" -k build.keychain -P $DEVID_CERT_PASSWORD \ + -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain - name: Sign macos env: MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} - MACOS_NOTARIZATION_TEAM_ID: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-team-id }} - run: codesign -s "$MACOS_NOTARIZATION_TEAM_ID" -f --timestamp -o runtime -i "com.bitwarden.bws" --entitlements "./crates/bws/entitlements.plist" ./target/${{ matrix.settings.target }}/release/bws -v - # /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime ./target/${{ matrix.settings.target }}/release/bws -v + run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime ./target/${{ matrix.settings.target }}/release/bws -v - # - name: Create pkg - # env: - # MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} - # run: pkgbuild --root ./target/${{ matrix.settings.target }}/release --identifier "com.bitwarden.bws.pkg" --install-location "/" --sign "$MACOS_CERTIFICATE_NAME" --version "${{ env._PACKAGE_VERSION }}" "./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.pkg" + - name: Create pkg + env: + MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-installer-certificate-name }} + run: pkgbuild --identifier com.bitwarden.bws.pkg --install-location /usr/local/bin/ --root ./target/${{ matrix.settings.target }}/release ./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.pkg + # run: pkgbuild --identifier com.bitwarden.bws.pkg --install-location 
/usr/local/bin/ --root ./target/${{ matrix.settings.target }}/release --sign "$MACOS_CERTIFICATE_NAME" --version "${{ env._PACKAGE_VERSION }}" ./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.pkg + + - name: Sign pkg + env: + MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-installer-certificate-name }} + run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" ./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.pkg -v # - name: Create dmg # run: | 
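Review bot: The new "Sign pkg" step signs the installer package with `codesign`, but a flat `.pkg` is signed with an installer identity through `pkgbuild --sign` or `productsign`, so the package built here is probably not signed in a form Gatekeeper and the notary service accept; the commented-out `pkgbuild ... --sign "$MACOS_CERTIFICATE_NAME"` line is the form to enable, after which the separate step can go. The pkg paths are written `./target/{{ matrix.settings.target }}/...` without the leading `$`, so the expression is not expanded and the braces and spaces reach the shell as separate words; it should read `./target/${{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.pkg`. The added `security import` line passes `-P $DEVID_CERT_PASSWORD` unquoted, and `-P "$DEVID_CERT_PASSWORD"` avoids word splitting on the secret. The same `codesign`-on-pkg step is added to the aarch64 job in the `@@ -395,10 +404,16 @@` hunk, and the `{{` paths recur in the `@@ -231,19 +241,17 @@` hunk.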
@@ -231,19 +241,17 @@ jobs: echo "Notarize app" xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait - # rm notarization.zip + rm notarization.zip - # echo "Creating temp notarization archive" - # ditto -c -k --keepParent "./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.dmg" "notarization.zip" + echo "Notarize dmg" + xcrun notarytool submit "./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.pkg" --keychain-profile "notarytool-profile" --wait - # echo "Notarize dmg" - # xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait - - # xcrun stapler staple "./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.dmg" + xcrun stapler staple "./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.pkg" - name: Zip macos - run: zip -j ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip ./target/${{ matrix.settings.target }}/release/bws - # zip ./bws-${{ matrix.settings.target }}-dmg-${{ env._PACKAGE_VERSION }}.zip ./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.dmg + run: | + zip -j ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip ./target/${{ matrix.settings.target }}/release/bws + zip -j ./bws-${{ matrix.settings.target }}-pkg-${{ env._PACKAGE_VERSION }}.zip ./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.pkg - name: Upload artifact uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 
@@ -252,12 +260,12 @@ jobs: path: ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip if-no-files-found: error - # - name: Upload dmg artifact - # uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 - # with: - # name: bws-${{ matrix.settings.target }}-dmg-${{ env._PACKAGE_VERSION }}.zip - # path: ./bws-${{ matrix.settings.target }}-dmg-${{ env._PACKAGE_VERSION }}.zip - # if-no-files-found: error + - name: Upload dmg artifact + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 + with: + name: bws-${{ matrix.settings.target }}-pkg-${{ env._PACKAGE_VERSION }}.zip + path: ./bws-${{ matrix.settings.target }}-pkg-${{ env._PACKAGE_VERSION }}.zip + if-no-files-found: error build-linux: name: Building CLI for - ${{ matrix.settings.os }} - ${{ matrix.settings.target }} @@ -363,7 +371,8 @@ jobs: secrets: "macos-bws-notarization-apple-id, macos-bws-notarization-team-id, macos-bws-notarization-password, - macos-bws-certificate-name" + macos-bws-certificate-name, + macos-bws-installer-certificate-name" - name: Decrypt secrets env: 
@@ -395,10 +404,16 @@ jobs: MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} run: codesign -s "$MACOS_CERTIFICATE_NAME" -f --timestamp -o runtime -i "com.bitwarden.bws" --entitlements "./crates/bws/entitlements.plist" ./bws-aarch64-apple-darwin/bws -v - # - name: Create pkg - # env: - # MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} - # run: pkgbuild --root ./bws-aarch64-apple-darwin --identifier "com.bitwarden.bws.pkg" --install-location "/" --sign $MACOS_CERTIFICATE_NAME --version "${{ env._PACKAGE_VERSION }}" "./bws-aarch64-apple-darwin/bws-${{ env._PACKAGE_VERSION }}.pkg" + - name: Create pkg + env: + MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-installer-certificate-name }} + run: pkgbuild --identifier com.bitwarden.bws.pkg --install-location /usr/local/bin/ --root ./bws-aarch64-apple-darwin ./bws-aarch64-apple-darwin/bws-${{ env._PACKAGE_VERSION }}.pkg + # run: pkgbuild --identifier com.bitwarden.bws.pkg --install-location /usr/local/bin/ --root ./bws-aarch64-apple-darwin --sign "$MACOS_CERTIFICATE_NAME" --version "${{ env._PACKAGE_VERSION }}" ./bws-aarch64-apple-darwin/bws-${{ env._PACKAGE_VERSION }}.pkg + + - name: Sign pkg + env: + MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-installer-certificate-name }} + run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" ./bws-aarch64-apple-darwin/bws-${{ env._PACKAGE_VERSION }}.pkg -v # - name: Create dmg # run: | 
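Review bot: The "Sign pkg" step in this job selects `macos-bws-installer-certificate-name`, but the commit adds the decrypt and `security import` of `devid-installer-cert.p12` only to the first macOS job (hunks `@@ -178,6 +179,10 @@` and `@@ -190,20 +195,25 @@`); nothing between the `@@ -363,7 +371,8 @@` hunk and this one is changed, so the installer identity is probably not in `build.keychain` when this step runs. Either add the same decrypt and import lines to this job's "Decrypt secrets" and "Set up keychain" steps, or confirm the identity reaches the keychain another way. `MACOS_CERTIFICATE_NAME` is set on "Create pkg", but the active `run:` line does not use it, so the `env:` entry can be dropped until the `--sign` variant is enabled.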
@@ -426,20 +441,17 @@ jobs: echo "Notarize app" xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait - # rm notarization.zip - - # echo "Creating temp notarization archive" - # ditto -c -k --keepParent "./bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.dmg" "notarization.zip" + rm notarization.zip - # echo "Notarize dmg" - # xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait + echo "Notarize pkg" + xcrun notarytool submit "./bws-aarch64-apple-darwin/bws-${{ env._PACKAGE_VERSION }}.pkg" --keychain-profile "notarytool-profile" --wait - # xcrun stapler staple "./bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.dmg" + xcrun stapler staple "./bws-aarch64-apple-darwin/bws-${{ env._PACKAGE_VERSION }}.pkg" - name: Zip universal artifact run: | zip ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip ./bws-macos-universal/bws - # zip ./bws-macos-universal-dmg-${{ env._PACKAGE_VERSION }}.zip ./bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.dmg + zip ./bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.zip ./bws-aarch64-apple-darwin/bws-${{ env._PACKAGE_VERSION }}.pkg - name: Upload artifact uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0 @@ -448,12 +460,12 @@ jobs: path: ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip if-no-files-found: error - # - name: Upload pkg artifact - # uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0 - # with: - # name: bws-macos-universal-dmg-${{ env._PACKAGE_VERSION }}.zip - # path: ./bws-macos-universal-dmg-${{ env._PACKAGE_VERSION }}.zip - # if-no-files-found: error + - name: Upload pkg artifact + uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0 + with: + name: bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.zip + path: ./bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.zip + if-no-files-found: error third_party: name: Generate THIRDPARTY.html 
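Review bot: The archive named `bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.zip` is filled from `./bws-aarch64-apple-darwin/bws-${{ env._PACKAGE_VERSION }}.pkg`, which "Create pkg" builds with `--root ./bws-aarch64-apple-darwin`, while the plain universal zip takes `./bws-macos-universal/bws`. If the aarch64 directory holds only the arm64 binary (not visible in this hunk), the artifact labelled universal ships a single-architecture installer; building the package with `--root ./bws-macos-universal` would match the label. `zip` is also called without `-j` here, unlike the per-target job, so the directory prefix is stored inside the archive.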
From 7265f9c24f79c0e9b69cf057715bffc1600a8da9 Mon Sep 17 00:00:00 2001 From: Michal Checinski Date: Wed, 31 Jan 2024 18:23:45 +0100 Subject: [PATCH 26/51] Try to fix --- .github/workflows/build-cli.yml | 30 ++++++++++++++---------------- 1 file changed, 14 insertions(+), 16 deletions(-) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index 1ecff12ca..d4eaa2622 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml @@ -207,13 +207,13 @@ jobs: - name: Create pkg env: MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-installer-certificate-name }} - run: pkgbuild --identifier com.bitwarden.bws.pkg --install-location /usr/local/bin/ --root ./target/${{ matrix.settings.target }}/release ./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.pkg - # run: pkgbuild --identifier com.bitwarden.bws.pkg --install-location /usr/local/bin/ --root ./target/${{ matrix.settings.target }}/release --sign "$MACOS_CERTIFICATE_NAME" --version "${{ env._PACKAGE_VERSION }}" ./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.pkg + run: pkgbuild --identifier com.bitwarden.bws.pkg --install-location /usr/local/bin/ --root ./target/${{ matrix.settings.target }}/release ./target/{{ matrix.settings.target }}/bws.pkg + # run: pkgbuild --identifier com.bitwarden.bws.pkg --install-location /usr/local/bin/ --root ./target/${{ matrix.settings.target }}/release --sign "$MACOS_CERTIFICATE_NAME" --version "${{ env._PACKAGE_VERSION }}" ./target/{{ matrix.settings.target }}/bws.pkg - name: Sign pkg env: MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-installer-certificate-name }} - run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" ./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.pkg -v + run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" ./target/{{ matrix.settings.target }}/bws.pkg -v # - name: Create dmg # run: | 
@@ -243,15 +243,15 @@ jobs: rm notarization.zip - echo "Notarize dmg" - xcrun notarytool submit "./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.pkg" --keychain-profile "notarytool-profile" --wait + echo "Notarize pkg" + xcrun notarytool submit "./target/{{ matrix.settings.target }}/bws.pkg" --keychain-profile "notarytool-profile" --wait - xcrun stapler staple "./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.pkg" + xcrun stapler staple "./target/{{ matrix.settings.target }}/bws.pkg" - name: Zip macos run: | zip -j ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip ./target/${{ matrix.settings.target }}/release/bws - zip -j ./bws-${{ matrix.settings.target }}-pkg-${{ env._PACKAGE_VERSION }}.zip ./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.pkg + zip -j ./bws-${{ matrix.settings.target }}-pkg-${{ env._PACKAGE_VERSION }}.zip ./target/{{ matrix.settings.target }}/bws.pkg - name: Upload artifact uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 
@@ -407,18 +407,16 @@ jobs: - name: Create pkg env: MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-installer-certificate-name }} - run: pkgbuild --identifier com.bitwarden.bws.pkg --install-location /usr/local/bin/ --root ./bws-aarch64-apple-darwin ./bws-aarch64-apple-darwin/bws-${{ env._PACKAGE_VERSION }}.pkg - # run: pkgbuild --identifier com.bitwarden.bws.pkg --install-location /usr/local/bin/ --root ./bws-aarch64-apple-darwin --sign "$MACOS_CERTIFICATE_NAME" --version "${{ env._PACKAGE_VERSION }}" ./bws-aarch64-apple-darwin/bws-${{ env._PACKAGE_VERSION }}.pkg + run: pkgbuild --identifier com.bitwarden.bws.pkg --install-location /usr/local/bin/ --root ./bws-aarch64-apple-darwin ./bws-aarch64-apple-darwin/bws.pkg + # run: pkgbuild --identifier com.bitwarden.bws.pkg --install-location /usr/local/bin/ --root ./bws-aarch64-apple-darwin --sign "$MACOS_CERTIFICATE_NAME" --version "${{ env._PACKAGE_VERSION }}" ./bws-aarch64-apple-darwin/bws.pkg - name: Sign pkg env: MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-installer-certificate-name }} - run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" ./bws-aarch64-apple-darwin/bws-${{ env._PACKAGE_VERSION }}.pkg -v + run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" ./bws-aarch64-apple-darwin/bws.pkg -v # - name: Create dmg - # run: | - # hdiutil create ./tmp.dmg -volname "Bitwarden Secrets Manager CLI" -srcfolder ./bws-aarch64-apple-darwin -ov -fs HFS+ - # hdiutil convert ./tmp.dmg -format UDZO -o ./bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.dmg + # run: create-dmg ./bws-aarch64-apple-darwin/bws-${{ env._PACKAGE_VERSION }}.dmg ./bws-macos-universal # - name: Sign dmg # env: 
@@ -444,14 +442,14 @@ jobs: rm notarization.zip echo "Notarize pkg" - xcrun notarytool submit "./bws-aarch64-apple-darwin/bws-${{ env._PACKAGE_VERSION }}.pkg" --keychain-profile "notarytool-profile" --wait + xcrun notarytool submit "./bws-aarch64-apple-darwin/bws.pkg" --keychain-profile "notarytool-profile" --wait - xcrun stapler staple "./bws-aarch64-apple-darwin/bws-${{ env._PACKAGE_VERSION }}.pkg" + xcrun stapler staple "./bws-aarch64-apple-darwin/bws.pkg" - name: Zip universal artifact run: | zip ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip ./bws-macos-universal/bws - zip ./bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.zip ./bws-aarch64-apple-darwin/bws-${{ env._PACKAGE_VERSION }}.pkg + zip ./bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.zip ./bws-aarch64-apple-darwin/bws.pkg - name: Upload artifact uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0 From 22fdeea4ea9dcd9e2a7e6d87b52b5827c3a707b5 Mon Sep 17 00:00:00 2001 From: Michal Checinski Date: Wed, 31 Jan 2024 18:37:49 +0100 Subject: [PATCH 27/51] Try to fix #2 --- .github/workflows/build-cli.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index d4eaa2622..c8a073675 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml 
@@ -407,8 +407,8 @@ jobs: - name: Create pkg env: MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-installer-certificate-name }} - run: pkgbuild --identifier com.bitwarden.bws.pkg --install-location /usr/local/bin/ --root ./bws-aarch64-apple-darwin ./bws-aarch64-apple-darwin/bws.pkg - # run: pkgbuild --identifier com.bitwarden.bws.pkg --install-location /usr/local/bin/ --root ./bws-aarch64-apple-darwin --sign "$MACOS_CERTIFICATE_NAME" --version "${{ env._PACKAGE_VERSION }}" ./bws-aarch64-apple-darwin/bws.pkg + run: pkgbuild --identifier com.bitwarden.bwscli --install-location /usr/local/bin/ --root ./bws-aarch64-apple-darwin/ ./bw.pkg + # run: pkgbuild --identifier com.bitwarden.bws --install-location /usr/local/bin/ --root ./bws-aarch64-apple-darwin --sign "$MACOS_CERTIFICATE_NAME" --version "${{ env._PACKAGE_VERSION }}" ./bws-aarch64-apple-darwin/bws.pkg - name: Sign pkg env: @@ -442,9 +442,9 @@ jobs: rm notarization.zip echo "Notarize pkg" - xcrun notarytool submit "./bws-aarch64-apple-darwin/bws.pkg" --keychain-profile "notarytool-profile" --wait + xcrun notarytool submit "./bws.pkg" --keychain-profile "notarytool-profile" --wait - xcrun stapler staple "./bws-aarch64-apple-darwin/bws.pkg" + xcrun stapler staple "./bws.pkg" - name: Zip universal artifact run: | From 539aee274ce97e5af99107d5684ef122e9589af5 Mon Sep 17 00:00:00 2001 From: Michal Checinski Date: Thu, 1 Feb 2024 13:16:35 +0100 Subject: [PATCH 28/51] Change pkgbuild --- .github/workflows/build-cli.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index c8a073675..bd39d4e21 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml 
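Review bot: "Create pkg" now writes `./bw.pkg`, while the notarize and staple commands changed in the `@@ -442,9 +442,9 @@` hunk read `./bws.pkg`, so the file that is submitted and stapled is not the one `pkgbuild` produced. The "Sign pkg" and "Zip universal artifact" run lines are not touched by this patch and, going by the previous patch, still point at `./bws-aarch64-apple-darwin/bws.pkg`. Use one path in all four places, for example `./bws.pkg` as the `pkgbuild` output. The identifier also becomes `com.bitwarden.bwscli` here while the per-target job keeps `com.bitwarden.bws.pkg`; if both installers are the same product, the identifiers should match.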
@@ -207,8 +207,8 @@ jobs: - name: Create pkg env: MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-installer-certificate-name }} - run: pkgbuild --identifier com.bitwarden.bws.pkg --install-location /usr/local/bin/ --root ./target/${{ matrix.settings.target }}/release ./target/{{ matrix.settings.target }}/bws.pkg - # run: pkgbuild --identifier com.bitwarden.bws.pkg --install-location /usr/local/bin/ --root ./target/${{ matrix.settings.target }}/release --sign "$MACOS_CERTIFICATE_NAME" --version "${{ env._PACKAGE_VERSION }}" ./target/{{ matrix.settings.target }}/bws.pkg + run: /usr/bin/pkgbuild --identifier com.bitwarden.bws.pkg --install-location /usr/local/bin/ --root ./target/${{ matrix.settings.target }}/release ./target/{{ matrix.settings.target }}/bws.pkg + # run: /usr/bin/pkgbuild --identifier com.bitwarden.bws.pkg --install-location /usr/local/bin/ --root ./target/${{ matrix.settings.target }}/release --sign "$MACOS_CERTIFICATE_NAME" --version "${{ env._PACKAGE_VERSION }}" ./target/{{ matrix.settings.target }}/bws.pkg - name: Sign pkg env: @@ -407,8 +407,8 @@ jobs: - name: Create pkg env: MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-installer-certificate-name }} - run: pkgbuild --identifier com.bitwarden.bwscli --install-location /usr/local/bin/ --root ./bws-aarch64-apple-darwin/ ./bw.pkg - # run: pkgbuild --identifier com.bitwarden.bws --install-location /usr/local/bin/ --root ./bws-aarch64-apple-darwin --sign "$MACOS_CERTIFICATE_NAME" --version "${{ env._PACKAGE_VERSION }}" ./bws-aarch64-apple-darwin/bws.pkg + run: /usr/bin/pkgbuild --identifier com.bitwarden.bwscli --install-location /usr/local/bin/ --root ./bws-aarch64-apple-darwin/ ./bw.pkg + # run: /usr/bin/pkgbuild --identifier com.bitwarden.bws --install-location /usr/local/bin/ --root ./bws-aarch64-apple-darwin --sign "$MACOS_CERTIFICATE_NAME" --version "${{ env._PACKAGE_VERSION }}" ./bws-aarch64-apple-darwin/bws.pkg - name: Sign pkg env: 
From 4e571c2b67873d403843018cc2452b5696143fc1 Mon Sep 17 00:00:00 2001 From: Michal Checinski Date: Thu, 1 Feb 2024 13:25:08 +0100 Subject: [PATCH 29/51] Change output of pkg --- .github/workflows/build-cli.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index bd39d4e21..9fa6c2ac8 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml @@ -207,13 +207,13 @@ jobs: - name: Create pkg env: MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-installer-certificate-name }} - run: /usr/bin/pkgbuild --identifier com.bitwarden.bws.pkg --install-location /usr/local/bin/ --root ./target/${{ matrix.settings.target }}/release ./target/{{ matrix.settings.target }}/bws.pkg - # run: /usr/bin/pkgbuild --identifier com.bitwarden.bws.pkg --install-location /usr/local/bin/ --root ./target/${{ matrix.settings.target }}/release --sign "$MACOS_CERTIFICATE_NAME" --version "${{ env._PACKAGE_VERSION }}" ./target/{{ matrix.settings.target }}/bws.pkg + run: /usr/bin/pkgbuild --identifier com.bitwarden.bws.pkg --install-location /usr/local/bin/ --root ./target/${{ matrix.settings.target }}/release ./target/bws.pkg + # run: /usr/bin/pkgbuild --identifier com.bitwarden.bws.pkg --install-location /usr/local/bin/ --root ./target/${{ matrix.settings.target }}/release --sign "$MACOS_CERTIFICATE_NAME" --version "${{ env._PACKAGE_VERSION }}" ./target/bws.pkg - name: Sign pkg env: MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-installer-certificate-name }} - run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" ./target/{{ matrix.settings.target }}/bws.pkg -v + run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" ./target/bws.pkg -v # - name: Create dmg # run: | 
@@ -244,14 +244,14 @@ jobs: rm notarization.zip echo "Notarize pkg" - xcrun notarytool submit "./target/{{ matrix.settings.target }}/bws.pkg" --keychain-profile "notarytool-profile" --wait + xcrun notarytool submit "./target/bws.pkg" --keychain-profile "notarytool-profile" --wait - xcrun stapler staple "./target/{{ matrix.settings.target }}/bws.pkg" + xcrun stapler staple "./target/bws.pkg" - name: Zip macos run: | zip -j ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip ./target/${{ matrix.settings.target }}/release/bws - zip -j ./bws-${{ matrix.settings.target }}-pkg-${{ env._PACKAGE_VERSION }}.zip ./target/{{ matrix.settings.target }}/bws.pkg + zip -j ./bws-${{ matrix.settings.target }}-pkg-${{ env._PACKAGE_VERSION }}.zip ./target/bws.pkg - name: Upload artifact uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 From 58031a2d32c1e99d9374630d672feff10a149340 Mon Sep 17 00:00:00 2001 From: Michal Checinski Date: Thu, 1 Feb 2024 13:38:28 +0100 Subject: [PATCH 30/51] Sign during pkgbuild --- .github/workflows/build-cli.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index 9fa6c2ac8..c9b309fdc 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml 
@@ -207,8 +207,8 @@ jobs: - name: Create pkg env: MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-installer-certificate-name }} - run: /usr/bin/pkgbuild --identifier com.bitwarden.bws.pkg --install-location /usr/local/bin/ --root ./target/${{ matrix.settings.target }}/release ./target/bws.pkg - # run: /usr/bin/pkgbuild --identifier com.bitwarden.bws.pkg --install-location /usr/local/bin/ --root ./target/${{ matrix.settings.target }}/release --sign "$MACOS_CERTIFICATE_NAME" --version "${{ env._PACKAGE_VERSION }}" ./target/bws.pkg + # run: /usr/bin/pkgbuild --identifier com.bitwarden.bws.pkg --install-location /usr/local/bin/ --root ./target/${{ matrix.settings.target }}/release ./target/bws.pkg + run: /usr/bin/pkgbuild --identifier com.bitwarden.bws.pkg --install-location /usr/local/bin/ --root ./target/${{ matrix.settings.target }}/release --sign "$MACOS_CERTIFICATE_NAME" --version "${{ env._PACKAGE_VERSION }}" ./target/bws.pkg - name: Sign pkg env: @@ -407,8 +407,8 @@ jobs: - name: Create pkg env: MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-installer-certificate-name }} - run: /usr/bin/pkgbuild --identifier com.bitwarden.bwscli --install-location /usr/local/bin/ --root ./bws-aarch64-apple-darwin/ ./bw.pkg - # run: /usr/bin/pkgbuild --identifier com.bitwarden.bws --install-location /usr/local/bin/ --root ./bws-aarch64-apple-darwin --sign "$MACOS_CERTIFICATE_NAME" --version "${{ env._PACKAGE_VERSION }}" ./bws-aarch64-apple-darwin/bws.pkg + # run: /usr/bin/pkgbuild --identifier com.bitwarden.bwscli --install-location /usr/local/bin/ --root ./bws-aarch64-apple-darwin/ ./bw.pkg + run: /usr/bin/pkgbuild --identifier com.bitwarden.bws --install-location /usr/local/bin/ --root ./bws-aarch64-apple-darwin --sign "$MACOS_CERTIFICATE_NAME" --version "${{ env._PACKAGE_VERSION }}" ./bws-aarch64-apple-darwin/bws.pkg - name: Sign pkg env: From 53fc3d018e73689b7d3c8ebe633c11d98d67b4c2 Mon Sep 17 00:00:00 2001 
From: Michal Checinski Date: Thu, 1 Feb 2024 13:44:28 +0100 Subject: [PATCH 31/51] Not dign pkg in another step --- .github/workflows/build-cli.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index c9b309fdc..6681b10a0 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml @@ -210,10 +210,10 @@ jobs: # run: /usr/bin/pkgbuild --identifier com.bitwarden.bws.pkg --install-location /usr/local/bin/ --root ./target/${{ matrix.settings.target }}/release ./target/bws.pkg run: /usr/bin/pkgbuild --identifier com.bitwarden.bws.pkg --install-location /usr/local/bin/ --root ./target/${{ matrix.settings.target }}/release --sign "$MACOS_CERTIFICATE_NAME" --version "${{ env._PACKAGE_VERSION }}" ./target/bws.pkg - - name: Sign pkg - env: - MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-installer-certificate-name }} - run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" ./target/bws.pkg -v + # - name: Sign pkg + # env: + # MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-installer-certificate-name }} + # run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" ./target/bws.pkg -v # - name: Create dmg # run: | 
@@ -410,10 +410,10 @@ jobs: # run: /usr/bin/pkgbuild --identifier com.bitwarden.bwscli --install-location /usr/local/bin/ --root ./bws-aarch64-apple-darwin/ ./bw.pkg run: /usr/bin/pkgbuild --identifier com.bitwarden.bws --install-location /usr/local/bin/ --root ./bws-aarch64-apple-darwin --sign "$MACOS_CERTIFICATE_NAME" --version "${{ env._PACKAGE_VERSION }}" ./bws-aarch64-apple-darwin/bws.pkg - - name: Sign pkg - env: - MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-installer-certificate-name }} - run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" ./bws-aarch64-apple-darwin/bws.pkg -v + # - name: Sign pkg + # env: + # MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-installer-certificate-name }} + # run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" ./bws-aarch64-apple-darwin/bws.pkg -v # - name: Create dmg # run: create-dmg ./bws-aarch64-apple-darwin/bws-${{ env._PACKAGE_VERSION }}.dmg ./bws-macos-universal From efeecd6d3385f899847d92cf58fe9da794842c84 Mon Sep 17 00:00:00 2001 From: Michal Checinski Date: Thu, 1 Feb 2024 14:20:34 +0100 Subject: [PATCH 32/51] Try another cert to sign pkg --- .github/workflows/build-cli.yml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index 6681b10a0..e06e6d3da 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml 
@@ -207,13 +207,13 @@ jobs: - name: Create pkg env: MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-installer-certificate-name }} - # run: /usr/bin/pkgbuild --identifier com.bitwarden.bws.pkg --install-location /usr/local/bin/ --root ./target/${{ matrix.settings.target }}/release ./target/bws.pkg - run: /usr/bin/pkgbuild --identifier com.bitwarden.bws.pkg --install-location /usr/local/bin/ --root ./target/${{ matrix.settings.target }}/release --sign "$MACOS_CERTIFICATE_NAME" --version "${{ env._PACKAGE_VERSION }}" ./target/bws.pkg + run: /usr/bin/pkgbuild --identifier com.bitwarden.bws.pkg --install-location /usr/local/bin/ --root ./target/${{ matrix.settings.target }}/release ./target/bws.pkg + # run: /usr/bin/pkgbuild --identifier com.bitwarden.bws.pkg --install-location /usr/local/bin/ --root ./target/${{ matrix.settings.target }}/release --sign "$MACOS_CERTIFICATE_NAME" --version "${{ env._PACKAGE_VERSION }}" ./target/bws.pkg - # - name: Sign pkg - # env: - # MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-installer-certificate-name }} - # run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" ./target/bws.pkg -v + - name: Sign pkg + env: + MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} + run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" ./target/bws.pkg -v # - name: Create dmg # run: | 
@@ -407,13 +407,13 @@ jobs: - name: Create pkg env: MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-installer-certificate-name }} - # run: /usr/bin/pkgbuild --identifier com.bitwarden.bwscli --install-location /usr/local/bin/ --root ./bws-aarch64-apple-darwin/ ./bw.pkg - run: /usr/bin/pkgbuild --identifier com.bitwarden.bws --install-location /usr/local/bin/ --root ./bws-aarch64-apple-darwin --sign "$MACOS_CERTIFICATE_NAME" --version "${{ env._PACKAGE_VERSION }}" ./bws-aarch64-apple-darwin/bws.pkg + run: /usr/bin/pkgbuild --identifier com.bitwarden.bwscli --install-location /usr/local/bin/ --root ./bws-aarch64-apple-darwin/ ./bw.pkg + # run: /usr/bin/pkgbuild --identifier com.bitwarden.bws --install-location /usr/local/bin/ --root ./bws-aarch64-apple-darwin --sign "$MACOS_CERTIFICATE_NAME" --version "${{ env._PACKAGE_VERSION }}" ./bws-aarch64-apple-darwin/bws.pkg - # - name: Sign pkg - # env: - # MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-installer-certificate-name }} - # run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" ./bws-aarch64-apple-darwin/bws.pkg -v + - name: Sign pkg + env: + MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} + run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" ./bws-aarch64-apple-darwin/bws.pkg -v # - name: Create dmg # run: create-dmg ./bws-aarch64-apple-darwin/bws-${{ env._PACKAGE_VERSION }}.dmg ./bws-macos-universal From 8b6220cf1b50cde31db6b2454b4297f567842fdd Mon Sep 17 00:00:00 2001 From: Michal Checinski Date: Tue, 6 Feb 2024 13:22:56 +0100 Subject: [PATCH 33/51] Sign zip before notarization --- .github/workflows/build-cli.yml | 48 ++++----------------------------- 1 file changed, 5 insertions(+), 43 deletions(-) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index e06e6d3da..25a0cde46 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml 
@@ -204,27 +204,6 @@ jobs: MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime ./target/${{ matrix.settings.target }}/release/bws -v - - name: Create pkg - env: - MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-installer-certificate-name }} - run: /usr/bin/pkgbuild --identifier com.bitwarden.bws.pkg --install-location /usr/local/bin/ --root ./target/${{ matrix.settings.target }}/release ./target/bws.pkg - # run: /usr/bin/pkgbuild --identifier com.bitwarden.bws.pkg --install-location /usr/local/bin/ --root ./target/${{ matrix.settings.target }}/release --sign "$MACOS_CERTIFICATE_NAME" --version "${{ env._PACKAGE_VERSION }}" ./target/bws.pkg - - - name: Sign pkg - env: - MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} - run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" ./target/bws.pkg -v - - # - name: Create dmg - # run: | - # hdiutil create ./tmp.dmg -volname "Bitwarden Secrets Manager CLI" -srcfolder ./target/${{ matrix.settings.target }}/release -ov -fs HFS+ - # hdiutil convert -format UDZO -o './target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.dmg' ./tmp.dmg - - # - name: Sign dmg - # env: - # MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} - # run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime ./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.dmg -v - - name: Notarize app macos env: MACOS_NOTARIZATION_APPLE_ID: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-apple-id }} 
@@ -235,23 +214,13 @@ jobs: echo "Create keychain profile" xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD" - echo "Creating temp notarization archive" - ditto -c -k --keepParent "./target/${{ matrix.settings.target }}/release/bws" "notarization.zip" - - echo "Notarize app" - xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait - - rm notarization.zip - - echo "Notarize pkg" - xcrun notarytool submit "./target/bws.pkg" --keychain-profile "notarytool-profile" --wait + echo "Creating notarization archive" + ditto -c -k --keepParent ./target/${{ matrix.settings.target }}/release/bws ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip - xcrun stapler staple "./target/bws.pkg" + /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip -v - - name: Zip macos - run: | - zip -j ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip ./target/${{ matrix.settings.target }}/release/bws - zip -j ./bws-${{ matrix.settings.target }}-pkg-${{ env._PACKAGE_VERSION }}.zip ./target/bws.pkg + echo "Notarize app" + xcrun notarytool submit ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip --keychain-profile "notarytool-profile" --wait - name: Upload artifact uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 
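Review bot: The added `codesign ... ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip` signs the archive rather than the executable, and this zip is the file the following step uploads; a signature on a plain archive is, as far as I know, kept in extended attributes that do not survive the upload, so it adds nothing for the person who downloads the artifact. The binary is already signed in "Sign macos", so the line can be removed and the zip submitted as it is. The step's `env:` block begins outside this hunk and the part visible in the previous hunk lists only the notarization variables, so check that `MACOS_CERTIFICATE_NAME` is defined for this step; otherwise `-s ""` is what reaches `codesign`. Nothing after `notarytool submit` checks the result, and a line such as `codesign --verify --strict --verbose=2 ./target/${{ matrix.settings.target }}/release/bws` before archiving would at least fail the job on a broken signature.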
@@ -260,13 +229,6 @@ jobs: path: ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip if-no-files-found: error - - name: Upload dmg artifact - uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 - with: - name: bws-${{ matrix.settings.target }}-pkg-${{ env._PACKAGE_VERSION }}.zip - path: ./bws-${{ matrix.settings.target }}-pkg-${{ env._PACKAGE_VERSION }}.zip - if-no-files-found: error - build-linux: name: Building CLI for - ${{ matrix.settings.os }} - ${{ matrix.settings.target }} runs-on: ${{ matrix.settings.os || 'ubuntu-latest' }} From 6799afd4cc98212edcf53bf4af5f1a2a34f87a65 Mon Sep 17 00:00:00 2001 From: Michal Checinski Date: Tue, 6 Feb 2024 13:23:42 +0100 Subject: [PATCH 34/51] Remove installer cert --- .github/secrets/devid-installer-cert.p12.gpg | Bin 3333 -> 0 bytes .github/workflows/build-cli.yml | 7 +------ 2 files changed, 1 insertion(+), 6 deletions(-) delete mode 100644 .github/secrets/devid-installer-cert.p12.gpg 
diff --git a/.github/secrets/devid-installer-cert.p12.gpg b/.github/secrets/devid-installer-cert.p12.gpg deleted file mode 100644 index f379fc214febadd44e0e23a634c2540587f94a94..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3333 zcmV+g4f^to4Fm}T0u)ajijrg67U=Gs<>Z+S)(5f&{O;KiC z40+MU{S*qg3+gq>pGb*^JFK=BR^SFJQ=1{gyJiWj#Jh$%KjK;!a~sF?(F))7H)Voy zgJ$ZD1GKU^uxxDmA-bF-S+4HYqa)T%2v3`xiRaiAU>$CmTQ~dnT&ZTu#~!`Brb^OE z+t3jSX5peK1__j0?PCnMve78(@LXUIl9c9CD~6Gyffm7Kg}M{p$FGNq&rx zK!X1|s;^sBB~2mG8*?*9geks+NDqz~n9$v(SVMSpm4ZV)@Tuhyv9F!VYm8g^3qh$B zd87n$D1cDe%~F=3@7CDW+FJf6p&Uk3YUS;sgKjLktoSEk&yX2+eWKo)SL!R$Y|&}? z%#Qc?+K_I>rp(vDt?|4*4!2fF>k461^w4X=*C!sv!g7;B8%9g_>F>0yhL?CBXlzQ40hxcOSZuV?;R{FvV1iEEqXV(+L@&cL32iT4_b z77sovq;QgN(Q#yKVS>l#Lo3Hgo5tG^AY3eAf0}=$N@tR(UJCh~6=y}2MKC>!sLi-Y zCFD5Mf+57xUXHAMNLOUcdm02C=pFtdNfMmhta}l@r=Iwid%+HBH@jO-5vFW67J&vO zZvlAJ5xqUYutSWCm?* z60gGIHU3~!){W(`K#-9t2_>eF52;NLxiCwqw1jw}F-ar$3^sZb81l1RSkX!(yo2f%WnXwWDPskS1>w>ITB zMNOZ(qe^-M0SnV@0qP-Z~eR75toHA2%7j>u{o2wC;&rc2NQodk#LXB zqdUV~S4xdclZwXKY<_f!J`EvTBlXhm701xVz;zrXg684*yME0QJfxomgrtx3_Ckw` zAZMXjkIYfYQzy{tFBfI5uIZGaxL`h3@6?m>C1QaDGuDQCnrm*AiT;XMSi;o7m& z-E`KS!iGjN+T(!IW-zJrBNQoc<)a6w@ImLSI(4~b;vlwb?!39Dltr(z73$%=E_B4IaSc@G-u997#gJGW={N$T| zH0ss`Z94nSHfNC5qeF;#2w$YMfsLcDT2}Dc&u5;k;)7|fj`%>hz`5AXPm_<<4c=hIkRTE8GIarBq#^(i_tMIdm)Skv(9@K<=|)kCOQ#H*QK8)`fqP;l8V^%p^f!FF8XX z96uCz12cCL8ZR2h1I72?CLnBM{_x}%3=`=C?4zjsj0>`zo2dx^O&a&wZLF!84Ue%` zJX2k~hY+VScDL#xAG#+HJsN6Ew83y)=d~?uWf`hNtaGsMYv;0C+F=+24=P6|*0xMqxQ*h#N09L8$jNMIia=dLTP9=pWAGz*aS+n%d z$i>nQvjy_9->bi#GbM9b4pD6^{QOLwr9xRntsnT6HK>1Vk7%PNQRXd3H z00tnKek5jMC)2_2iBy1ALyk=uD|D8NL^q`hZYIFcRaG}31=ENA%_8hI5D2n)*p$kf zGGJ?9r{|Wt(EM(UN-{!m(A&q?AGUe@2*)LfK29A|fk@WtfdTv=96%A}KaN!(bNUag zI*$eWvP{;=CQ~#R8Sycw{cIx*=RB8UD3P)h(KnFhiP@ZKgvn*6c4Vs!>I;11|0Eq* zbVlzh{$~c4jbc`ftI01QI5q4VbP}jo;`%f}hKskSRl1Xh;AcjExuUFP>cWV43xZfZ zah;S8^LaPPhhDD_1&I==y?YlVSvm&6Tpq-)VtIF2z+$HF*o}{L2d~Y9%sLQ~J+^q4 
zu)~prkaMlbiI)3;8H?s=Rakekty5VPANO+SwiC-ZB#P9Pj^F%wo5_Ik)@m-C9aX~j zcTG*F#N7zFLIIaWC{;@^AG|x2x$b0n8!Byz9yyI^D1a* zzxXArK#OI9$BQG?x@}0?Hcli#lXxE(Q&l#LUPjO)>&+W4LHmaV=JMO1ia?RLL(Yzd zHh1UO&RltHGg!5Y&yzKb6~p{YBh4DSgRz?9VJ{?cv|beAzhvH-HIouG$xO-2b`uKp zhf;t(ZPT0}Bf!^rJtp&9slz^NHiqK;Z9o#;teebIZ8j~!CLaml`rJqV!2h5Pqx&_~ z?FbA&3jh2PHrI_VZwQ;8KFbl3K_rt^*ouiyx-~PD&N)Qko-ZZCInQZmk7iA;ddmbM z0$rP{+OX+J^_x1#0UBRGP!+ep60u8N21h(8(hkfmO@w}e+pL-kO8D+Z!kjq=aT3K_ zxh*QgAxeKQf_9zBQASO4di=T!`v(N$Dd3ZF~DLWAB@a)nZyHs~jM>>o1{Ky2QY(~V0_ z`yi*^9YzHZ_$VOF)=Gz(hPh}iZ!qMLBnG%C6JMb<87dYS%<`5Y6a7ZTQ1flzuf z8X3bi1XKG5XvILF#Ly_vdmu4?!8Yp3R`GPJM&kC@o5$rkhk7j`7H3VzkWI8l zO!Gm~1H4#oqRG=k5x8?{hBd&Hl5CGa@Y+Wz_jAeYpr3O6qP33x_@JhFn6MtwF zdp+av{9Lu+98`4|R8aefAKXD{RIVJWcc6`aS0H{s%&>?a%RXthBMz1St8% zH63lFP8b9y5e0r}1C@bUxU-ibT6m=BlS~UIpAQ1$gAx|cBSgTqnM)p1wK!t>Gekt+ zQI#ivi5=6#01-ogw9$=}_|qH-Zk?<3WFtk7Ad@dZ2X}8Ejh-srL{|DcJyxbssvM*j zKxSUAtL!A7= zH8l>MA62fduoz&$Y*WQZP<(hQ%<|8okLC}H=o-NBna(3ejh+vxl0ITGm PE<#H7)~fjH$Vgv{flXp3 diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index 25a0cde46..97becc2ff 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml @@ -179,10 +179,6 @@ jobs: --output "$HOME/secrets/devid-app-cert.p12" \ "$GITHUB_WORKSPACE/.github/secrets/devid-app-cert.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/devid-installer-cert.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/devid-installer-cert.p12.gpg" - - name: Set up keychain env: KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} 
@@ -195,8 +191,7 @@ jobs: security import "$HOME/secrets/devid-app-cert.p12" -k build.keychain -P $DEVID_CERT_PASSWORD \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security import "$HOME/secrets/devid-installer-cert.p12" -k build.keychain -P $DEVID_CERT_PASSWORD \ - -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild + security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain - name: Sign macos From cc4202a5be74aa9a796a4c08b7928e8bc9264c11 Mon Sep 17 00:00:00 2001 From: Michal Checinski Date: Tue, 6 Feb 2024 13:47:22 +0100 Subject: [PATCH 35/51] Fix --- .github/workflows/build-cli.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index 97becc2ff..b6a6653eb 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml @@ -204,6 +204,7 @@ jobs: MACOS_NOTARIZATION_APPLE_ID: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-apple-id }} MACOS_NOTARIZATION_TEAM_ID: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-team-id }} MACOS_NOTARIZATION_PWD: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-password }} + MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} run: | echo "Create keychain profile" From b99bfc7f04032dc298c9f530a3043898eb4cad9b Mon Sep 17 00:00:00 2001 From: Michal Checinski Date: Tue, 6 Feb 2024 13:50:17 +0100 Subject: [PATCH 36/51] sign zip before notarization universal --- .github/workflows/build-cli.yml | 47 +++++---------------------------- 1 file changed, 6 insertions(+), 41 deletions(-) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index b6a6653eb..aa75177ed 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml 
@@ -360,54 +360,26 @@ jobs: - name: Sign binary env: MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} - run: codesign -s "$MACOS_CERTIFICATE_NAME" -f --timestamp -o runtime -i "com.bitwarden.bws" --entitlements "./crates/bws/entitlements.plist" ./bws-aarch64-apple-darwin/bws -v - - - name: Create pkg - env: - MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-installer-certificate-name }} - run: /usr/bin/pkgbuild --identifier com.bitwarden.bwscli --install-location /usr/local/bin/ --root ./bws-aarch64-apple-darwin/ ./bw.pkg - # run: /usr/bin/pkgbuild --identifier com.bitwarden.bws --install-location /usr/local/bin/ --root ./bws-aarch64-apple-darwin --sign "$MACOS_CERTIFICATE_NAME" --version "${{ env._PACKAGE_VERSION }}" ./bws-aarch64-apple-darwin/bws.pkg - - - name: Sign pkg - env: - MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} - run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" ./bws-aarch64-apple-darwin/bws.pkg -v - - # - name: Create dmg - # run: create-dmg ./bws-aarch64-apple-darwin/bws-${{ env._PACKAGE_VERSION }}.dmg ./bws-macos-universal - - # - name: Sign dmg - # env: - # MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} - # run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime ./bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.dmg -v + run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime ./bws-aarch64-apple-darwin/bws -v - name: Notarize app env: MACOS_NOTARIZATION_APPLE_ID: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-apple-id }} MACOS_NOTARIZATION_TEAM_ID: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-team-id }} MACOS_NOTARIZATION_PWD: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-password }} + MACOS_CERTIFICATE_NAME: ${{ 
steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} run: | echo "Create keychain profile" xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD" echo "Creating temp notarization archive" - ditto -c -k --keepParent "./bws-aarch64-apple-darwin/bws" "notarization.zip" - - echo "Notarize app" - xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait - - rm notarization.zip - - echo "Notarize pkg" - xcrun notarytool submit "./bws.pkg" --keychain-profile "notarytool-profile" --wait + ditto -c -k --keepParent "./bws-aarch64-apple-darwin/bws" ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip - xcrun stapler staple "./bws.pkg" + /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip -v - - name: Zip universal artifact - run: | - zip ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip ./bws-macos-universal/bws - zip ./bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.zip ./bws-aarch64-apple-darwin/bws.pkg + echo "Notarize app" + xcrun notarytool submit ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip --keychain-profile "notarytool-profile" --wait - name: Upload artifact uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0 @@ -416,13 +388,6 @@ jobs: path: ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip if-no-files-found: error - - name: Upload pkg artifact - uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0 - with: - name: bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.zip - path: ./bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.zip - if-no-files-found: error - third_party: name: Generate THIRDPARTY.html runs-on: ubuntu-22.04 From 64204357b0fc38b60524a36c23ee28054f1ec6c3 Mon Sep 17 00:00:00 2001 
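Review bot: "Notarize app" now archives `./bws-aarch64-apple-darwin/bws` into `bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip`, while the removed "Zip universal artifact" step packed `./bws-macos-universal/bws`. The step that produces the universal binary is not in this hunk, so it should be confirmed that the aarch64 path really holds the binary that is signed, notarized and shipped under the universal name. The rewritten "Sign binary" line also drops `-i "com.bitwarden.bws"` and `--entitlements "./crates/bws/entitlements.plist"`. If that plist grants anything the hardened runtime would otherwise block, the released binary loses it, so a short comment above the step such as `# entitlements.plist intentionally not applied: <reason>` would help the next reader.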
From: Michal Checinski Date: Tue, 6 Feb 2024 14:01:33 +0100 Subject: [PATCH 37/51] Fix zip --- .github/workflows/build-cli.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index aa75177ed..90012bb24 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml @@ -211,7 +211,7 @@ jobs: xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD" echo "Creating notarization archive" - ditto -c -k --keepParent ./target/${{ matrix.settings.target }}/release/bws ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip + zip -j ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip ./target/${{ matrix.settings.target }}/release/bws /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip -v @@ -373,8 +373,8 @@ jobs: echo "Create keychain profile" xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD" - echo "Creating temp notarization archive" - ditto -c -k --keepParent "./bws-aarch64-apple-darwin/bws" ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip + echo "Creating notarization archive" + zip -j /bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip ./bws-aarch64-apple-darwin/bws /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip -v From bd1b21b78a0a90ede1923d48aa9edd56b66a25c3 Mon Sep 17 00:00:00 2001 From: Michal Checinski Date: Tue, 6 Feb 2024 14:16:07 +0100 Subject: [PATCH 38/51] Add timestamp --- .github/workflows/build-cli.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index 90012bb24..ce927c844 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml @@ -197,7 +197,7 @@ jobs: - name: Sign macos env: MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} - run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime ./target/${{ matrix.settings.target }}/release/bws -v + run: codesign --sign "$MACOS_CERTIFICATE_NAME" --verbose=3 --force --options=runtime --timestamp ./target/${{ matrix.settings.target }}/release/bws - name: Notarize app macos env: @@ -213,7 +213,7 @@ jobs: echo "Creating notarization archive" zip -j ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip ./target/${{ matrix.settings.target }}/release/bws - /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip -v + codesign --sign "$MACOS_CERTIFICATE_NAME" --verbose=3 --force --options=runtime --timestamp ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip echo "Notarize app" xcrun notarytool submit ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip --keychain-profile "notarytool-profile" --wait @@ -360,7 +360,7 @@ jobs: - name: Sign binary env: MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} - run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime ./bws-aarch64-apple-darwin/bws -v + run: codesign --sign "$MACOS_CERTIFICATE_NAME" --verbose=3 --force --options=runtime --timestamp ./bws-aarch64-apple-darwin/bws - name: Notarize app env: 
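Review bot: The rewritten signing lines replace `/usr/bin/codesign` with a bare `codesign`, so the tool that handles the signing identity is now resolved through `PATH`, which earlier steps and actions in the job can extend. I would keep the absolute path, e.g. `run: /usr/bin/codesign --sign "$MACOS_CERTIFICATE_NAME" --verbose=3 --force --options=runtime --timestamp ./bws-aarch64-apple-darwin/bws`. That also matches the `-T /usr/bin/codesign` access entry passed to `security import` in "Set up keychain", visible as context in an earlier patch of this series. The point applies to the three hunks above and to the `@@ -376,7 +376,7 @@` hunk that follows.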
@@ -376,7 +376,7 @@ jobs: echo "Creating notarization archive" zip -j /bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip ./bws-aarch64-apple-darwin/bws - /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip -v + codesign --sign "$MACOS_CERTIFICATE_NAME" --verbose=3 --force --options=runtime --timestamp ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip echo "Notarize app" xcrun notarytool submit ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip --keychain-profile "notarytool-profile" --wait From 61aa5400df7128099234ee63c78f13e4320797e9 Mon Sep 17 00:00:00 2001 From: Michal Checinski Date: Tue, 6 Feb 2024 14:17:58 +0100 Subject: [PATCH 39/51] FIx --- .github/workflows/build-cli.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index ce927c844..1dd6a893b 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml @@ -213,7 +213,7 @@ jobs: echo "Creating notarization archive" zip -j ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip ./target/${{ matrix.settings.target }}/release/bws - codesign --sign "$MACOS_CERTIFICATE_NAME" --verbose=3 --force --options=runtime --timestamp ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip + codesign --sign "$MACOS_CERTIFICATE_NAME" --verbose=3 --force --options=runtime --timestamp ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip echo "Notarize app" xcrun notarytool submit ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip --keychain-profile "notarytool-profile" --wait From 45d893f3fd700f0257590cf53db5ceec32f5ac53 Mon Sep 17 00:00:00 2001 From: Michal Checinski Date: Tue, 6 Feb 2024 14:19:56 +0100 Subject: [PATCH 40/51] Fix --- .github/workflows/build-cli.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index 1dd6a893b..91bdb84ef 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml @@ -374,7 +374,7 @@ jobs: xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD" echo "Creating notarization archive" - zip -j /bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip ./bws-aarch64-apple-darwin/bws + zip -j ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip ./bws-aarch64-apple-darwin/bws codesign --sign "$MACOS_CERTIFICATE_NAME" --verbose=3 --force --options=runtime --timestamp ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip From 0285746d6669530eef01a3efd934642f46bd6e85 Mon Sep 17 00:00:00 2001 From: Michal Checinski Date: Wed, 7 Feb 2024 15:33:50 +0100 Subject: [PATCH 41/51] Get cert from kv --- .github/workflows/build-cli.yml | 43 ++++++++++++++++++++------------- 1 file changed, 26 insertions(+), 17 deletions(-) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index 91bdb84ef..3890bd415 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml 
@@ -169,15 +169,20 @@ jobs: macos-bws-certificate-name, macos-bws-installer-certificate-name" - - name: Decrypt secrets - env: - DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }} - run: | - mkdir -p $HOME/secrets + - name: Get p12 signing cert + uses: azure/CLI@4db43908b9df2e7ac93c8275a8f9a448c59338dd # v1.0.9 + with: + inlineScript: az keyvault certificate download --vault-name bitwarden-ci --name macos-bws-certificate-devid-app-cert-p12 --file $GITHUB_WORKSPACE/.github/secrets/devid-app-cert.p12 - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/devid-app-cert.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/devid-app-cert.p12.gpg" + # - name: Decrypt secrets + # env: + # DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }} + # run: | + # mkdir -p $HOME/secrets + + # gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ + # --output "$HOME/secrets/devid-app-cert.p12" \ + # "$GITHUB_WORKSPACE/.github/secrets/devid-app-cert.p12.gpg" - name: Set up keychain env: @@ -206,7 +211,6 @@ jobs: MACOS_NOTARIZATION_PWD: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-password }} MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} run: | - echo "Create keychain profile" xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD" 
@@ -332,15 +336,20 @@ jobs: macos-bws-certificate-name, macos-bws-installer-certificate-name" - - name: Decrypt secrets - env: - DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }} - run: | - mkdir -p $HOME/secrets + - name: Get p12 signing cert + uses: azure/CLI@4db43908b9df2e7ac93c8275a8f9a448c59338dd # v1.0.9 + with: + inlineScript: az keyvault certificate download --vault-name bitwarden-ci --name macos-bws-certificate-devid-app-cert-p12 --file $GITHUB_WORKSPACE/.github/secrets/devid-app-cert.p12 + + # - name: Decrypt secrets + # env: + # DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }} + # run: | + # mkdir -p $HOME/secrets - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/devid-app-cert.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/devid-app-cert.p12.gpg" + # gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ + # --output "$HOME/secrets/devid-app-cert.p12" \ + # "$GITHUB_WORKSPACE/.github/secrets/devid-app-cert.p12.gpg" - name: Set up keychain env: From e0cdc574c83c97a8e27eba87375051af2fb80c4a Mon Sep 17 00:00:00 2001 From: Michal Checinski Date: Wed, 7 Feb 2024 15:42:02 +0100 Subject: [PATCH 42/51] Fix --- .github/workflows/build-cli.yml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index 3890bd415..abb02fc07 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml 
@@ -170,9 +170,7 @@ jobs: macos-bws-installer-certificate-name" - name: Get p12 signing cert - uses: azure/CLI@4db43908b9df2e7ac93c8275a8f9a448c59338dd # v1.0.9 - with: - inlineScript: az keyvault certificate download --vault-name bitwarden-ci --name macos-bws-certificate-devid-app-cert-p12 --file $GITHUB_WORKSPACE/.github/secrets/devid-app-cert.p12 + run: az keyvault certificate download --vault-name bitwarden-ci --name macos-bws-certificate-devid-app-cert-p12 --file $GITHUB_WORKSPACE/.github/secrets/devid-app-cert.p12 # - name: Decrypt secrets # env: @@ -337,9 +335,7 @@ jobs: macos-bws-installer-certificate-name" - name: Get p12 signing cert - uses: azure/CLI@4db43908b9df2e7ac93c8275a8f9a448c59338dd # v1.0.9 - with: - inlineScript: az keyvault certificate download --vault-name bitwarden-ci --name macos-bws-certificate-devid-app-cert-p12 --file $GITHUB_WORKSPACE/.github/secrets/devid-app-cert.p12 + run: az keyvault certificate download --vault-name bitwarden-ci --name macos-bws-certificate-devid-app-cert-p12 --file $GITHUB_WORKSPACE/.github/secrets/devid-app-cert.p12 # - name: Decrypt secrets # env: From 954cdfd3c5f3ba9733253ac0d6b71ff0bc877825 Mon Sep 17 00:00:00 2001 From: Michal Checinski Date: Wed, 7 Feb 2024 17:12:58 +0100 Subject: [PATCH 43/51] FIx --- .github/workflows/build-cli.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index abb02fc07..0a72f3b84 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml 
@@ -170,7 +170,7 @@ jobs: macos-bws-installer-certificate-name" - name: Get p12 signing cert - run: az keyvault certificate download --vault-name bitwarden-ci --name macos-bws-certificate-devid-app-cert-p12 --file $GITHUB_WORKSPACE/.github/secrets/devid-app-cert.p12 + run: az keyvault certificate download --vault-name bitwarden-ci --name macos-bws-certificate-devid-app-cert-p12 --file $HOME/secrets/devid-app-cert.p12 # - name: Decrypt secrets # env: @@ -335,7 +335,7 @@ jobs: macos-bws-installer-certificate-name" - name: Get p12 signing cert - run: az keyvault certificate download --vault-name bitwarden-ci --name macos-bws-certificate-devid-app-cert-p12 --file $GITHUB_WORKSPACE/.github/secrets/devid-app-cert.p12 + run: az keyvault certificate download --vault-name bitwarden-ci --name macos-bws-certificate-devid-app-cert-p12 --file $HOME/secrets/devid-app-cert.p12 # - name: Decrypt secrets # env: From 515150596bc1b381d698b1cdf6c821edaa8d43d7 Mon Sep 17 00:00:00 2001 From: Michal Checinski Date: Wed, 7 Feb 2024 17:18:04 +0100 Subject: [PATCH 44/51] Crete dir for secrets from keyvault --- .github/workflows/build-cli.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index 0a72f3b84..d465cd016 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml @@ -170,7 +170,9 @@ jobs: macos-bws-installer-certificate-name" - name: Get p12 signing cert - run: az keyvault certificate download --vault-name bitwarden-ci --name macos-bws-certificate-devid-app-cert-p12 --file $HOME/secrets/devid-app-cert.p12 + run: | + mkdir -p $HOME/secrets + az keyvault certificate download --vault-name bitwarden-ci --name macos-bws-certificate-devid-app-cert-p12 --file $HOME/secrets/devid-app-cert.p12 # - name: Decrypt secrets # env: 
@@ -335,7 +337,9 @@ jobs: macos-bws-installer-certificate-name" - name: Get p12 signing cert - run: az keyvault certificate download --vault-name bitwarden-ci --name macos-bws-certificate-devid-app-cert-p12 --file $HOME/secrets/devid-app-cert.p12 + run: | + mkdir -p $HOME/secrets + az keyvault certificate download --vault-name bitwarden-ci --name macos-bws-certificate-devid-app-cert-p12 --file $HOME/secrets/devid-app-cert.p12 # - name: Decrypt secrets # env: From 09f8963d91fa69ecfc91d3a3fb6263107c22f114 Mon Sep 17 00:00:00 2001 From: Michal Checinski Date: Thu, 8 Feb 2024 18:00:26 +0100 Subject: [PATCH 45/51] Check the contents of $HOME/secrets/devid-app-cert.p12 --- .github/workflows/build-cli.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index d465cd016..49c412b7a 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml @@ -194,6 +194,8 @@ jobs: security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain security set-keychain-settings -lut 1200 build.keychain + ls $HOME/secrets + security import "$HOME/secrets/devid-app-cert.p12" -k build.keychain -P $DEVID_CERT_PASSWORD \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild From 65b766e0158f8f2bc9b266688c4c6bd728697cbd Mon Sep 17 00:00:00 2001 From: Michal Checinski Date: Fri, 9 Feb 2024 12:01:56 +0100 Subject: [PATCH 46/51] Download p12 cert --- .github/workflows/build-cli.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index 49c412b7a..681c79d98 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml 
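Review bot: `ls $HOME/secrets` in "Set up keychain" is a debugging aid and should be removed once the import works; it still shows up as context in the later `@@ -191,7 +191,7 @@` hunk, so it appears to survive the series. It prints only file names, but a build log that enumerates the secrets directory is noise at best, and the universal job never received the same line. If a check is wanted, `test -s "$HOME/secrets/devid-app-cert.p12"` fails the step early without listing anything. The step begins and ends outside this hunk.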
@@ -172,7 +172,7 @@ jobs: - name: Get p12 signing cert run: | mkdir -p $HOME/secrets - az keyvault certificate download --vault-name bitwarden-ci --name macos-bws-certificate-devid-app-cert-p12 --file $HOME/secrets/devid-app-cert.p12 + az keyvault secret download --vault-name bitwarden-ci --name macos-bws-certificate-devid-app-cert-p12 --file $HOME/secrets/devid-app-cert.p12 --encoding base64 # - name: Decrypt secrets # env: @@ -341,7 +341,7 @@ jobs: - name: Get p12 signing cert run: | mkdir -p $HOME/secrets - az keyvault certificate download --vault-name bitwarden-ci --name macos-bws-certificate-devid-app-cert-p12 --file $HOME/secrets/devid-app-cert.p12 + az keyvault secret download --vault-name bitwarden-ci --name macos-bws-certificate-devid-app-cert-p12 --file $HOME/secrets/devid-app-cert.p12 --encoding base64 # - name: Decrypt secrets # env: From d9e26b891a829b19731c01a6c5eb2ab576075a1b Mon Sep 17 00:00:00 2001 From: Michal Checinski Date: Fri, 9 Feb 2024 12:48:34 +0100 Subject: [PATCH 47/51] Maybe fix --- .github/workflows/build-cli.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index 681c79d98..a07d2570c 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml @@ -196,7 +196,7 @@ jobs: ls $HOME/secrets - security import "$HOME/secrets/devid-app-cert.p12" -k build.keychain -P $DEVID_CERT_PASSWORD \ + security import "$HOME/secrets/devid-app-cert.p12" -k build.keychain \ # -P $DEVID_CERT_PASSWORD \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain 
@@ -363,7 +363,7 @@ jobs: security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain security set-keychain-settings -lut 1200 build.keychain - security import "$HOME/secrets/devid-app-cert.p12" -k build.keychain -P $DEVID_CERT_PASSWORD \ + security import "$HOME/secrets/devid-app-cert.p12" -k build.keychain \ # -P $DEVID_CERT_PASSWORD \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain From e754da90e200d02bb7c7e9384d49027739446f62 Mon Sep 17 00:00:00 2001 From: Michal Checinski Date: Fri, 9 Feb 2024 13:21:25 +0100 Subject: [PATCH 48/51] Go back to get cert from github/secrets --- .github/workflows/build-cli.yml | 34 ++++++++++++--------------------- 1 file changed, 12 insertions(+), 22 deletions(-) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index a07d2570c..8bd728d8c 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml @@ -169,20 +169,15 @@ jobs: macos-bws-certificate-name, macos-bws-installer-certificate-name" - - name: Get p12 signing cert + - name: Decrypt secrets + env: + DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }} run: | mkdir -p $HOME/secrets - az keyvault secret download --vault-name bitwarden-ci --name macos-bws-certificate-devid-app-cert-p12 --file $HOME/secrets/devid-app-cert.p12 --encoding base64 - - # - name: Decrypt secrets - # env: - # DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }} - # run: | - # mkdir -p $HOME/secrets - # gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - # --output "$HOME/secrets/devid-app-cert.p12" \ - # "$GITHUB_WORKSPACE/.github/secrets/devid-app-cert.p12.gpg" + gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ + --output "$HOME/secrets/devid-app-cert.p12" \ + "$GITHUB_WORKSPACE/.github/secrets/devid-app-cert.p12.gpg" - name: Set up keychain env: 
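Review bot: The restored "Decrypt secrets" step writes the decrypted `devid-app-cert.p12` to `$HOME/secrets` with default permissions, and nothing visible in this hunk removes it once "Set up keychain" has imported it. I would put `umask 077` as the first line of the `run:` block and add `rm -f "$HOME/secrets/devid-app-cert.p12"` after the `security import` call (that call is outside this hunk), so the private key stays on disk only as long as it is needed. `mkdir -p $HOME/secrets` should also quote the path: `mkdir -p "$HOME/secrets"`. The `@@ -333,20 +333,15 @@` hunk restores the same step for the universal job.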
@@ -338,20 +333,15 @@ jobs: macos-bws-certificate-name, macos-bws-installer-certificate-name" - - name: Get p12 signing cert + - name: Decrypt secrets + env: + DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }} run: | mkdir -p $HOME/secrets - az keyvault secret download --vault-name bitwarden-ci --name macos-bws-certificate-devid-app-cert-p12 --file $HOME/secrets/devid-app-cert.p12 --encoding base64 - - # - name: Decrypt secrets - # env: - # DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }} - # run: | - # mkdir -p $HOME/secrets - # gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - # --output "$HOME/secrets/devid-app-cert.p12" \ - # "$GITHUB_WORKSPACE/.github/secrets/devid-app-cert.p12.gpg" + gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ + --output "$HOME/secrets/devid-app-cert.p12" \ + "$GITHUB_WORKSPACE/.github/secrets/devid-app-cert.p12.gpg" - name: Set up keychain env: From cad54998023a8ce2859bf7f68980d0442a79d55a Mon Sep 17 00:00:00 2001 From: Michal Checinski Date: Fri, 9 Feb 2024 13:25:04 +0100 Subject: [PATCH 49/51] FIx --- .github/workflows/build-cli.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index 8bd728d8c..b8eed491f 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml @@ -191,7 +191,7 @@ jobs: ls $HOME/secrets - security import "$HOME/secrets/devid-app-cert.p12" -k build.keychain \ # -P $DEVID_CERT_PASSWORD \ + security import "$HOME/secrets/devid-app-cert.p12" -k build.keychain -P $DEVID_CERT_PASSWORD \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain 
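Review bot: The restored `security import … -P $DEVID_CERT_PASSWORD \` line expands the password unquoted, so a value containing whitespace or glob characters is split or expanded by the shell before `security` sees it; use `-P "$DEVID_CERT_PASSWORD"`. The context line `security set-key-partition-list … -k $KEYCHAIN_PASSWORD build.keychain` has the same issue and could be quoted in the same change. The `@@ -353,7 +353,7 @@` hunk makes the identical edit for the universal job. The step begins outside the hunk.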
@@ -353,7 +353,7 @@ jobs: security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain security set-keychain-settings -lut 1200 build.keychain - security import "$HOME/secrets/devid-app-cert.p12" -k build.keychain \ # -P $DEVID_CERT_PASSWORD \ + security import "$HOME/secrets/devid-app-cert.p12" -k build.keychain -P $DEVID_CERT_PASSWORD \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain From d00b4f2bae72905d27dfd154b49eef897f7ade0b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Ch=C4=99ci=C5=84ski?= Date: Thu, 22 Feb 2024 17:54:01 +0100 Subject: [PATCH 50/51] Update .github/workflows/build-cli.yml Co-authored-by: MtnBurrit0 <77340197+mimartin12@users.noreply.github.com> --- .github/workflows/build-cli.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index b8eed491f..4c9ed2162 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml @@ -33,8 +33,7 @@ jobs: build-windows: name: Building CLI for - ${{ matrix.settings.os }} - ${{ matrix.settings.target }} runs-on: ${{ matrix.settings.os || 'ubuntu-latest' }} - needs: - - setup + needs: setup env: _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }} strategy: From 2fb9426e2a6f648940d0457d6557b4e7ac27bf4a Mon Sep 17 00:00:00 2001 From: Michal Checinski Date: Thu, 22 Feb 2024 17:54:39 +0100 Subject: [PATCH 51/51] Ran prettier --- .github/workflows/build-cli.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index 4c9ed2162..8f5777d14 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml 
@@ -114,7 +114,6 @@ jobs: path: ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip if-no-files-found: error - build-macos: name: Building CLI for - ${{ matrix.settings.os }} - ${{ matrix.settings.target }} runs-on: ${{ matrix.settings.os || 'ubuntu-latest' }} @@ -236,7 +235,6 @@ jobs: fail-fast: false matrix: settings: - - os: ubuntu-22.04 target: x86_64-unknown-linux-gnu