[DEVOPS-1333] Add code signing to the macOS bws CLI #3380
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: Build CLI | |
| on: | |
| pull_request: | |
| push: | |
| branches: | |
| - "main" | |
| - "rc" | |
| - "hotfix-rc" | |
| workflow_dispatch: | |
| defaults: | |
| run: | |
| shell: bash | |
| jobs: | |
| setup: | |
| name: Setup | |
| runs-on: ubuntu-22.04 | |
| outputs: | |
| package_version: ${{ steps.retrieve-version.outputs.package_version }} | |
| steps: | |
| - name: Checkout repo | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: Get Package Version | |
| id: retrieve-version | |
| run: | | |
| VERSION=$(grep -o '^version = ".*"' crates/bws/Cargo.toml | grep -Eo "[0-9]+\.[0-9]+\.[0-9]+") | |
| echo "package_version=$VERSION" >> $GITHUB_OUTPUT | |
| build-windows: | |
| name: Building CLI for - ${{ matrix.settings.os }} - ${{ matrix.settings.target }} | |
| runs-on: ${{ matrix.settings.os || 'ubuntu-latest' }} | |
| needs: | |
| - setup | |
| env: | |
| _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| settings: | |
| - os: windows-2022 | |
| target: x86_64-pc-windows-msvc | |
| - os: windows-2022 | |
| target: aarch64-pc-windows-msvc | |
| steps: | |
| - name: Checkout repo | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: Install rust | |
| uses: dtolnay/rust-toolchain@be73d7920c329f220ce78e0234b8f96b7ae60248 # stable | |
| with: | |
| toolchain: stable | |
| targets: ${{ matrix.settings.target }} | |
| - name: Cache cargo registry | |
| uses: Swatinem/rust-cache@3cf7f8cc28d1b4e7d01e3783be10a97d55d483c8 # v2.7.1 | |
| with: | |
| key: ${{ matrix.settings.target }}-cargo-${{ matrix.settings.os }} | |
| - name: Build | |
| env: | |
| TARGET: ${{ matrix.settings.target }} | |
| run: cargo build ${{ matrix.features }} -p bws --release --target=${{ matrix.settings.target }} | |
| - name: Login to Azure | |
| uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7 | |
| with: | |
| creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} | |
| - name: Retrieve secrets | |
| id: retrieve-secrets-windows | |
| uses: bitwarden/gh-actions/get-keyvault-secrets@main | |
| with: | |
| keyvault: "bitwarden-ci" | |
| secrets: "code-signing-vault-url, | |
| code-signing-client-id, | |
| code-signing-tenant-id, | |
| code-signing-client-secret, | |
| code-signing-cert-name" | |
| - name: Install AST | |
| run: dotnet tool install --global AzureSignTool --version 4.0.1 | |
| - name: Sign windows binary | |
| env: | |
| SIGNING_VAULT_URL: ${{ steps.retrieve-secrets-windows.outputs.code-signing-vault-url }} | |
| SIGNING_CLIENT_ID: ${{ steps.retrieve-secrets-windows.outputs.code-signing-client-id }} | |
| SIGNING_TENANT_ID: ${{ steps.retrieve-secrets-windows.outputs.code-signing-tenant-id }} | |
| SIGNING_CLIENT_SECRET: ${{ steps.retrieve-secrets-windows.outputs.code-signing-client-secret }} | |
| SIGNING_CERT_NAME: ${{ steps.retrieve-secrets-windows.outputs.code-signing-cert-name }} | |
| run: | | |
| azuresigntool sign -v \ | |
| -kvu $SIGNING_VAULT_URL \ | |
| -kvi $SIGNING_CLIENT_ID \ | |
| -kvt $SIGNING_TENANT_ID \ | |
| -kvs $SIGNING_CLIENT_SECRET \ | |
| -kvc $SIGNING_CERT_NAME \ | |
| -fd sha256 \ | |
| -du https://bitwarden.com \ | |
| -tr http://timestamp.digicert.com \ | |
| ./target/${{ matrix.settings.target }}/release/bws.exe | |
| - name: Zip | |
| shell: cmd | |
| run: 7z a ./bws-${{ matrix.settings.target }}-%_PACKAGE_VERSION%.zip ./target/${{ matrix.settings.target }}/release/bws.exe | |
| - name: Upload artifact | |
| uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 | |
| with: | |
| name: bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip | |
| path: ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip | |
| if-no-files-found: error | |
| build-macos: | |
| name: Building CLI for - ${{ matrix.settings.os }} - ${{ matrix.settings.target }} | |
| runs-on: ${{ matrix.settings.os || 'ubuntu-latest' }} | |
| needs: | |
| - setup | |
| env: | |
| _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| settings: | |
| - os: macos-12 | |
| target: x86_64-apple-darwin | |
| - os: macos-12 | |
| target: aarch64-apple-darwin | |
| steps: | |
| - name: Checkout repo | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: Install rust | |
| uses: dtolnay/rust-toolchain@be73d7920c329f220ce78e0234b8f96b7ae60248 # stable | |
| with: | |
| toolchain: stable | |
| targets: ${{ matrix.settings.target }} | |
| - name: Cache cargo registry | |
| uses: Swatinem/rust-cache@3cf7f8cc28d1b4e7d01e3783be10a97d55d483c8 # v2.7.1 | |
| with: | |
| key: ${{ matrix.settings.target }}-cargo-${{ matrix.settings.os }} | |
| - name: Build | |
| env: | |
| TARGET: ${{ matrix.settings.target }} | |
| run: cargo build ${{ matrix.features }} -p bws --release --target=${{ matrix.settings.target }} | |
| - name: Login to Azure | |
| uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7 | |
| with: | |
| creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} | |
| - name: Retrieve secrets macos | |
| id: retrieve-secrets-macos | |
| uses: bitwarden/gh-actions/get-keyvault-secrets@main | |
| with: | |
| keyvault: "bitwarden-ci" | |
| secrets: "macos-bws-notarization-apple-id, | |
| macos-bws-notarization-team-id, | |
| macos-bws-notarization-password, | |
| macos-bws-certificate-name, | |
| macos-bws-installer-certificate-name" | |
| - name: Decrypt secrets | |
| env: | |
| DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }} | |
| run: | | |
| mkdir -p $HOME/secrets | |
| gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ | |
| --output "$HOME/secrets/devid-app-cert.p12" \ | |
| "$GITHUB_WORKSPACE/.github/secrets/devid-app-cert.p12.gpg" | |
| - name: Set up keychain | |
| env: | |
| KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} | |
| DEVID_CERT_PASSWORD: ${{ secrets.DEVID_CERT_PASSWORD }} | |
| run: | | |
| security create-keychain -p $KEYCHAIN_PASSWORD build.keychain | |
| security default-keychain -s build.keychain | |
| security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain | |
| security set-keychain-settings -lut 1200 build.keychain | |
| security import "$HOME/secrets/devid-app-cert.p12" -k build.keychain -P $DEVID_CERT_PASSWORD \ | |
| -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild | |
| security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain | |
| - name: Sign macos | |
| env: | |
| MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} | |
| run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime ./target/${{ matrix.settings.target }}/release/bws -v | |
| - name: Notarize app macos | |
| env: | |
| MACOS_NOTARIZATION_APPLE_ID: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-apple-id }} | |
| MACOS_NOTARIZATION_TEAM_ID: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-team-id }} | |
| MACOS_NOTARIZATION_PWD: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-password }} | |
| MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} | |
| run: | | |
| echo "Create keychain profile" | |
| xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD" | |
| echo "Creating notarization archive" | |
| ditto -c -k --keepParent ./target/${{ matrix.settings.target }}/release/bws ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip | |
| /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip -v | |
| echo "Notarize app" | |
| xcrun notarytool submit ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip --keychain-profile "notarytool-profile" --wait | |
| - name: Upload artifact | |
| uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 | |
| with: | |
| name: bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip | |
| path: ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip | |
| if-no-files-found: error | |
| build-linux: | |
| name: Building CLI for - ${{ matrix.settings.os }} - ${{ matrix.settings.target }} | |
| runs-on: ${{ matrix.settings.os || 'ubuntu-latest' }} | |
| needs: | |
| - setup | |
| env: | |
| _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| settings: | |
| - os: ubuntu-22.04 | |
| target: x86_64-unknown-linux-gnu | |
| - os: ubuntu-22.04 | |
| target: aarch64-unknown-linux-gnu | |
| steps: | |
| - name: Checkout repo | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: Install rust | |
| uses: dtolnay/rust-toolchain@be73d7920c329f220ce78e0234b8f96b7ae60248 # stable | |
| with: | |
| toolchain: stable | |
| targets: ${{ matrix.settings.target }} | |
| - name: Cache cargo registry | |
| uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3 | |
| with: | |
| key: ${{ matrix.settings.target }}-cargo-${{ matrix.settings.os }} | |
| - name: Install Cross (aarch64-unknown-linux-gnu) | |
| if: ${{ matrix.settings.target == 'aarch64-unknown-linux-gnu' }} | |
| run: cargo install cross --locked | |
| - name: Build | |
| if: ${{ matrix.settings.target != 'aarch64-unknown-linux-gnu' }} | |
| env: | |
| TARGET: ${{ matrix.settings.target }} | |
| run: cargo build ${{ matrix.features }} -p bws --release --target=${{ matrix.settings.target }} | |
| - name: Build (aarch64-unknown-linux-gnu) | |
| if: ${{ matrix.settings.target == 'aarch64-unknown-linux-gnu' }} | |
| env: | |
| TARGET: ${{ matrix.settings.target }} | |
| run: cross build ${{ matrix.features }} -p bws --release --target=${{ matrix.settings.target }} | |
| - name: Zip linux | |
| run: zip -j ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip ./target/${{ matrix.settings.target }}/release/bws | |
| - name: Upload artifact | |
| uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0 | |
| with: | |
| name: bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip | |
| path: ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip | |
| if-no-files-found: error | |
| macos-universal-binary: | |
| name: Generate universal macOS binary | |
| runs-on: macos-12 | |
| needs: | |
| - setup | |
| - build-macos | |
| env: | |
| _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }} | |
| steps: | |
| - name: Checkout repo | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: Download x86_64-apple-darwin artifact | |
| uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 | |
| with: | |
| name: bws-x86_64-apple-darwin-${{ env._PACKAGE_VERSION }}.zip | |
| - name: Download aarch64-apple-darwin artifact | |
| uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 | |
| with: | |
| name: bws-aarch64-apple-darwin-${{ env._PACKAGE_VERSION }}.zip | |
| - name: Unzip artifacts | |
| run: | | |
| unzip bws-x86_64-apple-darwin-${{ env._PACKAGE_VERSION }}.zip -d ./bws-x86_64-apple-darwin | |
| unzip bws-aarch64-apple-darwin-${{ env._PACKAGE_VERSION }}.zip -d ./bws-aarch64-apple-darwin | |
| - name: lipo create universal package | |
| run: | | |
| mkdir ./bws-macos-universal | |
| lipo -create -output ./bws-macos-universal/bws ./bws-x86_64-apple-darwin/bws ./bws-aarch64-apple-darwin/bws | |
| - name: Login to Azure | |
| uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7 | |
| with: | |
| creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} | |
| - name: Retrieve secrets | |
| id: retrieve-secrets-macos | |
| uses: bitwarden/gh-actions/get-keyvault-secrets@main | |
| with: | |
| keyvault: "bitwarden-ci" | |
| secrets: "macos-bws-notarization-apple-id, | |
| macos-bws-notarization-team-id, | |
| macos-bws-notarization-password, | |
| macos-bws-certificate-name, | |
| macos-bws-installer-certificate-name" | |
| - name: Decrypt secrets | |
| env: | |
| DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }} | |
| run: | | |
| mkdir -p $HOME/secrets | |
| gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ | |
| --output "$HOME/secrets/devid-app-cert.p12" \ | |
| "$GITHUB_WORKSPACE/.github/secrets/devid-app-cert.p12.gpg" | |
| - name: Set up keychain | |
| env: | |
| KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} | |
| DEVID_CERT_PASSWORD: ${{ secrets.DEVID_CERT_PASSWORD }} | |
| run: | | |
| security create-keychain -p $KEYCHAIN_PASSWORD build.keychain | |
| security default-keychain -s build.keychain | |
| security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain | |
| security set-keychain-settings -lut 1200 build.keychain | |
| security import "$HOME/secrets/devid-app-cert.p12" -k build.keychain -P $DEVID_CERT_PASSWORD \ | |
| -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild | |
| security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain | |
| - name: Sign binary | |
| env: | |
| MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} | |
| run: codesign -s "$MACOS_CERTIFICATE_NAME" -f --timestamp -o runtime -i "com.bitwarden.bws" --entitlements "./crates/bws/entitlements.plist" ./bws-aarch64-apple-darwin/bws -v | |
| - name: Create pkg | |
| env: | |
| MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-installer-certificate-name }} | |
| run: /usr/bin/pkgbuild --identifier com.bitwarden.bwscli --install-location /usr/local/bin/ --root ./bws-aarch64-apple-darwin/ ./bw.pkg | |
| # run: /usr/bin/pkgbuild --identifier com.bitwarden.bws --install-location /usr/local/bin/ --root ./bws-aarch64-apple-darwin --sign "$MACOS_CERTIFICATE_NAME" --version "${{ env._PACKAGE_VERSION }}" ./bws-aarch64-apple-darwin/bws.pkg | |
| - name: Sign pkg | |
| env: | |
| MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} | |
| run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" ./bws-aarch64-apple-darwin/bws.pkg -v | |
| # - name: Create dmg | |
| # run: create-dmg ./bws-aarch64-apple-darwin/bws-${{ env._PACKAGE_VERSION }}.dmg ./bws-macos-universal | |
| # - name: Sign dmg | |
| # env: | |
| # MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} | |
| # run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime ./bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.dmg -v | |
| - name: Notarize app | |
| env: | |
| MACOS_NOTARIZATION_APPLE_ID: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-apple-id }} | |
| MACOS_NOTARIZATION_TEAM_ID: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-team-id }} | |
| MACOS_NOTARIZATION_PWD: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-password }} | |
| run: | | |
| echo "Create keychain profile" | |
| xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD" | |
| echo "Creating temp notarization archive" | |
| ditto -c -k --keepParent "./bws-aarch64-apple-darwin/bws" "notarization.zip" | |
| echo "Notarize app" | |
| xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait | |
| rm notarization.zip | |
| echo "Notarize pkg" | |
| xcrun notarytool submit "./bws.pkg" --keychain-profile "notarytool-profile" --wait | |
| xcrun stapler staple "./bws.pkg" | |
| - name: Zip universal artifact | |
| run: | | |
| zip ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip ./bws-macos-universal/bws | |
| zip ./bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.zip ./bws-aarch64-apple-darwin/bws.pkg | |
| - name: Upload artifact | |
| uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0 | |
| with: | |
| name: bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip | |
| path: ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip | |
| if-no-files-found: error | |
| - name: Upload pkg artifact | |
| uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0 | |
| with: | |
| name: bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.zip | |
| path: ./bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.zip | |
| if-no-files-found: error | |
| third_party: | |
| name: Generate THIRDPARTY.html | |
| runs-on: ubuntu-22.04 | |
| needs: | |
| - setup | |
| steps: | |
| - name: Checkout repo | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: Install rust | |
| uses: dtolnay/rust-toolchain@be73d7920c329f220ce78e0234b8f96b7ae60248 # stable | |
| with: | |
| toolchain: stable | |
| - name: Cache cargo registry | |
| uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3 | |
| with: | |
| key: cargo-cli-about | |
| - name: Install cargo-about | |
| run: cargo install cargo-about | |
| - name: Generate THIRDPARTY.html | |
| working-directory: ./crates/bws | |
| run: | | |
| cargo about generate ../../about.hbs > THIRDPARTY.html | |
| sed -i.bak 's/\$NAME\$/Bitwarden Secrets Manager CLI/g' THIRDPARTY.html | |
| - name: Upload artifact | |
| uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0 | |
| with: | |
| name: THIRDPARTY.html | |
| path: ./crates/bws/THIRDPARTY.html | |
| if-no-files-found: error |