From 4d420183fb314566c27c87a8299323eaf357f892 Mon Sep 17 00:00:00 2001 From: Michal Checinski Date: Wed, 31 Jan 2024 18:01:07 +0100 Subject: [PATCH] Try to build and sign pkg --- .github/secrets/devid-installer-cert.p12.gpg | Bin 0 -> 3333 bytes .github/workflows/build-cli.yml | 98 +++++++++++-------- 2 files changed, 55 insertions(+), 43 deletions(-) create mode 100644 .github/secrets/devid-installer-cert.p12.gpg 
diff --git a/.github/secrets/devid-installer-cert.p12.gpg b/.github/secrets/devid-installer-cert.p12.gpg new file mode 100644 index 0000000000000000000000000000000000000000..f379fc214febadd44e0e23a634c2540587f94a94 GIT binary patch literal 3333 zcmV+g4f^to4Fm}T0u)ajijrg67U=Gs<>Z+S)(5f&{O;KiC z40+MU{S*qg3+gq>pGb*^JFK=BR^SFJQ=1{gyJiWj#Jh$%KjK;!a~sF?(F))7H)Voy zgJ$ZD1GKU^uxxDmA-bF-S+4HYqa)T%2v3`xiRaiAU>$CmTQ~dnT&ZTu#~!`Brb^OE z+t3jSX5peK1__j0?PCnMve78(@LXUIl9c9CD~6Gyffm7Kg}M{p$FGNq&rx zK!X1|s;^sBB~2mG8*?*9geks+NDqz~n9$v(SVMSpm4ZV)@Tuhyv9F!VYm8g^3qh$B zd87n$D1cDe%~F=3@7CDW+FJf6p&Uk3YUS;sgKjLktoSEk&yX2+eWKo)SL!R$Y|&}? z%#Qc?+K_I>rp(vDt?|4*4!2fF>k461^w4X=*C!sv!g7;B8%9g_>F>0yhL?CBXlzQ40hxcOSZuV?;R{FvV1iEEqXV(+L@&cL32iT4_b z77sovq;QgN(Q#yKVS>l#Lo3Hgo5tG^AY3eAf0}=$N@tR(UJCh~6=y}2MKC>!sLi-Y zCFD5Mf+57xUXHAMNLOUcdm02C=pFtdNfMmhta}l@r=Iwid%+HBH@jO-5vFW67J&vO zZvlAJ5xqUYutSWCm?* z60gGIHU3~!){W(`K#-9t2_>eF52;NLxiCwqw1jw}F-ar$3^sZb81l1RSkX!(yo2f%WnXwWDPskS1>w>ITB zMNOZ(qe^-M0SnV@0qP-Z~eR75toHA2%7j>u{o2wC;&rc2NQodk#LXB zqdUV~S4xdclZwXKY<_f!J`EvTBlXhm701xVz;zrXg684*yME0QJfxomgrtx3_Ckw` zAZMXjkIYfYQzy{tFBfI5uIZGaxL`h3@6?m>C1QaDGuDQCnrm*AiT;XMSi;o7m& z-E`KS!iGjN+T(!IW-zJrBNQoc<)a6w@ImLSI(4~b;vlwb?!39Dltr(z73$%=E_B4IaSc@G-u997#gJGW={N$T| zH0ss`Z94nSHfNC5qeF;#2w$YMfsLcDT2}Dc&u5;k;)7|fj`%>hz`5AXPm_<<4c=hIkRTE8GIarBq#^(i_tMIdm)Skv(9@K<=|)kCOQ#H*QK8)`fqP;l8V^%p^f!FF8XX z96uCz12cCL8ZR2h1I72?CLnBM{_x}%3=`=C?4zjsj0>`zo2dx^O&a&wZLF!84Ue%` zJX2k~hY+VScDL#xAG#+HJsN6Ew83y)=d~?uWf`hNtaGsMYv;0C+F=+24=P6|*0xMqxQ*h#N09L8$jNMIia=dLTP9=pWAGz*aS+n%d z$i>nQvjy_9->bi#GbM9b4pD6^{QOLwr9xRntsnT6HK>1Vk7%PNQRXd3H z00tnKek5jMC)2_2iBy1ALyk=uD|D8NL^q`hZYIFcRaG}31=ENA%_8hI5D2n)*p$kf zGGJ?9r{|Wt(EM(UN-{!m(A&q?AGUe@2*)LfK29A|fk@WtfdTv=96%A}KaN!(bNUag zI*$eWvP{;=CQ~#R8Sycw{cIx*=RB8UD3P)h(KnFhiP@ZKgvn*6c4Vs!>I;11|0Eq* zbVlzh{$~c4jbc`ftI01QI5q4VbP}jo;`%f}hKskSRl1Xh;AcjExuUFP>cWV43xZfZ zah;S8^LaPPhhDD_1&I==y?YlVSvm&6Tpq-)VtIF2z+$HF*o}{L2d~Y9%sLQ~J+^q4 zu)~prkaMlbiI)3;8H?s=Rakekty5VPANO+SwiC-ZB#P9Pj^F%wo5_Ik)@m-C9aX~j 
zcTG*F#N7zFLIIaWC{;@^AG|x2x$b0n8!Byz9yyI^D1a* zzxXArK#OI9$BQG?x@}0?Hcli#lXxE(Q&l#LUPjO)>&+W4LHmaV=JMO1ia?RLL(Yzd zHh1UO&RltHGg!5Y&yzKb6~p{YBh4DSgRz?9VJ{?cv|beAzhvH-HIouG$xO-2b`uKp zhf;t(ZPT0}Bf!^rJtp&9slz^NHiqK;Z9o#;teebIZ8j~!CLaml`rJqV!2h5Pqx&_~ z?FbA&3jh2PHrI_VZwQ;8KFbl3K_rt^*ouiyx-~PD&N)Qko-ZZCInQZmk7iA;ddmbM z0$rP{+OX+J^_x1#0UBRGP!+ep60u8N21h(8(hkfmO@w}e+pL-kO8D+Z!kjq=aT3K_ zxh*QgAxeKQf_9zBQASO4di=T!`v(N$Dd3ZF~DLWAB@a)nZyHs~jM>>o1{Ky2QY(~V0_ z`yi*^9YzHZ_$VOF)=Gz(hPh}iZ!qMLBnG%C6JMb<87dYS%<`5Y6a7ZTQ1flzuf z8X3bi1XKG5XvILF#Ly_vdmu4?!8Yp3R`GPJM&kC@o5$rkhk7j`7H3VzkWI8l zO!Gm~1H4#oqRG=k5x8?{hBd&Hl5CGa@Y+Wz_jAeYpr3O6qP33x_@JhFn6MtwF zdp+av{9Lu+98`4|R8aefAKXD{RIVJWcc6`aS0H{s%&>?a%RXthBMz1St8% zH63lFP8b9y5e0r}1C@bUxU-ibT6m=BlS~UIpAQ1$gAx|cBSgTqnM)p1wK!t>Gekt+ zQI#ivi5=6#01-ogw9$=}_|qH-Zk?<3WFtk7Ad@dZ2X}8Ejh-srL{|DcJyxbssvM*j zKxSUAtL!A7= zH8l>MA62fduoz&$Y*WQZP<(hQ%<|8okLC}H=o-NBna(3ejh+vxl0ITGm PE<#H7)~fjH$Vgv{flXp3 literal 0 HcmV?d00001 diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index 7b765257e..1ecff12ca 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml @@ -166,7 +166,8 @@ jobs: secrets: "macos-bws-notarization-apple-id, macos-bws-notarization-team-id, macos-bws-notarization-password, - macos-bws-certificate-name" + macos-bws-certificate-name, + macos-bws-installer-certificate-name" - name: Decrypt secrets env: @@ -178,6 +179,10 @@ jobs: --output "$HOME/secrets/devid-app-cert.p12" \ "$GITHUB_WORKSPACE/.github/secrets/devid-app-cert.p12.gpg" + gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ + --output "$HOME/secrets/devid-installer-cert.p12" \ + "$GITHUB_WORKSPACE/.github/secrets/devid-installer-cert.p12.gpg" + - name: Set up keychain env: KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} 
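Review bot: The added `gpg --decrypt` call passes the passphrase as `--passphrase="$DECRYPT_FILE_PASSWORD"`, so it sits in the process argument list while gpg runs; feeding it on a descriptor, e.g. `--passphrase-fd 0` with `<<<"$DECRYPT_FILE_PASSWORD"`, keeps it out of `ps` output. The `security import ... -P $DEVID_CERT_PASSWORD` line added in the @@ -190 hunk has the same exposure and is also unquoted, so a password containing spaces or glob characters would be split by the shell; `-P "$DEVID_CERT_PASSWORD"` fixes the splitting. Both certificates are unlocked by the same two secrets, so one leaked value exposes both signing identities; separate secrets for the installer certificate would limit that. No cleanup of `$HOME/secrets/devid-installer-cert.p12` is visible in this hunk; if none exists later in the job, an `rm` after the keychain import is worth adding.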
@@ -190,20 +195,25 @@ jobs: security import "$HOME/secrets/devid-app-cert.p12" -k build.keychain -P $DEVID_CERT_PASSWORD \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - + security import "$HOME/secrets/devid-installer-cert.p12" -k build.keychain -P $DEVID_CERT_PASSWORD \ + -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain - name: Sign macos env: MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} - MACOS_NOTARIZATION_TEAM_ID: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-team-id }} - run: codesign -s "$MACOS_NOTARIZATION_TEAM_ID" -f --timestamp -o runtime -i "com.bitwarden.bws" --entitlements "./crates/bws/entitlements.plist" ./target/${{ matrix.settings.target }}/release/bws -v - # /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime ./target/${{ matrix.settings.target }}/release/bws -v + run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" --options runtime ./target/${{ matrix.settings.target }}/release/bws -v - # - name: Create pkg - # env: - # MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} - # run: pkgbuild --root ./target/${{ matrix.settings.target }}/release --identifier "com.bitwarden.bws.pkg" --install-location "/" --sign "$MACOS_CERTIFICATE_NAME" --version "${{ env._PACKAGE_VERSION }}" "./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.pkg" + - name: Create pkg + env: + MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-installer-certificate-name }} + run: pkgbuild --identifier com.bitwarden.bws.pkg --install-location /usr/local/bin/ --root ./target/${{ matrix.settings.target }}/release ./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.pkg + # run: pkgbuild --identifier com.bitwarden.bws.pkg --install-location 
/usr/local/bin/ --root ./target/${{ matrix.settings.target }}/release --sign "$MACOS_CERTIFICATE_NAME" --version "${{ env._PACKAGE_VERSION }}" ./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.pkg + + - name: Sign pkg + env: + MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-installer-certificate-name }} + run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" ./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.pkg -v # - name: Create dmg # run: | 
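Review bot: The output path in the new `Create pkg` and `Sign pkg` steps is written `./target/{{ matrix.settings.target }}/...` without the leading `$`, so Actions does not expand it and the shell receives the literal braces split into separate words; it should read `./target/${{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.pkg`. The same typo is in the `notarytool submit`, `stapler staple` and second `zip -j` lines of the @@ -231 hunk. Separately, the rewritten `Sign macos` line drops `--timestamp` and `--entitlements "./crates/bws/entitlements.plist"`, which the universal job's codesign call (context line of the @@ -395 hunk) still passes; unless that is intentional, keep the two aligned, since notarization expects a secure timestamp. `--root ./target/.../release` also appears to package the whole release directory into `/usr/local/bin/`, not just `bws`; staging the binary in an otherwise empty directory would avoid shipping build by-products.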
@@ -231,19 +241,17 @@ jobs: echo "Notarize app" xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait - # rm notarization.zip + rm notarization.zip - # echo "Creating temp notarization archive" - # ditto -c -k --keepParent "./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.dmg" "notarization.zip" + echo "Notarize dmg" + xcrun notarytool submit "./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.pkg" --keychain-profile "notarytool-profile" --wait - # echo "Notarize dmg" - # xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait - - # xcrun stapler staple "./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.dmg" + xcrun stapler staple "./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.pkg" - name: Zip macos - run: zip -j ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip ./target/${{ matrix.settings.target }}/release/bws - # zip ./bws-${{ matrix.settings.target }}-dmg-${{ env._PACKAGE_VERSION }}.zip ./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.dmg + run: | + zip -j ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip ./target/${{ matrix.settings.target }}/release/bws + zip -j ./bws-${{ matrix.settings.target }}-pkg-${{ env._PACKAGE_VERSION }}.zip ./target/{{ matrix.settings.target }}/bws-${{ env._PACKAGE_VERSION }}.pkg - name: Upload artifact uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 
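Review bot: Nothing in this step checks the result of signing and stapling before the package is zipped and uploaded; running `pkgutil --check-signature` and `xcrun stapler validate` on the `.pkg` right after `xcrun stapler staple` would fail the job if the installer is unsigned or the ticket is missing. The same applies to the universal job's notarize block in the @@ -426 hunk. The echo still says `"Notarize dmg"` although a pkg is submitted, whereas the universal job already prints `"Notarize pkg"`. The step's opening lines are outside the hunk.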
@@ -252,12 +260,12 @@ jobs: path: ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip if-no-files-found: error - # - name: Upload dmg artifact - # uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 - # with: - # name: bws-${{ matrix.settings.target }}-dmg-${{ env._PACKAGE_VERSION }}.zip - # path: ./bws-${{ matrix.settings.target }}-dmg-${{ env._PACKAGE_VERSION }}.zip - # if-no-files-found: error + - name: Upload dmg artifact + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 + with: + name: bws-${{ matrix.settings.target }}-pkg-${{ env._PACKAGE_VERSION }}.zip + path: ./bws-${{ matrix.settings.target }}-pkg-${{ env._PACKAGE_VERSION }}.zip + if-no-files-found: error build-linux: name: Building CLI for - ${{ matrix.settings.os }} - ${{ matrix.settings.target }} @@ -363,7 +371,8 @@ jobs: secrets: "macos-bws-notarization-apple-id, macos-bws-notarization-team-id, macos-bws-notarization-password, - macos-bws-certificate-name" + macos-bws-certificate-name, + macos-bws-installer-certificate-name" - name: Decrypt secrets env: 
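Review bot: The universal job now retrieves `macos-bws-installer-certificate-name` (@@ -363 hunk), but no hunk in this patch adds the installer certificate to that job's `Decrypt secrets` or keychain steps the way the @@ -178 and @@ -190 hunks do for the per-target job. If those steps are unchanged, the `Sign pkg` step added in the @@ -395 hunk will find no matching identity in `build.keychain`. Adding the same `gpg --decrypt` and `security import` lines for `devid-installer-cert.p12` to this job would close the gap. The `Decrypt secrets` step continues outside the hunk.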
@@ -395,10 +404,16 @@ jobs: MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} run: codesign -s "$MACOS_CERTIFICATE_NAME" -f --timestamp -o runtime -i "com.bitwarden.bws" --entitlements "./crates/bws/entitlements.plist" ./bws-aarch64-apple-darwin/bws -v - # - name: Create pkg - # env: - # MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} - # run: pkgbuild --root ./bws-aarch64-apple-darwin --identifier "com.bitwarden.bws.pkg" --install-location "/" --sign $MACOS_CERTIFICATE_NAME --version "${{ env._PACKAGE_VERSION }}" "./bws-aarch64-apple-darwin/bws-${{ env._PACKAGE_VERSION }}.pkg" + - name: Create pkg + env: + MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-installer-certificate-name }} + run: pkgbuild --identifier com.bitwarden.bws.pkg --install-location /usr/local/bin/ --root ./bws-aarch64-apple-darwin ./bws-aarch64-apple-darwin/bws-${{ env._PACKAGE_VERSION }}.pkg + # run: pkgbuild --identifier com.bitwarden.bws.pkg --install-location /usr/local/bin/ --root ./bws-aarch64-apple-darwin --sign "$MACOS_CERTIFICATE_NAME" --version "${{ env._PACKAGE_VERSION }}" ./bws-aarch64-apple-darwin/bws-${{ env._PACKAGE_VERSION }}.pkg + + - name: Sign pkg + env: + MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-installer-certificate-name }} + run: /usr/bin/codesign --force -s "$MACOS_CERTIFICATE_NAME" ./bws-aarch64-apple-darwin/bws-${{ env._PACKAGE_VERSION }}.pkg -v # - name: Create dmg # run: | 
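Review bot: `Sign pkg` runs `/usr/bin/codesign` on the `.pkg` with the installer identity, but flat installer packages are signed with `productsign` or `pkgbuild --sign`, and an installer certificate (presumably Developer ID Installer, going by the file name) is not a code-signing identity, so this step is likely to fail or leave the package without an installer signature. The commented-out `run:` line just above already has the right form: restoring `--sign "$MACOS_CERTIFICATE_NAME" --version "${{ env._PACKAGE_VERSION }}"` on `pkgbuild` and dropping the separate step would sign at build time. The per-target job's `Sign pkg` step in the @@ -190 hunk has the same problem. The `.pkg` is also written inside its own `--root` directory, so a staging directory for the payload would be cleaner.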
@@ -426,20 +441,17 @@ jobs: echo "Notarize app" xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait - # rm notarization.zip - - # echo "Creating temp notarization archive" - # ditto -c -k --keepParent "./bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.dmg" "notarization.zip" + rm notarization.zip - # echo "Notarize dmg" - # xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait + echo "Notarize pkg" + xcrun notarytool submit "./bws-aarch64-apple-darwin/bws-${{ env._PACKAGE_VERSION }}.pkg" --keychain-profile "notarytool-profile" --wait - # xcrun stapler staple "./bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.dmg" + xcrun stapler staple "./bws-aarch64-apple-darwin/bws-${{ env._PACKAGE_VERSION }}.pkg" - name: Zip universal artifact run: | zip ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip ./bws-macos-universal/bws - # zip ./bws-macos-universal-dmg-${{ env._PACKAGE_VERSION }}.zip ./bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.dmg + zip ./bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.zip ./bws-aarch64-apple-darwin/bws-${{ env._PACKAGE_VERSION }}.pkg - name: Upload artifact uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0 @@ -448,12 +460,12 @@ jobs: path: ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip if-no-files-found: error - # - name: Upload pkg artifact - # uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0 - # with: - # name: bws-macos-universal-dmg-${{ env._PACKAGE_VERSION }}.zip - # path: ./bws-macos-universal-dmg-${{ env._PACKAGE_VERSION }}.zip - # if-no-files-found: error + - name: Upload pkg artifact + uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0 + with: + name: bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.zip + path: ./bws-macos-universal-pkg-${{ env._PACKAGE_VERSION }}.zip + if-no-files-found: error third_party: name: Generate THIRDPARTY.html
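Review bot: The artifact is named `bws-macos-universal-pkg-...zip`, yet the package it wraps is `./bws-aarch64-apple-darwin/bws-${{ env._PACKAGE_VERSION }}.pkg`, built from the aarch64 directory in the @@ -395 hunk, while the sibling zip takes `./bws-macos-universal/bws`. If the directory names mean what they suggest, the "universal" installer would carry an arm64-only binary; pointing `pkgbuild --root` at a staging directory that holds the universal binary would match the name. `zip` is also called without `-j` here, unlike the per-target job, so the archive stores the directory path along with the file.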