Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[DEVOPS-1333] Add code signing to the Windows bws CLI #534

Merged

Conversation

michalchecinski
Copy link
Contributor

Type of change

- [ ] Bug fix
- [ ] New feature development
- [ ] Tech debt (refactoring, code cleanup, dependency upgrades, etc)
- [x] Build/deploy pipeline (DevOps)
- [ ] Other

Objective

Digitally sign Windows CLI .exe executable to prevent warning showing up on clients' computers while running bws commands.

Code changes

  • .github/workflows/build-cli.yml:
    • split Windows and UNIX build jobs
    • add steps to windows build job to login to Azure, get secrets from KeyVault, install azuresigntool and use azuresigntool to sign windows CLI artifact.

Before you submit

  • Please add unit tests where it makes sense to do so

@michalchecinski michalchecinski requested a review from a team as a code owner January 24, 2024 11:44
Copy link

codecov bot commented Jan 24, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 59.40%. Comparing base (199851b) to head (a602d0e).
Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #534   +/-   ##
=======================================
  Coverage   59.40%   59.40%           
=======================================
  Files         171      171           
  Lines       10345    10345           
=======================================
  Hits         6145     6145           
  Misses       4200     4200           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@bitwarden-bot
Copy link

bitwarden-bot commented Jan 24, 2024

Logo
Checkmarx One – Scan Summary & Detailscbb94c53-a891-4622-a496-284fa6859b2d

New Issues

Severity Issue Source File / Package Checkmarx Insight
MEDIUM Unpinned Actions Full Length Commit SHA /build-cli.yml: 339 Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
MEDIUM Unpinned Actions Full Length Commit SHA /build-cli.yml: 88 Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...
MEDIUM Unpinned Actions Full Length Commit SHA /build-cli.yml: 176 Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...

Fixed Issues

Severity Issue Source File / Package
MEDIUM Unpinned Actions Full Length Commit SHA /build-cli.yml: 324
MEDIUM Unpinned Actions Full Length Commit SHA /build-cli.yml: 161
MEDIUM Unpinned Actions Full Length Commit SHA /build-cli.yml: 75

Hinton
Hinton previously requested changes Jan 24, 2024
Copy link
Member

@Hinton Hinton left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please ensure the secrets in the pipeline are optional by only requiring them if we're publishing or have the secrets set, this will ensure external PRs don't automatically fail.

I wonder if we could put the signing as a separate stage after the build which would avoid repeating the build command.

@michalchecinski
Copy link
Contributor Author

@Hinton The build command is not repeated. I split the Unix and Windows build - the steps to sign macOS and Windows are different, so to make it clear, I made different build jobs for each system. I'll make signing steps run only on main/rc branches to ensure they will work for the external PRs.

.github/workflows/build-cli.yml Outdated Show resolved Hide resolved
.github/workflows/build-cli.yml Outdated Show resolved Hide resolved
@Hinton Hinton dismissed their stale review January 25, 2024 16:31

Secrets are no longer required to build

@Hinton
Copy link
Member

Hinton commented Jan 25, 2024

Thanks for excluding the secrets. I'm still slightly concern with the duplication of steps, since it's easy to miss modifying one of the places, but not a blocker.

.github/workflows/build-cli.yml Outdated Show resolved Hide resolved
@michalchecinski michalchecinski enabled auto-merge (squash) January 31, 2024 16:32
mimartin12
mimartin12 previously approved these changes Feb 16, 2024
mimartin12
mimartin12 previously approved these changes Feb 23, 2024
@michalchecinski michalchecinski merged commit d1fe6b7 into main Feb 27, 2024
59 checks passed
@michalchecinski michalchecinski deleted the DEVOPS-1333-Add-code-signing-to-the-bws-CLI-windows branch February 27, 2024 16:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants