[DEVOPS-1333] Add code signing to the macOS bws CLI #3433
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: Build CLI | |
on: | |
pull_request: | |
push: | |
branches: | |
- "main" | |
- "rc" | |
- "hotfix-rc" | |
workflow_dispatch: | |
defaults: | |
run: | |
shell: bash | |
jobs: | |
setup: | |
name: Setup | |
runs-on: ubuntu-22.04 | |
outputs: | |
package_version: ${{ steps.retrieve-version.outputs.package_version }} | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Get Package Version | |
id: retrieve-version | |
run: | | |
VERSION=$(grep -o '^version = ".*"' crates/bws/Cargo.toml | grep -Eo "[0-9]+\.[0-9]+\.[0-9]+") | |
echo "package_version=$VERSION" >> $GITHUB_OUTPUT | |
build-windows: | |
name: Building CLI for - ${{ matrix.settings.os }} - ${{ matrix.settings.target }} | |
runs-on: ${{ matrix.settings.os || 'ubuntu-latest' }} | |
needs: | |
- setup | |
env: | |
_PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }} | |
strategy: | |
fail-fast: false | |
matrix: | |
settings: | |
- os: windows-2022 | |
target: x86_64-pc-windows-msvc | |
- os: windows-2022 | |
target: aarch64-pc-windows-msvc | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Install rust | |
uses: dtolnay/rust-toolchain@be73d7920c329f220ce78e0234b8f96b7ae60248 # stable | |
with: | |
toolchain: stable | |
targets: ${{ matrix.settings.target }} | |
- name: Cache cargo registry | |
uses: Swatinem/rust-cache@3cf7f8cc28d1b4e7d01e3783be10a97d55d483c8 # v2.7.1 | |
with: | |
key: ${{ matrix.settings.target }}-cargo-${{ matrix.settings.os }} | |
- name: Build | |
env: | |
TARGET: ${{ matrix.settings.target }} | |
run: cargo build ${{ matrix.features }} -p bws --release --target=${{ matrix.settings.target }} | |
- name: Login to Azure | |
uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7 | |
with: | |
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} | |
- name: Retrieve secrets | |
id: retrieve-secrets-windows | |
uses: bitwarden/gh-actions/get-keyvault-secrets@main | |
with: | |
keyvault: "bitwarden-ci" | |
secrets: "code-signing-vault-url, | |
code-signing-client-id, | |
code-signing-tenant-id, | |
code-signing-client-secret, | |
code-signing-cert-name" | |
- name: Install AST | |
run: dotnet tool install --global AzureSignTool --version 4.0.1 | |
- name: Sign windows binary | |
env: | |
SIGNING_VAULT_URL: ${{ steps.retrieve-secrets-windows.outputs.code-signing-vault-url }} | |
SIGNING_CLIENT_ID: ${{ steps.retrieve-secrets-windows.outputs.code-signing-client-id }} | |
SIGNING_TENANT_ID: ${{ steps.retrieve-secrets-windows.outputs.code-signing-tenant-id }} | |
SIGNING_CLIENT_SECRET: ${{ steps.retrieve-secrets-windows.outputs.code-signing-client-secret }} | |
SIGNING_CERT_NAME: ${{ steps.retrieve-secrets-windows.outputs.code-signing-cert-name }} | |
run: | | |
azuresigntool sign -v \ | |
-kvu $SIGNING_VAULT_URL \ | |
-kvi $SIGNING_CLIENT_ID \ | |
-kvt $SIGNING_TENANT_ID \ | |
-kvs $SIGNING_CLIENT_SECRET \ | |
-kvc $SIGNING_CERT_NAME \ | |
-fd sha256 \ | |
-du https://bitwarden.com \ | |
-tr http://timestamp.digicert.com \ | |
./target/${{ matrix.settings.target }}/release/bws.exe | |
- name: Zip | |
shell: cmd | |
run: 7z a ./bws-${{ matrix.settings.target }}-%_PACKAGE_VERSION%.zip ./target/${{ matrix.settings.target }}/release/bws.exe | |
- name: Upload artifact | |
uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 | |
with: | |
name: bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip | |
path: ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip | |
if-no-files-found: error | |
build-macos: | |
name: Building CLI for - ${{ matrix.settings.os }} - ${{ matrix.settings.target }} | |
runs-on: ${{ matrix.settings.os || 'ubuntu-latest' }} | |
needs: | |
- setup | |
env: | |
_PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }} | |
strategy: | |
fail-fast: false | |
matrix: | |
settings: | |
- os: macos-12 | |
target: x86_64-apple-darwin | |
- os: macos-12 | |
target: aarch64-apple-darwin | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Install rust | |
uses: dtolnay/rust-toolchain@be73d7920c329f220ce78e0234b8f96b7ae60248 # stable | |
with: | |
toolchain: stable | |
targets: ${{ matrix.settings.target }} | |
- name: Cache cargo registry | |
uses: Swatinem/rust-cache@3cf7f8cc28d1b4e7d01e3783be10a97d55d483c8 # v2.7.1 | |
with: | |
key: ${{ matrix.settings.target }}-cargo-${{ matrix.settings.os }} | |
- name: Build | |
env: | |
TARGET: ${{ matrix.settings.target }} | |
run: cargo build ${{ matrix.features }} -p bws --release --target=${{ matrix.settings.target }} | |
- name: Login to Azure | |
uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7 | |
with: | |
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} | |
- name: Retrieve secrets macos | |
id: retrieve-secrets-macos | |
uses: bitwarden/gh-actions/get-keyvault-secrets@main | |
with: | |
keyvault: "bitwarden-ci" | |
secrets: "macos-bws-notarization-apple-id, | |
macos-bws-notarization-team-id, | |
macos-bws-notarization-password, | |
macos-bws-certificate-name, | |
macos-bws-installer-certificate-name" | |
- name: Get p12 signing cert | |
run: | | |
mkdir -p $HOME/secrets | |
az keyvault certificate download --vault-name bitwarden-ci --name macos-bws-certificate-devid-app-cert-p12 --file $HOME/secrets/devid-app-cert.p12 | |
# - name: Decrypt secrets | |
# env: | |
# DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }} | |
# run: | | |
# mkdir -p $HOME/secrets | |
# gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ | |
# --output "$HOME/secrets/devid-app-cert.p12" \ | |
# "$GITHUB_WORKSPACE/.github/secrets/devid-app-cert.p12.gpg" | |
- name: Set up keychain | |
env: | |
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} | |
DEVID_CERT_PASSWORD: ${{ secrets.DEVID_CERT_PASSWORD }} | |
run: | | |
security create-keychain -p $KEYCHAIN_PASSWORD build.keychain | |
security default-keychain -s build.keychain | |
security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain | |
security set-keychain-settings -lut 1200 build.keychain | |
ls $HOME/secrets | |
security import "$HOME/secrets/devid-app-cert.p12" -k build.keychain -P $DEVID_CERT_PASSWORD \ | |
-T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild | |
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain | |
- name: Sign macos | |
env: | |
MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} | |
run: codesign --sign "$MACOS_CERTIFICATE_NAME" --verbose=3 --force --options=runtime --timestamp ./target/${{ matrix.settings.target }}/release/bws | |
- name: Notarize app macos | |
env: | |
MACOS_NOTARIZATION_APPLE_ID: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-apple-id }} | |
MACOS_NOTARIZATION_TEAM_ID: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-team-id }} | |
MACOS_NOTARIZATION_PWD: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-password }} | |
MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} | |
run: | | |
echo "Create keychain profile" | |
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD" | |
echo "Creating notarization archive" | |
zip -j ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip ./target/${{ matrix.settings.target }}/release/bws | |
codesign --sign "$MACOS_CERTIFICATE_NAME" --verbose=3 --force --options=runtime --timestamp ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip | |
echo "Notarize app" | |
xcrun notarytool submit ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip --keychain-profile "notarytool-profile" --wait | |
- name: Upload artifact | |
uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 | |
with: | |
name: bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip | |
path: ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip | |
if-no-files-found: error | |
build-linux: | |
name: Building CLI for - ${{ matrix.settings.os }} - ${{ matrix.settings.target }} | |
runs-on: ${{ matrix.settings.os || 'ubuntu-latest' }} | |
needs: | |
- setup | |
env: | |
_PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }} | |
strategy: | |
fail-fast: false | |
matrix: | |
settings: | |
- os: ubuntu-22.04 | |
target: x86_64-unknown-linux-gnu | |
- os: ubuntu-22.04 | |
target: aarch64-unknown-linux-gnu | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Install rust | |
uses: dtolnay/rust-toolchain@be73d7920c329f220ce78e0234b8f96b7ae60248 # stable | |
with: | |
toolchain: stable | |
targets: ${{ matrix.settings.target }} | |
- name: Cache cargo registry | |
uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3 | |
with: | |
key: ${{ matrix.settings.target }}-cargo-${{ matrix.settings.os }} | |
- name: Install Cross (aarch64-unknown-linux-gnu) | |
if: ${{ matrix.settings.target == 'aarch64-unknown-linux-gnu' }} | |
run: cargo install cross --locked | |
- name: Build | |
if: ${{ matrix.settings.target != 'aarch64-unknown-linux-gnu' }} | |
env: | |
TARGET: ${{ matrix.settings.target }} | |
run: cargo build ${{ matrix.features }} -p bws --release --target=${{ matrix.settings.target }} | |
- name: Build (aarch64-unknown-linux-gnu) | |
if: ${{ matrix.settings.target == 'aarch64-unknown-linux-gnu' }} | |
env: | |
TARGET: ${{ matrix.settings.target }} | |
run: cross build ${{ matrix.features }} -p bws --release --target=${{ matrix.settings.target }} | |
- name: Zip linux | |
run: zip -j ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip ./target/${{ matrix.settings.target }}/release/bws | |
- name: Upload artifact | |
uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0 | |
with: | |
name: bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip | |
path: ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip | |
if-no-files-found: error | |
macos-universal-binary: | |
name: Generate universal macOS binary | |
runs-on: macos-12 | |
needs: | |
- setup | |
- build-macos | |
env: | |
_PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }} | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Download x86_64-apple-darwin artifact | |
uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 | |
with: | |
name: bws-x86_64-apple-darwin-${{ env._PACKAGE_VERSION }}.zip | |
- name: Download aarch64-apple-darwin artifact | |
uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1 | |
with: | |
name: bws-aarch64-apple-darwin-${{ env._PACKAGE_VERSION }}.zip | |
- name: Unzip artifacts | |
run: | | |
unzip bws-x86_64-apple-darwin-${{ env._PACKAGE_VERSION }}.zip -d ./bws-x86_64-apple-darwin | |
unzip bws-aarch64-apple-darwin-${{ env._PACKAGE_VERSION }}.zip -d ./bws-aarch64-apple-darwin | |
- name: lipo create universal package | |
run: | | |
mkdir ./bws-macos-universal | |
lipo -create -output ./bws-macos-universal/bws ./bws-x86_64-apple-darwin/bws ./bws-aarch64-apple-darwin/bws | |
- name: Login to Azure | |
uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7 | |
with: | |
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} | |
- name: Retrieve secrets | |
id: retrieve-secrets-macos | |
uses: bitwarden/gh-actions/get-keyvault-secrets@main | |
with: | |
keyvault: "bitwarden-ci" | |
secrets: "macos-bws-notarization-apple-id, | |
macos-bws-notarization-team-id, | |
macos-bws-notarization-password, | |
macos-bws-certificate-name, | |
macos-bws-installer-certificate-name" | |
- name: Get p12 signing cert | |
run: | | |
mkdir -p $HOME/secrets | |
az keyvault certificate download --vault-name bitwarden-ci --name macos-bws-certificate-devid-app-cert-p12 --file $HOME/secrets/devid-app-cert.p12 | |
# - name: Decrypt secrets | |
# env: | |
# DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }} | |
# run: | | |
# mkdir -p $HOME/secrets | |
# gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ | |
# --output "$HOME/secrets/devid-app-cert.p12" \ | |
# "$GITHUB_WORKSPACE/.github/secrets/devid-app-cert.p12.gpg" | |
- name: Set up keychain | |
env: | |
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} | |
DEVID_CERT_PASSWORD: ${{ secrets.DEVID_CERT_PASSWORD }} | |
run: | | |
security create-keychain -p $KEYCHAIN_PASSWORD build.keychain | |
security default-keychain -s build.keychain | |
security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain | |
security set-keychain-settings -lut 1200 build.keychain | |
security import "$HOME/secrets/devid-app-cert.p12" -k build.keychain -P $DEVID_CERT_PASSWORD \ | |
-T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild | |
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain | |
- name: Sign binary | |
env: | |
MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} | |
run: codesign --sign "$MACOS_CERTIFICATE_NAME" --verbose=3 --force --options=runtime --timestamp ./bws-aarch64-apple-darwin/bws | |
- name: Notarize app | |
env: | |
MACOS_NOTARIZATION_APPLE_ID: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-apple-id }} | |
MACOS_NOTARIZATION_TEAM_ID: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-team-id }} | |
MACOS_NOTARIZATION_PWD: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-notarization-password }} | |
MACOS_CERTIFICATE_NAME: ${{ steps.retrieve-secrets-macos.outputs.macos-bws-certificate-name }} | |
run: | | |
echo "Create keychain profile" | |
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD" | |
echo "Creating notarization archive" | |
zip -j ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip ./bws-aarch64-apple-darwin/bws | |
codesign --sign "$MACOS_CERTIFICATE_NAME" --verbose=3 --force --options=runtime --timestamp ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip | |
echo "Notarize app" | |
xcrun notarytool submit ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip --keychain-profile "notarytool-profile" --wait | |
- name: Upload artifact | |
uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0 | |
with: | |
name: bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip | |
path: ./bws-macos-universal-${{ env._PACKAGE_VERSION }}.zip | |
if-no-files-found: error | |
third_party: | |
name: Generate THIRDPARTY.html | |
runs-on: ubuntu-22.04 | |
needs: | |
- setup | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Install rust | |
uses: dtolnay/rust-toolchain@be73d7920c329f220ce78e0234b8f96b7ae60248 # stable | |
with: | |
toolchain: stable | |
- name: Cache cargo registry | |
uses: Swatinem/rust-cache@23bce251a8cd2ffc3c1075eaa2367cf899916d84 # v2.7.3 | |
with: | |
key: cargo-cli-about | |
- name: Install cargo-about | |
run: cargo install cargo-about | |
- name: Generate THIRDPARTY.html | |
working-directory: ./crates/bws | |
run: | | |
cargo about generate ../../about.hbs > THIRDPARTY.html | |
sed -i.bak 's/\$NAME\$/Bitwarden Secrets Manager CLI/g' THIRDPARTY.html | |
- name: Upload artifact | |
uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0 | |
with: | |
name: THIRDPARTY.html | |
path: ./crates/bws/THIRDPARTY.html | |
if-no-files-found: error |