From 59d2dd4381a9565e5658b97c2ad8801253c2710d Mon Sep 17 00:00:00 2001
From: Michal Checinski
Date: Wed, 24 Jan 2024 12:34:59 +0100
Subject: [PATCH 01/14] Add cli singning for windows
---
 .github/workflows/build-cli.yml | 86 +++++++++++++++++++++++++++++++++
 1 file changed, 86 insertions(+)
diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml
index 70922b786..178fa2982 100644
--- a/.github/workflows/build-cli.yml
+++ b/.github/workflows/build-cli.yml
@@ -30,6 +30,92 @@ jobs: VERSION=$(grep -o '^version = ".*"' crates/bws/Cargo.toml | grep -Eo "[0-9]+\.[0-9]+\.[0-9]+") echo "package_version=$VERSION" >> $GITHUB_OUTPUT + build-windows: + name: Building CLI for - ${{ matrix.settings.os }} - ${{ matrix.settings.target }} + runs-on: ${{ matrix.settings.os || 'ubuntu-latest' }} + needs: + - setup + env: + _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }} + strategy: + fail-fast: false + matrix: + settings: + - os: windows-2022 + target: x86_64-pc-windows-msvc + + - os: windows-2022 + target: aarch64-pc-windows-msvc + steps: + - name: Checkout repo + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Install rust + uses: dtolnay/rust-toolchain@be73d7920c329f220ce78e0234b8f96b7ae60248 # stable + with: + toolchain: stable + targets: ${{ matrix.settings.target }} + + - name: Cache cargo registry + uses: Swatinem/rust-cache@3cf7f8cc28d1b4e7d01e3783be10a97d55d483c8 # v2.7.1 + with: + key: ${{ matrix.settings.target }}-cargo-${{ matrix.settings.os }} + + - name: Build + env: + TARGET: ${{ matrix.settings.target }} + run: cargo build ${{ matrix.features }} -p bws --release --target=${{ matrix.settings.target }} + + - name: Login to Azure + uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7 + with: + creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + + - name: Retrieve secrets + id: retrieve-secrets-windows + uses: bitwarden/gh-actions/get-keyvault-secrets@main + with: + keyvault: "bitwarden-ci" + secrets: "code-signing-vault-url, + code-signing-client-id, + code-signing-tenant-id, + code-signing-client-secret, + code-signing-cert-name" + + - name: Install AST + run: dotnet tool install --global AzureSignTool --version 4.0.1 + + - name: Sign windows binary + env: + SIGNING_VAULT_URL: ${{ steps.retrieve-secrets-windows.outputs.code-signing-vault-url }} + SIGNING_CLIENT_ID: ${{ steps.retrieve-secrets-windows.outputs.code-signing-client-id }} + SIGNING_TENANT_ID: 
${{ steps.retrieve-secrets-windows.outputs.code-signing-tenant-id }} + SIGNING_CLIENT_SECRET: ${{ steps.retrieve-secrets-windows.outputs.code-signing-client-secret }} + SIGNING_CERT_NAME: ${{ steps.retrieve-secrets-windows.outputs.code-signing-cert-name }} + run: | + azuresigntool sign -v \ + -kvu $SIGNING_VAULT_URL \ + -kvi $SIGNING_CLIENT_ID \ + -kvt $SIGNING_TENANT_ID \ + -kvs $SIGNING_CLIENT_SECRET \ + -kvc $SIGNING_CERT_NAME \ + -fd sha256 \ + -du https://bitwarden.com \ + -tr http://timestamp.digicert.com \ + ./target/${{ matrix.settings.target }}/release/bws.exe + + - name: Zip + shell: cmd + if: runner.os == 'Windows' + run: 7z a ./bws-${{ matrix.settings.target }}-%_PACKAGE_VERSION%.zip ./target/${{ matrix.settings.target }}/release/bws.exe + + - name: Upload artifact + uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0 + with: + name: bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip + path: ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip + if-no-files-found: error + build: name: Building CLI for - ${{ matrix.settings.os }} - ${{ matrix.settings.target }} runs-on: ${{ matrix.settings.os || 'ubuntu-latest' }} From 1ccfd16fa931e58641ed7af79563d6a1b2a4c06c Mon Sep 17 00:00:00 2001 From: Michal Checinski Date: Wed, 24 Jan 2024 12:36:56 +0100 Subject: [PATCH 02/14] Remove windows from build matrix --- .github/workflows/build-cli.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index 178fa2982..a7cf895b7 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml @@ -133,12 +133,6 @@ jobs: - os: macos-12 target: aarch64-apple-darwin - - os: windows-2022 - target: x86_64-pc-windows-msvc - - - os: windows-2022 - target: aarch64-pc-windows-msvc - - os: ubuntu-22.04 target: x86_64-unknown-linux-gnu From 803b27ab6d2dbb9bb06ed1fc7eda751ccdba8bd4 Mon Sep 17 00:00:00 2001 
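Review bot: `uses: bitwarden/gh-actions/get-keyvault-secrets@main` in the new build-windows job is the only action reference on a mutable branch, and it is the step that runs under the Azure login session and hands back the code-signing client secret and certificate name; every other action in this hunk is pinned to a commit SHA, so pin this one the same way (`uses: bitwarden/gh-actions/get-keyvault-secrets@<commit-sha> # <tag>`, placeholders to be filled in). The `Sign windows binary` step also relies on bash syntax (`$SIGNING_VAULT_URL` expansion, trailing `\` continuations) without setting `shell:`; on windows-2022 the default run shell is pwsh unless a workflow-level `defaults.run.shell` exists outside this hunk, so adding `shell: bash` to that step makes the intended interpreter explicit. The `Zip` step setting `shell: cmd` explicitly suggests the default is not cmd, but the workflow header is not visible here.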
From: Michal Checinski Date: Wed, 24 Jan 2024 12:38:05 +0100 Subject: [PATCH 03/14] Remove unnecessary ifs --- .github/workflows/build-cli.yml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index a7cf895b7..882cda1c3 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml @@ -106,7 +106,6 @@ jobs: - name: Zip shell: cmd - if: runner.os == 'Windows' run: 7z a ./bws-${{ matrix.settings.target }}-%_PACKAGE_VERSION%.zip ./target/${{ matrix.settings.target }}/release/bws.exe - name: Upload artifact @@ -169,13 +168,7 @@ jobs: TARGET: ${{ matrix.settings.target }} run: cross build ${{ matrix.features }} -p bws --release --target=${{ matrix.settings.target }} - - name: Zip Windows - shell: cmd - if: runner.os == 'Windows' - run: 7z a ./bws-${{ matrix.settings.target }}-%_PACKAGE_VERSION%.zip ./target/${{ matrix.settings.target }}/release/bws.exe - - name: Zip Unix - if: runner.os != 'Windows' run: zip -j ./bws-${{ matrix.settings.target }}-${{ env._PACKAGE_VERSION }}.zip ./target/${{ matrix.settings.target }}/release/bws - name: Upload artifact From 404a2dfaf75a65e657c770f91660c08b79ef06fe Mon Sep 17 00:00:00 2001 From: Michal Checinski Date: Wed, 24 Jan 2024 14:05:14 +0100 Subject: [PATCH 04/14] Display if the windows exe is signed --- .github/workflows/build-cli.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index 882cda1c3..4afec4901 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml 
@@ -104,6 +104,9 @@ jobs: -tr http://timestamp.digicert.com \ ./target/${{ matrix.settings.target }}/release/bws.exe + signtool verify /pa /v ./target/${{ matrix.settings.target }}/release/bws.exe + if %ERRORLEVEL% GEQ 1 echo This file is not signed. + - name: Zip shell: cmd run: 7z a ./bws-${{ matrix.settings.target }}-%_PACKAGE_VERSION%.zip ./target/${{ matrix.settings.target }}/release/bws.exe From f0427b9b9ba3011ee11783b354e49b11eba71152 Mon Sep 17 00:00:00 2001 From: Michal Checinski Date: Wed, 24 Jan 2024 14:06:57 +0100 Subject: [PATCH 05/14] change signtool --- .github/workflows/build-cli.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index 4afec4901..874f6cd39 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml @@ -104,7 +104,7 @@ jobs: -tr http://timestamp.digicert.com \ ./target/${{ matrix.settings.target }}/release/bws.exe - signtool verify /pa /v ./target/${{ matrix.settings.target }}/release/bws.exe + & 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x86/signtool.exe' verify /pa /v ./target/${{ matrix.settings.target }}/release/bws.exe if %ERRORLEVEL% GEQ 1 echo This file is not signed. - name: Zip From 2db7183d6e6a4aed9d8b45741a1304473aee02fd Mon Sep 17 00:00:00 2001 From: Michal Checinski Date: Wed, 24 Jan 2024 14:12:51 +0100 Subject: [PATCH 06/14] maybe fix check --- .github/workflows/build-cli.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index 874f6cd39..f23f58d07 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml 
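Review bot: The added `if %ERRORLEVEL% GEQ 1 echo This file is not signed.` only prints, so a bws.exe that fails `signtool verify` still flows into the Zip and Upload artifact steps, and a verification that cannot block the artifact gives little assurance. It is also cmd syntax, while this step, unlike Zip, does not set `shell: cmd`, so in the step's actual shell the line is not evaluated as a conditional. Let the non-zero exit status of `signtool verify` fail the step instead: drop the echo line and run the verify under a shell that stops on error (or `exit /b 1` if the step is moved to cmd). The `run:` block this hunk patches begins before the hunk.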
@@ -104,7 +104,7 @@ jobs: -tr http://timestamp.digicert.com \ ./target/${{ matrix.settings.target }}/release/bws.exe - & 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x86/signtool.exe' verify /pa /v ./target/${{ matrix.settings.target }}/release/bws.exe + 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x86/signtool.exe' verify /pa /v ./target/${{ matrix.settings.target }}/release/bws.exe if %ERRORLEVEL% GEQ 1 echo This file is not signed. - name: Zip From 54cb711eb841963805b9f839be5483726cd80f6f Mon Sep 17 00:00:00 2001 From: Michal Checinski Date: Wed, 24 Jan 2024 14:45:52 +0100 Subject: [PATCH 07/14] Remove cert check --- .github/workflows/build-cli.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index f23f58d07..882cda1c3 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml @@ -104,9 +104,6 @@ jobs: -tr http://timestamp.digicert.com \ ./target/${{ matrix.settings.target }}/release/bws.exe - 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x86/signtool.exe' verify /pa /v ./target/${{ matrix.settings.target }}/release/bws.exe - if %ERRORLEVEL% GEQ 1 echo This file is not signed. - - name: Zip shell: cmd run: 7z a ./bws-${{ matrix.settings.target }}-%_PACKAGE_VERSION%.zip ./target/${{ matrix.settings.target }}/release/bws.exe From 8600593532fd7131fd4945e7e1f7f1adceb0dd44 Mon Sep 17 00:00:00 2001 From: Michal Checinski Date: Thu, 25 Jan 2024 15:59:41 +0100 Subject: [PATCH 08/14] Add conditional signing --- .github/workflows/build-cli.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index 882cda1c3..739693e1b 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml 
@@ -20,6 +20,7 @@ jobs: runs-on: ubuntu-22.04 outputs: package_version: ${{ steps.retrieve-version.outputs.package_version }} + sign: ${{ steps.sign.outputs.sign }} steps: - name: Checkout repo uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 @@ -30,6 +31,16 @@ jobs: VERSION=$(grep -o '^version = ".*"' crates/bws/Cargo.toml | grep -Eo "[0-9]+\.[0-9]+\.[0-9]+") echo "package_version=$VERSION" >> $GITHUB_OUTPUT + - name: Sign if branch is main or rc + id: sign + run: | + if [[ $GITHUB_REF == refs/heads/main || $GITHUB_REF == refs/heads/rc ]]; then + echo "sign=true" >> $GITHUB_OUTPUT + fi + echo "sign=false" >> $GITHUB_OUTPUT + + + build-windows: name: Building CLI for - ${{ matrix.settings.os }} - ${{ matrix.settings.target }} runs-on: ${{ matrix.settings.os || 'ubuntu-latest' }} @@ -67,11 +78,13 @@ jobs: run: cargo build ${{ matrix.features }} -p bws --release --target=${{ matrix.settings.target }} - name: Login to Azure + if: ${{ needs.setup.outputs.sign == 'true' }} uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7 with: creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} - name: Retrieve secrets + if: ${{ needs.setup.outputs.sign == 'true' }} id: retrieve-secrets-windows uses: bitwarden/gh-actions/get-keyvault-secrets@main with: @@ -83,9 +96,11 @@ jobs: code-signing-cert-name" - name: Install AST + if: ${{ needs.setup.outputs.sign == 'true' }} run: dotnet tool install --global AzureSignTool --version 4.0.1 - name: Sign windows binary + if: ${{ needs.setup.outputs.sign == 'true' }} env: SIGNING_VAULT_URL: ${{ steps.retrieve-secrets-windows.outputs.code-signing-vault-url }} SIGNING_CLIENT_ID: ${{ steps.retrieve-secrets-windows.outputs.code-signing-client-id }} From 98d79634737ab24ad3e8b9f1f68c54144b0144e6 Mon Sep 17 00:00:00 2001 From: Michal Checinski Date: Thu, 25 Jan 2024 16:01:29 +0100 Subject: [PATCH 09/14] Ran prettier --- .github/workflows/build-cli.yml | 2 -- 1 file changed, 2 deletions(-) 
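Review bot: In the new `Sign if branch is main or rc` step, `echo "sign=false" >> $GITHUB_OUTPUT` runs unconditionally after the `fi`, so on main and rc the output is written twice and the runner keeps the last value written for the same name; `sign` is therefore `false` on every run and each step gated on `needs.setup.outputs.sign == 'true'` in the following two hunks is always skipped, meaning no signed Windows binary is ever produced. Move the false case into an else branch: `else`, `  echo "sign=false" >> $GITHUB_OUTPUT`, `fi`. The same two lines survive unchanged as context in the hunks of patches 11, 12 and 14, so the fix applies to the final state of the series as well.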
diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index 739693e1b..d770d18fc 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml @@ -39,8 +39,6 @@ jobs: fi echo "sign=false" >> $GITHUB_OUTPUT - - build-windows: name: Building CLI for - ${{ matrix.settings.os }} - ${{ matrix.settings.target }} runs-on: ${{ matrix.settings.os || 'ubuntu-latest' }} From ee90da787d693b89b476700e90f01267f1757775 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Ch=C4=99ci=C5=84ski?= Date: Fri, 26 Jan 2024 09:29:07 +0100 Subject: [PATCH 10/14] Update .github/workflows/build-cli.yml Co-authored-by: Vince Grassia <593223+vgrassia@users.noreply.github.com> --- .github/workflows/build-cli.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index d770d18fc..4c406a167 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml @@ -42,8 +42,7 @@ jobs: build-windows: name: Building CLI for - ${{ matrix.settings.os }} - ${{ matrix.settings.target }} runs-on: ${{ matrix.settings.os || 'ubuntu-latest' }} - needs: - - setup + needs: setup env: _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }} strategy: From 01bc7c3a4c16bd82e3cd489b395171a787c3cfb5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Ch=C4=99ci=C5=84ski?= Date: Fri, 26 Jan 2024 09:31:52 +0100 Subject: [PATCH 11/14] change check for signing --- .github/workflows/build-cli.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index 4c406a167..dfbf80102 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml 
@@ -33,8 +33,10 @@ jobs: - name: Sign if branch is main or rc id: sign + env: + REPO_OWNER: ${{ github.repository_owner }} run: | - if [[ $GITHUB_REF == refs/heads/main || $GITHUB_REF == refs/heads/rc ]]; then + if [[ $REPO_OWNER == bitwarden ]]; then echo "sign=true" >> $GITHUB_OUTPUT fi echo "sign=false" >> $GITHUB_OUTPUT From 04e745af6de962d5fb5a0171ec3b47f972456696 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Ch=C4=99ci=C5=84ski?= Date: Wed, 31 Jan 2024 17:32:05 +0100 Subject: [PATCH 12/14] Update .github/workflows/build-cli.yml Co-authored-by: Vince Grassia <593223+vgrassia@users.noreply.github.com> --- .github/workflows/build-cli.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index dfbf80102..9db7a91fc 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml @@ -31,7 +31,7 @@ jobs: VERSION=$(grep -o '^version = ".*"' crates/bws/Cargo.toml | grep -Eo "[0-9]+\.[0-9]+\.[0-9]+") echo "package_version=$VERSION" >> $GITHUB_OUTPUT - - name: Sign if branch is main or rc + - name: Sign if repo is owned by Bitwarden id: sign env: REPO_OWNER: ${{ github.repository_owner }} From e9c7ff7fcb61e83022a4d7ea531ff71e39902c57 Mon Sep 17 00:00:00 2001 From: Michal Checinski Date: Fri, 23 Feb 2024 15:17:32 +0100 Subject: [PATCH 13/14] Fix --- .github/workflows/build-cli.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index 43b366b5e..138a047c2 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml @@ -146,12 +146,6 @@ jobs: - os: macos-12 target: aarch64-apple-darwin - - os: windows-2022 - target: x86_64-pc-windows-msvc - - - os: windows-2022 - target: aarch64-pc-windows-msvc - - os: ubuntu-20.04 target: x86_64-unknown-linux-gnu From a602d0ecb7c877c4a762555244fe0fad7ca7dc42 Mon Sep 17 00:00:00 2001 
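Review bot: Replacing the ref check with `[[ $REPO_OWNER == bitwarden ]]` makes the signing steps run for every build in the org, including `pull_request` runs from forks if the workflow has that trigger (outside this hunk), where `secrets.AZURE_KV_CI_SERVICE_PRINCIPAL` is not populated and the Azure login step would fail rather than be skipped. It also signs every branch build with the release certificate instead of only main/rc artifacts, which widens the set of signed binaries that exist for unreleased code. If both are intended, a comment on the step such as `# Sign all in-org builds; fork PRs have no secrets and will fail at Azure login` would spare the next reader the same question; otherwise combine the owner check with an event or head-repo check.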
From: Michal Checinski Date: Fri, 23 Feb 2024 16:53:32 +0100 Subject: [PATCH 14/14] lint --- .github/workflows/build-cli.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-cli.yml b/.github/workflows/build-cli.yml index 550a7e2da..e60928807 100644 --- a/.github/workflows/build-cli.yml +++ b/.github/workflows/build-cli.yml @@ -30,7 +30,7 @@ jobs: run: | VERSION=$(grep -o '^version = ".*"' crates/bws/Cargo.toml | grep -Eo "[0-9]+\.[0-9]+\.[0-9]+") echo "package_version=$VERSION" >> $GITHUB_OUTPUT - + - name: Sign if repo is owned by Bitwarden id: sign env: