
[BRE-610] - Sign windows CLI (#13542)

* [BRE-610] - Sign windows CLI

* little fix

* testing path to script

* testing script path

* Testing windows signing script

* single line run

---------

Co-authored-by: Andy Pixley <3723676+pixman20@users.noreply.github.com>
This commit is contained in:
Opeyemi
2025-02-26 13:17:24 +00:00
committed by GitHub
parent cb028eadb5
commit 164f15d9f9
3 changed files with 78 additions and 2 deletions


@@ -205,6 +205,9 @@ jobs:
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: Install AST
run: dotnet tool install --global AzureSignTool --version 4.0.1
- name: Setup Windows builder
run: |
choco install checksum --no-progress
@@ -273,6 +276,24 @@ jobs:
ResourceHacker -open version-info.rc -save version-info.res -action compile
ResourceHacker -open %WIN_PKG_BUILT% -save %WIN_PKG_BUILT% -action addoverwrite -resource version-info.res
- name: Login to Azure
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
with:
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
- name: Retrieve secrets
id: retrieve-secrets
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
uses: bitwarden/gh-actions/get-keyvault-secrets@main
with:
keyvault: "bitwarden-ci"
secrets: "code-signing-vault-url,
code-signing-client-id,
code-signing-tenant-id,
code-signing-client-secret,
code-signing-cert-name"
- name: Install
run: npm ci
working-directory: ./
@@ -300,6 +321,18 @@ jobs:
- name: Build & Package Windows
run: npm run dist:${{ matrix.license_type.build_prefix }}:win --quiet
- name: Sign executable
if: ${{ needs.setup.outputs.has_secrets == 'true' }}
shell: pwsh
env:
SIGNING_VAULT_URL: ${{ steps.retrieve-secrets.outputs.code-signing-vault-url }}
SIGNING_CLIENT_ID: ${{ steps.retrieve-secrets.outputs.code-signing-client-id }}
SIGNING_TENANT_ID: ${{ steps.retrieve-secrets.outputs.code-signing-tenant-id }}
SIGNING_CLIENT_SECRET: ${{ steps.retrieve-secrets.outputs.code-signing-client-secret }}
SIGNING_CERT_NAME: ${{ steps.retrieve-secrets.outputs.code-signing-cert-name }}
EXE_PATH: dist/${{ matrix.license_type.build_prefix }}/windows/bw.exe
run: . .\scripts\sign-cli.ps1
- name: Package Chocolatey
shell: pwsh
if: ${{ matrix.license_type.build_prefix == 'bit' }}
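Review bot: The `Sign executable` step in the third hunk runs `scripts\sign-cli.ps1` and relies on the tool's exit status alone; nothing checks that `bw.exe` actually carries a valid signature before the later packaging steps pick it up. A follow-on line in the same `pwsh` step, such as `if ((Get-AuthenticodeSignature $env:EXE_PATH).Status -ne 'Valid') { exit 1 }`, would fail the job on an unsigned or badly signed binary instead of shipping it. In the second hunk, `bitwarden/gh-actions/get-keyvault-secrets@main` is pinned to a moving branch while `Azure/login` two lines above is pinned to a commit SHA; the action that hands out the code-signing credentials deserves the same pin. The `jobs:` mapping these steps belong to starts and ends outside the hunks.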


@@ -392,8 +392,7 @@ jobs:
run: node build.js cross-platform
- name: Build
run: |
npm run build
run: npm run build
- name: Pack
if: ${{ needs.setup.outputs.has_secrets == 'false' }}


@@ -0,0 +1,44 @@
function SignExe {
param (
[Parameter(Mandatory=$true)]
[ValidateScript({![string]::IsNullOrEmpty($_)})]
[string]$vaultUrl,
[Parameter(Mandatory=$false)]
[ValidateScript({![string]::IsNullOrEmpty($_)})]
[string]$clientId,
[Parameter(Mandatory=$false)]
[ValidateScript({![string]::IsNullOrEmpty($_)})]
[string]$tenantId,
[Parameter(Mandatory=$false)]
[ValidateScript({![string]::IsNullOrEmpty($_)})]
[string]$clientSecret,
[Parameter(Mandatory=$false)]
[ValidateScript({![string]::IsNullOrEmpty($_)})]
[string]$certName,
[Parameter(Mandatory=$false)]
[ValidateScript({Test-Path $_})]
[string] $exePath,
# [Parameter(Mandatory=$false)]
# [string] $hashAlgorithm, # -fd option
# [Parameter(Mandatory=$false)]
# [string] $site, # -du option
[Parameter(Mandatory=$false)]
[string] $timestampService = "http://timestamp.digicert.com"
)
echo "Signing $exePath ..."
azuresigntool sign -kvu $vaultUrl -kvi $clientId -kvt $tenantId -kvs $clientSecret -kvc $certName -tr $timestampService $exePath
}
SignExe -vaultUrl $env:SIGNING_VAULT_URL -clientId $env:SIGNING_CLIENT_ID -tenantId $env:SIGNING_TENANT_ID -clientSecret $env:SIGNING_CLIENT_SECRET -certName $env:SIGNING_CERT_NAME -exePath $env:EXE_PATH
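Review bot: `SignExe` ignores the exit code of the `azuresigntool sign` call, so a failed signing (bad credentials, missing certificate, timestamp service down) only surfaces if the caller happens to inspect `$LASTEXITCODE` afterwards; adding `if ($LASTEXITCODE -ne 0) { throw "azuresigntool failed with exit code $LASTEXITCODE" }` directly after the call, and `$ErrorActionPreference = 'Stop'` at the top of the script, makes the failure unconditional. The `clientId`, `tenantId`, `clientSecret`, `certName` and `exePath` parameters are declared `Mandatory=$false` while their validators reject empty values and the tool cannot sign without them; marking them `Mandatory=$true` like `$vaultUrl` states the contract plainly rather than leaving the outcome to how an unset environment variable binds. Note also that `$clientSecret` is handed to the tool as a plain command-line argument, where it is readable from the process list on the runner for the duration of the call; a comment such as `# client secret is passed as an argument: keep this script's output and any process tracing out of the job log` documents that constraint for the next maintainer.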