diff --git a/.github/secrets/appstore-app-cert.p12.gpg b/.github/secrets/appstore-app-cert.p12.gpg deleted file mode 100644 index deecea1cd00..00000000000 Binary files a/.github/secrets/appstore-app-cert.p12.gpg and /dev/null differ diff --git a/.github/secrets/appstore-installer-cert.p12.gpg b/.github/secrets/appstore-installer-cert.p12.gpg deleted file mode 100644 index fbf0175c458..00000000000 Binary files a/.github/secrets/appstore-installer-cert.p12.gpg and /dev/null differ diff --git a/.github/secrets/bitwarden-desktop-key.p12.gpg b/.github/secrets/bitwarden-desktop-key.p12.gpg deleted file mode 100644 index c9de5100b5b..00000000000 Binary files a/.github/secrets/bitwarden-desktop-key.p12.gpg and /dev/null differ diff --git a/.github/secrets/bitwarden_desktop_appstore.provisionprofile.gpg b/.github/secrets/bitwarden_desktop_appstore.provisionprofile.gpg deleted file mode 100644 index 79d59fb9fbc..00000000000 Binary files a/.github/secrets/bitwarden_desktop_appstore.provisionprofile.gpg and /dev/null differ diff --git a/.github/secrets/devid-app-cert.p12.gpg b/.github/secrets/devid-app-cert.p12.gpg deleted file mode 100644 index 8e2e2146e23..00000000000 Binary files a/.github/secrets/devid-app-cert.p12.gpg and /dev/null differ diff --git a/.github/secrets/devid-installer-cert.p12.gpg b/.github/secrets/devid-installer-cert.p12.gpg deleted file mode 100644 index f379fc214fe..00000000000 Binary files a/.github/secrets/devid-installer-cert.p12.gpg and /dev/null differ diff --git a/.github/secrets/macdev-cert.p12.gpg b/.github/secrets/macdev-cert.p12.gpg deleted file mode 100644 index 78e5914c1f2..00000000000 Binary files a/.github/secrets/macdev-cert.p12.gpg and /dev/null differ diff --git a/.github/workflows/build-browser.yml b/.github/workflows/build-browser.yml index 02c7f1b3363..0f7117aaf95 100644 --- a/.github/workflows/build-browser.yml +++ b/.github/workflows/build-browser.yml @@ -257,58 +257,72 @@ jobs: node --version npm --version - - name: Decrypt secrets + - name: Login to Azure + uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + with: + creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + + - name: Download Provisioning Profiles secrets env: - DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }} + ACCOUNT_NAME: bitwardenci + CONTAINER_NAME: profiles run: | mkdir -p $HOME/secrets - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/bitwarden-desktop-key.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/bitwarden-desktop-key.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/appstore-app-cert.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/appstore-app-cert.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/appstore-installer-cert.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/appstore-installer-cert.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/devid-app-cert.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/devid-app-cert.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/devid-installer-cert.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/devid-installer-cert.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/macdev-cert.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/macdev-cert.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/bitwarden_desktop_appstore.provisionprofile" \ - "$GITHUB_WORKSPACE/.github/secrets/bitwarden_desktop_appstore.provisionprofile.gpg" + + az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME \ + --name bitwarden_desktop_appstore.provisionprofile \ + --file $HOME/secrets/bitwarden_desktop_appstore.provisionprofile \ + --output none + + - name: Get certificates + run: | + mkdir -p $HOME/certificates + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/bitwarden-desktop-key | + jq -r .value | base64 -d > $HOME/certificates/bitwarden-desktop-key.p12 + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/appstore-app-cert | + jq -r .value | base64 -d > $HOME/certificates/appstore-app-cert.p12 + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/appstore-installer-cert | + jq -r .value | base64 -d > $HOME/certificates/appstore-installer-cert.p12 + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/devid-app-cert | + jq -r .value | base64 -d > $HOME/certificates/devid-app-cert.p12 + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/devid-installer-cert | + jq -r .value | base64 -d > $HOME/certificates/devid-installer-cert.p12 + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/macdev-cert | + jq -r .value | base64 -d > $HOME/certificates/macdev-cert.p12 - name: Set up keychain env: KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} - DESKTOP_KEY_PASSWORD: ${{ secrets.DESKTOP_KEY_PASSWORD }} - DEVID_CERT_PASSWORD: ${{ secrets.DEVID_CERT_PASSWORD }} - APPSTORE_CERT_PASSWORD: ${{ secrets.APPSTORE_CERT_PASSWORD }} - MACDEV_CERT_PASSWORD: ${{ secrets.MACDEV_CERT_PASSWORD }} - APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }} run: | security create-keychain -p $KEYCHAIN_PASSWORD build.keychain security default-keychain -s build.keychain security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain security set-keychain-settings -lut 1200 build.keychain - security import "$HOME/secrets/bitwarden-desktop-key.p12" -k build.keychain -P $DESKTOP_KEY_PASSWORD \ + + security import "$HOME/certificates/bitwarden-desktop-key.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security import "$HOME/secrets/devid-app-cert.p12" -k build.keychain -P $DEVID_CERT_PASSWORD \ + + security import "$HOME/certificates/devid-app-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security import "$HOME/secrets/devid-installer-cert.p12" -k build.keychain -P $DEVID_CERT_PASSWORD \ + + security import "$HOME/certificates/devid-installer-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security import "$HOME/secrets/appstore-app-cert.p12" -k build.keychain -P $APPSTORE_CERT_PASSWORD \ + + security import "$HOME/certificates/appstore-app-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security import "$HOME/secrets/appstore-installer-cert.p12" -k build.keychain -P $APPSTORE_CERT_PASSWORD \ + + security import "$HOME/certificates/appstore-installer-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security import "$HOME/secrets/macdev-cert.p12" -k build.keychain -P $MACDEV_CERT_PASSWORD \ + + security import "$HOME/certificates/macdev-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild + security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain - name: NPM setup diff --git a/.github/workflows/build-desktop.yml b/.github/workflows/build-desktop.yml index 03629aa5fd2..e285bec0f80 100644 --- a/.github/workflows/build-desktop.yml +++ b/.github/workflows/build-desktop.yml @@ -485,58 +485,72 @@ jobs: path: apps/browser/dist/Safari key: ${{ runner.os }}-${{ github.run_id }}-safari-extension - - name: Decrypt secrets + - name: Login to Azure + uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + with: + creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + + - name: Download Provisioning Profiles secrets env: - DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }} + ACCOUNT_NAME: bitwardenci + CONTAINER_NAME: profiles run: | mkdir -p $HOME/secrets - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/bitwarden-desktop-key.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/bitwarden-desktop-key.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/appstore-app-cert.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/appstore-app-cert.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/appstore-installer-cert.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/appstore-installer-cert.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/devid-app-cert.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/devid-app-cert.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/devid-installer-cert.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/devid-installer-cert.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/macdev-cert.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/macdev-cert.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/bitwarden_desktop_appstore.provisionprofile" \ - "$GITHUB_WORKSPACE/.github/secrets/bitwarden_desktop_appstore.provisionprofile.gpg" + + az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME \ + --name bitwarden_desktop_appstore.provisionprofile \ + --file $HOME/secrets/bitwarden_desktop_appstore.provisionprofile \ + --output none + + - name: Get certificates + run: | + mkdir -p $HOME/certificates + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/bitwarden-desktop-key | + jq -r .value | base64 -d > $HOME/certificates/bitwarden-desktop-key.p12 + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/appstore-app-cert | + jq -r .value | base64 -d > $HOME/certificates/appstore-app-cert.p12 + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/appstore-installer-cert | + jq -r .value | base64 -d > $HOME/certificates/appstore-installer-cert.p12 + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/devid-app-cert | + jq -r .value | base64 -d > $HOME/certificates/devid-app-cert.p12 + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/devid-installer-cert | + jq -r .value | base64 -d > $HOME/certificates/devid-installer-cert.p12 + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/macdev-cert | + jq -r .value | base64 -d > $HOME/certificates/macdev-cert.p12 - name: Set up keychain env: KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} - DESKTOP_KEY_PASSWORD: ${{ secrets.DESKTOP_KEY_PASSWORD }} - DEVID_CERT_PASSWORD: ${{ secrets.DEVID_CERT_PASSWORD }} - APPSTORE_CERT_PASSWORD: ${{ secrets.APPSTORE_CERT_PASSWORD }} - MACDEV_CERT_PASSWORD: ${{ secrets.MACDEV_CERT_PASSWORD }} - APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }} run: | security create-keychain -p $KEYCHAIN_PASSWORD build.keychain security default-keychain -s build.keychain security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain security set-keychain-settings -lut 1200 build.keychain - security import "$HOME/secrets/bitwarden-desktop-key.p12" -k build.keychain -P $DESKTOP_KEY_PASSWORD \ + + security import "$HOME/certificates/bitwarden-desktop-key.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security import "$HOME/secrets/devid-app-cert.p12" -k build.keychain -P $DEVID_CERT_PASSWORD \ + + security import "$HOME/certificates/devid-app-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security import "$HOME/secrets/devid-installer-cert.p12" -k build.keychain -P $DEVID_CERT_PASSWORD \ + + security import "$HOME/certificates/devid-installer-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security import "$HOME/secrets/appstore-app-cert.p12" -k build.keychain -P $APPSTORE_CERT_PASSWORD \ + + security import "$HOME/certificates/appstore-app-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security import "$HOME/secrets/appstore-installer-cert.p12" -k build.keychain -P $APPSTORE_CERT_PASSWORD \ + + security import "$HOME/certificates/appstore-installer-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security import "$HOME/secrets/macdev-cert.p12" -k build.keychain -P $MACDEV_CERT_PASSWORD \ + + security import "$HOME/certificates/macdev-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild + security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain - name: Set up provisioning profiles @@ -632,58 +646,72 @@ jobs: path: apps/browser/dist/Safari key: ${{ runner.os }}-${{ github.run_id }}-safari-extension - - name: Decrypt secrets + - name: Login to Azure + uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + with: + creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + + - name: Download Provisioning Profiles secrets env: - DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }} + ACCOUNT_NAME: bitwardenci + CONTAINER_NAME: profiles run: | mkdir -p $HOME/secrets - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/bitwarden-desktop-key.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/bitwarden-desktop-key.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/appstore-app-cert.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/appstore-app-cert.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/appstore-installer-cert.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/appstore-installer-cert.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/devid-app-cert.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/devid-app-cert.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/devid-installer-cert.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/devid-installer-cert.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/macdev-cert.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/macdev-cert.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/bitwarden_desktop_appstore.provisionprofile" \ - "$GITHUB_WORKSPACE/.github/secrets/bitwarden_desktop_appstore.provisionprofile.gpg" + + az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME \ + --name bitwarden_desktop_appstore.provisionprofile \ + --file $HOME/secrets/bitwarden_desktop_appstore.provisionprofile \ + --output none + + - name: Get certificates + run: | + mkdir -p $HOME/certificates + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/bitwarden-desktop-key | + jq -r .value | base64 -d > $HOME/certificates/bitwarden-desktop-key.p12 + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/appstore-app-cert | + jq -r .value | base64 -d > $HOME/certificates/appstore-app-cert.p12 + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/appstore-installer-cert | + jq -r .value | base64 -d > $HOME/certificates/appstore-installer-cert.p12 + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/devid-app-cert | + jq -r .value | base64 -d > $HOME/certificates/devid-app-cert.p12 + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/devid-installer-cert | + jq -r .value | base64 -d > $HOME/certificates/devid-installer-cert.p12 + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/macdev-cert | + jq -r .value | base64 -d > $HOME/certificates/macdev-cert.p12 - name: Set up keychain env: KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} - DESKTOP_KEY_PASSWORD: ${{ secrets.DESKTOP_KEY_PASSWORD }} - DEVID_CERT_PASSWORD: ${{ secrets.DEVID_CERT_PASSWORD }} - APPSTORE_CERT_PASSWORD: ${{ secrets.APPSTORE_CERT_PASSWORD }} - MACDEV_CERT_PASSWORD: ${{ secrets.MACDEV_CERT_PASSWORD }} - APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }} run: | security create-keychain -p $KEYCHAIN_PASSWORD build.keychain security default-keychain -s build.keychain security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain security set-keychain-settings -lut 1200 build.keychain - security import "$HOME/secrets/bitwarden-desktop-key.p12" -k build.keychain -P $DESKTOP_KEY_PASSWORD \ + + security import "$HOME/certificates/bitwarden-desktop-key.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security import "$HOME/secrets/devid-app-cert.p12" -k build.keychain -P $DEVID_CERT_PASSWORD \ + + security import "$HOME/certificates/devid-app-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security import "$HOME/secrets/devid-installer-cert.p12" -k build.keychain -P $DEVID_CERT_PASSWORD \ + + security import "$HOME/certificates/devid-installer-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security import "$HOME/secrets/appstore-app-cert.p12" -k build.keychain -P $APPSTORE_CERT_PASSWORD \ + + security import "$HOME/certificates/appstore-app-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security import "$HOME/secrets/appstore-installer-cert.p12" -k build.keychain -P $APPSTORE_CERT_PASSWORD \ + + security import "$HOME/certificates/appstore-installer-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security import "$HOME/secrets/macdev-cert.p12" -k build.keychain -P $MACDEV_CERT_PASSWORD \ + + security import "$HOME/certificates/macdev-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild + security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain - name: Set up provisioning profiles @@ -824,58 +852,72 @@ jobs: path: apps/browser/dist/Safari key: ${{ runner.os }}-${{ github.run_id }}-safari-extension - - name: Decrypt secrets + - name: Login to Azure + uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + with: + creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + + - name: Download Provisioning Profiles secrets env: - DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }} + ACCOUNT_NAME: bitwardenci + CONTAINER_NAME: profiles run: | mkdir -p $HOME/secrets - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/bitwarden-desktop-key.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/bitwarden-desktop-key.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/appstore-app-cert.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/appstore-app-cert.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/appstore-installer-cert.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/appstore-installer-cert.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/devid-app-cert.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/devid-app-cert.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/devid-installer-cert.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/devid-installer-cert.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/macdev-cert.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/macdev-cert.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/bitwarden_desktop_appstore.provisionprofile" \ - "$GITHUB_WORKSPACE/.github/secrets/bitwarden_desktop_appstore.provisionprofile.gpg" + + az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME \ + --name bitwarden_desktop_appstore.provisionprofile \ + --file $HOME/secrets/bitwarden_desktop_appstore.provisionprofile \ + --output none + + - name: Get certificates + run: | + mkdir -p $HOME/certificates + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/bitwarden-desktop-key | + jq -r .value | base64 -d > $HOME/certificates/bitwarden-desktop-key.p12 + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/appstore-app-cert | + jq -r .value | base64 -d > $HOME/certificates/appstore-app-cert.p12 + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/appstore-installer-cert | + jq -r .value | base64 -d > $HOME/certificates/appstore-installer-cert.p12 + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/devid-app-cert | + jq -r .value | base64 -d > $HOME/certificates/devid-app-cert.p12 + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/devid-installer-cert | + jq -r .value | base64 -d > $HOME/certificates/devid-installer-cert.p12 + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/macdev-cert | + jq -r .value | base64 -d > $HOME/certificates/macdev-cert.p12 - name: Set up keychain env: KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} - DESKTOP_KEY_PASSWORD: ${{ secrets.DESKTOP_KEY_PASSWORD }} - DEVID_CERT_PASSWORD: ${{ secrets.DEVID_CERT_PASSWORD }} - APPSTORE_CERT_PASSWORD: ${{ secrets.APPSTORE_CERT_PASSWORD }} - MACDEV_CERT_PASSWORD: ${{ secrets.MACDEV_CERT_PASSWORD }} - APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }} run: | security create-keychain -p $KEYCHAIN_PASSWORD build.keychain security default-keychain -s build.keychain security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain security set-keychain-settings -lut 1200 build.keychain - security import "$HOME/secrets/bitwarden-desktop-key.p12" -k build.keychain -P $DESKTOP_KEY_PASSWORD \ + + security import "$HOME/certificates/bitwarden-desktop-key.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security import "$HOME/secrets/devid-app-cert.p12" -k build.keychain -P $DEVID_CERT_PASSWORD \ + + security import "$HOME/certificates/devid-app-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security import "$HOME/secrets/devid-installer-cert.p12" -k build.keychain -P $DEVID_CERT_PASSWORD \ + + security import "$HOME/certificates/devid-installer-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security import "$HOME/secrets/appstore-app-cert.p12" -k build.keychain -P $APPSTORE_CERT_PASSWORD \ + + security import "$HOME/certificates/appstore-app-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security import "$HOME/secrets/appstore-installer-cert.p12" -k build.keychain -P $APPSTORE_CERT_PASSWORD \ + + security import "$HOME/certificates/appstore-installer-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security import "$HOME/secrets/macdev-cert.p12" -k build.keychain -P $MACDEV_CERT_PASSWORD \ + + security import "$HOME/certificates/macdev-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild + security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain - name: Set up provisioning profiles @@ -1003,58 +1045,72 @@ jobs: path: apps/browser/dist/Safari key: ${{ runner.os }}-${{ github.run_id }}-safari-extension - - name: Decrypt secrets + - name: Login to Azure + uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + with: + creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + + - name: Download Provisioning Profiles secrets env: - DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }} + ACCOUNT_NAME: bitwardenci + CONTAINER_NAME: profiles run: | mkdir -p $HOME/secrets - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/bitwarden-desktop-key.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/bitwarden-desktop-key.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/appstore-app-cert.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/appstore-app-cert.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/appstore-installer-cert.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/appstore-installer-cert.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/devid-app-cert.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/devid-app-cert.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/devid-installer-cert.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/devid-installer-cert.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/macdev-cert.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/macdev-cert.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/bitwarden_desktop_appstore.provisionprofile" \ - "$GITHUB_WORKSPACE/.github/secrets/bitwarden_desktop_appstore.provisionprofile.gpg" + + az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME \ + --name bitwarden_desktop_appstore.provisionprofile \ + --file $HOME/secrets/bitwarden_desktop_appstore.provisionprofile \ + --output none + + - name: Get certificates + run: | + mkdir -p $HOME/certificates + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/bitwarden-desktop-key | + jq -r .value | base64 -d > $HOME/certificates/bitwarden-desktop-key.p12 + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/appstore-app-cert | + jq -r .value | base64 -d > $HOME/certificates/appstore-app-cert.p12 + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/appstore-installer-cert | + jq -r .value | base64 -d > $HOME/certificates/appstore-installer-cert.p12 + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/devid-app-cert | + jq -r .value | base64 -d > $HOME/certificates/devid-app-cert.p12 + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/devid-installer-cert | + jq -r .value | base64 -d > $HOME/certificates/devid-installer-cert.p12 + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/macdev-cert | + jq -r .value | base64 -d > $HOME/certificates/macdev-cert.p12 - name: Set up keychain env: KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} - DESKTOP_KEY_PASSWORD: ${{ secrets.DESKTOP_KEY_PASSWORD }} - DEVID_CERT_PASSWORD: ${{ secrets.DEVID_CERT_PASSWORD }} - APPSTORE_CERT_PASSWORD: ${{ secrets.APPSTORE_CERT_PASSWORD }} - MACDEV_CERT_PASSWORD: ${{ secrets.MACDEV_CERT_PASSWORD }} - APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }} run: | security create-keychain -p $KEYCHAIN_PASSWORD build.keychain security default-keychain -s build.keychain security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain security set-keychain-settings -lut 1200 build.keychain - security import "$HOME/secrets/bitwarden-desktop-key.p12" -k build.keychain -P $DESKTOP_KEY_PASSWORD \ + + security import "$HOME/certificates/bitwarden-desktop-key.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security import "$HOME/secrets/devid-app-cert.p12" -k build.keychain -P $DEVID_CERT_PASSWORD \ + + security import "$HOME/certificates/devid-app-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security import "$HOME/secrets/devid-installer-cert.p12" -k build.keychain -P $DEVID_CERT_PASSWORD \ + + security import "$HOME/certificates/devid-installer-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security import "$HOME/secrets/appstore-app-cert.p12" -k build.keychain -P $APPSTORE_CERT_PASSWORD \ + + security import "$HOME/certificates/appstore-app-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security import "$HOME/secrets/appstore-installer-cert.p12" -k build.keychain -P $APPSTORE_CERT_PASSWORD \ + + security import "$HOME/certificates/appstore-installer-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security import "$HOME/secrets/macdev-cert.p12" -k build.keychain -P $MACDEV_CERT_PASSWORD \ + + security import "$HOME/certificates/macdev-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild + security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain - name: Set up provisioning profiles diff --git a/.github/workflows/release-desktop-beta.yml b/.github/workflows/release-desktop-beta.yml index 9a48e7247d6..d595a49d75e 100644 --- a/.github/workflows/release-desktop-beta.yml +++ b/.github/workflows/release-desktop-beta.yml @@ -436,58 +436,66 @@ jobs: path: apps/browser/dist/Safari key: ${{ runner.os }}-${{ github.run_id }}-safari-extension - - name: Decrypt secrets + - name: Download Provisioning Profiles secrets env: - DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }} + ACCOUNT_NAME: bitwardenci + CONTAINER_NAME: profiles run: | mkdir -p $HOME/secrets - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/bitwarden-desktop-key.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/bitwarden-desktop-key.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/appstore-app-cert.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/appstore-app-cert.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/appstore-installer-cert.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/appstore-installer-cert.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/devid-app-cert.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/devid-app-cert.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/devid-installer-cert.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/devid-installer-cert.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/macdev-cert.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/macdev-cert.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/bitwarden_desktop_appstore.provisionprofile" \ - "$GITHUB_WORKSPACE/.github/secrets/bitwarden_desktop_appstore.provisionprofile.gpg" + + az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME \ + --name bitwarden_desktop_appstore.provisionprofile \ + --file $HOME/secrets/bitwarden_desktop_appstore.provisionprofile \ + --output none + + - name: Get certificates + run: | + mkdir -p $HOME/certificates + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/bitwarden-desktop-key | + jq -r .value | base64 -d > $HOME/certificates/bitwarden-desktop-key.p12 + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/appstore-app-cert | + jq -r .value | base64 -d > $HOME/certificates/appstore-app-cert.p12 + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/appstore-installer-cert | + jq -r .value | base64 -d > $HOME/certificates/appstore-installer-cert.p12 + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/devid-app-cert | + jq -r .value | base64 -d > $HOME/certificates/devid-app-cert.p12 + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/devid-installer-cert | + jq -r .value | base64 -d > $HOME/certificates/devid-installer-cert.p12 + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/macdev-cert | + jq -r .value | base64 -d > $HOME/certificates/macdev-cert.p12 - name: Set up keychain env: KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} - DESKTOP_KEY_PASSWORD: ${{ secrets.DESKTOP_KEY_PASSWORD }} - DEVID_CERT_PASSWORD: ${{ secrets.DEVID_CERT_PASSWORD }} - APPSTORE_CERT_PASSWORD: ${{ secrets.APPSTORE_CERT_PASSWORD }} - MACDEV_CERT_PASSWORD: ${{ secrets.MACDEV_CERT_PASSWORD }} - APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }} run: | security create-keychain -p $KEYCHAIN_PASSWORD build.keychain security default-keychain -s build.keychain security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain security set-keychain-settings -lut 1200 build.keychain - security import "$HOME/secrets/bitwarden-desktop-key.p12" -k build.keychain -P $DESKTOP_KEY_PASSWORD \ + security import "$HOME/certificates/bitwarden-desktop-key.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security import "$HOME/secrets/devid-app-cert.p12" -k build.keychain -P $DEVID_CERT_PASSWORD \ + + security import "$HOME/certificates/devid-app-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security import "$HOME/secrets/devid-installer-cert.p12" -k build.keychain -P $DEVID_CERT_PASSWORD \ + + security import "$HOME/certificates/devid-installer-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security import "$HOME/secrets/appstore-app-cert.p12" -k build.keychain -P $APPSTORE_CERT_PASSWORD \ + + security import "$HOME/certificates/appstore-app-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security import "$HOME/secrets/appstore-installer-cert.p12" -k build.keychain -P $APPSTORE_CERT_PASSWORD \ + + security import "$HOME/certificates/appstore-installer-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security import "$HOME/secrets/macdev-cert.p12" -k build.keychain -P $MACDEV_CERT_PASSWORD \ + + security import "$HOME/certificates/macdev-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild + security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain - name: Set up provisioning profiles @@ -559,58 +567,72 @@ jobs: path: apps/browser/dist/Safari key: ${{ runner.os }}-${{ github.run_id }}-safari-extension - - name: Decrypt secrets + - name: Login to Azure + uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 + with: + creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} + + - name: Download Provisioning Profiles secrets env: - DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }} + ACCOUNT_NAME: bitwardenci + CONTAINER_NAME: profiles run: | mkdir -p $HOME/secrets - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/bitwarden-desktop-key.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/bitwarden-desktop-key.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/appstore-app-cert.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/appstore-app-cert.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/appstore-installer-cert.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/appstore-installer-cert.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/devid-app-cert.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/devid-app-cert.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/devid-installer-cert.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/devid-installer-cert.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/macdev-cert.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/macdev-cert.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/bitwarden_desktop_appstore.provisionprofile" \ - "$GITHUB_WORKSPACE/.github/secrets/bitwarden_desktop_appstore.provisionprofile.gpg" + + az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME \ + --name bitwarden_desktop_appstore.provisionprofile \ + --file $HOME/secrets/bitwarden_desktop_appstore.provisionprofile \ + --output none + + - name: Get certificates + run: | + mkdir -p $HOME/certificates + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/bitwarden-desktop-key | + jq -r .value | base64 -d > $HOME/certificates/bitwarden-desktop-key.p12 + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/appstore-app-cert | + jq -r .value | base64 -d > $HOME/certificates/appstore-app-cert.p12 + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/appstore-installer-cert | + jq -r .value | base64 -d > $HOME/certificates/appstore-installer-cert.p12 + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/devid-app-cert | + jq -r .value | base64 -d > $HOME/certificates/devid-app-cert.p12 + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/devid-installer-cert | + jq -r .value | base64 -d > $HOME/certificates/devid-installer-cert.p12 + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/macdev-cert | + jq -r .value | base64 -d > $HOME/certificates/macdev-cert.p12 - name: Set up keychain env: KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} - DESKTOP_KEY_PASSWORD: ${{ secrets.DESKTOP_KEY_PASSWORD }} - DEVID_CERT_PASSWORD: ${{ secrets.DEVID_CERT_PASSWORD }} - APPSTORE_CERT_PASSWORD: ${{ secrets.APPSTORE_CERT_PASSWORD }} - MACDEV_CERT_PASSWORD: ${{ secrets.MACDEV_CERT_PASSWORD }} - APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }} run: | security create-keychain -p $KEYCHAIN_PASSWORD build.keychain security default-keychain -s build.keychain security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain security set-keychain-settings -lut 1200 build.keychain - security import "$HOME/secrets/bitwarden-desktop-key.p12" -k build.keychain -P $DESKTOP_KEY_PASSWORD \ + + security import "$HOME/certificates/bitwarden-desktop-key.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security import "$HOME/secrets/devid-app-cert.p12" -k build.keychain -P $DEVID_CERT_PASSWORD \ + + security import "$HOME/certificates/devid-app-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security import "$HOME/secrets/devid-installer-cert.p12" -k build.keychain -P $DEVID_CERT_PASSWORD \ + + security import "$HOME/certificates/devid-installer-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security import "$HOME/secrets/appstore-app-cert.p12" -k build.keychain -P $APPSTORE_CERT_PASSWORD \ + + security import "$HOME/certificates/appstore-app-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security import "$HOME/secrets/appstore-installer-cert.p12" -k build.keychain -P $APPSTORE_CERT_PASSWORD \ + + security import "$HOME/certificates/appstore-installer-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security import "$HOME/secrets/macdev-cert.p12" -k build.keychain -P $MACDEV_CERT_PASSWORD \ + + security import "$HOME/certificates/macdev-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild + security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain - name: Set up provisioning profiles @@ -755,58 +777,67 @@ jobs: path: apps/browser/dist/Safari key: ${{ runner.os }}-${{ github.run_id }}-safari-extension - - name: Decrypt secrets + - name: Download Provisioning Profiles secrets env: - DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }} + ACCOUNT_NAME: bitwardenci + CONTAINER_NAME: profiles run: | mkdir -p $HOME/secrets - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/bitwarden-desktop-key.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/bitwarden-desktop-key.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/appstore-app-cert.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/appstore-app-cert.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/appstore-installer-cert.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/appstore-installer-cert.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/devid-app-cert.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/devid-app-cert.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/devid-installer-cert.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/devid-installer-cert.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/macdev-cert.p12" \ - "$GITHUB_WORKSPACE/.github/secrets/macdev-cert.p12.gpg" - gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \ - --output "$HOME/secrets/bitwarden_desktop_appstore.provisionprofile" \ - "$GITHUB_WORKSPACE/.github/secrets/bitwarden_desktop_appstore.provisionprofile.gpg" + + az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME \ + --name bitwarden_desktop_appstore.provisionprofile \ + --file $HOME/secrets/bitwarden_desktop_appstore.provisionprofile \ + --output none + + - name: Get certificates + run: | + mkdir -p $HOME/certificates + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/bitwarden-desktop-key | + jq -r .value | base64 -d > $HOME/certificates/bitwarden-desktop-key.p12 + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/appstore-app-cert | + jq -r .value | base64 -d > $HOME/certificates/appstore-app-cert.p12 + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/appstore-installer-cert | + jq -r .value | base64 -d > $HOME/certificates/appstore-installer-cert.p12 + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/devid-app-cert | + jq -r .value | base64 -d > $HOME/certificates/devid-app-cert.p12 + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/devid-installer-cert | + jq -r .value | base64 -d > $HOME/certificates/devid-installer-cert.p12 + + az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/macdev-cert | + jq -r .value | base64 -d > $HOME/certificates/macdev-cert.p12 - name: Set up keychain env: KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} - DESKTOP_KEY_PASSWORD: ${{ secrets.DESKTOP_KEY_PASSWORD }} - DEVID_CERT_PASSWORD: ${{ secrets.DEVID_CERT_PASSWORD }} - APPSTORE_CERT_PASSWORD: ${{ secrets.APPSTORE_CERT_PASSWORD }} - MACDEV_CERT_PASSWORD: ${{ secrets.MACDEV_CERT_PASSWORD }} - APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }} run: | security create-keychain -p $KEYCHAIN_PASSWORD build.keychain security default-keychain -s build.keychain security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain security set-keychain-settings -lut 1200 build.keychain - security import "$HOME/secrets/bitwarden-desktop-key.p12" -k build.keychain -P $DESKTOP_KEY_PASSWORD \ + + security import "$HOME/certificates/bitwarden-desktop-key.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security import "$HOME/secrets/devid-app-cert.p12" -k build.keychain -P $DEVID_CERT_PASSWORD \ + + security import "$HOME/certificates/devid-app-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security import "$HOME/secrets/devid-installer-cert.p12" -k build.keychain -P $DEVID_CERT_PASSWORD \ + + security import "$HOME/certificates/devid-installer-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security import "$HOME/secrets/appstore-app-cert.p12" -k build.keychain -P $APPSTORE_CERT_PASSWORD \ + + security import "$HOME/certificates/appstore-app-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security import "$HOME/secrets/appstore-installer-cert.p12" -k build.keychain -P $APPSTORE_CERT_PASSWORD \ + + security import "$HOME/certificates/appstore-installer-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild - security import "$HOME/secrets/macdev-cert.p12" -k build.keychain -P $MACDEV_CERT_PASSWORD \ + + security import "$HOME/certificates/macdev-cert.p12" -k build.keychain -P "" \ -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild + security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain - name: Set up provisioning profiles