DEVOPS-1746 - Update iOS distribution certificate and profiles (#3018)

2025-12-26 21:23:46 +00:00 · 2024-02-28 12:48:16 +00:00
parent 850a7e754a
commit c9fdfa7a15
17 changed files with 94 additions and 135 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -31,6 +31,7 @@ jobs:
      - name: Print lines of code
        run: cloc --vcs git --exclude-dir Resources,store,test,Properties --include-lang C#,XAML

+
  setup:
    name: Setup
    runs-on: ubuntu-22.04
@@ -58,6 +59,7 @@ jobs:
            echo "hotfix_branch_exists=0" >> $GITHUB_OUTPUT
          fi

+
  android:
    name: Android
    runs-on: windows-2022
@@ -111,32 +113,34 @@ jobs:
        with:
          fetch-depth: 0

-      - name: Decrypt secrets
+      - name: Login to Azure - CI Subscription
+        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+        with:
+          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+
+      - name: Download secrets
        env:
-          DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }}
+          ACCOUNT_NAME: bitwardenci
+          CONTAINER_NAME: mobile
        run: |
          mkdir -p $HOME/secrets

-          gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
-            --output ${{ env.android_folder_path_bash }}/app_play-keystore.jks \
-            .github/secrets/app_play-keystore.jks.gpg
-
-          gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
-            --output ${{ env.android_folder_path_bash }}/app_upload-keystore.jks \
-            .github/secrets/app_upload-keystore.jks.gpg
-
-          gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
-            --output $HOME/secrets/play_creds.json \
-            .github/secrets/play_creds.json.gpg
+          az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME \
+          --name app_play-keystore.jks --file ./${{ env.android_folder_path_bash }}/app_play-keystore.jks --output none
+          az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME \
+          --name app_upload-keystore.jks --file ./${{ env.android_folder_path_bash }}/app_upload-keystore.jks --output none
+          az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME \
+          --name play_creds.json --file $HOME/secrets/play_creds.json --output none
        shell: bash

-      - name: Decrypt secrets - Google Services
+      - name: Download secrets - Google Services
        if: ${{ matrix.variant == 'prod' }}
        env:
-          DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }}
+          ACCOUNT_NAME: bitwardenci
+          CONTAINER_NAME: mobile
        run: |
-          gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
-            --output ${{ env.android_folder_path_bash }}/google-services.json .github/secrets/google-services.json.gpg
+          az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME \
+          --name google-services.json --file ./${{ env.android_folder_path_bash }}/google-services.json --output none
        shell: bash

      - name: Increment version
@@ -190,9 +194,7 @@ jobs:
          {
            $packageName = "com.x8bit.bitwarden.${{ matrix.variant }}";
          }
-          Write-Output "########################################"
          Write-Output "##### Sign Google Play Bundle Release Configuration"
-          Write-Output "########################################"

          $signingUploadKeyStore = "$($env:GITHUB_WORKSPACE)\${{ env.android_folder_path }}\app_upload-keystore.jks"
          dotnet publish $projToBuild -c Release -f ${{ env.target-net-version }}-android `
@@ -203,17 +205,13 @@ jobs:
            /p:AndroidSigningKeyPass="$($env:UPLOAD_KEYSTORE_PASSWORD)" `
            /p:AndroidSigningStorePass="$($env:UPLOAD_KEYSTORE_PASSWORD)" --no-restore

-          Write-Output "########################################"
          Write-Output "##### Copy Google Play Bundle to project root"
-          Write-Output "########################################"

          $signedAabPath = "$($env:GITHUB_WORKSPACE)\${{ env.main_app_folder_path }}\bin\Release\${{ env.target-net-version }}-android\publish\$($packageName)-Signed.aab";
          $signedAabDestPath = "$($env:GITHUB_WORKSPACE)\$($packageName).aab";
          Copy-Item $signedAabPath $signedAabDestPath

-          Write-Output "########################################"
          Write-Output "##### Sign APK Release Configuration"
-          Write-Output "########################################"

          $signingPlayKeyStore = "$($env:GITHUB_WORKSPACE)\${{ env.android_folder_path }}\app_play-keystore.jks"
          dotnet publish $projToBuild -c Release -f ${{ env.target-net-version }}-android `
@@ -223,9 +221,7 @@ jobs:
            /p:AndroidSigningKeyPass="$($env:PLAY_KEYSTORE_PASSWORD)" `
            /p:AndroidSigningStorePass="$($env:PLAY_KEYSTORE_PASSWORD)" --no-restore

-          Write-Output "########################################"
          Write-Output "##### Copy Release APK to project root"
-          Write-Output "########################################"

          $signedApkPath = "$($env:GITHUB_WORKSPACE)\${{ env.main_app_folder_path }}\bin\Release\${{ env.target-net-version }}-android\publish\$($packageName)-Signed.apk";
          $signedApkDestPath = "$($env:GITHUB_WORKSPACE)\$($packageName).apk";
@@ -343,23 +339,26 @@ jobs:
      - name: Checkout repo
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

-      - name: Decrypt secrets
-        env:
-          DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }}
-        run: |
-          mkdir -p ~/secrets
+      - name: Login to Azure - CI Subscription
+        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+        with:
+          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

-          gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
-            --output ./${{ env.main_app_folder_path }}/app_fdroid-keystore.jks ./.github/secrets/app_fdroid-keystore.jks.gpg
+      - name: Download secrets
+        env:
+          ACCOUNT_NAME: bitwardenci
+          CONTAINER_NAME: mobile
+          FILE: app_fdroid-keystore.jks
+        run: |
+          mkdir -p $HOME/secrets
+          az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME --name $FILE \
+            --file $HOME/secrets/$FILE --output none
        shell: bash

      - name: Increment version
        run: |
          BUILD_NUMBER=$((3000 + $GITHUB_RUN_NUMBER))
-
-          echo "########################################"
          echo "##### Setting Version Code $BUILD_NUMBER"
-          echo "########################################"

          sed -i "s/android:versionCode=\"1\"/android:versionCode=\"$BUILD_NUMBER\"/" \
            ./${{ env.android_manifest_path }}
@@ -372,16 +371,12 @@ jobs:

          $androidManifest = $($env:GITHUB_WORKSPACE + "/${{ env.android_manifest_path }}");

-          Write-Output "########################################"
-          Write-Output "##### Backup project files"
-          Write-Output "########################################"
+          Write-Output "##### Back up project files"

          Copy-Item $androidManifest $($androidManifest + ".original");
          Copy-Item $appPath $($appPath + ".original");

-          Write-Output "########################################"
          Write-Output "##### Cleanup Android Manifest"
-          Write-Output "########################################"

          $xml=New-Object XML;
          $xml.Load($androidManifest);
@@ -399,9 +394,7 @@ jobs:
          $configuration = "Release";
          $projToBuild = $($env:GITHUB_WORKSPACE + "/${{ env.main_app_project_path }}");

-          Write-Output "########################################"
-          Write-Output "##### Build $configuration FDROID
-          Write-Output "########################################"
+          Write-Output "##### Build $configuration FDROID"
          
          dotnet build $projToBuild -c $configuration -f ${{ env.target-net-version }}-android /p:CustomConstants="FDROID"

@@ -412,15 +405,11 @@ jobs:
          $projToBuild = $($env:GITHUB_WORKSPACE + "/${{ env.main_app_project_path }}");
          $packageName = "com.x8bit.bitwarden";

-          Write-Output "########################################"
          Write-Output "##### Sign FDroid"
-          Write-Output "########################################"

          dotnet publish $projToBuild -c Release -f ${{ env.target-net-version }}-android /p:AndroidKeyStore=true /p:AndroidSigningKeyStore=$("app_fdroid-keystore.jks") /p:AndroidSigningKeyAlias=bitwarden /p:AndroidSigningKeyPass="$($env:FDROID_KEYSTORE_PASSWORD)" /p:AndroidSigningStorePass="$($env:FDROID_KEYSTORE_PASSWORD)" /p:CustomConstants="FDROID" --no-restore

-          Write-Output "########################################"
          Write-Output "##### Copy FDroid apk to project root"
-          Write-Output "########################################"

          $signedApkPath = $($env:GITHUB_WORKSPACE + "/${{ env.main_app_folder_path }}/bin/Release/${{ env.target-net-version }}-android/publish/$($packageName)-Signed.apk");
          $signedApkDestPath = $($env:GITHUB_WORKSPACE + "/com.x8bit.bitwarden-fdroid.apk");
@@ -500,42 +489,42 @@ jobs:
          keyvault: "bitwarden-ci"
          secrets: "appcenter-ios-token"

-      - name: Decrypt secrets
+      - name: Download Provisioning Profiles secrets
        env:
-          DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }}
+          ACCOUNT_NAME: bitwardenci
+          CONTAINER_NAME: profiles
        run: |
-          mkdir -p ~/secrets
+          mkdir -p $HOME/secrets
+          profiles=(
+              "dist_autofill.mobileprovision"
+              "dist_bitwarden.mobileprovision"
+              "dist_extension.mobileprovision"
+              "dist_share_extension.mobileprovision"
+              "dist_bitwarden_watch_app.mobileprovision"
+              "dist_bitwarden_watch_app_extension.mobileprovision"
+          )

-          gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
-            --output $HOME/secrets/bitwarden-mobile-key.p12 ./.github/secrets/bitwarden-mobile-key.p12.gpg
-          gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
-            --output $HOME/secrets/iphone-distribution-cert.p12 ./.github/secrets/iphone-distribution-cert.p12.gpg
-          gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
-            --output $HOME/secrets/dist_autofill.mobileprovision ./.github/secrets/dist_autofill.mobileprovision.gpg
-          gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
-            --output $HOME/secrets/dist_bitwarden.mobileprovision ./.github/secrets/dist_bitwarden.mobileprovision.gpg
-          gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
-            --output $HOME/secrets/dist_extension.mobileprovision ./.github/secrets/dist_extension.mobileprovision.gpg
-          gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
-            --output $HOME/secrets/dist_share_extension.mobileprovision \
-            ./.github/secrets/dist_share_extension.mobileprovision.gpg
-          gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
-            --output $HOME/secrets/dist_watch_app.mobileprovision \
-            ./.github/secrets/dist_watch_app.mobileprovision.gpg
-          gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
-            --output $HOME/secrets/dist_watch_app_extension.mobileprovision \
-            ./.github/secrets/dist_watch_app_extension.mobileprovision.gpg
-          gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
-            --output ./src/watchOS/bitwarden/GoogleService-Info.plist ./.github/secrets/GoogleService-Info.plist.gpg
+          for FILE in "${profiles[@]}"
+          do
+            az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME --name $FILE \
+              --file $HOME/secrets/$FILE --output none
+          done
+
+      - name: Download Google Services secret
+        env:
+          ACCOUNT_NAME: bitwardenci
+          CONTAINER_NAME: mobile
+          FILE: GoogleService-Info.plist
+        run: |
+          mkdir -p $HOME/secrets
+          az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME --name $FILE \
+            --file $HOME/secrets/$FILE --output none

      - name: Increment version
        run: |
          BUILD_NUMBER=$((100 + $GITHUB_RUN_NUMBER))

-          echo "########################################"
          echo "##### Setting CFBundleVersion $BUILD_NUMBER"
-          echo "########################################"
-
          echo "### CFBundleVersion $BUILD_NUMBER" >> $GITHUB_STEP_SUMMARY

          perl -0777 -pi.bak -e 's/<key>CFBundleVersion<\/key>\s*<string>1<\/string>/<key>CFBundleVersion<\/key>\n\t<string>'"$BUILD_NUMBER"'<\/string>/' ./${{ env.ios_folder_path }}/Info.plist
@@ -543,30 +532,30 @@ jobs:
          perl -0777 -pi.bak -e 's/<key>CFBundleVersion<\/key>\s*<string>1<\/string>/<key>CFBundleVersion<\/key>\n\t<string>'"$BUILD_NUMBER"'<\/string>/' ./src/iOS.Autofill/Info.plist
          perl -0777 -pi.bak -e 's/<key>CFBundleVersion<\/key>\s*<string>1<\/string>/<key>CFBundleVersion<\/key>\n\t<string>'"$BUILD_NUMBER"'<\/string>/' ./src/iOS.ShareExtension/Info.plist
          cd src/watchOS/bitwarden
-          agvtool new-version -all  $BUILD_NUMBER
+          agvtool new-version -all $BUILD_NUMBER

      - name: Update Entitlements
        run: |
-          echo "########################################"
          echo "##### Updating Entitlements"
-          echo "########################################"
-
          perl -0777 -pi.bak -e 's/<key>aps-environment<\/key>\s*<string>development<\/string>/<key>aps-environment<\/key>\n\t<string>production<\/string>/' ./${{ env.ios_folder_path }}/Entitlements.plist
+
+      - name: Get certificates
+        run: |
+          mkdir -p $HOME/certificates
+          az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/ios-distribution |
+            jq -r .value | base64 -d > $HOME/certificates/ios-distribution.p12
        
      - name: Set up Keychain
        env:
          KEYCHAIN_PASSWORD: ${{ secrets.IOS_KEYCHAIN_PASSWORD }}
-          MOBILE_KEY_PASSWORD: ${{ secrets.IOS_KEY_PASSWORD }}
-          DIST_CERT_PASSWORD: ${{ secrets.IOS_DIST_CERT_PASSWORD }}
        run: |
          security create-keychain -p $KEYCHAIN_PASSWORD build.keychain
          security default-keychain -s build.keychain
          security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain
          security set-keychain-settings -lut 1200 build.keychain
-          security import ~/secrets/bitwarden-mobile-key.p12 -k build.keychain -P $MOBILE_KEY_PASSWORD \
-            -T /usr/bin/codesign -T /usr/bin/security
-          security import ~/secrets/iphone-distribution-cert.p12 -k build.keychain -P $DIST_CERT_PASSWORD \
-            -T /usr/bin/codesign -T /usr/bin/security
+
+          security import $HOME/certificates/ios-distribution.p12 -k build.keychain -P "" -T /usr/bin/codesign \
+            -T /usr/bin/security
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain

      - name: Set up provisioning profiles
@@ -575,8 +564,8 @@ jobs:
          BITWARDEN_PROFILE_PATH=$HOME/secrets/dist_bitwarden.mobileprovision
          EXTENSION_PROFILE_PATH=$HOME/secrets/dist_extension.mobileprovision
          SHARE_EXTENSION_PROFILE_PATH=$HOME/secrets/dist_share_extension.mobileprovision
-          WATCH_APP_PROFILE_PATH=$HOME/secrets/dist_watch_app.mobileprovision
-          WATCH_APP_EXTENSION_PROFILE_PATH=$HOME/secrets/dist_watch_app_extension.mobileprovision
+          WATCH_APP_PROFILE_PATH=$HOME/secrets/dist_bitwarden_watch_app.mobileprovision
+          WATCH_APP_EXTENSION_PROFILE_PATH=$HOME/secrets/dist_bitwarden_watch_app_extension.mobileprovision
          PROFILES_DIR_PATH=$HOME/Library/MobileDevice/Provisioning\ Profiles

          mkdir -p "$PROFILES_DIR_PATH"
@@ -604,68 +593,44 @@ jobs:

      - name: Bulid WatchApp
        run: |
-          echo "########################################"
          echo "##### Build WatchApp with Release Configuration"
-          echo "########################################"
-
          xcodebuild archive -workspace ./src/watchOS/bitwarden/bitwarden.xcodeproj/project.xcworkspace -configuration Release -scheme bitwarden\ WatchKit\ App -archivePath ./src/watchOS/bitwarden

-          echo "########################################"
-          echo "##### Done"
-          echo "########################################"
-
      - name: Archive Build for App Store
        run: |
-          Write-Output "########################################"
-          Write-Output "##### Archive for Release ios-arm64
-          Write-Output "########################################"
-
+          echo "##### Archive for Release ios-arm64"
          dotnet publish ${{ env.main_app_project_path }} -c Release -f ${{ env.target-net-version }}-ios /p:RuntimeIdentifier=ios-arm64 /p:ArchiveOnBuild=true /p:MtouchUseLlvm=false

-          Write-Output "########################################"
-          Write-Output "##### Done"
-          Write-Output "########################################"
-        shell: pwsh
-
      - name: Archive Build for Mobile Automation
        run: |
-          Write-Output "########################################"
-          Write-Output "##### Archive Debug for iossimulator-x64
-          Write-Output "########################################"
-
+          echo "##### Archive Debug for iossimulator-x64"
          dotnet build ${{ env.main_app_project_path }} -c Debug -f ${{ env.target-net-version }}-ios /p:RuntimeIdentifier=iossimulator-x64 /p:ArchiveOnBuild=true /p:MtouchUseLlvm=false
-
-          Write-Output "########################################"
-          Write-Output "##### Done"
-          Write-Output "########################################"
-          ls ~/Library/Developer/Xcode/Archives
-        shell: pwsh
+          ls $HOME/Library/Developer/Xcode/Archives

      - name: Export .ipa for App Store
+        env:
+          EXPORT_OPTIONS_PATH: ./.github/resources/export-options-app-store.plist
+          EXPORT_PATH: ./bitwarden-export
        run: |
-          EXPORT_OPTIONS_PATH="./.github/resources/export-options-app-store.plist"
          ARCHIVE_PATH="$HOME/Library/Developer/Xcode/Archives/*/*.xcarchive"
-          EXPORT_PATH="./bitwarden-export"
-
          xcodebuild -exportArchive -archivePath $ARCHIVE_PATH -exportPath $EXPORT_PATH \
            -exportOptionsPlist $EXPORT_OPTIONS_PATH

      - name: Export .app for Automation CI
+        env:
+          ARCHIVE_PATH: ./${{ env.main_app_folder_path }}/bin/Debug/${{ env.target-net-version }}-ios/iossimulator-x64
+          EXPORT_PATH: ./bitwarden-export
        run: |
-          ARCHIVE_PATH="./${{ env.main_app_folder_path }}/bin/Debug/${{ env.target-net-version }}-ios/iossimulator-x64"
-          EXPORT_PATH="./bitwarden-export"
-
          zip -r -q ${{ env.app_ci_output_filename }}.app.zip $ARCHIVE_PATH
          mv ${{ env.app_ci_output_filename }}.app.zip $EXPORT_PATH

      - name: Copy all dSYMs files to upload
+        env:
+          EXPORT_PATH: ./bitwarden-export
+          WATCH_ARCHIVE_DSYMS_PATH: ./src/watchOS/bitwarden.xcarchive/dSYMs/
+          WATCH_DSYMS_EXPORT_PATH: ./bitwarden-export/Watch_dSYMs
        run: |
          ARCHIVE_DSYMS_PATH="$HOME/Library/Developer/Xcode/Archives/*/*.xcarchive/dSYMs"
-          EXPORT_PATH="./bitwarden-export"
-
-          WATCH_ARCHIVE_DSYMS_PATH="./src/watchOS/bitwarden.xcarchive/dSYMs/"
-          WATCH_DSYMS_EXPORT_PATH="$EXPORT_PATH/Watch_dSYMs"
-
          cp -r -v $ARCHIVE_DSYMS_PATH $EXPORT_PATH
          mkdir $WATCH_DSYMS_EXPORT_PATH
          cp -r -v $WATCH_ARCHIVE_DSYMS_PATH $WATCH_DSYMS_EXPORT_PATH
@@ -714,10 +679,7 @@ jobs:
          || (github.ref == 'refs/heads/rc' && needs.setup.outputs.hotfix_branch_exists == 0)
          || github.ref == 'refs/heads/hotfix-rc'
        run: |
-          echo "########################################"
          echo "##### Uploading Watch dSYMs to Firebase"
-          echo "########################################"
-
          find "$HOME/Library/Developer/XCode/DerivedData" -name "upload-symbols" -exec chmod +x {} \; -exec {} -gsp "./src/watchOS/bitwarden/GoogleService-Info.plist" -p ios "./bitwarden-export/Watch_dSYMs" \;

      - name: Validate app in App Store
@@ -733,7 +695,6 @@ jobs:
        run: |
          xcrun altool --validate-app --type ios --file "./bitwarden-export/Bitwarden.ipa" \
              --username "$APPLE_ID_USERNAME" --password "$APPLE_ID_PASSWORD"
-        shell: bash

      - name: Deploy to App Store
        if: |
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -176,13 +176,14 @@ jobs:
      - name: Install Node dependencies
        run: npm install

-      - name: Decrypt secrets
+      - name: Download secrets
        env:
-          DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }}
+          ACCOUNT_NAME: bitwardenci
+          CONTAINER_NAME: mobile
        run: |
-          mkdir -p ~/secrets
-          gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
-            --output ./store/fdroid/keystore.jks ./.github/secrets/store_fdroid-keystore.jks.gpg
+          mkdir -p $HOME/secrets
+          az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME \
+          --name store_fdroid-keystore.jks --file ./store/fdroid/keystore.jks --output none

      - name: Compile for F-Droid Store
        env: