[PM-12416] Fix cli signing issues (#15132)

* Add macOS notarization and signing steps to CI workflow * Fix * Fix path * Test logic changes for signing * Test logic * feat: remove runtime hardening option * feat: try using entitlements instead * try removing unsigned memory entitlement * fix: revert changes, unsigned memory required --------- Co-authored-by: Michal Checinski <mchecinski@bitwarden.com> Co-authored-by: Vince Grassia <593223+vgrassia@users.noreply.github.com>
8 months ago · 556ec500ff
parent 95841eb078
commit 556ec500ff
2 changed files with 82 additions and 14 deletions
--- a/.github/workflows/build-cli.yml
+++ b/.github/workflows/build-cli.yml
@ -52,7 +52,7 @@ permissions:
 jobs:
  setup:
    name: Setup
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    outputs:
      package_version: ${{ steps.retrieve-package-version.outputs.package_version }}
      node_version: ${{ steps.retrieve-node-version.outputs.node_version }}
@ -61,7 +61,7 @@ jobs:
      - name: Check out repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
-          ref: ${{  github.event.pull_request.head.sha }}
+          ref: ${{ github.event.pull_request.head.sha }}

      - name: Get Package Version
        id: retrieve-package-version
@ -85,25 +85,25 @@ jobs:
          has_secrets=${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL != '' }}
          echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT

+
  cli:
    name: CLI ${{ matrix.os.base }}${{ matrix.os.target_suffix }} - ${{ matrix.license_type.readable }}
    strategy:
      matrix:
        os:
-         [
-          { base: "linux", distro: "ubuntu-22.04", target_suffix: "" },
-          { base: "linux", distro: "ubuntu-22.04-arm", target_suffix: "-arm64" },
-          { base: "mac", distro: "macos-13", target_suffix: "" },
-          { base: "mac", distro: "macos-14", target_suffix: "-arm64" }
-         ]
+          [
+            { base: "linux", distro: "ubuntu-22.04", target_suffix: "" },
+            { base: "linux", distro: "ubuntu-22.04-arm", target_suffix: "-arm64" },
+            { base: "mac", distro: "macos-13", target_suffix: "" },
+            { base: "mac", distro: "macos-14", target_suffix: "-arm64" }
+          ]
        license_type:
          [
            { build_prefix: "oss", artifact_prefix: "-oss", readable: "open source license" },
            { build_prefix: "bit", artifact_prefix: "", readable: "commercial license" }
          ]
    runs-on: ${{ matrix.os.distro }}
-    needs:
-      - setup
+    needs: setup
    env:
      _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
      _NODE_VERSION: ${{ needs.setup.outputs.node_version }}
@ -113,7 +113,7 @@ jobs:
      - name: Check out repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
-          ref: ${{  github.event.pull_request.head.sha }}
+          ref: ${{ github.event.pull_request.head.sha }}

      - name: Setup Unix Vars
        run: |
@ -155,11 +155,69 @@ jobs:
      - name: Build & Package Unix
        run: npm run dist:${{ matrix.license_type.build_prefix }}:${{ env.SHORT_RUNNER_OS }}${{ matrix.os.target_suffix }} --quiet

+      - name: Login to Azure
+        if: ${{ matrix.os.base == 'mac' && needs.setup.outputs.has_secrets == 'true' }}
+        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
+        with:
+          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
+
+      - name: Get certificates
+        if: ${{ matrix.os.base == 'mac' && needs.setup.outputs.has_secrets == 'true' }}
+        run: |
+          mkdir -p $HOME/certificates
+
+          az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/devid-app-cert |
+            jq -r .value | base64 -d > $HOME/certificates/devid-app-cert.p12
+
+      - name: Set up keychain
+        if: ${{ matrix.os.base == 'mac' && needs.setup.outputs.has_secrets == 'true' }}
+        env:
+          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
+        run: |
+          security create-keychain -p $KEYCHAIN_PASSWORD build.keychain
+          security default-keychain -s build.keychain
+          security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain
+          security set-keychain-settings -lut 1200 build.keychain
+
+          security import "$HOME/certificates/devid-app-cert.p12" -k build.keychain -P "" \
+            -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild
+
+          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain
+
+      - name: Sign binary
+        if: ${{ matrix.os.base == 'mac' && needs.setup.outputs.has_secrets == 'true' }}
+        env:
+          MACOS_CERTIFICATE_NAME: "Developer ID Application: 8bit Solutions LLC"
+        run: codesign --sign "$MACOS_CERTIFICATE_NAME" --verbose=3 --force --options=runtime --entitlements ./entitlements.plist --timestamp ./dist/${{ matrix.license_type.build_prefix }}/${{ env.LOWER_RUNNER_OS }}${{ matrix.os.target_suffix }}/bw
+
      - name: Zip Unix
        run: |
          cd ./dist/${{ matrix.license_type.build_prefix }}/${{ env.LOWER_RUNNER_OS }}${{ matrix.os.target_suffix }}
          zip ../../bw${{ matrix.license_type.artifact_prefix }}-${{ env.LOWER_RUNNER_OS }}${{ matrix.os.target_suffix }}-${{ env._PACKAGE_VERSION }}.zip ./bw

+      - name: Set up private auth key
+        if: ${{ matrix.os.base == 'mac' && needs.setup.outputs.has_secrets == 'true' }}
+        run: |
+          mkdir ~/private_keys
+          cat << EOF > ~/private_keys/AuthKey_6TV9MKN3GP.p8
+          ${{ secrets.APP_STORE_CONNECT_AUTH_KEY }}
+          EOF
+
+      - name: Notarize app
+        if: ${{ matrix.os.base == 'mac' && needs.setup.outputs.has_secrets == 'true' }}
+        env:
+          APP_STORE_CONNECT_TEAM_ISSUER: ${{ secrets.APP_STORE_CONNECT_TEAM_ISSUER }}
+          APP_STORE_CONNECT_AUTH_KEY: 6TV9MKN3GP
+          APP_STORE_CONNECT_AUTH_KEY_PATH: ~/private_keys/AuthKey_6TV9MKN3GP.p8
+        run: |
+          echo "Create keychain profile"
+          xcrun notarytool store-credentials "notarytool-profile" --key-id "$APP_STORE_CONNECT_AUTH_KEY" --key "$APP_STORE_CONNECT_AUTH_KEY_PATH" --issuer "$APP_STORE_CONNECT_TEAM_ISSUER"
+
+          codesign --sign "Developer ID Application: 8bit Solutions LLC" --verbose=3 --force --options=runtime --timestamp ./dist/bw${{ matrix.license_type.artifact_prefix }}-${{ env.LOWER_RUNNER_OS }}${{ matrix.os.target_suffix }}-${{ env._PACKAGE_VERSION }}.zip
+
+          echo "Notarize app"
+          xcrun notarytool submit ./dist/bw${{ matrix.license_type.artifact_prefix }}-${{ env.LOWER_RUNNER_OS }}${{ matrix.os.target_suffix }}-${{ env._PACKAGE_VERSION }}.zip --keychain-profile "notarytool-profile" --wait
+
      - name: Version Test
        run: |
          unzip "./dist/bw${{ matrix.license_type.artifact_prefix }}-${{ env.LOWER_RUNNER_OS }}${{ matrix.os.target_suffix }}-${{ env._PACKAGE_VERSION }}.zip" -d "./test"
@ -193,6 +251,7 @@ jobs:
      - name: Output help
        run: node ./build/bw.js --help

+
  cli-windows:
    name: Windows - ${{ matrix.license_type.readable }}
    strategy:
@ -203,8 +262,7 @@ jobs:
            { build_prefix: "bit", artifact_prefix: "", readable: "commercial license" }
          ]
    runs-on: windows-2022
-    needs:
-      - setup
+    needs: setup
    env:
      _PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }}
      _NODE_VERSION: ${{ needs.setup.outputs.node_version }}
@ -462,7 +520,7 @@ jobs:
  check-failures:
    name: Check for failures
    if: always()
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    needs:
      - setup
      - cli
--- a/apps/cli/entitlements.plist
+++ b/apps/cli/entitlements.plist
@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+</dict>
+</plist>