[DEVOPS-1333] Add code signing to the Windows bws CLI (#534)
## Type of change

<!-- (mark with an `X`) -->

```
- [ ] Bug fix
- [ ] New feature development
- [ ] Tech debt (refactoring, code cleanup, dependency upgrades, etc)
- [x] Build/deploy pipeline (DevOps)
- [ ] Other
```

## Objective

<!--Describe what the purpose of this PR is. For example: what bug
you're fixing or what new feature you're adding-->

Digitally sign the Windows CLI .exe executable to prevent a warning from showing up
on clients' computers while running `bws` commands.

## Code changes

<!--Explain the changes you've made to each file or major component.
This should help the reviewer understand your changes-->
<!--Also refer to any related changes or PRs in other repositories-->

- **.github/workflows/build-cli.yml:**
  - split Windows and UNIX build jobs
  - add steps to the windows build job to login to Azure, get secrets from KeyVault, install azuresigntool and use azuresigntool to sign the windows CLI artifact.

## Before you submit

- Please add **unit tests** where it makes sense to do so

---------

Co-authored-by: Vince Grassia <593223+vgrassia@users.noreply.github.com>
michalchecinski and vgrassia authored Feb 27, 2024
1 parent aad7014 commit d1fe6b7
Showing 1 changed file with 15 additions and 0 deletions.
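The commit message describes the signing flow (login to Azure, pull the signing settings from Key Vault, install AzureSignTool, sign the `.exe`) but not what a practitioner should do after signing. The script below is an added example written for this page, not code from this commit or from the project's workflow: it runs AzureSignTool against a binary and then verifies the resulting Authenticode signature before the artifact is published. Only `SIGNING_VAULT_URL` and `SIGNING_CLIENT_ID` appear in the diff; `SIGNING_TENANT_ID`, `SIGNING_CLIENT_SECRET`, `SIGNING_CERT_NAME`, the timestamp server URL and the `AzureSignTool` 4.x option names are assumptions of this example.

```powershell
# Added example (not part of the commit): sign a Windows binary with a Key Vault
# certificate via AzureSignTool, then refuse to continue unless the signature
# verifies and carries an RFC 3161 timestamp.
# Assumed environment: SIGNING_VAULT_URL, SIGNING_CLIENT_ID, SIGNING_TENANT_ID,
# SIGNING_CLIENT_SECRET and SIGNING_CERT_NAME are populated from Key Vault by an
# earlier step; only the first two names are visible in the original diff.
param(
    [Parameter(Mandatory = $true)][string]$BinaryPath,
    # Assumed timestamp authority; any RFC 3161 TSA works.
    [string]$TimestampUrl = 'http://timestamp.digicert.com',
    # Optional: expected signer subject, e.g. 'CN=Bitwarden Inc, ...' (assumed value).
    [string]$ExpectedSubjectFragment = ''
)

$ErrorActionPreference = 'Stop'

function Assert-EnvSet([string[]]$Names) {
    foreach ($n in $Names) {
        if ([string]::IsNullOrEmpty([Environment]::GetEnvironmentVariable($n))) {
            throw "required environment variable $n is not set"
        }
    }
}

Assert-EnvSet @(
    'SIGNING_VAULT_URL', 'SIGNING_CLIENT_ID', 'SIGNING_TENANT_ID',
    'SIGNING_CLIENT_SECRET', 'SIGNING_CERT_NAME'
)

if (-not (Test-Path -LiteralPath $BinaryPath)) {
    throw "binary not found: $BinaryPath"
}

# Sign. -tr/-td request an RFC 3161 countersignature so the signature stays
# valid after the code-signing certificate itself expires.
& AzureSignTool sign `
    -kvu $env:SIGNING_VAULT_URL `
    -kvi $env:SIGNING_CLIENT_ID `
    -kvt $env:SIGNING_TENANT_ID `
    -kvs $env:SIGNING_CLIENT_SECRET `
    -kvc $env:SIGNING_CERT_NAME `
    -tr $TimestampUrl `
    -td sha256 `
    -fd sha256 `
    $BinaryPath
if ($LASTEXITCODE -ne 0) {
    throw "AzureSignTool failed with exit code $LASTEXITCODE"
}

# Verify locally: the tool exiting 0 is not the same as the OS accepting the
# signature. Status must be Valid (chain builds to a trusted root) and a
# timestamper certificate must be present.
$sig = Get-AuthenticodeSignature -FilePath $BinaryPath
if ($sig.Status -ne 'Valid') {
    throw "signature status is $($sig.Status): $($sig.StatusMessage)"
}
if ($null -eq $sig.TimeStamperCertificate) {
    throw "binary is signed but not timestamped"
}
if ($ExpectedSubjectFragment -and
    ($sig.SignerCertificate.Subject -notlike "*$ExpectedSubjectFragment*")) {
    throw "unexpected signer: $($sig.SignerCertificate.Subject)"
}

Write-Host "signed by    : $($sig.SignerCertificate.Subject)"
Write-Host "timestamped  : $($sig.TimeStamperCertificate.Subject)"
Write-Host "thumbprint   : $($sig.SignerCertificate.Thumbprint)"
```

Run it from the Windows job after the build, for example `.\sign-and-verify.ps1 -BinaryPath target\x86_64-pc-windows-msvc\release\bws.exe -ExpectedSubjectFragment 'Bitwarden'`; the throw on any check makes the job fail instead of uploading an unsigned or untimestamped artifact.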
15 changes: 15 additions & 0 deletions .github/workflows/build-cli.yml
Expand Up @@ -20,6 +20,7 @@ jobs:
runs-on: ubuntu-22.04
outputs:
package_version: ${{ steps.retrieve-version.outputs.package_version }}
sign: ${{ steps.sign.outputs.sign }}
steps:
- name: Checkout repo
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
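Review bot: the new `sign` output on the `setup` job is only visible to the Windows job if that job declares `needs: setup`; the dependency is outside this hunk, so confirm it exists. Without it `needs.setup.outputs.sign` evaluates to an empty string, every `if: ${{ needs.setup.outputs.sign == 'true' }}` gate is false, and the signing steps are skipped without any error.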
Expand All @@ -30,6 +31,16 @@ jobs:
VERSION=$(grep -o '^version = ".*"' crates/bws/Cargo.toml | grep -Eo "[0-9]+\.[0-9]+\.[0-9]+")
echo "package_version=$VERSION" >> $GITHUB_OUTPUT
- name: Sign if repo is owned by Bitwarden
id: sign
env:
REPO_OWNER: ${{ github.repository_owner }}
run: |
if [[ $REPO_OWNER == bitwarden ]]; then
echo "sign=true" >> $GITHUB_OUTPUT
fi
echo "sign=false" >> $GITHUB_OUTPUT
build-windows:
name: Building CLI for - ${{ matrix.settings.os }} - ${{ matrix.settings.target }}
runs-on: ${{ matrix.settings.os || 'ubuntu-latest' }}
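Review bot: the `Sign if repo is owned by Bitwarden` script writes `sign=false` unconditionally after the `if`, so for the bitwarden owner the file ends up containing both `sign=true` and `sign=false`. `GITHUB_OUTPUT` is processed in order and a repeated key takes the last value, so the output is `false` in every case and all of the gated signing steps below are skipped. Put the fallback in an `else` branch: `if [[ $REPO_OWNER == bitwarden ]]; then echo "sign=true" >> $GITHUB_OUTPUT; else echo "sign=false" >> $GITHUB_OUTPUT; fi`. Consider also `set -euo pipefail` at the top of the script so an unset `REPO_OWNER` fails loudly rather than silently disabling signing.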
Expand Down Expand Up @@ -66,11 +77,13 @@ jobs:
run: cargo build ${{ matrix.features }} -p bws --release --target=${{ matrix.settings.target }}

- name: Login to Azure
if: ${{ needs.setup.outputs.sign == 'true' }}
uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
with:
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

- name: Retrieve secrets
if: ${{ needs.setup.outputs.sign == 'true' }}
id: retrieve-secrets-windows
uses: bitwarden/gh-actions/get-keyvault-secrets@main
with:
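Review bot: `bitwarden/gh-actions/get-keyvault-secrets@main` is a mutable branch reference in the step that handles the code-signing credentials, while the neighbouring `Azure/login` and `actions/checkout` in this file are pinned to a commit SHA. Pin this action to a SHA as well (with the tag in a trailing comment, as the other `uses:` lines do) so that a change pushed to that branch cannot alter what happens to the Key Vault secrets without a reviewed change in this repository.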
Expand All @@ -82,9 +95,11 @@ jobs:
code-signing-cert-name"

- name: Install AST
if: ${{ needs.setup.outputs.sign == 'true' }}
run: dotnet tool install --global AzureSignTool --version 4.0.1

- name: Sign windows binary
if: ${{ needs.setup.outputs.sign == 'true' }}
env:
SIGNING_VAULT_URL: ${{ steps.retrieve-secrets-windows.outputs.code-signing-vault-url }}
SIGNING_CLIENT_ID: ${{ steps.retrieve-secrets-windows.outputs.code-signing-client-id }}
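Review bot: the actual AzureSignTool command is cut off at the end of this hunk, so it is not visible whether the signature is timestamped (`-tr <rfc3161 url> -td sha256`); without a countersignature the signature stops validating once the certificate expires, which brings back the warning this change is meant to remove. Add a verification step after `Sign windows binary` (for example `signtool verify /pa /v` or `Get-AuthenticodeSignature`, checking `Status` and that a timestamper certificate is present) so the job fails if the artifact is not actually signed rather than uploading it. Pinning `AzureSignTool` to `4.0.1` in `Install AST` is good; keep that pin when the action above is pinned too.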
