Merge pull request #643 from joseph-flinn/master

Adding Windows Code Signing to GitHub Actions
2024-11-02 08:40:08 +01:00 · 2021-01-22 09:38:23 -08:00 · 2021-01-22 09:38:23 -08:00 · 03343bfd91
commit 03343bfd91
parent 2cbccecc3e 3678c2c783
5 changed files with 442 additions and 82 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -5,9 +5,6 @@ on:
    branches-ignore:
      - 'l10n_master'
      - 'gh-pages'
  release:
    types:
      - published
 jobs:
@ -44,12 +41,8 @@ jobs:
          sudo apt-get -y install pkg-config libxss-dev libsecret-1-dev rpm
      - name: Set up snap
        if: github.event_name == 'release'
        run: |
          sudo snap install snapcraft --classic
          echo "$SNAP_TOKEN" | snapcraft login --with -
        env:
          SNAP_TOKEN: ${{ secrets.SNAP_TOKEN }}
      - name: Print environment
        run: |
@ -75,51 +68,49 @@ jobs:
        run: npm run dist:lin
      - name: Upload .deb artifact
-        if: github.ref == 'refs/heads/master' || github.event_name == 'release'
+        if: github.ref == 'refs/heads/master'
        uses: actions/upload-artifact@v2
        with:
          name: Bitwarden-${{ env.PACKAGE_VERSION }}-amd64.deb
          path: ./dist/Bitwarden-${{ env.PACKAGE_VERSION }}-amd64.deb
      - name: Upload .rpm artifact
-        if: github.ref == 'refs/heads/master' || github.event_name == 'release'
+        if: github.ref == 'refs/heads/master'
        uses: actions/upload-artifact@v2
        with:
          name: Bitwarden-${{ env.PACKAGE_VERSION }}-x86_64.rpm
          path: ./dist/Bitwarden-${{ env.PACKAGE_VERSION }}-x86_64.rpm
      - name: Upload .freebsd artifact
-        if: github.ref == 'refs/heads/master' || github.event_name == 'release'
+        if: github.ref == 'refs/heads/master'
        uses: actions/upload-artifact@v2
        with:
          name: Bitwarden-${{ env.PACKAGE_VERSION }}-x64.freebsd
          path: ./dist/Bitwarden-${{ env.PACKAGE_VERSION }}-x64.freebsd
      - name: Upload .snap artifact
-        if: github.ref == 'refs/heads/master' || github.event_name == 'release'
+        if: github.ref == 'refs/heads/master'
        uses: actions/upload-artifact@v2
        with:
          name: bitwarden_${{ env.PACKAGE_VERSION }}_amd64.snap
          path: ./dist/bitwarden_${{ env.PACKAGE_VERSION }}_amd64.snap
      - name: Upload .AppImage artifact
-        if: github.ref == 'refs/heads/master' || github.event_name == 'release'
+        if: github.ref == 'refs/heads/master'
        uses: actions/upload-artifact@v2
        with:
          name: Bitwarden-${{ env.PACKAGE_VERSION }}-x86_64.AppImage
          path: ./dist/Bitwarden-${{ env.PACKAGE_VERSION }}-x86_64.AppImage
      - name: Deploy to Snap Store
        if: github.event_name == 'release'
        run: |
          ./scripts/snap-update.ps1 -version $env:PACKAGE_VERSION
          snapcraft logout
        shell: pwsh
  windows:
    runs-on: windows-latest
    steps:
      - name: Set up dotnet
        uses: actions/setup-dotnet@v1
        with:
          dotnet-version: "3.1.x"
      - name: Set up Node
        uses: actions/setup-node@v1
        with:
@ -129,14 +120,30 @@ jobs:
        run: echo "NODE_OPTIONS=--max_old_space_size=4096" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
        shell: pwsh
      - name: Install AST
        shell: pwsh
        run: |
          cd $HOME
          git clone https://github.com/vcsjones/AzureSignTool.git
          cd AzureSignTool
          $latest_head = $(git rev-parse HEAD)[0..9] -join ""
          $latest_version = "0.0.0-g$latest_head"
          Write-Host "--------"
          Write-Host "git commit - $(git rev-parse HEAD)"
          Write-Host "latest_head - $latest_head"
          Write-Host "PACKAGE VERSION TO BUILD - $latest_version"
          Write-Host "--------"
          dotnet restore
          dotnet pack --output ./nupkg
          dotnet tool install --global --ignore-failed-sources --add-source ./nupkg --version $latest_version azuresigntool
      - name: Set up environment
        if: github.event_name == 'release'
        shell: pwsh
        run: |
          choco install checksum --no-progress
          choco apikey --key $env:CHOCO_API_KEY --source https://push.chocolatey.org/
        env:
          CHOCO_API_KEY: ${{ secrets.CHOCO_API_KEY }}
      - name: Print environment
        run: |
@ -157,9 +164,17 @@ jobs:
      - name: Run linter
        run: npm run lint
-      - name: Build application
+      - name: Build & Sign (dev)
-        shell: pwsh
+        run: |
-        run: npm run dist:win:ci
+          npm run build
          npm run pack:win
        env:
          ELECTRON_BUILDER_SIGN: 1
          SIGNING_VAULT_URL: ${{ secrets.SIGNING_VAULT_URL }}
          SIGNING_CLIENT_ID: ${{ secrets.SIGNING_CLIENT_ID }}
          SIGNING_TENANT_ID: ${{ secrets.SIGNING_TENANT_ID }}
          SIGNING_CLIENT_SECRET: ${{ secrets.SIGNING_CLIENT_SECRET }}
          SIGNING_CERT_NAME: ${{ secrets.SIGNING_CERT_NAME }}
      - name: Rename appx files for store
        shell: pwsh
@ -169,63 +184,54 @@ jobs:
          Copy-Item "./dist/Bitwarden-${{ env.PACKAGE_VERSION }}-x64.appx" `
            -Destination "./dist/Bitwarden-${{ env.PACKAGE_VERSION }}-x64-store.appx"
      - name: Deploy to Chocolatey
        shell: pwsh
        run: |
          Copy-Item -Path ./stores/chocolatey -Destination ./dist/chocolatey -Recurse
          Copy-Item -Path ./dist/nsis-web/Bitwarden-Installer-${{ env.PACKAGE_VERSION }}.exe -Destination ./dist/chocolatey
          $checksum = checksum -t sha256 ./dist/chocoloatey/Bitwarden-Installer-${{ env.PACKAGE_VERSION }}.exe
          $chocoInstall = "./dist/chocolatey/tools/chocolateyinstall.ps1"
          (Get-Content $chocoInstall).replace('__version__', "$env:PACKAGE_VERSION").replace('__checksum__', $checksum) | Set-Content $chocoInstall
          choco pack ./dist/chocolatey/bitwarden.nuspec --version "$env:PACKAGE_VERSION" --out ./dist/chocolatey
      - name: Upload portable exe artifact
-        if: github.ref == 'refs/heads/master' || github.event_name == 'release'
+        if: github.ref == 'refs/heads/master'
        uses: actions/upload-artifact@v2
        with:
          name: Bitwarden-Portable-${{ env.PACKAGE_VERSION }}.exe
          path: ./dist/Bitwarden-Portable-${{ env.PACKAGE_VERSION }}.exe
      - name: Upload installer exe artifact
-        if: github.ref == 'refs/heads/master' || github.event_name == 'release'
+        if: github.ref == 'refs/heads/master'
        uses: actions/upload-artifact@v2
        with:
          name: Bitwarden-Installer-${{ env.PACKAGE_VERSION }}.exe
          path: ./dist/nsis-web/Bitwarden-Installer-${{ env.PACKAGE_VERSION }}.exe
      - name: Upload store appx ia32 artifact
-        if: github.ref == 'refs/heads/master' || github.event_name == 'release'
+        if: github.ref == 'refs/heads/master'
        uses: actions/upload-artifact@v2
        with:
          name: Bitwarden-${{ env.PACKAGE_VERSION }}-ia32-store.appx
          path: ./dist/Bitwarden-${{ env.PACKAGE_VERSION }}-ia32-store.appx
      - name: Upload store appx x64 artifact
-        if: github.ref == 'refs/heads/master' || github.event_name == 'release'
+        if: github.ref == 'refs/heads/master'
        uses: actions/upload-artifact@v2
        with:
          name: Bitwarden-${{ env.PACKAGE_VERSION }}-x64-store.appx
          path: ./dist/Bitwarden-${{ env.PACKAGE_VERSION }}-x64-store.appx
-      - name: Deploy to Chocolatey
+      - name: Upload nupkg artifact
-        if: github.event_name == 'release'
+        if: github.ref == 'refs/heads/master'
        run: ./scripts/choco-update.ps1 -version $env:PACKAGE_VERSION
        shell: pwsh
      - name: Upload Chocolatey nupkg artifact
        if: github.event_name == 'release'
        uses: actions/upload-artifact@v2
        with:
          name: bitwarden.${{ env.PACKAGE_VERSION }}.nupkg
          path: ./dist/chocolatey/bitwarden.${{ env.PACKAGE_VERSION }}.nupkg
      - name: Upload release assets
        if: github.event_name == 'release'
        run: |
          hub release edit `
            -a ./dist/chocolatey/bitwarden.${{ env.PACKAGE_VERSION }}.nupkg `
            -a ./dist/Bitwarden-${{ env.PACKAGE_VERSION }}-ia32-store.appx `
            -a ./dist/Bitwarden-${{ env.PACKAGE_VERSION }}-x64-store.appx `
            -m "$($env:RELEASE_TAG_NAME.TrimStart('v'))" `
            $env:RELEASE_TAG_NAME
        shell: pwsh
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
  macos:
    runs-on: macos-latest
    steps:
      - name: Set up Node
        uses: actions/setup-node@v1
@ -285,86 +291,67 @@ jobs:
        run: npm run lint
      - name: Create Safari directory
-        if: github.ref == 'refs/heads/master' || github.event_name == 'release'
+        if: github.ref == 'refs/heads/master'
        shell: pwsh
        run: New-Item ./dist-safari -ItemType Directory -ea 0
      - name: Checkout browser extension
-        if: github.ref == 'refs/heads/master' || github.event_name == 'release'
+        if: github.ref == 'refs/heads/master'
        uses: actions/checkout@v2
        with:
          repository: 'bitwarden/browser'
          path: 'dist-safari/browser'
      - name: Build Safari extension
-        if: github.ref == 'refs/heads/master' || github.event_name == 'release'
+        if: github.ref == 'refs/heads/master'
        shell: pwsh
        run: ./scripts/safari-build.ps1 -skipcheckout -skipoutcopy
      - name: Load Safari extension for .dmg
-        if: github.ref == 'refs/heads/master' || github.event_name == 'release'
+        if: github.ref == 'refs/heads/master'
        shell: pwsh
        run: ./scripts/safari-build.ps1 -copyonly
      - name: Build application (dev)
-        if: github.ref != 'refs/heads/master' && github.event_name != 'release'
+        if: github.ref != 'refs/heads/master'
        run: npm run build
      - name: Build application (dist)
-        if: github.ref == 'refs/heads/master' || github.event_name == 'release'
+        if: github.ref == 'refs/heads/master'
        run: npm run dist:mac
        env:
          APPLE_ID_USERNAME: ${{ secrets.APPLE_ID_USERNAME }}
          APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
      - name: Upload .zip artifact
-        if: github.ref == 'refs/heads/master' || github.event_name == 'release'
+        if: github.ref == 'refs/heads/master'
        uses: actions/upload-artifact@v2
        with:
          name: Bitwarden-${{ env.PACKAGE_VERSION }}-mac.zip
          path: ./dist/Bitwarden-${{ env.PACKAGE_VERSION }}-mac.zip
      - name: Upload .dmg artifact
-        if: github.ref == 'refs/heads/master' || github.event_name == 'release'
+        if: github.ref == 'refs/heads/master'
        uses: actions/upload-artifact@v2
        with:
          name: Bitwarden-${{ env.PACKAGE_VERSION }}.dmg
          path: ./dist/Bitwarden-${{ env.PACKAGE_VERSION }}.dmg
      - name: Load Safari extension for App Store
-        if: github.ref == 'refs/heads/master' || github.event_name == 'release'
+        if: github.ref == 'refs/heads/master'
        shell: pwsh
        run: ./scripts/safari-build.ps1 -mas -copyonly
      - name: Build application for App Store
-        if: github.ref == 'refs/heads/master' || github.event_name == 'release'
+        if: github.ref == 'refs/heads/master'
        run: npm run dist:mac:mas
        env:
          APPLE_ID_USERNAME: ${{ secrets.APPLE_ID_USERNAME }}
          APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
      - name: Upload .pkg artifact
-        if: github.ref == 'refs/heads/master' || github.event_name == 'release'
+        if: github.ref == 'refs/heads/master'
        uses: actions/upload-artifact@v2
        with:
          name: Bitwarden-${{ env.PACKAGE_VERSION }}.pkg
          path: ./dist/mas/Bitwarden-${{ env.PACKAGE_VERSION }}.pkg
      - name: Deploy to App Store
        if: github.event_name == 'release'
        run: npm run upload:mas
        env:
          APPLE_ID_USERNAME: ${{ secrets.APPLE_ID_USERNAME }}
          APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
      - name: Upload release assets
        if: github.event_name == 'release'
        run: |
          hub release edit `
            -a ./dist/mas/Bitwarden-${{ env.PACKAGE_VERSION }}.pkg `
            -m "$($env:RELEASE_TAG_NAME.TrimStart('v'))" `
            $env:RELEASE_TAG_NAME
        shell: pwsh
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -0,0 +1,348 @@
 name: Release
 on:
  workflow_dispatch:
    inputs:
      release_tag_name:
        description: 'Release Tag Name (vX.X.X)'
        required: true
 jobs:
  cloc:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repo
        uses: actions/checkout@v2
      - name: Set up cloc
        run: |
          sudo apt-get update
          sudo apt-get -y install cloc
      - name: Print lines of code
        run: cloc --include-lang TypeScript,JavaScript,HTML,Sass,CSS --vcs git
  setup:
    runs-on: ubuntu-latest
    outputs:
      release_upload_url: ${{ steps.create_release.outputs.upload_url }}
    steps:
      - name: Checkout repo
        uses: actions/checkout@v2
      - name: Create Release Name
        run: |
          echo "RELEASE_NAME=${RELEASE_TAG_NAME:1}" >> $GITHUB_ENV
        env:
          RELEASE_TAG_NAME: ${{ github.event.inputs.release_tag_name }}
      - name: Create Draft Release
        id: create_release
        uses: actions/create-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: ${{ github.event.inputs.release_tag_name }}
          release_name: ${{ env.RELEASE_NAME }}
          draft: true
          prerelease: false
  linux:
    runs-on: ubuntu-latest
    needs: setup
    steps:
      - name: Set up Node
        uses: actions/setup-node@v1
        with:
          node-version: '10.x'
      - name: Set Node options
        run: echo "NODE_OPTIONS=--max_old_space_size=4096" >> $GITHUB_ENV
      - name: Set up environment
        run: |
          sudo apt-get update
          sudo apt-get -y install pkg-config libxss-dev libsecret-1-dev rpm
      - name: Set up snap
        run: |
          sudo snap install snapcraft --classic
          echo "$SNAP_TOKEN" | snapcraft login --with -
        env:
          SNAP_TOKEN: ${{ secrets.SNAP_TOKEN }}
      - name: Print environment
        run: |
          node --version
          npm --version
          snap --version
          snapcraft --version || echo 'snapcraft unavailable'
      - name: Checkout repo
        uses: actions/checkout@v2
      - name: Load package version
        run: ./.github/scripts/load-version.ps1
        shell: pwsh
      - name: Install Node dependencies
        run: npm install
      - name: Run linter
        run: npm run lint
      - name: Build & Publish
        run: npm run publish:lin
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Deploy to Snap Store
        run: |
          ./scripts/snap-update.ps1 -version $env:PACKAGE_VERSION
          snapcraft logout
        shell: pwsh
  windows:
    runs-on: windows-latest
    needs: setup
    steps:
      - name: Set up dotnet
        uses: actions/setup-dotnet@v1
        with:
          dotnet-version: "3.1.x"
      - name: Set up Node
        uses: actions/setup-node@v1
        with:
          node-version: '10.x'
      - name: Set Node options
        run: echo "NODE_OPTIONS=--max_old_space_size=4096" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
        shell: pwsh
      - name: Install AST
        shell: pwsh
        run: |
          cd $HOME
          git clone https://github.com/vcsjones/AzureSignTool.git
          cd AzureSignTool
          $latest_head = $(git rev-parse HEAD)[0..9] -join ""
          $latest_version = "0.0.0-g$latest_head"
          Write-Host "--------"
          Write-Host "git commit - $(git rev-parse HEAD)"
          Write-Host "latest_head - $latest_head"
          Write-Host "PACKAGE VERSION TO BUILD - $latest_version"
          Write-Host "--------"
          dotnet restore
          dotnet pack --output ./nupkg
          dotnet tool install --global --ignore-failed-sources --add-source ./nupkg --version $latest_version azuresigntool
      - name: Set up environment
        shell: pwsh
        run: |
          choco install checksum --no-progress
          choco apikey --key $env:CHOCO_API_KEY --source https://push.chocolatey.org/
        env:
          CHOCO_API_KEY: ${{ secrets.CHOCO_API_KEY }}
      - name: Print environment
        run: |
          node --version
          npm --version
          choco --version
      - name: Checkout repo
        uses: actions/checkout@v2
      - name: Load package version
        run: ./.github/scripts/load-version.ps1
        shell: pwsh
      - name: Install Node dependencies
        run: npm install
      - name: Run linter
        run: npm run lint
      - name: Build, Sign & Release
        run: npm run publish:win
        env:
          ELECTRON_BUILDER_SIGN: 1
          SIGNING_VAULT_URL: ${{ secrets.SIGNING_VAULT_URL }}
          SIGNING_CLIENT_ID: ${{ secrets.SIGNING_CLIENT_ID }}
          SIGNING_TENANT_ID: ${{ secrets.SIGNING_TENANT_ID }}
          SIGNING_CLIENT_SECRET: ${{ secrets.SIGNING_CLIENT_SECRET }}
          SIGNING_CERT_NAME: ${{ secrets.SIGNING_CERT_NAME }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Rename appx files for store
        shell: pwsh
        run: |
          Copy-Item "./dist/Bitwarden-${{ env.PACKAGE_VERSION }}-ia32.appx" `
            -Destination "./dist/Bitwarden-${{ env.PACKAGE_VERSION }}-ia32-store.appx"
          Copy-Item "./dist/Bitwarden-${{ env.PACKAGE_VERSION }}-x64.appx" `
            -Destination "./dist/Bitwarden-${{ env.PACKAGE_VERSION }}-x64-store.appx"
      - name: Deploy to Chocolatey
        shell: pwsh
        run: |
          Copy-Item -Path ./stores/chocolatey -Destination ./dist/chocolatey -Recurse
          Copy-Item -Path ./dist/nsis-web/Bitwarden-Installer-${{ env.PACKAGE_VERSION }}.exe -Destination ./dist/chocolatey
          $checksum = checksum -t sha256 ./dist/chocoloatey/Bitwarden-Installer-${{ env.PACKAGE_VERSION }}.exe
          $chocoInstall = "./dist/chocolatey/tools/chocolateyinstall.ps1"
          (Get-Content $chocoInstall).replace('__version__', "$env:PACKAGE_VERSION").replace('__checksum__', $checksum) | Set-Content $chocoInstall
          choco pack ./dist/chocolatey/bitwarden.nuspec --version "$env:PACKAGE_VERSION" --out ./dist/chocolatey
          cd ./dist/chocolatey
          choco push
      - name: Upload Chocolatey nupkg release asset
        id: upload-macos-checksum
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ needs.setup.outputs.release_upload_url }}
          asset_name: bitwarden.${{ env.PACKAGE_VERSION }}.nupkg
          asset_path: ./dist/chocolatey/bitwarden.${{ env.PACKAGE_VERSION }}.nupkg
          asset_content_type: application
  macos:
    runs-on: macos-latest
    needs: setup
    steps:
      - name: Set up Node
        uses: actions/setup-node@v1
        with:
          node-version: '10.x'
      - name: Set Node options
        run: echo "NODE_OPTIONS=--max_old_space_size=4096" >> $GITHUB_ENV
      - name: Print environment
        run: |
          node --version
          npm --version
          Write-Output "GitHub ref: $env:GITHUB_REF"
          Write-Output "GitHub event: $env:GITHUB_EVENT"
        shell: pwsh
        env:
          GITHUB_REF: ${{ github.ref }}
          GITHUB_EVENT: ${{ github.event_name }}
      - name: Checkout repo
        uses: actions/checkout@v2
      - name: Decrypt secrets
        run: ./.github/scripts/macos/decrypt-secrets.ps1
        shell: pwsh
        env:
          DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }}
      - name: Set up keychain
        run: ./.github/scripts/macos/setup-keychain.ps1
        shell: pwsh
        env:
          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
          DESKTOP_KEY_PASSWORD: ${{ secrets.DESKTOP_KEY_PASSWORD }}
          DEVID_CERT_PASSWORD: ${{ secrets.DEVID_CERT_PASSWORD }}
          APPSTORE_CERT_PASSWORD: ${{ secrets.APPSTORE_CERT_PASSWORD }}
          MACDEV_CERT_PASSWORD: ${{ secrets.MACDEV_CERT_PASSWORD }}
          APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
      - name: Set up provisioning profiles
        run: ./.github/scripts/macos/setup-profiles.ps1
        shell: pwsh
      - name: Increment version
        run: ./.github/scripts/macos/increment-version.ps1
        shell: pwsh
      - name: Load package version
        run: ./.github/scripts/load-version.ps1
        shell: pwsh
      - name: Install Node dependencies
        run: npm install
      - name: Run linter
        run: npm run lint
      - name: Create Safari directory
        shell: pwsh
        run: New-Item ./dist-safari -ItemType Directory -ea 0
      - name: Checkout browser extension
        uses: actions/checkout@v2
        with:
          repository: 'bitwarden/browser'
          path: 'dist-safari/browser'
      - name: Build Safari extension
        shell: pwsh
        run: ./scripts/safari-build.ps1 -skipcheckout -skipoutcopy
      - name: Load Safari extension for .dmg
        shell: pwsh
        run: ./scripts/safari-build.ps1 -copyonly
      - name: Build application (dist)
        run: npm run dist:mac
        env:
          APPLE_ID_USERNAME: ${{ secrets.APPLE_ID_USERNAME }}
          APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
      - name: Load Safari extension for App Store
        shell: pwsh
        run: ./scripts/safari-build.ps1 -mas -copyonly
      - name: Build application for App Store
        run: npm run dist:mac:mas
        env:
          APPLE_ID_USERNAME: ${{ secrets.APPLE_ID_USERNAME }}
          APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
      - name: Deploy to App Store
        run: npm run upload:mas
        env:
          APPLE_ID_USERNAME: ${{ secrets.APPLE_ID_USERNAME }}
          APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
      - name: Upload .pkg release asset
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ needs.setup.outputs.release_upload_url }}
          asset_name: Bitwarden-${{ env.PACKAGE_VERSION }}.pkg
          asset_path: ./dist/mas/Bitwarden-${{ env.PACKAGE_VERSION }}.pkg
          asset_content_type: application/vnd.apple.installer+xml
      - name: Upload zip release asset
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ needs.setup.outputs.release_upload_url }}
          asset_name: Bitwarden-${{ env.PACKAGE_VERSION }}-mac.zip
          asset_path: ./dist/Bitwarden-${{ env.PACKAGE_VERSION }}-mac.zip
          asset_content_type: application/zip
      - name: Upload .dmg release asset
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ needs.setup.outputs.release_upload_url }}
          asset_name: Bitwarden-${{ env.PACKAGE_VERSION }}.dmg
          asset_path: ./dist/Bitwarden-${{ env.PACKAGE_VERSION }}.dmg
          asset_content_type: application/x-apple-diskimage
--- a/appveyor.yml.flagged-to-remove
+++ b/appveyor.yml.flagged-to-remove
--- a/package.json
+++ b/package.json
@ -121,6 +121,7 @@
        "nsis-web",
        "appx"
      ],
      "sign": "./sign.js",
      "extraResources": [
        {
          "from": "node_modules/regedit/vbs",
--- a/sign.js
+++ b/sign.js
@ -0,0 +1,24 @@
 exports.default = async function(configuration) {
  if (
    parseInt(process.env.ELECTRON_BUILDER_SIGN) === 1 && 
    configuration.path.slice(-4) == ".exe" &&
    !(configuration.path.includes('win-unpacked') || configuration.path.includes('win-ia32-unpacked'))
  ) {
    console.log(`[*] Signing file: ${configuration.path}`)
    require("child_process").execSync(
      `azuresigntool sign ` +
      `-kvu ${process.env.SIGNING_VAULT_URL} ` +
      `-kvi ${process.env.SIGNING_CLIENT_ID} ` +
      `-kvt ${process.env.SIGNING_TENANT_ID} ` +
      `-kvs ${process.env.SIGNING_CLIENT_SECRET} ` +
      `-kvc ${process.env.SIGNING_CERT_NAME} ` +
      `-fd ${configuration.hash} ` +
      `-du ${configuration.site} ` +
      `-tr http://timestamp.digicert.com ` +
      `${configuration.path}`,
      {
        stdio: "inherit"
      }
    );
  }
 };