diff --git a/.github/scripts/decrypt-secret.ps1 b/.github/scripts/decrypt-secret.ps1
new file mode 100644
index 0000000000..b5251d533a
--- /dev/null
+++ b/.github/scripts/decrypt-secret.ps1
@@ -0,0 +1,29 @@
+param (
+ [Parameter(Mandatory=$true)]
+ [string] $filename,
+ [string] $output
+)
+
+$homePath = Resolve-Path "~" | Select-Object -ExpandProperty Path
+$rootPath = $env:GITHUB_WORKSPACE
+
+$secretInputPath = $rootPath + "/.github/secrets"
+$input = $secretInputPath + "/" + $filename
+
+$passphrase = $env:DECRYPT_FILE_PASSWORD
+$secretOutputPath = $homePath + "/secrets"
+
+if ([string]::IsNullOrEmpty($output)) {
+ if ($filename.EndsWith(".gpg")) {
+ $output = $secretOutputPath + "/" + $filename.TrimEnd(".gpg")
+ } else {
+ $output = $secretOutputPath + "/" + $filename + ".plaintext"
+ }
+}
+
+if (!(Test-Path -Path $secretOutputPath))
+{
+ New-Item -ItemType Directory -Path $secretOutputPath
+}
+
+gpg --quiet --batch --yes --decrypt --passphrase="$passphrase" --output $output $input
diff --git a/.github/scripts/macos/decrypt-secrets.ps1 b/.github/scripts/macos/decrypt-secrets.ps1
new file mode 100644
index 0000000000..8c1e83719a
--- /dev/null
+++ b/.github/scripts/macos/decrypt-secrets.ps1
@@ -0,0 +1,10 @@
+$rootPath = $env:GITHUB_WORKSPACE;
+
+$decryptSecretPath = $($rootPath + "/.github/scripts/decrypt-secret.ps1");
+
+Invoke-Expression "& `"$decryptSecretPath`" -filename bitwarden-deskop-key.p12.gpg"
+Invoke-Expression "& `"$decryptSecretPath`" -filename appstore-app-cert.p12.gpg"
+Invoke-Expression "& `"$decryptSecretPath`" -filename appstore-installer-cert.p12.gpg"
+Invoke-Expression "& `"$decryptSecretPath`" -filename devid-app-cert.p12.gpg"
+Invoke-Expression "& `"$decryptSecretPath`" -filename devid-installer-cert.p12.gpg"
+Invoke-Expression "& `"$decryptSecretPath`" -filename bitwarden_desktop_appstore.provisionprofile.gpg"
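Review bot: The exit status of the `gpg` call on the last line is never checked, so a wrong passphrase or a missing input file leaves `$output` absent while the script returns success and the job runs on into the keychain step; add `if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }` after it. `$filename.TrimEnd(".gpg")` trims a set of characters rather than a suffix, so any name whose stem ends in `g`, `p` or `.` is truncated — `[System.IO.Path]::GetFileNameWithoutExtension($filename)` strips exactly the last extension. Passing the passphrase as `--passphrase="$passphrase"` puts it in the process table for the lifetime of the gpg call; `--pinentry-mode loopback --passphrase-fd 0` with the value written to stdin keeps it out of argv. Because the ciphertexts are committed to the repository (the `.github/secrets/*.gpg` files in this commit), that passphrase is the only thing standing between the git history and the signing keys, so its handling deserves that care. `$input` is also a PowerShell automatic variable and should not be reassigned; a name such as `$inputPath` avoids shadowing it.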
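Review bot: Every call in decrypt-secrets.ps1 goes through `Invoke-Expression` on a string that interpolates `$env:GITHUB_WORKSPACE`, which re-parses the path as PowerShell code and would break (or execute embedded expressions) on a path containing quotes or `$`; the call operator does the same job without a parse step, `& $decryptSecretPath -filename bitwarden-deskop-key.p12.gpg`. None of the six invocations checks for failure, so a single undecryptable file is only discovered later when `security import` cannot find its input. Putting the names in an array and looping keeps the exit-code check in one place; `$LASTEXITCODE` is global, so the `gpg` result from inside the child script should still be visible here, though that is worth confirming.
```powershell
$decryptSecretPath = $($rootPath + "/.github/scripts/decrypt-secret.ps1");

$secretFiles = @(
  "bitwarden-deskop-key.p12.gpg",
  "appstore-app-cert.p12.gpg",
  "appstore-installer-cert.p12.gpg",
  "devid-app-cert.p12.gpg",
  "devid-installer-cert.p12.gpg",
  "bitwarden_desktop_appstore.provisionprofile.gpg"
)

foreach ($secretFile in $secretFiles) {
  & $decryptSecretPath -filename $secretFile
  if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
}
```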
diff --git a/.github/scripts/macos/increment-version.ps1 b/.github/scripts/macos/increment-version.ps1
new file mode 100644
index 0000000000..c21f9ea919
--- /dev/null
+++ b/.github/scripts/macos/increment-version.ps1
@@ -0,0 +1,2 @@
+$rootPath = $env:GITHUB_WORKSPACE;
+$buildNumber = 100 + [int]$env:GITHUB_RUN_NUMBER;
diff --git a/.github/scripts/macos/setup-keychain.ps1 b/.github/scripts/macos/setup-keychain.ps1
new file mode 100644
index 0000000000..ce93464f90
--- /dev/null
+++ b/.github/scripts/macos/setup-keychain.ps1
@@ -0,0 +1,19 @@
+$homePath = Resolve-Path "~" | Select-Object -ExpandProperty Path;
+$secretsPath = $homePath + "/secrets"
+
+$desktopKeyPath = $($secretsPath + "/bitwarden-dekstop-key.p12");
+$devidAppCertPath = $($secretsPath + "/devid-app-cert.p12");
+$devidInstallerCertPath = $($secretsPath + "/devid-installer-cert.p12");
+$appstoreAppCertPath = $($secretsPath + "/appstore-app-cert.p12");
+$appstoreInstallerCertPath = $($secretsPath + "/appstore-installer-cert.p12");
+
+security create-keychain -p $env:KEYCHAIN_PASSWORD build.keychain
+security default-keychain -s build.keychain
+security unlock-keychain -p $env:KEYCHAIN_PASSWORD build.keychain
+security set-keychain-settings -lut 1200 build.keychain
+security import $desktopKeyPath -k build.keychain -P $env:DESKTOP_KEY_PASSWORD -T /usr/bin/codesign -T /usr/bin/security
+security import $devidAppCertPath -k build.keychain -P $env:DIST_CERT_PASSWORD -T /usr/bin/codesign -T /usr/bin/security
+security import $devidInstallerCertPath -k build.keychain -P $env:DIST_CERT_PASSWORD -T /usr/bin/codesign -T /usr/bin/security
+security import $appstoreAppCertPath -k build.keychain -P $env:DIST_CERT_PASSWORD -T /usr/bin/codesign -T /usr/bin/security
+security import $appstoreInstallerCertPath -k build.keychain -P $env:DIST_CERT_PASSWORD -T /usr/bin/codesign -T /usr/bin/security
+security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $env:KEYCHAIN_PASSWORD build.keychain
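Review bot: `$buildNumber` and `$rootPath` are computed in increment-version.ps1 but never written anywhere, so as committed the "Increment version" workflow step is a no-op; the whole two-line file is in the hunk, so nothing else consumes them. If this is a stub, a comment such as `# TODO: write $buildNumber into the app's build metadata` would make that explicit, and if the bump was meant to land in this commit it is missing. `[int]$env:GITHUB_RUN_NUMBER` also throws when the variable is unset, which is only an issue if the script is ever run outside Actions.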
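Review bot: setup-keychain.ps1 reads `$env:DIST_CERT_PASSWORD` for the four certificate imports, but the workflow step that runs it (build.yml hunk) sets `DEVID_CERT_PASSWORD` and `APPSTORE_CERT_PASSWORD` instead, so `-P` receives an empty or missing value and those imports cannot succeed; either rename the workflow variables or read `-P $env:DEVID_CERT_PASSWORD` for the devid pair and `-P $env:APPSTORE_CERT_PASSWORD` for the appstore pair. `$desktopKeyPath` points at `bitwarden-dekstop-key.p12`, while the file produced by decrypt-secrets.ps1 is `bitwarden-deskop-key.p12` (matching the committed `.gpg` name), so the first import has no input to read. None of the `security` calls checks `$LASTEXITCODE`, which is why neither mistake would fail the job on its own; the same missing check applies to the `Copy-Item` in setup-profiles.ps1 and the `gpg` call in decrypt-secret.ps1.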
diff --git a/.github/scripts/macos/setup-profiles.ps1 b/.github/scripts/macos/setup-profiles.ps1
new file mode 100644
index 0000000000..1f454dc0fc
--- /dev/null
+++ b/.github/scripts/macos/setup-profiles.ps1
@@ -0,0 +1,6 @@
+$homePath = Resolve-Path "~" | Select-Object -ExpandProperty Path;
+$secretsPath = $homePath + "/secrets"
+$rootPath = $env:GITHUB_WORKSPACE
+$pprofile = "bitwarden_desktop_appstore.provisionprofile"
+
+Copy-Item "$secretsPath/$pprofile" -destination "$rootPath/$pprofile"
diff --git a/.github/secrets/appstore-app-cert.p12.gpg b/.github/secrets/appstore-app-cert.p12.gpg
new file mode 100644
index 0000000000..0591712090
Binary files /dev/null and b/.github/secrets/appstore-app-cert.p12.gpg differ
diff --git a/.github/secrets/appstore-installer-cert.p12.gpg b/.github/secrets/appstore-installer-cert.p12.gpg
new file mode 100644
index 0000000000..7bf0edd454
Binary files /dev/null and b/.github/secrets/appstore-installer-cert.p12.gpg differ
diff --git a/.github/secrets/bitwarden-deskop-key.p12.gpg b/.github/secrets/bitwarden-deskop-key.p12.gpg
new file mode 100644
index 0000000000..e64f287392
Binary files /dev/null and b/.github/secrets/bitwarden-deskop-key.p12.gpg differ
diff --git a/.github/secrets/bitwarden_desktop_appstore.provisionprofile.gpg b/.github/secrets/bitwarden_desktop_appstore.provisionprofile.gpg
new file mode 100644
index 0000000000..bd7d01850f
Binary files /dev/null and b/.github/secrets/bitwarden_desktop_appstore.provisionprofile.gpg differ
diff --git a/.github/secrets/devid-app-cert.p12.gpg b/.github/secrets/devid-app-cert.p12.gpg
new file mode 100644
index 0000000000..c445724ce9
Binary files /dev/null and b/.github/secrets/devid-app-cert.p12.gpg differ
diff --git a/.github/secrets/devid-installer-cert.p12.gpg b/.github/secrets/devid-installer-cert.p12.gpg
new file mode 100644
index 0000000000..7afdb2167d
Binary files /dev/null and b/.github/secrets/devid-installer-cert.p12.gpg differ
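Review bot: `Copy-Item` on the last line raises only a non-terminating error when `$secretsPath/$pprofile` does not exist (for instance after a failed decrypt), so the step reports success and the App Store build fails later with a less direct message; `Copy-Item "$secretsPath/$pprofile" -Destination "$rootPath/$pprofile" -ErrorAction Stop` makes the missing profile fail here. The profile is placed in the checkout root, and nothing in the hunk says which later step reads it from there; a one-line comment naming that consumer would document the coupling.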
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 8559148db3..b8bc875aad 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -99,3 +99,59 @@ jobs:
 with:
 name: desktop-artifacts
 path: artifacts/*
+
+ macos:
+ runs-on: macos-latest
+
+ steps:
+ - name: Print environment
+ run: |
+ Write-Output "GitHub ref: $env:GITHUB_REF"
+ Write-Output "GitHub event: $env:GITHUB_EVENT"
+ shell: pwsh
+ env:
+ GITHUB_REF: ${{ github.ref }}
+ GITHUB_EVENT: ${{ github.event_name }}
+
+ - name: Checkout repo
+ uses: actions/checkout@v2
+
+ - name: Decrypt secrets
+ run: ./.github/scripts/macos/decrypt-secrets.ps1
+ shell: pwsh
+ env:
+ DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }}
+
+ - name: Increment version
+ if: github.ref == 'refs/heads/master' || github.event_name == 'release'
+ run: ./.github/scripts/macos/increment-version.ps1
+ shell: pwsh
+
+ - name: Set up keychain
+ run: ./.github/scripts/macos/setup-keychain.ps1
+ shell: pwsh
+ env:
+ KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
+ DESKTOP_KEY_PASSWORD: ${{ secrets.DESKTOP_KEY_PASSWORD }}
+ DEVID_CERT_PASSWORD: ${{ secrets.DEVID_CERT_PASSWORD }}
+ APPSTORE_CERT_PASSWORD: ${{ secrets.APPSTORE_CERT_PASSWORD }}
+
+ - name: Set up provisioning profiles
+ run: ./.github/scripts/macos/setup-profiles.ps1
+ shell: pwsh
+
+ - name: Build Safari extension for .dmg
+ shell: pwsh
+ run: ./scripts/safari-build.ps1
+
+ - name: Build application for .dmg
+ shell: pwsh
+ run: npm run dist:mac
+
+ - name: Build Safari extension for App Store
+ shell: pwsh
+ run: ./scripts/safari-build.ps1 -mas
+
+ - name: Build application for App Store
+ shell: pwsh
+ run: npm run dist:mac:mas
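Review bot: Nothing in the new `macos` job removes the decrypted certificates in `~/secrets` or the `build.keychain` that holds the imported signing keys once the build steps finish, so on a self-hosted runner they would persist for whatever runs next; a final step with `if: always()` that runs `security delete-keychain build.keychain` and deletes `~/secrets` closes that. On hosted `macos-latest` the VM is discarded after the job, so the exposure is limited to that configuration. The `Decrypt secrets` and `Set up keychain` steps rely on the scripts' exit codes, and since the scripts do not check `$LASTEXITCODE` after `gpg` or `security`, a failed decrypt or import would not stop the job before `npm run dist:mac` is reached. Pinning `actions/checkout@v2` to a full commit SHA rather than a moving tag would make the third-party action immutable for this job.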