BRE-243 - Fix credentials used for Desktop upload to App Store (#10503)

.github/workflows/build-desktop.yml

@@ -776,10 +776,18 @@ jobs:
           mkdir PlugIns
           cp -r $GITHUB_WORKSPACE/browser-build-artifacts/Safari/dmg/build/Release/safari.appex PlugIns/safari.appex
 
+      - name: Set up private auth key
+        run: |
+          mkdir ~/private_keys
+          cat << EOF > ~/private_keys/AuthKey_6TV9MKN3GP.p8
+          ${{ secrets.APP_STORE_CONNECT_AUTH_KEY }}
+          EOF
+
       - name: Build application (dist)
         env:
-          APPLE_ID_USERNAME: ${{ secrets.APPLE_ID_USERNAME }}
-          APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
+          APP_STORE_CONNECT_TEAM_ISSUER: ${{ secrets.APP_STORE_CONNECT_TEAM_ISSUER }}
+          APP_STORE_CONNECT_AUTH_KEY: 6TV9MKN3GP
+          APP_STORE_CONNECT_AUTH_KEY_PATH: ~/private_keys/AuthKey_6TV9MKN3GP.p8
           CSC_FOR_PULL_REQUEST: true
         run: npm run pack:mac
 
@@ -985,12 +993,20 @@ jobs:
           mkdir PlugIns
           cp -r $GITHUB_WORKSPACE/browser-build-artifacts/Safari/mas/build/Release/safari.appex PlugIns/safari.appex
 
+      - name: Set up private auth key
+        run: |
+          mkdir ~/private_keys
+          cat << EOF > ~/private_keys/AuthKey_6TV9MKN3GP.p8
+          ${{ secrets.APP_STORE_CONNECT_AUTH_KEY }}
+          EOF
+
       - name: Build application for App Store
-        run: npm run pack:mac:mas
         env:
-          APPLE_ID_USERNAME: ${{ secrets.APPLE_ID_USERNAME }}
-          APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
+          APP_STORE_CONNECT_TEAM_ISSUER: ${{ secrets.APP_STORE_CONNECT_TEAM_ISSUER }}
+          APP_STORE_CONNECT_AUTH_KEY: 6TV9MKN3GP
+          APP_STORE_CONNECT_AUTH_KEY_PATH: ~/private_keys/AuthKey_6TV9MKN3GP.p8
           CSC_FOR_PULL_REQUEST: true
+        run: npm run pack:mac:mas
 
       - name: Upload .pkg artifact
         uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
@@ -1000,15 +1016,15 @@ jobs:
           if-no-files-found: error
 
       - name: Deploy to TestFlight
-        env:
-          APPLE_ID_USERNAME: ${{ secrets.APPLE_ID_USERNAME }}
-          APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
         if: |
             (github.ref == 'refs/heads/main'
               && needs.setup.outputs.rc_branch_exists == 0
               && needs.setup.outputs.hotfix_branch_exists == 0)
             || (github.ref == 'refs/heads/rc' && needs.setup.outputs.hotfix_branch_exists == 0)
             || github.ref == 'refs/heads/hotfix-rc-desktop'
+        env:
+          APP_STORE_CONNECT_TEAM_ISSUER: ${{ secrets.APP_STORE_CONNECT_TEAM_ISSUER }}
+          APP_STORE_CONNECT_AUTH_KEY: 6TV9MKN3GP
         run: npm run upload:mas
 
 
@@ -1180,11 +1196,18 @@ jobs:
           mkdir PlugIns
           cp -r $GITHUB_WORKSPACE/browser-build-artifacts/Safari/masdev/build/Release/safari.appex PlugIns/safari.appex
 
+      - name: Set up private auth key
+        run: |
+          mkdir ~/private_keys
+          cat << EOF > ~/private_keys/AuthKey_6TV9MKN3GP.p8
+          ${{ secrets.APP_STORE_CONNECT_AUTH_KEY }}
+          EOF
+
       - name: Build dev application for App Store
-        run: npm run pack:mac:masdev
         env:
-          APPLE_ID_USERNAME: ${{ secrets.APPLE_ID_USERNAME }}
-          APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
+          APP_STORE_CONNECT_TEAM_ISSUER: ${{ secrets.APP_STORE_CONNECT_TEAM_ISSUER }}
+          APP_STORE_CONNECT_AUTH_KEY_PATH: ~/private_keys/AuthKey_6TV9MKN3GP.p8
+        run: npm run pack:mac:masdev
 
       - name: Zip masdev asset
         run: |

apps/desktop/package.json

@@ -52,7 +52,7 @@
     "publish:mac:mas": "npm run dist:mac:mas && npm run upload:mas",
     "publish:win": "npm run build && npm run clean:dist && electron-builder --win --x64 --arm64 --ia32 -p always -c.win.certificateSubjectName=\"8bit Solutions LLC\"",
     "publish:win:dev": "npm run build && npm run clean:dist && electron-builder --win --x64 --arm64 --ia32 -p always",
-    "upload:mas": "xcrun altool --upload-app --type osx --file \"$(find ./dist/mas-universal/Bitwarden*.pkg)\" --username $APPLE_ID_USERNAME --password $APPLE_ID_PASSWORD",
+    "upload:mas": "xcrun altool --upload-app --type osx --file \"$(find ./dist/mas-universal/Bitwarden*.pkg)\" --apiKey $APP_STORE_CONNECT_AUTH_KEY --apiIssuer $APP_STORE_CONNECT_TEAM_ISSUER",
     "test": "jest",
     "test:watch": "jest --watch",
     "test:watch:all": "jest --watchAll"

apps/desktop/scripts/after-sign.js

@@ -50,14 +50,27 @@ async function run(context) {
 
   if (macBuild) {
     console.log("### Notarizing " + appPath);
-    const appleId = process.env.APPLE_ID_USERNAME || process.env.APPLEID;
-    const appleIdPassword = process.env.APPLE_ID_PASSWORD || `@keychain:AC_PASSWORD`;
-    return await notarize({
-      tool: "notarytool",
-      appPath: appPath,
-      teamId: "LTZ2PFU5D6",
-      appleId: appleId,
-      appleIdPassword: appleIdPassword,
-    });
+    if (process.env.APP_STORE_CONNECT_TEAM_ISSUER) {
+      const appleApiIssuer = process.env.APP_STORE_CONNECT_TEAM_ISSUER;
+      const appleApiKey = process.env.APP_STORE_CONNECT_AUTH_KEY_PATH;
+      const appleApiKeyId = process.env.APP_STORE_CONNECT_AUTH_KEY;
+      return await notarize({
+        tool: "notarytool",
+        appPath: appPath,
+        appleApiIssuer: appleApiIssuer,
+        appleApiKey: appleApiKey,
+        appleApiKeyId: appleApiKeyId,
+      });
+    } else {
+      const appleId = process.env.APPLE_ID_USERNAME || process.env.APPLEID;
+      const appleIdPassword = process.env.APPLE_ID_PASSWORD || `@keychain:AC_PASSWORD`;
+      return await notarize({
+        tool: "notarytool",
+        appPath: appPath,
+        teamId: "LTZ2PFU5D6",
+        appleId: appleId,
+        appleIdPassword: appleIdPassword,
+      });
+    }
   }
 }