mobile
DEVOPS-1746 - Update iOS distribution certificate and profiles
Type of change
- [ ] Bug fix
- [ ] New feature development
- [ ] Tech debt (refactoring, code cleanup, dependency upgrades, etc)
- [X] Build/deploy pipeline (DevOps)
- [ ] Other
Objective
This PR updates the iOS distribution certificate and all of the provisioning profiles. I have also included moving all of the files from `.github/secrets` to an Azure Storage Account named `bitwardenci`.
Successful run here.
Code changes
- `.github/workflows/build.yml`: Formatting. Changed `jks` and `mobileprovision` files to download from Storage Account. Download certificate from Key Vault. Remove extra `echo` and `Write-Output` to shorten file. Change any `~` to `$HOME` for consistency. Move some inline bash variables to `env` key.
- `.github/workflows/release.yml`: Formatting. Download files from Storage Account.
Before you submit
- Please check for formatting errors (`dotnet format --verify-no-changes`) (required)
- Please add unit tests where it makes sense to do so (encouraged but not required)
- If this change requires a documentation update - notify the documentation team
- If this change has particular deployment requirements - notify the DevOps team
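The PR replaces gpg-encrypted profiles in the repository with plain `.mobileprovision` blobs fetched from a storage account at build time, so the build no longer fails early if a wrong or stale profile is uploaded to the blob container. The following is an added example (not code from this PR or the Bitwarden project) of a pre-codesign check a pipeline can run over the downloaded profiles: it pulls the XML plist out of the CMS envelope, then verifies expiry, team ID, app identifier prefix and that the profile is an App Store distribution profile rather than a development one. The team ID `ABCDE12345`, the bundle prefix `com.example.app` and the sample profile bytes are constructed for the example; the CMS signature is not verified here (use `security cms -D` on macOS for a verified extraction).

```python
"""Sanity-check downloaded iOS provisioning profiles before codesign runs.

A .mobileprovision file is a DER-encoded CMS (PKCS#7) envelope whose payload
is an XML plist. This helper locates the plist by its XML markers so the
check also runs on Linux and in tests; it does NOT verify the CMS signature.
"""
import plistlib
from datetime import datetime, timedelta, timezone
from typing import Optional

EXPECTED_TEAM = "ABCDE12345"             # constructed team ID for the example
EXPECTED_APP_PREFIX = "com.example.app"  # constructed bundle ID prefix


def extract_profile_plist(data: bytes) -> dict:
    """Pull the embedded plist out of a CMS-wrapped provisioning profile."""
    start = data.find(b"<?xml")
    end = data.find(b"</plist>")
    if start == -1 or end == -1 or end < start:
        raise ValueError("no embedded plist found; not a provisioning profile?")
    return plistlib.loads(data[start:end + len(b"</plist>")])


def check_profile(data: bytes, team: str, app_prefix: str,
                  now: Optional[datetime] = None) -> list:
    """Return a list of problems; an empty list means the profile is usable."""
    now = now or datetime.now(timezone.utc)
    try:
        info = extract_profile_plist(data)
    except ValueError as exc:
        return [str(exc)]

    problems = []
    exp = info.get("ExpirationDate")
    if exp is None:
        problems.append("missing ExpirationDate")
    else:
        if exp.tzinfo is None:  # plistlib returns naive datetimes in UTC
            exp = exp.replace(tzinfo=timezone.utc)
        if exp <= now:
            problems.append(f"profile expired on {exp.date().isoformat()}")

    if team not in info.get("TeamIdentifier", []):
        problems.append(f"TeamIdentifier does not include {team}")

    app_id = info.get("Entitlements", {}).get("application-identifier", "")
    if not app_id.startswith(f"{team}.{app_prefix}"):
        problems.append(f"unexpected application-identifier {app_id!r}")

    # App Store distribution profiles carry no device list; a device list
    # means a development or ad-hoc profile was uploaded to the wrong blob.
    if "ProvisionedDevices" in info:
        problems.append("profile lists ProvisionedDevices; not an App Store "
                        "distribution profile")
    return problems


def build_sample_profile(expired: bool = False) -> bytes:
    """Constructed stand-in for a real profile: a plist wrapped in filler
    bytes that play the role of the CMS envelope (the ASN.1 is not modelled)."""
    days = -30 if expired else 200
    exp = datetime.now(timezone.utc).replace(tzinfo=None) + timedelta(days=days)
    info = {
        "Name": "Example Distribution",
        "TeamIdentifier": [EXPECTED_TEAM],
        "ExpirationDate": exp,
        "Entitlements": {
            "application-identifier": f"{EXPECTED_TEAM}.{EXPECTED_APP_PREFIX}",
        },
    }
    return b"\x30\x82\x00\x00fake-cms-header" + plistlib.dumps(info) + b"fake-cms-trailer"


if __name__ == "__main__":
    for label, blob in (("fresh", build_sample_profile()),
                        ("expired", build_sample_profile(expired=True))):
        print(label, check_profile(blob, EXPECTED_TEAM, EXPECTED_APP_PREFIX) or "OK")
```

In a workflow this would run as a step between the blob download and `security import` / `codesign`, over each file in `$HOME/secrets/`, failing the job on any non-empty problem list so an expired or mis-uploaded profile is caught before the signing step produces a confusing error.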
Checkmarx One – Scan Summary & Details – 54fd10e8-3c39-45da-aad0-6d9830476c93
New Issues
| Severity | Issue | Source File / Package | Checkmarx Insight |
|---|---|---|---|
| | Unpinned Actions Full Length Commit SHA | /build.yml: 483 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| | Unpinned Actions Full Length Commit SHA | /build.yml: 731 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
| | Unpinned Actions Full Length Commit SHA | /build.yml: 791 | Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps... |
Fixed Issues
| Severity | Issue | Source File / Package |
|---|---|---|
| | Unpinned Actions Full Length Commit SHA | /build.yml: 769 |
| | Unpinned Actions Full Length Commit SHA | /build.yml: 493 |
| | Unpinned Actions Full Length Commit SHA | /build.yml: 829 |
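The scanner reports the same finding, "Unpinned Actions Full Length Commit SHA", as both new and fixed at different line numbers, which is what a line-keyed diff produces when a workflow is reformatted and lines move. The following is an added example (not Checkmarx's logic and not code from this PR) of the check itself: it reads a workflow, classifies every `uses:` reference, and reports those not pinned to a 40-character commit SHA, keyed by action reference rather than by line so a reformat does not masquerade as new or fixed findings. The sample workflow and its SHA are constructed for the example.

```python
"""Flag GitHub Actions references that are not pinned to a full commit SHA."""
import re

SHA40 = re.compile(r"[0-9a-f]{40}")
USES = re.compile(r"^\s*(?:-\s+)?uses:\s*([^\s#]+)")


def classify_ref(uses: str) -> str:
    """Classify a `uses:` value: local, docker, unversioned, mutable or pinned."""
    if uses.startswith("./"):
        return "local"          # action in this repository, no ref to pin
    if uses.startswith("docker://"):
        return "docker"         # image refs are pinned by digest, not handled here
    if "@" not in uses:
        return "unversioned"
    _, ref = uses.rsplit("@", 1)
    return "pinned" if SHA40.fullmatch(ref) else "mutable"


def find_unpinned(workflow_text: str) -> list:
    """Return (line_number, uses_value) for every action not pinned to a SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES.match(line)
        if not m:
            continue
        value = m.group(1).strip("\"'")
        if classify_ref(value) in ("mutable", "unversioned"):
            findings.append((lineno, value))
    return findings


def unpinned_by_action(workflow_text: str) -> set:
    """Line-independent view: the set of unpinned action references."""
    return {value for _, value in find_unpinned(workflow_text)}


def compare_scans(old_text: str, new_text: str) -> dict:
    """Report truly new and truly fixed findings by action reference, ignoring line moves."""
    old, new = unpinned_by_action(old_text), unpinned_by_action(new_text)
    return {"new": sorted(new - old), "fixed": sorted(old - new)}


# Constructed sample workflow; the SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-dotnet@0123456789abcdef0123456789abcdef01234567 # constructed SHA
      - uses: ./.github/actions/local-thing
      - name: Azure login
        uses: azure/login@v1
      - uses: docker://alpine:3.19
"""

# The same workflow with a comment line inserted at the top: every `uses:`
# moves down one line, but the set of unpinned actions is unchanged.
SHIFTED_WORKFLOW = "# reformatted\n" + SAMPLE_WORKFLOW

if __name__ == "__main__":
    for lineno, value in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {value} is not pinned to a full-length commit SHA")
    print(compare_scans(SAMPLE_WORKFLOW, SHIFTED_WORKFLOW))
```

Running `find_unpinned` alone reproduces the scanner's line-keyed report; `compare_scans` is the view a reviewer wants on a formatting-only PR, where an empty `new` and `fixed` list confirms that nothing about action pinning actually changed.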
This is a preserved comment from Pull Request Review https://github.com/bitwarden/mobile/pull/3018/files#pullrequestreview-1896206871 that could not be imported due to a INVALID_REVIEW_THREAD error.
fedemkr left a review with state commented at 2024-02-22 15:48:14 UTC with the following body:
created a review thread on lines 153-164 of .github/workflows/build.yml
at 2024-02-22 15:48:14 UTC.
Review thread metadata
| Attribute | Value |
|---|---|
| author | |
| created_at | 2024-02-22 15:48:14 UTC |
| base_commit_id | |
| commit_id | a914f155eed2d5af835d08fb57fc282bcba0b7d9 |
| start_position_offset | 2 |
| blob_position | 163 |
| file_path | .github/workflows/build.yml |
| start_line | 153 |
| end_line | 164 |
| state | PULL_REQUEST_REVIEW_THREAD_STATE_RESOLVED |
| resolved_by_user_login | uKP10A5zr4W8MgobLOI8X6lgaioJfIPOirzb4Dt |
| position | |
| original_position | 70 |
| subject_type | PULL_REQUEST_REVIEW_SUBJECT_TYPE_LINE |
| outdated | true |
Review thread diff hunk
@@ -150,9 +159,6 @@ jobs:
- name: Restore tools
run: dotnet tool restore
- # - name: Verify Format
- # run: dotnet tool run dotnet-format --check
-
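Review bot: Dropping the two commented-out lines `# - name: Verify Format` / `# run: dotnet tool run dotnet-format --check` removes the only record in the workflow that a formatting gate is meant to be re-enabled; since the step is already commented out, the deletion changes no behaviour, so either keep the lines or replace them with a single `# TODO` comment pointing at the work that will restore the check, so the gate is not forgotten once the MAUI code is formatted.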
Comments on this review thread
fedemkr left a comment at 2024-02-22 15:48:15 UTC
⚠️ This shouldn't be removed, it's commented until we make a PR with all MAUI code formatted which will then enable (uncomment) this.
created a review thread on lines 566-558 of .github/workflows/build.yml
at 2024-02-28 01:05:16 UTC.
Review thread metadata
| Attribute | Value |
|---|---|
| author | |
| created_at | 2024-02-28 01:05:16 UTC |
| base_commit_id | |
| commit_id | fb0428f4c73659a61c2d8c13b6d591a3624c3ece |
| start_position_offset | 6 |
| blob_position | 557 |
| file_path | .github/workflows/build.yml |
| start_line | 566 |
| end_line | 558 |
| state | PULL_REQUEST_REVIEW_THREAD_STATE_RESOLVED |
| resolved_by_user_login | ScqrpzLHb34oTRHZUU1HuZDPgisC49072zobg8A |
| position | 296 |
| original_position | 296 |
| subject_type | PULL_REQUEST_REVIEW_SUBJECT_TYPE_LINE |
| outdated | false |
Review thread diff hunk
@@ -500,73 +489,73 @@ jobs:
keyvault: "bitwarden-ci"
secrets: "appcenter-ios-token"
- - name: Decrypt secrets
+ - name: Download Provisioning Profiles secrets
env:
- DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }}
- run: |
- mkdir -p ~/secrets
-
- gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
- --output $HOME/secrets/bitwarden-mobile-key.p12 ./.github/secrets/bitwarden-mobile-key.p12.gpg
- gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
- --output $HOME/secrets/iphone-distribution-cert.p12 ./.github/secrets/iphone-distribution-cert.p12.gpg
- gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
- --output $HOME/secrets/dist_autofill.mobileprovision ./.github/secrets/dist_autofill.mobileprovision.gpg
- gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
- --output $HOME/secrets/dist_bitwarden.mobileprovision ./.github/secrets/dist_bitwarden.mobileprovision.gpg
- gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
- --output $HOME/secrets/dist_extension.mobileprovision ./.github/secrets/dist_extension.mobileprovision.gpg
- gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
- --output $HOME/secrets/dist_share_extension.mobileprovision \
- ./.github/secrets/dist_share_extension.mobileprovision.gpg
- gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
- --output $HOME/secrets/dist_watch_app.mobileprovision \
- ./.github/secrets/dist_watch_app.mobileprovision.gpg
- gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
- --output $HOME/secrets/dist_watch_app_extension.mobileprovision \
- ./.github/secrets/dist_watch_app_extension.mobileprovision.gpg
- gpg --quiet --batch --yes --decrypt --passphrase="$DECRYPT_FILE_PASSWORD" \
- --output ./src/watchOS/bitwarden/GoogleService-Info.plist ./.github/secrets/GoogleService-Info.plist.gpg
+ ACCOUNT_NAME: bitwardenci
+ CONTAINER_NAME: profiles
+ run: |
+ mkdir -p $HOME/secrets
+ profiles=(
+ "dist_autofill.mobileprovision"
+ "dist_bitwarden.mobileprovision"
+ "dist_extension.mobileprovision"
+ "dist_share_extension.mobileprovision"
+ "dist_bitwarden_watch_app.mobileprovision"
+ "dist_bitwarden_watch_app_extension.mobileprovision"
+ )
+
+ for FILE in "${profiles[@]}"
+ do
+ az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME --name $FILE \
+ --file $HOME/secrets/$FILE --output none
+ done
+
+ - name: Download Google Services secret
+ env:
+ ACCOUNT_NAME: bitwardenci
+ CONTAINER_NAME: mobile
+ FILE: GoogleService-Info.plist
+ run: |
+ mkdir -p $HOME/secrets
+ az storage blob download --account-name $ACCOUNT_NAME --container-name $CONTAINER_NAME --name $FILE \
+ --file $HOME/secrets/$FILE --output none
- name: Increment version
run: |
BUILD_NUMBER=$((100 + $GITHUB_RUN_NUMBER))
- echo "########################################"
echo "##### Setting CFBundleVersion $BUILD_NUMBER"
- echo "########################################"
-
echo "### CFBundleVersion $BUILD_NUMBER" >> $GITHUB_STEP_SUMMARY
perl -0777 -pi.bak -e 's/<key>CFBundleVersion<\/key>\s*<string>1<\/string>/<key>CFBundleVersion<\/key>\n\t<string>'"$BUILD_NUMBER"'<\/string>/' ./${{ env.ios_folder_path }}/Info.plist
perl -0777 -pi.bak -e 's/<key>CFBundleVersion<\/key>\s*<string>1<\/string>/<key>CFBundleVersion<\/key>\n\t<string>'"$BUILD_NUMBER"'<\/string>/' ./src/iOS.Extension/Info.plist
perl -0777 -pi.bak -e 's/<key>CFBundleVersion<\/key>\s*<string>1<\/string>/<key>CFBundleVersion<\/key>\n\t<string>'"$BUILD_NUMBER"'<\/string>/' ./src/iOS.Autofill/Info.plist
perl -0777 -pi.bak -e 's/<key>CFBundleVersion<\/key>\s*<string>1<\/string>/<key>CFBundleVersion<\/key>\n\t<string>'"$BUILD_NUMBER"'<\/string>/' ./src/iOS.ShareExtension/Info.plist
cd src/watchOS/bitwarden
- agvtool new-version -all $BUILD_NUMBER
+ agvtool new-version -all $BUILD_NUMBER
- name: Update Entitlements
run: |
- echo "########################################"
echo "##### Updating Entitlements"
- echo "########################################"
-
perl -0777 -pi.bak -e 's/<key>aps-environment<\/key>\s*<string>development<\/string>/<key>aps-environment<\/key>\n\t<string>production<\/string>/' ./${{ env.ios_folder_path }}/Entitlements.plist
+
+ - name: Get certificates
+ run: |
+ mkdir -p $HOME/certificates
+ az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/ios-distribution |
+ jq -r .value | base64 -d > $HOME/certificates/ios-distribution.p12
- name: Set up Keychain
env:
KEYCHAIN_PASSWORD: ${{ secrets.IOS_KEYCHAIN_PASSWORD }}
- MOBILE_KEY_PASSWORD: ${{ secrets.IOS_KEY_PASSWORD }}
- DIST_CERT_PASSWORD: ${{ secrets.IOS_DIST_CERT_PASSWORD }}
run: |
security create-keychain -p $KEYCHAIN_PASSWORD build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain
security set-keychain-settings -lut 1200 build.keychain
- security import ~/secrets/bitwarden-mobile-key.p12 -k build.keychain -P $MOBILE_KEY_PASSWORD \
- -T /usr/bin/codesign -T /usr/bin/security
- security import ~/secrets/iphone-distribution-cert.p12 -k build.keychain -P $DIST_CERT_PASSWORD \
- -T /usr/bin/codesign -T /usr/bin/security
+
+ security import $HOME/certificates/ios-distribution.p12 -k build.keychain -P "" -T /usr/bin/codesign \
+ -T /usr/bin/security
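Review bot: In the new `Get certificates` step, `az keyvault secret show ... | jq -r .value | base64 -d > $HOME/certificates/ios-distribution.p12` will write an empty or truncated `.p12` and still succeed if the `az` or `jq` stage fails, because only the exit status of `base64` decides the pipeline's result unless the job sets `shell: bash` (which turns on `pipefail`; that is not visible in this hunk). Start the `run:` block with `set -euo pipefail`, or verify the file before `security import` (for example `openssl pkcs12 -in "$HOME/certificates/ios-distribution.p12" -nokeys -passin pass: -noout`), so a Key Vault permission or network problem fails here instead of as an opaque codesign error later. Two smaller points from the same hunk: the import now uses `-P ""`, so the private key's protection rests entirely on Key Vault access control and the runner's Azure identity rather than on a second password, which is worth stating in the PR description; and the watch profiles are renamed from `dist_watch_app*.mobileprovision` to `dist_bitwarden_watch_app*.mobileprovision` while `GoogleService-Info.plist` now lands in `$HOME/secrets/` instead of `./src/watchOS/bitwarden/`, so any later step that still references the old names or path needs a matching change (not visible in this hunk). Quoting `$HOME/secrets/$FILE` and `$FILE` in the `az storage blob download` calls would also keep the loop safe if a profile name ever contains a space.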
Comments on this review thread
fedemkr left a comment at 2024-02-28 01:05:16 UTC
🤔 Is `bitwarden-mobile-key.p12` not needed anymore? And now the certs don't need password?
Eeebru left a comment at 2024-02-28 11:12:43 UTC
@fedemkr the `bitwarden-mobile-key.p12` is downloaded in another step. Also, we don't need to decrypt them anymore because we deprecated `gpg`, we now download all the profile and secrets files from our storage account.
vgrassia left a comment at 2024-02-28 12:47:56 UTC
The `bitwarden-mobile-key.p12` was deleted because it was expired by a few months and I don't think we use it.