
Merge pull request #4188 from devlead/feature/gh-4173
GH4173: Switch to new SignTool
devlead authored Jul 5, 2023
2 parents 4a07acf + 14c8459 commit 2cd8a60
Showing 6 changed files with 96 additions and 58 deletions.
81 changes: 39 additions & 42 deletions build.cake
Expand Up @@ -3,8 +3,8 @@

// Install .NET Core Global tools.
#tool "dotnet:https://api.nuget.org/v3/index.json?package=GitVersion.Tool&version=5.12.0"
#tool "dotnet:https://api.nuget.org/v3/index.json?package=SignClient&version=1.3.155"
#tool "dotnet:https://api.nuget.org/v3/index.json?package=GitReleaseManager.Tool&version=0.13.0"
#tool "dotnet:https://api.nuget.org/v3/index.json?package=sign&version=0.9.1-beta.23274.1&prerelease"

// Load other scripts.
#load "./build/parameters.cake"
Expand All @@ -29,6 +29,11 @@ Setup<BuildParameters>(context =>
parameters.Version.CakeVersion,
parameters.IsTagged);

if (parameters.ShouldSignPackages && !parameters.CodeSigning.HasCredentials)
{
throw new CakeException("Code signing credentials are missing.");
}

foreach(var assemblyInfo in GetFiles("./src/**/AssemblyInfo.cs"))
{
CreateAssemblyInfo(
Expand Down Expand Up @@ -145,52 +150,44 @@ Task("Create-NuGet-Packages")

Task("Sign-Binaries")
.IsDependentOn("Create-NuGet-Packages")
.WithCriteria<BuildParameters>((context, parameters) =>
(parameters.ShouldPublish && !parameters.SkipSigning) ||
StringComparer.OrdinalIgnoreCase.Equals(EnvironmentVariable("SIGNING_TEST"), "True"))
.Does<BuildParameters>((context, parameters) =>
.WithCriteria<BuildParameters>(static (context, parameters) => parameters.ShouldSignPackages)
.Does<BuildParameters>(async static (context, parameters) =>
{
// Get the secret.
var secret = EnvironmentVariable("SIGNING_SECRET");
if(string.IsNullOrWhiteSpace(secret)) {
throw new InvalidOperationException("Could not resolve signing secret.");
}
// Get the user.
var user = EnvironmentVariable("SIGNING_USER");
if(string.IsNullOrWhiteSpace(user)) {
throw new InvalidOperationException("Could not resolve signing user.");
}

var settings = File("./signclient.json");
var filter = File("./signclient.filter");

// Get the files to sign.
var files = GetFiles(string.Concat(parameters.Paths.Directories.NuGetRoot, "/", "*.nupkg"));

foreach(var file in files)
{
Information("Signing {0}...", file.FullPath);
var files = context.GetFiles(string.Concat(parameters.Paths.Directories.NuGetRoot, "/", "*.nupkg"));
var commandSettings = new CommandSettings{
ToolExecutableNames = new [] { "sign", "sign.exe" },
ToolName = "sign",
ToolPath = parameters.Paths.SignClientPath.FullPath
};

Parallel.ForEach(
files,
file => {
context.Information("Signing {0}...", file.FullPath);

// Build the argument list.
var arguments = new ProcessArgumentBuilder()
.Append("sign")
.AppendSwitchQuoted("-c", MakeAbsolute(settings.Path).FullPath)
.AppendSwitchQuoted("-i", MakeAbsolute(file).FullPath)
.AppendSwitchQuoted("-f", MakeAbsolute(filter).FullPath)
.AppendSwitchQuotedSecret("-s", secret)
.AppendSwitchQuotedSecret("-r", user)
.AppendSwitchQuoted("-n", "Cake")
.AppendSwitchQuoted("-d", "Cake (C# Make) is a cross platform build automation system.")
.AppendSwitchQuoted("-u", "https://cakebuild.net");

// Sign the binary.
var result = StartProcess(parameters.Paths.SignClientPath.FullPath, new ProcessSettings { Arguments = arguments });
if(result != 0)
{
// We should not recover from this.
throw new InvalidOperationException("Signing failed!");
}
}
.Append("code")
.Append("azure-key-vault")
.AppendQuoted(file.FullPath)
.AppendSwitchQuoted("--file-list", parameters.Paths.SignFilterPath.FullPath)
.AppendSwitchQuoted("--publisher-name", "Cake")
.AppendSwitchQuoted("--description", "Cake (C# Make) is a cross platform build automation system.")
.AppendSwitchQuoted("--description-url", "https://cakebuild.net")
.AppendSwitchQuotedSecret("--azure-key-vault-tenant-id", parameters.CodeSigning.SignTenantId)
.AppendSwitchQuotedSecret("--azure-key-vault-client-id", parameters.CodeSigning.SignClientId)
.AppendSwitchQuotedSecret("--azure-key-vault-client-secret", parameters.CodeSigning.SignClientSecret)
.AppendSwitchQuotedSecret("--azure-key-vault-certificate", parameters.CodeSigning.SignKeyVaultCertificate)
.AppendSwitchQuotedSecret("--azure-key-vault-url", parameters.CodeSigning.SignKeyVaultUrl);

context.Command(
commandSettings,
arguments
);

context.Information("Done signing {0}.", file.FullPath);
});
});

Task("Upload-AppVeyor-Artifacts")
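Review bot: `ToolPath = parameters.Paths.SignClientPath.FullPath` in the new CommandSettings dereferences a path that build/paths.cake now leaves null on non-Windows hosts, so a Linux or macOS run with `SIGNING_TEST=True` (or a publish build) fails with a NullReferenceException instead of a readable error. Assigning the FilePath itself, `ToolPath = parameters.Paths.SignClientPath`, avoids the dereference and lets Cake fall back to ToolExecutableNames when it is null — assuming, which I cannot confirm from here, that the dotnet tool install places `sign` somewhere Cake's resolver searches. The `async static` lambda contains no await, so it only earns a CS1998 warning; dropping `async`, or a comment saying why it is kept, would be cleaner. `Parallel.ForEach` wraps a failing sign invocation in an AggregateException, which still fails the task but buries the tool's own message one level down in the log.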
32 changes: 32 additions & 0 deletions build/credentials.cake
@@ -1,3 +1,35 @@
public record CodeSigningCredentials(
string SignTenantId,
string SignClientId,
string SignClientSecret,
string SignKeyVaultCertificate,
string SignKeyVaultUrl
)
{
public bool HasCredentials
{
get
{
return
!string.IsNullOrEmpty(SignTenantId) &&
!string.IsNullOrEmpty(SignClientId) &&
!string.IsNullOrEmpty(SignClientSecret) &&
!string.IsNullOrEmpty(SignKeyVaultCertificate) &&
!string.IsNullOrEmpty(SignKeyVaultUrl);
}
}

public static CodeSigningCredentials GetCodeSigningCredentials(ICakeContext context)
{
return new CodeSigningCredentials(
SignTenantId: context.EnvironmentVariable("SIGN_TENANT_ID"),
SignClientId: context.EnvironmentVariable("SIGN_CLIENT_ID"),
SignClientSecret: context.EnvironmentVariable("SIGN_CLIENT_SECRET"),
SignKeyVaultCertificate: context.EnvironmentVariable("SIGN_KEYVAULT_CERTIFICATE"),
SignKeyVaultUrl: context.EnvironmentVariable("SIGN_KEYVAULT_URL"));
}
}

public record BuildCredentials(string Token)
{
public static BuildCredentials GetGitHubCredentials(ICakeContext context)
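Review bot: `CodeSigningCredentials` is a positional record, so its compiler-generated `ToString()` prints every positional property, including `SignClientSecret`; any log line or exception message that interpolates `parameters.CodeSigning` would write the Key Vault client secret to the build output in plain text. Overriding the representation to omit the secret-bearing members closes that, e.g. `public override string ToString() => $"{nameof(CodeSigningCredentials)} {{ HasCredentials = {HasCredentials} }}";`. `HasCredentials` uses `IsNullOrEmpty`, so a whitespace-only value from the CI secret store passes the Setup check in build.cake and only fails inside the sign tool; `IsNullOrWhiteSpace` would surface it earlier with the existing "Code signing credentials are missing." message. The record also has no doc comment; a `/// <summary>` naming the five `SIGN_*` environment variables it is populated from would help whoever configures the pipeline.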
12 changes: 12 additions & 0 deletions build/parameters.cake
Expand Up @@ -28,6 +28,7 @@ public class BuildParameters
public BuildPackages Packages { get; }
public bool PublishingError { get; set; }
public DotNetMSBuildSettings MSBuildSettings { get; }
public CodeSigningCredentials CodeSigning { get; }

public bool ShouldPublish
{
Expand All @@ -47,6 +48,8 @@ public class BuildParameters
}
}


public bool ShouldSignPackages { get; }
public bool CanPostToTwitter
{
get
Expand Down Expand Up @@ -80,6 +83,7 @@ public class BuildParameters
IsTagged = IsBuildTagged(buildSystem);
GitHub = BuildCredentials.GetGitHubCredentials(context);
Twitter = TwitterCredentials.GetTwitterCredentials(context);
CodeSigning = CodeSigningCredentials.GetCodeSigningCredentials(context);
ReleaseNotes = context.ParseReleaseNotes("./ReleaseNotes.md");
IsPublishBuild = IsPublishing(context.TargetTask.Name);
IsReleaseBuild = IsReleasing(context.TargetTask.Name);
Expand Down Expand Up @@ -119,6 +123,14 @@ public class BuildParameters
{
MSBuildSettings.WithProperty("TemplateVersion", Version.SemVersion);
}


ShouldSignPackages = (!SkipSigning && ShouldPublish)
||
StringComparer.OrdinalIgnoreCase.Equals(
context.EnvironmentVariable("SIGNING_TEST"),
"True"
);
}

private static bool IsBuildTagged(BuildSystem buildSystem)
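Review bot: `ShouldSignPackages` is assigned at the very end of the constructor from `ShouldPublish`, a computed property whose body lies outside this hunk; the value is only right if every field `ShouldPublish` reads is initialised before that line, which the visible lines cannot confirm. A one-line comment at the assignment, `// Must stay last: depends on ShouldPublish, which reads state set above.`, would make the ordering constraint explicit for the next edit. The property itself is undocumented; a `/// <summary>` stating that `SIGNING_TEST=True` forces signing regardless of publish state, and that `SkipSigning` only applies to publish builds, would be worth adding. Two consecutive blank lines precede both the declaration and the assignment, where the surrounding file uses one.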
16 changes: 13 additions & 3 deletions build/paths.cake
@@ -1,6 +1,7 @@
public record BuildPaths(
BuildDirectories Directories,
FilePath SignClientPath
FilePath SignClientPath,
FilePath SignFilterPath
)
{
public static BuildPaths GetPaths(
Expand Down Expand Up @@ -38,11 +39,20 @@ public record BuildPaths(
nugetRoot,
integrationTestsBinTool);

var signClientPath = context.Tools.Resolve("SignClient.exe") ?? context.Tools.Resolve("SignClient") ?? throw new Exception("Failed to locate sign tool");
var signClientPath = context.Tools.Resolve("sign.exe")
?? context.Tools.Resolve("sign")
?? (
context.IsRunningOnWindows()
? throw new Exception("Failed to locate sign tool")
: null
);

var signFilterPath = context.MakeAbsolute(context.File("./build/signclient.filter"));

return new BuildPaths(
Directories: buildDirectories,
SignClientPath: signClientPath
SignClientPath: signClientPath,
SignFilterPath: signFilterPath
);
}
}
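Review bot: On non-Windows hosts the new resolution chain yields `null` for `signClientPath` with no message, and its only visible consumer (`Sign-Binaries` in build.cake) dereferences it, so a missing tool surfaces later as a NullReferenceException rather than here. At minimum the `: null` branch needs a comment stating why non-Windows hosts are exempt (presumably the tool is Windows-only, but the hunk does not say), and ideally the method would also throw when signing is required on the current host — that flag is not available in `GetPaths`, so it would have to be passed in. The throw uses the generic `Exception` type while the Setup block in build.cake throws `CakeException` for the equivalent credentials check; `throw new CakeException("Failed to locate sign tool")` keeps the two consistent. `signFilterPath` is now the single place the file-list location lives; a short comment noting that `./build/signclient.filter` is the renamed filter consumed via `--file-list` would help the next reader.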
File renamed without changes.
13 changes: 0 additions & 13 deletions signclient.json

This file was deleted.
