From f8c2c34b61fa84c40b00f26d69f95f0c83eed176 Mon Sep 17 00:00:00 2001
From: Matthew John Cheetham
Date: Tue, 2 Jul 2024 13:48:06 -0700
Subject: [PATCH 1/3] release: use 3rd party tool to extract nuget cert
Use a 3rd party tool to extract the NuGet signing certificate for upload rather than relying on an option added to the sign.exe tool in a private fork.
---
 .github/workflows/release.yml | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1f5df7936..af990154e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -450,11 +450,21 @@ jobs:
 -tsa git-fundamentals-signing `
 -tscp git-fundamentals-windows-signing `
 -d "Git Fundamentals Windows Signing Certificate" `
- -u "https://github.com/git-ecosystem/git-credential-manager" `
- -co nuget-signing-certificate.cer
+ -u "https://github.com/git-ecosystem/git-credential-manager"
 mv nupkg/* .
+ # Remove this once NuGet supports the subscriber identity validation EKU:
+ # https://github.com/NuGet/NuGetGallery/issues/10027
+ - name: Extract signing certificate from package
+ shell: pwsh
+ run: |
+ dotnet tool install --global Knapcode.CertificateExtractor
+ $nupkg = gci *.nupkg
+ nuget-cert-extractor --file $nupkg --output certs --code-signing --author --leaf
+ $cert = gci certs\*.cer
+ mv $cert .\nuget-signing.cer
+
 - name: Publish signed package and certificate
 uses: actions/upload-artifact@v4
 with:
From 5c6d8085d2058ee0a3831fad8baeac5c1a26307a Mon Sep 17 00:00:00 2001
From: Matthew John Cheetham
Date: Tue, 2 Jul 2024 13:51:48 -0700
Subject: [PATCH 2/3] release: use dotnet tool install to get sign CLI
Use the `dotnet tool install` command to acquire the code signing tool, rather than rely on our Azure blob store.
---
 .github/workflows/release.yml | 24 ++++++------------------
 1 file changed, 6 insertions(+), 18 deletions(-)
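Review bot: `dotnet tool install --global Knapcode.CertificateExtractor` in the new "Extract signing certificate from package" step carries no `--version`, so this release job, which signs and publishes the package, runs whatever version of a third-party tool the feed serves at that moment; pin it as `dotnet tool install --global Knapcode.CertificateExtractor --version <pinned-version>`, the same way the next commit in this series pins the sign CLI. The `$nupkg = gci *.nupkg` and `$cert = gci certs\*.cer` lookups also bind a collection when more than one file matches, which would hand several paths to `--file` and to `mv`; an explicit count check such as `if (@($cert).Count -ne 1) { throw "expected exactly one extracted certificate" }` makes that failure visible instead of accidental. The enclosing job and the "Publish signed package and certificate" step continue past the end of the hunk.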
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index af990154e..bc2114db4 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -349,19 +349,13 @@ jobs:
 tenant-id: ${{ secrets.AZURE_TENANT_ID }}
 subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- - name: Download/extract Sign CLI tool
- env:
- AST: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
- ASC: ${{ secrets.AZURE_STORAGE_CONTAINER }}
- SCT: 'Sign.Cli-alpha.zip'
+ - name: Install sign CLI tool
 run: |
- az storage blob download --file sign-cli.zip --auth-mode login `
- --account-name $env:AST --container-name $env:ASC --name $env:SCT
- Expand-Archive -Path sign-cli.zip -DestinationPath .\sign-cli
+ dotnet tool install -g --version 0.9.1-beta.24325.5
 - name: Sign payload
 run: |
- ./sign-cli/sign.exe code trusted-signing payload/* `
+ sign.exe code trusted-signing payload/* `
 -tse https://wus2.codesigning.azure.net/ `
 -tsa git-fundamentals-signing `
 -tscp git-fundamentals-windows-signing `
@@ -433,19 +427,13 @@ jobs:
 tenant-id: ${{ secrets.AZURE_TENANT_ID }}
 subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- - name: Download/extract Sign CLI tool
- env:
- AST: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
- ASC: ${{ secrets.AZURE_STORAGE_CONTAINER }}
- SCT: 'Sign.Cli-alpha.zip'
+ - name: Install sign CLI tool
 run: |
- az storage blob download --file sign-cli.zip --auth-mode login `
- --account-name $env:AST --container-name $env:ASC --name $env:SCT
- Expand-Archive -Path sign-cli.zip -DestinationPath .\sign-cli
+ dotnet tool install -g --version 0.9.1-beta.24325.5
 - name: Sign package
 run: |
- ./sign-cli/sign.exe code trusted-signing nupkg/* `
+ sign.exe code trusted-signing nupkg/* `
 -tse https://wus2.codesigning.azure.net/ `
 -tsa git-fundamentals-signing `
 -tscp git-fundamentals-windows-signing `
From ddba796d67250100cec6eb94e3ce8ff956b052d7 Mon Sep 17 00:00:00 2001
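Review bot: The added line `dotnet tool install -g --version 0.9.1-beta.24325.5` in the "Install sign CLI tool" step has no package ID argument, so `dotnet tool install` will reject the command before anything is installed and the `sign.exe` call in the following "Sign payload" step has nothing to run; the package name (presumably the `sign` tool that provides `sign.exe`) has to be given, e.g. `dotnet tool install -g sign --version 0.9.1-beta.24325.5`. The identical line is added in the `@@ -433,19 +427,13 @@` hunk for the "Sign package" step and needs the same fix. Keeping the exact `--version` pin as done here is the right call for a signing job; the job definitions that contain these steps begin before each hunk.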
From: Matthew John Cheetham
Date: Tue, 2 Jul 2024 13:53:47 -0700
Subject: [PATCH 3/3] release: drop no longer required sign.exe options
Drop the `-d` and `-u` options from the sign.exe CLI; they are no longer required.
---
 .github/workflows/release.yml | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index bc2114db4..8e44ea2e5 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -358,9 +358,7 @@ jobs:
 sign.exe code trusted-signing payload/* `
 -tse https://wus2.codesigning.azure.net/ `
 -tsa git-fundamentals-signing `
- -tscp git-fundamentals-windows-signing `
- -d "Git Fundamentals Windows Signing Certificate" `
- -u "https://github.com/git-ecosystem/git-credential-manager"
+ -tscp git-fundamentals-windows-signing
 - name: Lay out signed payload, images, and symbols
 shell: bash
@@ -436,9 +434,7 @@ jobs:
 sign.exe code trusted-signing nupkg/* `
 -tse https://wus2.codesigning.azure.net/ `
 -tsa git-fundamentals-signing `
- -tscp git-fundamentals-windows-signing `
- -d "Git Fundamentals Windows Signing Certificate" `
- -u "https://github.com/git-ecosystem/git-credential-manager"
+ -tscp git-fundamentals-windows-signing
 mv nupkg/* .