diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 4cdda4e4a..8e44ea2e5 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -177,10 +177,10 @@ jobs:
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: Sign payload files with Azure Code Signing
- uses: azure/azure-code-signing-action@v0.3.1
+ uses: azure/trusted-signing-action@v0.3.20
with:
endpoint: https://wus2.codesigning.azure.net/
- code-signing-account-name: git-fundamentals-signing
+ trusted-signing-account-name: git-fundamentals-signing
certificate-profile-name: git-fundamentals-windows-signing
files-folder: ${{ github.workspace }}\payload
files-folder-filter: exe,dll
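Review bot: The new `uses: azure/trusted-signing-action@v0.3.20` reference is pinned to a tag rather than a commit SHA, in a step that signs release binaries and appears to run after Azure credentials are configured. A tag can be re-pointed by whoever controls the action repository, so the code that performs signing could change without any change to this file. Pin to the full commit SHA and keep the version as a trailing comment, e.g. `uses: azure/trusted-signing-action@<full-commit-sha> # v0.3.20`. The same applies to the "Sign installers" step in the next hunk.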
@@ -204,10 +204,10 @@ jobs:
-Destination $env:GITHUB_WORKSPACE\installers
- name: Sign installers with Azure Code Signing
- uses: azure/azure-code-signing-action@v0.3.1
+ uses: azure/trusted-signing-action@v0.3.20
with:
endpoint: https://wus2.codesigning.azure.net/
- code-signing-account-name: git-fundamentals-signing
+ trusted-signing-account-name: git-fundamentals-signing
certificate-profile-name: git-fundamentals-windows-signing
files-folder: ${{ github.workspace }}\installers
files-folder-filter: exe
@@ -349,31 +349,16 @@ jobs:
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- - name: Download/extract Sign CLI tool
- env:
- AST: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
- ASC: ${{ secrets.AZURE_STORAGE_CONTAINER }}
- SCT: ${{ secrets.SIGN_CLI_TOOL }}
+ - name: Install sign CLI tool
run: |
- az storage blob download --file sign-cli.zip --auth-mode login `
- --account-name $env:AST --container-name $env:ASC --name $env:SCT
- Expand-Archive -Path sign-cli.zip -DestinationPath .\sign-cli
+ dotnet tool install -g --version 0.9.1-beta.24325.5
- name: Sign payload
- env:
- ACST: ${{ secrets.AZURE_TENANT_ID }}
- ACSI: ${{ secrets.AZURE_CLIENT_ID }}
- ACSS: ${{ secrets.AZURE_CLIENT_SECRET }}
run: |
- ./sign-cli/sign.exe code azcodesign payload/* `
- -acsu https://wus2.codesigning.azure.net/ `
- -acsa git-fundamentals-signing `
- -acscp git-fundamentals-windows-signing `
- -d "Git Fundamentals Windows Signing Certificate" `
- -u "https://github.com/git-ecosystem/git-credential-manager" `
- -acst $env:ACST `
- -acsi $env:ACSI `
- -acss $env:ACSS
+ sign.exe code trusted-signing payload/* `
+ -tse https://wus2.codesigning.azure.net/ `
+ -tsa git-fundamentals-signing `
+ -tscp git-fundamentals-windows-signing
- name: Lay out signed payload, images, and symbols
shell: bash
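Review bot: `dotnet tool install -g --version 0.9.1-beta.24325.5` gives a version but no package ID, so as written the install step should fail and the `sign.exe` call after it would not resolve. Add the package ID, presumably `sign` given the `sign.exe` invocation: `dotnet tool install -g --version 0.9.1-beta.24325.5 sign`. The same line appears in the "Install sign CLI tool" step of the next hunk. Since the tool now comes from the default package feeds rather than the project's own storage account, a short comment above the step recording why this exact prerelease version is trusted would help later reviewers.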
@@ -440,37 +425,37 @@ jobs:
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- - name: Download/extract Sign CLI tool
- env:
- AST: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
- ASC: ${{ secrets.AZURE_STORAGE_CONTAINER }}
- SCT: ${{ secrets.SIGN_CLI_TOOL }}
+ - name: Install sign CLI tool
run: |
- az storage blob download --file sign-cli.zip --auth-mode login `
- --account-name $env:AST --container-name $env:ASC --name $env:SCT
- Expand-Archive -Path sign-cli.zip -DestinationPath .\sign-cli
+ dotnet tool install -g --version 0.9.1-beta.24325.5
- name: Sign package
- env:
- ACST: ${{ secrets.AZURE_TENANT_ID }}
- ACSI: ${{ secrets.AZURE_CLIENT_ID }}
- ACSS: ${{ secrets.AZURE_CLIENT_SECRET }}
run: |
- ./sign-cli/sign.exe code azcodesign nupkg/* `
- -acsu https://wus2.codesigning.azure.net/ `
- -acsa git-fundamentals-signing `
- -acscp git-fundamentals-windows-signing `
- -d "Git Fundamentals Windows Signing Certificate" `
- -u "https://github.com/git-ecosystem/git-credential-manager" `
- -acst $env:ACST `
- -acsi $env:ACSI `
- -acss $env:ACSS
-
- - name: Publish signed package
+ sign.exe code trusted-signing nupkg/* `
+ -tse https://wus2.codesigning.azure.net/ `
+ -tsa git-fundamentals-signing `
+ -tscp git-fundamentals-windows-signing
+
+ mv nupkg/* .
+
+ # Remove this once NuGet supports the subscriber identity validation EKU:
+ # https://github.com/NuGet/NuGetGallery/issues/10027
+ - name: Extract signing certificate from package
+ shell: pwsh
+ run: |
+ dotnet tool install --global Knapcode.CertificateExtractor
+ $nupkg = gci *.nupkg
+ nuget-cert-extractor --file $nupkg --output certs --code-signing --author --leaf
+ $cert = gci certs\*.cer
+ mv $cert .\nuget-signing.cer
+
+ - name: Publish signed package and certificate
uses: actions/upload-artifact@v4
with:
name: dotnet-tool-sign
- path: nupkg/*.nupkg
+ path: |
+ *.nupkg
+ *.cer
# ================================
# Validate
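Review bot: `dotnet tool install --global Knapcode.CertificateExtractor` takes whatever version is latest at build time, unlike the sign tool, which is installed with `--version`. This third-party tool runs in the release job and its output (`nuget-signing.cer`) is published as an artifact, so pin it: `dotnet tool install --global Knapcode.CertificateExtractor --version <pinned-version>`. Separately, `gci *.nupkg` and `gci certs\*.cer` assume exactly one match each; a count check before `mv $cert .\nuget-signing.cer` would make the step fail clearly if more than one file turns up.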
diff --git a/VERSION b/VERSION
index e975051fc..27c7c7b9d 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.5.0.0
+2.5.1.0
diff --git a/docs/azrepos-misp.md b/docs/azrepos-misp.md
index 6c4c508fe..60a3c3e2b 100644
--- a/docs/azrepos-misp.md
+++ b/docs/azrepos-misp.md
@@ -49,12 +49,15 @@ Value|Description
-|-
`system`|System-Assigned Managed Identity
`[guid]`|User-Assigned Managed Identity with the specified client ID
-`id://[guid]`|User-Assigned Managed Identity with the specified client ID
-`resource://[guid]`|User-Assigned Managed Identity for the associated resource
+`id://[guid]` **|User-Assigned Managed Identity with the specified client ID
+`resource://[guid]` **|User-Assigned Managed Identity for the associated resource
You can obtain the `[guid]` from the Azure Portal or by using the Azure CLI
to inspect the Managed Identity or resource.
+** Note there is an open issue that prevents successfull authentication when
+using these formats: https://github.com/git-ecosystem/git-credential-manager/issues/1570
+
## Service Principals
Azure Service Principals are used to authenticate and authorize applications and
diff --git a/src/shared/Core/Core.csproj b/src/shared/Core/Core.csproj
index 9071b6f89..fb3a189d3 100644
--- a/src/shared/Core/Core.csproj
+++ b/src/shared/Core/Core.csproj
@@ -13,25 +13,25 @@
-
-
+
+
-
+
-
-
+
+
-
-
-
+
+
+
-
+