diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 4cdda4e4a..8e44ea2e5 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -177,10 +177,10 @@ jobs:
 subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 - name: Sign payload files with Azure Code Signing
- uses: azure/azure-code-signing-action@v0.3.1
+ uses: azure/trusted-signing-action@v0.3.20
 with:
 endpoint: https://wus2.codesigning.azure.net/
- code-signing-account-name: git-fundamentals-signing
+ trusted-signing-account-name: git-fundamentals-signing
 certificate-profile-name: git-fundamentals-windows-signing
 files-folder: ${{ github.workspace }}\payload
 files-folder-filter: exe,dll
@@ -204,10 +204,10 @@ jobs:
 -Destination $env:GITHUB_WORKSPACE\installers
 - name: Sign installers with Azure Code Signing
- uses: azure/azure-code-signing-action@v0.3.1
+ uses: azure/trusted-signing-action@v0.3.20
 with:
 endpoint: https://wus2.codesigning.azure.net/
- code-signing-account-name: git-fundamentals-signing
+ trusted-signing-account-name: git-fundamentals-signing
 certificate-profile-name: git-fundamentals-windows-signing
 files-folder: ${{ github.workspace }}\installers
 files-folder-filter: exe
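Review bot: `uses: azure/trusted-signing-action@v0.3.20` in both hunks (the payload step at -177 and the installers step at -204) references the action by a mutable tag; for the step that drives the release signing session, pinning to a full commit SHA with the version kept in a trailing comment, `uses: azure/trusted-signing-action@<commit-sha> # v0.3.20`, makes the reference immutable and is the hardening GitHub recommends for third-party actions. The remaining `with:` inputs carry over unchanged apart from the renamed account-name key, so no other behaviour shifts in these hunks. The enclosing jobs and the preceding `azure/login` steps lie outside both hunks.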
@@ -349,31 +349,16 @@ jobs:
 tenant-id: ${{ secrets.AZURE_TENANT_ID }}
 subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- - name: Download/extract Sign CLI tool
- env:
- AST: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
- ASC: ${{ secrets.AZURE_STORAGE_CONTAINER }}
- SCT: ${{ secrets.SIGN_CLI_TOOL }}
+ - name: Install sign CLI tool
 run: |
- az storage blob download --file sign-cli.zip --auth-mode login `
- --account-name $env:AST --container-name $env:ASC --name $env:SCT
- Expand-Archive -Path sign-cli.zip -DestinationPath .\sign-cli
+ dotnet tool install -g --version 0.9.1-beta.24325.5
 - name: Sign payload
- env:
- ACST: ${{ secrets.AZURE_TENANT_ID }}
- ACSI: ${{ secrets.AZURE_CLIENT_ID }}
- ACSS: ${{ secrets.AZURE_CLIENT_SECRET }}
 run: |
- ./sign-cli/sign.exe code azcodesign payload/* `
- -acsu https://wus2.codesigning.azure.net/ `
- -acsa git-fundamentals-signing `
- -acscp git-fundamentals-windows-signing `
- -d "Git Fundamentals Windows Signing Certificate" `
- -u "https://github.com/git-ecosystem/git-credential-manager" `
- -acst $env:ACST `
- -acsi $env:ACSI `
- -acss $env:ACSS
+ sign.exe code trusted-signing payload/* `
+ -tse https://wus2.codesigning.azure.net/ `
+ -tsa git-fundamentals-signing `
+ -tscp git-fundamentals-windows-signing
 - name: Lay out signed payload, images, and symbols
 shell: bash
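Review bot: The new `Install sign CLI tool` step reads `dotnet tool install -g --version 0.9.1-beta.24325.5` with nothing after the version; `dotnet tool install` needs a package id, so unless the package name was lost in rendering this step fails before any signing happens, and the identical line appears again in the next hunk (`@@ -440,37`). Separately, the rewritten `sign.exe code trusted-signing` call no longer passes the `-d "Git Fundamentals Windows Signing Certificate"` description and `-u` URL that the removed `azcodesign` call set, so the resulting signature metadata changes; if that is intended, note it in a comment on the step, otherwise restore the two options, assuming the `trusted-signing` provider still accepts them. Dropping the `ACST`/`ACSI`/`ACSS` client-secret environment in favour of the session established by the login step above the hunk removes a long-lived secret from the signing job, which is a welcome change. The enclosing job starts and continues outside this hunk.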
@@ -440,37 +425,37 @@ jobs:
 tenant-id: ${{ secrets.AZURE_TENANT_ID }}
 subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- - name: Download/extract Sign CLI tool
- env:
- AST: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
- ASC: ${{ secrets.AZURE_STORAGE_CONTAINER }}
- SCT: ${{ secrets.SIGN_CLI_TOOL }}
+ - name: Install sign CLI tool
 run: |
- az storage blob download --file sign-cli.zip --auth-mode login `
- --account-name $env:AST --container-name $env:ASC --name $env:SCT
- Expand-Archive -Path sign-cli.zip -DestinationPath .\sign-cli
+ dotnet tool install -g --version 0.9.1-beta.24325.5
 - name: Sign package
- env:
- ACST: ${{ secrets.AZURE_TENANT_ID }}
- ACSI: ${{ secrets.AZURE_CLIENT_ID }}
- ACSS: ${{ secrets.AZURE_CLIENT_SECRET }}
 run: |
- ./sign-cli/sign.exe code azcodesign nupkg/* `
- -acsu https://wus2.codesigning.azure.net/ `
- -acsa git-fundamentals-signing `
- -acscp git-fundamentals-windows-signing `
- -d "Git Fundamentals Windows Signing Certificate" `
- -u "https://github.com/git-ecosystem/git-credential-manager" `
- -acst $env:ACST `
- -acsi $env:ACSI `
- -acss $env:ACSS
-
- - name: Publish signed package
+ sign.exe code trusted-signing nupkg/* `
+ -tse https://wus2.codesigning.azure.net/ `
+ -tsa git-fundamentals-signing `
+ -tscp git-fundamentals-windows-signing
+
+ mv nupkg/* .
+
+ # Remove this once NuGet supports the subscriber identity validation EKU:
+ # https://github.com/NuGet/NuGetGallery/issues/10027
+ - name: Extract signing certificate from package
+ shell: pwsh
+ run: |
+ dotnet tool install --global Knapcode.CertificateExtractor
+ $nupkg = gci *.nupkg
+ nuget-cert-extractor --file $nupkg --output certs --code-signing --author --leaf
+ $cert = gci certs\*.cer
+ mv $cert .\nuget-signing.cer
+
+ - name: Publish signed package and certificate
 uses: actions/upload-artifact@v4
 with:
 name: dotnet-tool-sign
- path: nupkg/*.nupkg
+ path: | *.nupkg *.cer
 # ================================
 # Validate
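Review bot: `dotnet tool install --global Knapcode.CertificateExtractor` in the new `Extract signing certificate from package` step carries no `--version`, so every release run installs and executes whatever the newest published version of that third-party tool is, while the sign tool two steps earlier is pinned to `0.9.1-beta.24325.5`; an unpinned tool running inside the release job is a supply-chain exposure, and the line should read `dotnet tool install --global --version <pinned-version> Knapcode.CertificateExtractor`. The step also silently assumes a single package and a single certificate: `$nupkg = gci *.nupkg` and `$cert = gci certs\*.cer` yield arrays when more than one file matches, after which `mv $cert .\nuget-signing.cer` fails with an unhelpful error, so the step should check for exactly one match and fail with a clear message otherwise. The comment tying the step to the NuGetGallery issue is good; it would be worth adding that the uploaded `.cer` is the public leaf certificate only, so readers do not mistake the artifact for key material. The enclosing job begins outside this hunk.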
diff --git a/VERSION b/VERSION
index e975051fc..27c7c7b9d 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.5.0.0
+2.5.1.0
diff --git a/docs/azrepos-misp.md b/docs/azrepos-misp.md
index 6c4c508fe..60a3c3e2b 100644
--- a/docs/azrepos-misp.md
+++ b/docs/azrepos-misp.md
@@ -49,12 +49,15 @@ Value|Description
 -|-
 `system`|System-Assigned Managed Identity
 `[guid]`|User-Assigned Managed Identity with the specified client ID
-`id://[guid]`|User-Assigned Managed Identity with the specified client ID
-`resource://[guid]`|User-Assigned Managed Identity for the associated resource
+`id://[guid]` **|User-Assigned Managed Identity with the specified client ID
+`resource://[guid]` **|User-Assigned Managed Identity for the associated resource
 You can obtain the `[guid]` from the Azure Portal or by using the Azure CLI to inspect the Managed Identity or resource.
+** Note there is an open issue that prevents successfull authentication when
+using these formats: https://github.com/git-ecosystem/git-credential-manager/issues/1570
+
 ## Service Principals
 Azure Service Principals are used to authenticate and authorize applications and
diff --git a/src/shared/Core/Core.csproj b/src/shared/Core/Core.csproj
index 9071b6f89..fb3a189d3 100644
--- a/src/shared/Core/Core.csproj
+++ b/src/shared/Core/Core.csproj
@@ -13,25 +13,25 @@ - - + + - + - - + + - - - + + + - +