Skip to content

Commit

Permalink
Use published sign.exe CLI and 3rd part certificate extractor tools (g…
Browse files Browse the repository at this point in the history
…it-ecosystem#1647)

Use a 3rd party tool to extract the NuGet signing certificate for upload
rather than relying on an option added to the sign.exe tool in a private
fork. At the same time let's use the `dotnet tool install` command to
acquire the code signing tool, rather than rely on our Azure blob store.

Also let's drop the `-d` and `-u` options from the sign.exe CLI; they
are no longer required
([source](dotnet/sign#734 (comment))).
  • Loading branch information
mjcheetham authored Jul 2, 2024
2 parents 61000ad + ddba796 commit 07e579d
Showing 1 changed file with 19 additions and 25 deletions.
44 changes: 19 additions & 25 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -349,24 +349,16 @@ jobs:
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

- name: Download/extract Sign CLI tool
env:
AST: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
ASC: ${{ secrets.AZURE_STORAGE_CONTAINER }}
SCT: 'Sign.Cli-alpha.zip'
- name: Install sign CLI tool
run: |
az storage blob download --file sign-cli.zip --auth-mode login `
--account-name $env:AST --container-name $env:ASC --name $env:SCT
Expand-Archive -Path sign-cli.zip -DestinationPath .\sign-cli
dotnet tool install -g --version 0.9.1-beta.24325.5
- name: Sign payload
run: |
./sign-cli/sign.exe code trusted-signing payload/* `
sign.exe code trusted-signing payload/* `
-tse https://wus2.codesigning.azure.net/ `
-tsa git-fundamentals-signing `
-tscp git-fundamentals-windows-signing `
-d "Git Fundamentals Windows Signing Certificate" `
-u "https://github.com/git-ecosystem/git-credential-manager"
-tscp git-fundamentals-windows-signing
- name: Lay out signed payload, images, and symbols
shell: bash
Expand Down Expand Up @@ -433,28 +425,30 @@ jobs:
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

- name: Download/extract Sign CLI tool
env:
AST: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
ASC: ${{ secrets.AZURE_STORAGE_CONTAINER }}
SCT: 'Sign.Cli-alpha.zip'
- name: Install sign CLI tool
run: |
az storage blob download --file sign-cli.zip --auth-mode login `
--account-name $env:AST --container-name $env:ASC --name $env:SCT
Expand-Archive -Path sign-cli.zip -DestinationPath .\sign-cli
dotnet tool install -g --version 0.9.1-beta.24325.5
- name: Sign package
run: |
./sign-cli/sign.exe code trusted-signing nupkg/* `
sign.exe code trusted-signing nupkg/* `
-tse https://wus2.codesigning.azure.net/ `
-tsa git-fundamentals-signing `
-tscp git-fundamentals-windows-signing `
-d "Git Fundamentals Windows Signing Certificate" `
-u "https://github.com/git-ecosystem/git-credential-manager" `
-co nuget-signing-certificate.cer
-tscp git-fundamentals-windows-signing
mv nupkg/* .
# Remove this once NuGet supports the subscriber identity validation EKU:
# https://github.com/NuGet/NuGetGallery/issues/10027
- name: Extract signing certificate from package
shell: pwsh
run: |
dotnet tool install --global Knapcode.CertificateExtractor
$nupkg = gci *.nupkg
nuget-cert-extractor --file $nupkg --output certs --code-signing --author --leaf
$cert = gci certs\*.cer
mv $cert .\nuget-signing.cer
- name: Publish signed package and certificate
uses: actions/upload-artifact@v4
with:
Expand Down

0 comments on commit 07e579d

Please sign in to comment.