release: use 3rd party tool to extract nuget cert

Use a 3rd party tool to extract the NuGet signing certificate for upload rather than relying on an option added to the sign.exe tool in a private fork.
DitZii · Jul 2, 2024 · f8c2c34 · f8c2c34
1 parent 61000ad
commit f8c2c34
Showing 1 changed file with 12 additions and 2 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -450,11 +450,21 @@ jobs:
           -tsa git-fundamentals-signing `
           -tscp git-fundamentals-windows-signing `
           -d "Git Fundamentals Windows Signing Certificate" `
-          -u "https://github.com/git-ecosystem/git-credential-manager" `
-          -co nuget-signing-certificate.cer
+          -u "https://github.com/git-ecosystem/git-credential-manager"
 
         mv nupkg/* .
 
+    # Remove this once NuGet supports the subscriber identity validation EKU:
+    # https://github.com/NuGet/NuGetGallery/issues/10027
+    - name: Extract signing certificate from package
+      shell: pwsh
+      run: |
+        dotnet tool install --global Knapcode.CertificateExtractor
+        $nupkg = gci *.nupkg
+        nuget-cert-extractor --file $nupkg --output certs --code-signing --author --leaf
+        $cert = gci certs\*.cer
+        mv $cert .\nuget-signing.cer
+
     - name: Publish signed package and certificate
       uses: actions/upload-artifact@v4
       with: