release: migrate .net tool off esrp #1571

Merged
merged 2 commits into from
Apr 8, 2024


ldennington
Contributor

Summary

This PR updates .NET tool payload/package signing to use the Sign CLI tool instead of ESRP. The most significant changes include the addition of a new step to download/extract the Sign CLI tool from Azure Blob Storage, the modification of signing steps to use the downloaded tool, and the removal of ESRP-related scripts.

Benefits

Migrating away from ESRP comes with the following major benefits:

  1. ESRP was designed for signing large-scale applications like Windows and Office, not lightweight OSS like GCM. Thus, we were somewhat abusing the ESRP service to make it work for our use case. Azure Trusted Signing (previously known as Azure Code Signing) fully supports our needs out of the box.
  2. Speed - the end-to-end test runs I have completed have been running in about half the time of the workflow that was using ESRP (~10 minutes instead of ~20 minutes 🎉).

Testing

I have successfully completed two end-to-end runs of the release workflow with these updates in my fork.

Details

Changes to the release workflow:

  • .github/workflows/release.yml: Zipping/unzipping steps for the unsigned payload and package were removed. The setup and running of the ESRP client were replaced with the downloading and extraction of the Sign CLI tool and the signing of the payload and package using this tool.

Scripts removed:

Migrate .NET tool from using ESRP to using the Sign CLI tool for signing. This
tool is a fork of [1] that was set up to support Trusted Signing (previously
known as Azure Code Signing).

1: https://github.com/dotnet/sign

Remove ESRP-related scripts, as we are no longer using this tool for signing.
Collaborator

@dscho dscho left a comment


Wonderful!

@ldennington ldennington merged commit fd05865 into git-ecosystem:main Apr 8, 2024
6 checks passed
@ldennington ldennington deleted the dotnet-tool-signing branch April 8, 2024 21:33

@Moazzem-Hossain-pixel Moazzem-Hossain-pixel left a comment


Thanks for supporting

@DevLeonPortee

@ldennington Thanks for that information. When I feel I have so much to learn when it comes to the code itself, I see it's still so much deeper than that. Obtaining a lot since being here!

@mjcheetham mjcheetham mentioned this pull request Apr 16, 2024
mjcheetham added a commit that referenced this pull request Apr 16, 2024
**Changes:**

- Fixes to install from source script (#1469)
- Use Avalonia generated view code (#14790
- Various GitHub Actions updates (#1473, #1483, #1487, #1486, #1488,
#1528, #1547)
- Fix bug in Azure Repos URL handling (#1522)
- Add Azure Managed Identity and SP docs (#1548)
- Fix error messages when using GCM outside of repo (#1561, #1583)
- Remove ESRP (#1571)
- Update to .NET 8 for Mac and Linux (#1579, #1580)
- Fix Alpine install from source script (#1582)