From c724c8d90695cf77ca62ac8c3812ed4e1a6b7d91 Mon Sep 17 00:00:00 2001
From: Matthew John Cheetham
Date: Tue, 25 Jun 2024 15:14:35 -0700
Subject: [PATCH 1/2] release: use trusted-signing-action
Use the new azure/trusted-signing-action in place of the now deprecated azure/azure-code-signing-action.
https://github.com/azure/azure-code-signing-action
https://github.com/azure/trusted-signing-action
---
 .github/workflows/release.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 28858d7c1..6c83d7ba8 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -177,10 +177,10 @@ jobs:
 subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 - name: Sign payload files with Azure Code Signing
- uses: azure/azure-code-signing-action@v0.3.1
+ uses: azure/trusted-signing-action@v0.3.20
 with:
 endpoint: https://wus2.codesigning.azure.net/
- code-signing-account-name: git-fundamentals-signing
+ trusted-signing-account-name: git-fundamentals-signing
 certificate-profile-name: git-fundamentals-windows-signing
 files-folder: ${{ github.workspace }}\payload
 files-folder-filter: exe,dll
@@ -204,10 +204,10 @@ jobs:
 -Destination $env:GITHUB_WORKSPACE\installers
 - name: Sign installers with Azure Code Signing
- uses: azure/azure-code-signing-action@v0.3.1
+ uses: azure/trusted-signing-action@v0.3.20
 with:
 endpoint: https://wus2.codesigning.azure.net/
- code-signing-account-name: git-fundamentals-signing
+ trusted-signing-account-name: git-fundamentals-signing
 certificate-profile-name: git-fundamentals-windows-signing
 files-folder: ${{ github.workspace }}\installers
 files-folder-filter: exe
From e3facc5bf45b84a4ec346cf9398c3ffcc500cce0 Mon Sep 17 00:00:00 2001
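Review bot: The new `uses: azure/trusted-signing-action@v0.3.20` on the `Sign payload files` step pins a mutable tag rather than an immutable revision, so whoever can move that tag controls the code that runs with this job's Azure identity and its access to the `git-fundamentals-signing` account. For a step with signing privileges, pin to the full commit SHA and keep the version as a trailing comment, e.g. `uses: azure/trusted-signing-action@<full-commit-sha> # v0.3.20`, and let Dependabot or Renovate advance it. The same applies to the second hunk (`Sign installers with Azure Code Signing`). The enclosing job starts outside the hunk.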
From: Matthew John Cheetham
Date: Wed, 26 Jun 2024 14:40:58 -0700
Subject: [PATCH 2/2] release: use custom Sign.Cli tool for signing
Use our customised version of the dotnet/sign tool for Trusted Signing, including export of the certificate.
---
 .github/workflows/release.yml | 38 +++++++++++------------------------
 1 file changed, 12 insertions(+), 26 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6c83d7ba8..1f5df7936 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -353,27 +353,20 @@ jobs:
 env:
 AST: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
 ASC: ${{ secrets.AZURE_STORAGE_CONTAINER }}
- SCT: ${{ secrets.SIGN_CLI_TOOL }}
+ SCT: 'Sign.Cli-alpha.zip'
 run: |
 az storage blob download --file sign-cli.zip --auth-mode login `
 --account-name $env:AST --container-name $env:ASC --name $env:SCT
 Expand-Archive -Path sign-cli.zip -DestinationPath .\sign-cli
 - name: Sign payload
- env:
- ACST: ${{ secrets.AZURE_TENANT_ID }}
- ACSI: ${{ secrets.AZURE_CLIENT_ID }}
- ACSS: ${{ secrets.AZURE_CLIENT_SECRET }}
 run: |
- ./sign-cli/sign.exe code azcodesign payload/* `
- -acsu https://wus2.codesigning.azure.net/ `
- -acsa git-fundamentals-signing `
- -acscp git-fundamentals-windows-signing `
+ ./sign-cli/sign.exe code trusted-signing payload/* `
+ -tse https://wus2.codesigning.azure.net/ `
+ -tsa git-fundamentals-signing `
+ -tscp git-fundamentals-windows-signing `
 -d "Git Fundamentals Windows Signing Certificate" `
- -u "https://github.com/git-ecosystem/git-credential-manager" `
- -acst $env:ACST `
- -acsi $env:ACSI `
- -acss $env:ACSS
+ -u "https://github.com/git-ecosystem/git-credential-manager"
 - name: Lay out signed payload, images, and symbols
 shell: bash
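Review bot: The signing tool is now fetched by the fixed blob name `SCT: 'Sign.Cli-alpha.zip'` and executed as `./sign-cli/sign.exe code trusted-signing payload/*` with no integrity check between the download and `Expand-Archive`, so anyone who can write to that storage container can substitute a binary that runs with the job's Azure session and can request signatures from the release certificate profile. Verify the archive against a checksum committed to this repository before expanding it, e.g. `if ((Get-FileHash sign-cli.zip -Algorithm SHA256).Hash -ne $env:SCT_SHA256) { throw 'sign-cli.zip checksum mismatch' }` with `SCT_SHA256` set alongside `SCT` in the step's `env:`, and prefer a versioned blob name over a mutable `-alpha` one so a rollback is reproducible. Dropping the `ACST`/`ACSI`/`ACSS` variables means `sign.exe` presumably now authenticates through the ambient Azure session that `--auth-mode login` already relies on (established by a step outside this hunk); a one-line comment on the `Sign payload` step, e.g. `# Uses the Azure login session from the earlier step; no client secret is passed.`, would make that dependency explicit. The enclosing job starts outside the hunk.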
@@ -444,28 +437,21 @@ jobs: env: AST: ${{ secrets.AZURE_STORAGE_ACCOUNT }} ASC: ${{ secrets.AZURE_STORAGE_CONTAINER }} - SCT: ${{ secrets.SIGN_CLI_TOOL }} + SCT: 'Sign.Cli-alpha.zip' run: | az storage blob download --file sign-cli.zip --auth-mode login ` --account-name $env:AST --container-name $env:ASC --name $env:SCT Expand-Archive -Path sign-cli.zip -DestinationPath .\sign-cli - name: Sign package - env: - ACST: ${{ secrets.AZURE_TENANT_ID }} - ACSI: ${{ secrets.AZURE_CLIENT_ID }} - ACSS: ${{ secrets.AZURE_CLIENT_SECRET }} run: | - ./sign-cli/sign.exe code azcodesign nupkg/* ` - -acsu https://wus2.codesigning.azure.net/ ` - -acsa git-fundamentals-signing ` - -acscp git-fundamentals-windows-signing ` + ./sign-cli/sign.exe code trusted-signing nupkg/* ` + -tse https://wus2.codesigning.azure.net/ ` + -tsa git-fundamentals-signing ` + -tscp git-fundamentals-windows-signing ` -d "Git Fundamentals Windows Signing Certificate" ` -u "https://github.com/git-ecosystem/git-credential-manager" ` - -acst $env:ACST ` - -acsi $env:ACSI ` - -acss $env:ACSS ` - -acsc nuget-signing-certificate.cer + -co nuget-signing-certificate.cer mv nupkg/* .