
Commit af0f5df

update signing cert
1 parent 0c88e1a commit af0f5df

4 files changed

Lines changed: 20 additions & 28 deletions


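--- a/.config/dotnet-tools.json
+++ b/.config/dotnet-tools.json
@@ -2,10 +2,10 @@
 "version": 1,
 "isRoot": true,
 "tools": {
-"signclient": {
-"version": "1.2.17",
+"NuGetKeyVaultSignTool": {
+"version": "3.1.6",
 "commands": [
-"SignClient"
+"NuGetKeyVaultSignTool"
 ]
 }
 }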

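--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -37,7 +37,7 @@ jobs:
 run: ./build.cmd
 - if: (matrix.runs-on == 'windows-latest') && (github.ref == 'refs/heads/main' || contains(github.ref, 'refs/tags/'))
 env:
-SignClientSecret: ${{ secrets.SIGNCLIENT }}
+SignClientSecret: ${{ secrets.SIGNCLIENTSECRET }}
 run: |
 ./build.cmd sign
 dotnet nuget push .\artifacts\*.nupkg -s https://www.myget.org/F/identity/api/v2/package -k ${{ secrets.MYGET }}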

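--- a/build/Program.cs
+++ b/build/Program.cs
@@ -39,11 +39,6 @@ internal static void Main(string[] args)
 Run("dotnet", "build -c Release --nologo");
 });
 
-Target(Targets.SignBinary, DependsOn(Targets.Build, Targets.RestoreTools), () =>
-{
-Sign("./src/bin/Release", "IdentityModel.AspNetCore.OAuth2Introspection.dll");
-});
-
 Target(Targets.Test, DependsOn(Targets.Build), () =>
 {
 Run("dotnet", "test -c Release --no-build --nologo");
@@ -64,17 +59,17 @@ internal static void Main(string[] args)
 
 Target(Targets.SignPackage, DependsOn(Targets.Pack, Targets.RestoreTools), () =>
 {
-Sign(packOutput, "*.nupkg");
+SignNuGet();
 });
 
 Target("default", DependsOn(Targets.Test, Targets.Pack));
 
-Target("sign", DependsOn(Targets.SignBinary, Targets.Test, Targets.SignPackage));
+Target("sign", DependsOn(Targets.Test, Targets.SignPackage));
 
 RunTargetsAndExit(args, ex => ex is SimpleExec.NonZeroExitCodeException || ex.Message.EndsWith(envVarMissing));
 }
 
-private static void Sign(string path, string searchTerm)
+private static void SignNuGet()
 {
 var signClientSecret = Environment.GetEnvironmentVariable("SignClientSecret");
 
@@ -83,10 +78,21 @@ private static void Sign(string path, string searchTerm)
 throw new Exception($"SignClientSecret{envVarMissing}");
 }
 
-foreach (var file in Directory.GetFiles(path, searchTerm, SearchOption.AllDirectories))
+foreach (var file in Directory.GetFiles(packOutput, "*.nupkg", SearchOption.AllDirectories))
 {
 Console.WriteLine($" Signing {file}");
-Run("dotnet", $"SignClient sign -c signClient.json -i {file} -r sc-ids@dotnetfoundation.org -s \"{signClientSecret}\" -n 'IdentityServer4'", noEcho: true);
+
+Run("dotnet",
+"NuGetKeyVaultSignTool " +
+$"sign {file} " +
+"--file-digest sha256 " +
+"--timestamp-rfc3161 http://timestamp.digicert.com " +
+"--azure-key-vault-url https://duendecodesigning.vault.azure.net/ " +
+"--azure-key-vault-client-id 18e3de68-2556-4345-8076-a46fad79e474 " +
+"--azure-key-vault-tenant-id ed3089f0-5401-4758-90eb-066124e2d907 " +
+$"--azure-key-vault-client-secret {signClientSecret} " +
+"--azure-key-vault-certificate CodeSigning"
+,noEcho: true);
 }
 }
 }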
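Review bot: In `SignNuGet`, the Key Vault client secret is interpolated into the argument string without quotes (`$"--azure-key-vault-client-secret {signClientSecret} "`), whereas the removed SignClient call wrapped it in `\"…\"`; a secret containing whitespace or other argument-significant characters would be split or misparsed, and the same holds for the unquoted `{file}` path. I would restore the quoting: `$"sign \"{file}\" "` and `$"--azure-key-vault-client-secret \"{signClientSecret}\" "`. `noEcho: true` keeps the value out of the build log, but it is still passed on the process command line, where other processes on the runner can read it for the duration of the call; if the signing tool offers a way to supply the credential other than as an argument, that would be preferable (not verifiable from this page). A short comment above the `Run` call stating that the hard-coded vault URL, client id and tenant id are identifiers rather than secrets would also keep later readers from mistaking them for leaked credentials.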

signClient.json

Lines changed: 0 additions & 14 deletions
This file was deleted.
