From 09bd04c4206bab230aff0cee54e25a2d6c01228f Mon Sep 17 00:00:00 2001
From: Lessley
Date: Fri, 19 Apr 2024 13:52:02 -0600
Subject: [PATCH 1/9] release: capture nuget signing cert

NuGet requires that signed packages have a matching registered signing certificate [1]. Update release workflow to capture this certificate from the Sign CLI tool and upload it as a release artifact.

1: https://learn.microsoft.com/en-us/nuget/create-packages/sign-a-package#register-the-certificate-on-nugetorg

---
 .github/workflows/release.yml | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 4cdda4e4a..28858d7c1 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -464,13 +464,18 @@ jobs:
 -u "https://github.com/git-ecosystem/git-credential-manager" `
 -acst $env:ACST `
 -acsi $env:ACSI `
- -acss $env:ACSS
+ -acss $env:ACSS `
+ -acsc nuget-signing-certificate.cer
+
+ mv nupkg/* .
- - name: Publish signed package
+ - name: Publish signed package and certificate
 uses: actions/upload-artifact@v4
 with:
 name: dotnet-tool-sign
- path: nupkg/*.nupkg
+ path: | *.nupkg *.cer
 # ================================
 # Validate

From 85dab25e2a2dd10defc15e8679dd58982c532f2b Mon Sep 17 00:00:00 2001
From: Matthew John Cheetham
Date: Wed, 22 May 2024 12:19:11 -0700
Subject: [PATCH 2/9] docs: update MISP docs with open issue

Update the Managed Identity and Service Principal docs to include the reference to a known issue with some MI formats.

---
 docs/azrepos-misp.md | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/docs/azrepos-misp.md b/docs/azrepos-misp.md
index 6c4c508fe..60a3c3e2b 100644
--- a/docs/azrepos-misp.md
+++ b/docs/azrepos-misp.md
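Review bot: The upload globs `*.nupkg` and `*.cer` are evaluated at the workspace root after `mv nupkg/* .`, so the dotnet-tool-sign artifact will contain any other .nupkg or .cer that exists in the checkout or was left behind by an earlier step, not only the package this step signed and the certificate it exported. Naming the files explicitly — `nuget-signing-certificate.cer` plus the package — or uploading from `nupkg/` without the move keeps the published artifact to the signed outputs. The `run:` block that these sign.exe option lines belong to starts outside the hunk.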
@@ -49,12 +49,15 @@ Value|Description
 -|-
 `system`|System-Assigned Managed Identity
 `[guid]`|User-Assigned Managed Identity with the specified client ID
-`id://[guid]`|User-Assigned Managed Identity with the specified client ID
-`resource://[guid]`|User-Assigned Managed Identity for the associated resource
+`id://[guid]` **|User-Assigned Managed Identity with the specified client ID
+`resource://[guid]` **|User-Assigned Managed Identity for the associated resource
 You can obtain the `[guid]` from the Azure Portal or by using the Azure CLI to inspect the Managed Identity or resource.
+** Note there is an open issue that prevents successfull authentication when
+using these formats: https://github.com/git-ecosystem/git-credential-manager/issues/1570
+
 ## Service Principals
 Azure Service Principals are used to authenticate and authorize applications and

From c7d3b5b277e8374de7fed230181a710d36ce3e01 Mon Sep 17 00:00:00 2001
From: Matthew John Cheetham
Date: Wed, 19 Jun 2024 10:07:14 -0700
Subject: [PATCH 3/9] core: update all dependencies

Update all our dependencies to the latest verisons:
- MSAL 4.61.3
- Avalonia 11.0.11

---
 src/shared/Core/Core.csproj | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/src/shared/Core/Core.csproj b/src/shared/Core/Core.csproj
index 9071b6f89..fb3a189d3 100644
--- a/src/shared/Core/Core.csproj
+++ b/src/shared/Core/Core.csproj
@@ -13,25 +13,25 @@ - - + + - + - - + + - - - + + + - +

From c724c8d90695cf77ca62ac8c3812ed4e1a6b7d91 Mon Sep 17 00:00:00 2001
From: Matthew John Cheetham
Date: Tue, 25 Jun 2024 15:14:35 -0700
Subject: [PATCH 4/9] release: use trusted-signing-action

Use the new azure/trusted-signing-action in place of the now deprecated azure/azure-code-signing-action.

https://github.com/azure/azure-code-signing-action
https://github.com/azure/trusted-signing-action

---
 .github/workflows/release.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 28858d7c1..6c83d7ba8 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -177,10 +177,10 @@ jobs:
 subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 - name: Sign payload files with Azure Code Signing
- uses: azure/azure-code-signing-action@v0.3.1
+ uses: azure/trusted-signing-action@v0.3.20
 with:
 endpoint: https://wus2.codesigning.azure.net/
- code-signing-account-name: git-fundamentals-signing
+ trusted-signing-account-name: git-fundamentals-signing
 certificate-profile-name: git-fundamentals-windows-signing
 files-folder: ${{ github.workspace }}\payload
 files-folder-filter: exe,dll
@@ -204,10 +204,10 @@ jobs:
 -Destination $env:GITHUB_WORKSPACE\installers
 - name: Sign installers with Azure Code Signing
- uses: azure/azure-code-signing-action@v0.3.1
+ uses: azure/trusted-signing-action@v0.3.20
 with:
 endpoint: https://wus2.codesigning.azure.net/
- code-signing-account-name: git-fundamentals-signing
+ trusted-signing-account-name: git-fundamentals-signing
 certificate-profile-name: git-fundamentals-windows-signing
 files-folder: ${{ github.workspace }}\installers
 files-folder-filter: exe

From e3facc5bf45b84a4ec346cf9398c3ffcc500cce0 Mon Sep 17 00:00:00 2001
From: Matthew John Cheetham
Date: Wed, 26 Jun 2024 14:40:58 -0700
Subject: [PATCH 5/9] release: use custom Sign.Cli tool for signing

Use our customised version of the dotnet/sign tool for Trusted Signing, including export of the certificate.

---
 .github/workflows/release.yml | 38 +++++++++++------------------
 1 file changed, 12 insertions(+), 26 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6c83d7ba8..1f5df7936 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
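Review bot: `uses: azure/trusted-signing-action@v0.3.20` (in both hunks, payload and installers) references a third-party action by a mutable tag, and these are the steps that hold the Trusted Signing identity for the release binaries. Pinning to the full commit SHA the tag points at, with the version kept as a comment — `uses: azure/trusted-signing-action@<commit-sha-of-v0.3.20> # v0.3.20` — makes the signing step reproducible and prevents a moved tag from changing what runs inside the release job. The job these steps belong to starts outside the hunk.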
@@ -353,27 +353,20 @@ jobs:
 env:
 AST: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
 ASC: ${{ secrets.AZURE_STORAGE_CONTAINER }}
- SCT: ${{ secrets.SIGN_CLI_TOOL }}
+ SCT: 'Sign.Cli-alpha.zip'
 run: |
 az storage blob download --file sign-cli.zip --auth-mode login `
 --account-name $env:AST --container-name $env:ASC --name $env:SCT
 Expand-Archive -Path sign-cli.zip -DestinationPath .\sign-cli
 - name: Sign payload
- env:
- ACST: ${{ secrets.AZURE_TENANT_ID }}
- ACSI: ${{ secrets.AZURE_CLIENT_ID }}
- ACSS: ${{ secrets.AZURE_CLIENT_SECRET }}
 run: |
- ./sign-cli/sign.exe code azcodesign payload/* `
- -acsu https://wus2.codesigning.azure.net/ `
- -acsa git-fundamentals-signing `
- -acscp git-fundamentals-windows-signing `
+ ./sign-cli/sign.exe code trusted-signing payload/* `
+ -tse https://wus2.codesigning.azure.net/ `
+ -tsa git-fundamentals-signing `
+ -tscp git-fundamentals-windows-signing `
 -d "Git Fundamentals Windows Signing Certificate" `
- -u "https://github.com/git-ecosystem/git-credential-manager" `
- -acst $env:ACST `
- -acsi $env:ACSI `
- -acss $env:ACSS
+ -u "https://github.com/git-ecosystem/git-credential-manager"
 - name: Lay out signed payload, images, and symbols
 shell: bash
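Review bot: `SCT: 'Sign.Cli-alpha.zip'` replaces a secret-held blob name with a literal one, but `sign-cli.zip` is still pulled from the storage container and expanded with no check that it is the expected build before `./sign-cli/sign.exe` runs with the release signing identity; the same applies to the hunk at @@ -444. A one-line digest check after the download, e.g. `if ((Get-FileHash sign-cli.zip -Algorithm SHA256).Hash -ne $env:SCT_SHA256) { throw 'sign-cli.zip hash mismatch' }` with the expected digest held in a new env entry next to `SCT` (`SCT_SHA256` is a constructed name), ties the private-fork tool to a known artifact. Dropping the ACST/ACSI/ACSS client-secret env in favour of the already signed-in identity is a good change. The job these steps belong to starts outside the hunk.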
@@ -444,28 +437,21 @@ jobs:
 env:
 AST: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
 ASC: ${{ secrets.AZURE_STORAGE_CONTAINER }}
- SCT: ${{ secrets.SIGN_CLI_TOOL }}
+ SCT: 'Sign.Cli-alpha.zip'
 run: |
 az storage blob download --file sign-cli.zip --auth-mode login `
 --account-name $env:AST --container-name $env:ASC --name $env:SCT
 Expand-Archive -Path sign-cli.zip -DestinationPath .\sign-cli
 - name: Sign package
- env:
- ACST: ${{ secrets.AZURE_TENANT_ID }}
- ACSI: ${{ secrets.AZURE_CLIENT_ID }}
- ACSS: ${{ secrets.AZURE_CLIENT_SECRET }}
 run: |
- ./sign-cli/sign.exe code azcodesign nupkg/* `
- -acsu https://wus2.codesigning.azure.net/ `
- -acsa git-fundamentals-signing `
- -acscp git-fundamentals-windows-signing `
+ ./sign-cli/sign.exe code trusted-signing nupkg/* `
+ -tse https://wus2.codesigning.azure.net/ `
+ -tsa git-fundamentals-signing `
+ -tscp git-fundamentals-windows-signing `
 -d "Git Fundamentals Windows Signing Certificate" `
 -u "https://github.com/git-ecosystem/git-credential-manager" `
- -acst $env:ACST `
- -acsi $env:ACSI `
- -acss $env:ACSS `
- -acsc nuget-signing-certificate.cer
+ -co nuget-signing-certificate.cer
 mv nupkg/* .

From f8c2c34b61fa84c40b00f26d69f95f0c83eed176 Mon Sep 17 00:00:00 2001
From: Matthew John Cheetham
Date: Tue, 2 Jul 2024 13:48:06 -0700
Subject: [PATCH 6/9] release: use 3rd party tool to extract nuget cert

Use a 3rd party tool to extract the NuGet signing certificate for upload rather than relying on an option added to the sign.exe tool in a private fork.

---
 .github/workflows/release.yml | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1f5df7936..af990154e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -450,11 +450,21 @@ jobs:
 -tsa git-fundamentals-signing `
 -tscp git-fundamentals-windows-signing `
 -d "Git Fundamentals Windows Signing Certificate" `
- -u "https://github.com/git-ecosystem/git-credential-manager" `
- -co nuget-signing-certificate.cer
+ -u "https://github.com/git-ecosystem/git-credential-manager"
 mv nupkg/* .
+ # Remove this once NuGet supports the subscriber identity validation EKU:
+ # https://github.com/NuGet/NuGetGallery/issues/10027
+ - name: Extract signing certificate from package
+ shell: pwsh
+ run: |
+ dotnet tool install --global Knapcode.CertificateExtractor
+ $nupkg = gci *.nupkg
+ nuget-cert-extractor --file $nupkg --output certs --code-signing --author --leaf
+ $cert = gci certs\*.cer
+ mv $cert .\nuget-signing.cer
+
 - name: Publish signed package and certificate
 uses: actions/upload-artifact@v4
 with:

From 5c6d8085d2058ee0a3831fad8baeac5c1a26307a Mon Sep 17 00:00:00 2001
From: Matthew John Cheetham
Date: Tue, 2 Jul 2024 13:51:48 -0700
Subject: [PATCH 7/9] release: use dotnet tool install to get sign CLI

Use the `dotnet tool install` command to acquire the code signing tool, rather than rely on our Azure blob store.

---
 .github/workflows/release.yml | 24 ++++++------------------
 1 file changed, 6 insertions(+), 18 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index af990154e..bc2114db4 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
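Review bot: `dotnet tool install --global Knapcode.CertificateExtractor` has no `--version`, so the release job installs whatever the newest version on the feed is at run time, and that unpinned third-party tool then reads the freshly signed package; add `--version <pinned-version>` so the extraction step is reproducible and a new upstream release cannot silently change what gets published. Separately, `$nupkg = gci *.nupkg` and `$cert = gci certs\*.cer` become arrays when more than one file matches, after which `--file $nupkg` and `mv $cert .\nuget-signing.cer` no longer do what the step intends; selecting a single item or failing when the count is not 1 makes that case visible. The job these steps belong to starts outside the hunk.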
@@ -349,19 +349,13 @@ jobs:
 tenant-id: ${{ secrets.AZURE_TENANT_ID }}
 subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- - name: Download/extract Sign CLI tool
- env:
- AST: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
- ASC: ${{ secrets.AZURE_STORAGE_CONTAINER }}
- SCT: 'Sign.Cli-alpha.zip'
+ - name: Install sign CLI tool
 run: |
- az storage blob download --file sign-cli.zip --auth-mode login `
- --account-name $env:AST --container-name $env:ASC --name $env:SCT
- Expand-Archive -Path sign-cli.zip -DestinationPath .\sign-cli
+ dotnet tool install -g --version 0.9.1-beta.24325.5
 - name: Sign payload
 run: |
- ./sign-cli/sign.exe code trusted-signing payload/* `
+ sign.exe code trusted-signing payload/* `
 -tse https://wus2.codesigning.azure.net/ `
 -tsa git-fundamentals-signing `
 -tscp git-fundamentals-windows-signing `
@@ -433,19 +427,13 @@ jobs:
 tenant-id: ${{ secrets.AZURE_TENANT_ID }}
 subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- - name: Download/extract Sign CLI tool
- env:
- AST: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
- ASC: ${{ secrets.AZURE_STORAGE_CONTAINER }}
- SCT: 'Sign.Cli-alpha.zip'
+ - name: Install sign CLI tool
 run: |
- az storage blob download --file sign-cli.zip --auth-mode login `
- --account-name $env:AST --container-name $env:ASC --name $env:SCT
- Expand-Archive -Path sign-cli.zip -DestinationPath .\sign-cli
+ dotnet tool install -g --version 0.9.1-beta.24325.5
 - name: Sign package
 run: |
- ./sign-cli/sign.exe code trusted-signing nupkg/* `
+ sign.exe code trusted-signing nupkg/* `
 -tse https://wus2.codesigning.azure.net/ `
 -tsa git-fundamentals-signing `
 -tscp git-fundamentals-windows-signing `

From ddba796d67250100cec6eb94e3ce8ff956b052d7 Mon Sep 17 00:00:00 2001
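Review bot: `dotnet tool install -g --version 0.9.1-beta.24325.5` as shown carries no package ID, so unless that is an artifact of how this patch was rendered the install fails and the following `sign.exe code trusted-signing ...` line has no tool on PATH; the hunk at @@ -433 has the same line. If the intended tool is dotnet/sign, the line reads `dotnet tool install -g sign --version 0.9.1-beta.24325.5`. Pinning the exact prerelease version is the right call for a release-signing dependency; the job these steps belong to starts outside the hunk.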
From: Matthew John Cheetham
Date: Tue, 2 Jul 2024 13:53:47 -0700
Subject: [PATCH 8/9] release: drop no longer required sign.exe options

Drop the `-d` and `-u` options from the sign.exe CLI; they are no longer required.

---
 .github/workflows/release.yml | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index bc2114db4..8e44ea2e5 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -358,9 +358,7 @@ jobs:
 sign.exe code trusted-signing payload/* `
 -tse https://wus2.codesigning.azure.net/ `
 -tsa git-fundamentals-signing `
- -tscp git-fundamentals-windows-signing `
- -d "Git Fundamentals Windows Signing Certificate" `
- -u "https://github.com/git-ecosystem/git-credential-manager"
+ -tscp git-fundamentals-windows-signing
 - name: Lay out signed payload, images, and symbols
 shell: bash
@@ -436,9 +434,7 @@ jobs:
 sign.exe code trusted-signing nupkg/* `
 -tse https://wus2.codesigning.azure.net/ `
 -tsa git-fundamentals-signing `
- -tscp git-fundamentals-windows-signing `
- -d "Git Fundamentals Windows Signing Certificate" `
- -u "https://github.com/git-ecosystem/git-credential-manager"
+ -tscp git-fundamentals-windows-signing
 mv nupkg/* .

From a3906376e674ccb595b4fbd31422da1ab36e84a5 Mon Sep 17 00:00:00 2001
From: Matthew John Cheetham
Date: Tue, 2 Jul 2024 14:05:36 -0700
Subject: [PATCH 9/9] VERSION: update version to 2.5.1

---
 VERSION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/VERSION b/VERSION
index e975051fc..27c7c7b9d 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.5.0.0
+2.5.1.0