Add package signing #1269
Add package signing #1269
Conversation
martincostello
added
CI/build
v8
Codecov Report
@@ Coverage Diff @@
## main #1269 +/- ##
=======================================
Coverage 83.33% 83.33%
=======================================
Files 270 270
Lines 6317 6317
Branches 981 981
=======================================
Hits 5264 5264
Misses 844 844
Partials 209 209
Flags with carried forward coverage won't be shown. Click here to find out more. |
martincostello
force-pushed
the
package-signing
branch
from
78eaa67
to
ba44858
Compare
|
Looks like this is working 🎉 I'm just working on an extra bit of the workflow to validate this non-manually.
|
|
Validation is working too: logs |
Add package signing and validation before publishing to NuGet.org.
martincostello
force-pushed
the
package-signing
branch
from
aa740a2
to
62353ff
Compare
| - name: Checkout vcsjones/AuthenticodeLint | ||
| uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 | ||
| with: | ||
| path: AuthenticodeLint | ||
| ref: ccfaec53ee5c1b14f029cb8156e0653c530f8b65 | ||
| repository: vcsjones/AuthenticodeLint |
There was a problem hiding this comment.
The version on NuGet targets .NET Core 2.1 but the latest code targets .NET 6 so I'm building the tool from source and running it inline.
If a newer version gets published (vcsjones/AuthenticodeLint#34) then I can rework this to use the .NET Global tool instead.
At the same time, I realised that the other NuGet validation tool doesn't check the signatures, but it could. I'm looking at seeing if I can add support for that in now. If that's doable (and we can get a new version with it published), then I can remove these custom steps completely and rely on the validation tool to check this too.
There was a problem hiding this comment.
I tried both dotnet verify and NuGetKeyVaultSignTool verify as a way to remove the need to compile this tool to do the validation, but neither work correctly for Authenticode signatures at this time unfortunately: NuGetPackageExplorer/NuGetPackageExplorer#1219 (comment)
Add Authenticode signing to the build process between publishing to GitHub Packages (effectively a staging area) and NuGet.org (being "production").
The signing job was adapted from this example and extended to validate that the packages and their contents were correctly signed.
I tested the signature validation using this PR in a branch of one of my own libraries which I don't Authenticode sign: martincostello/xunit-logging#438 (validation failure).