Add package signing #1269
Codecov Report (coverage diff, main vs. #1269: no change)

             main     #1269
  Coverage   83.33%   83.33%
  Files      270      270
  Lines      6317     6317
  Branches   981      981
  Hits       5264     5264
  Misses     844      844
  Partials   209      209
Validation is working too: logs
Add package signing and validation before publishing to NuGet.org.
  - name: Checkout vcsjones/AuthenticodeLint
    uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
    with:
      path: AuthenticodeLint
      ref: ccfaec53ee5c1b14f029cb8156e0653c530f8b65
      repository: vcsjones/AuthenticodeLint
The version on NuGet targets .NET Core 2.1 but the latest code targets .NET 6 so I'm building the tool from source and running it inline.
If a newer version gets published (vcsjones/AuthenticodeLint#34) then I can rework this to use the .NET Global tool instead.
At the same time, I realised that the other NuGet validation tool doesn't check the signatures, but it could. I'm looking at seeing if I can add support for that in now. If that's doable (and we can get a new version with it published), then I can remove these custom steps completely and rely on the validation tool to check this too.
I tried both `dotnet verify` and `NuGetKeyVaultSignTool verify` as a way to remove the need to compile this tool to do the validation, but neither works correctly for Authenticode signatures at this time unfortunately: NuGetPackageExplorer/NuGetPackageExplorer#1219 (comment)
Add Authenticode signing to the build process between publishing to GitHub Packages (effectively a staging area) and NuGet.org (being "production").
The signing job was adapted from this example and extended to validate that the packages and their contents were correctly signed.
I tested the signature validation using this PR in a branch of one of my own libraries which I don't Authenticode sign: martincostello/xunit-logging#438 (validation failure).
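As an added example, not code from this PR or from either repository it references: a Python gate in the spirit of the content check the signing job performs. It opens a .nupkg (a zip archive) and reports every .dll/.exe entry whose PE security data directory is empty, meaning no Authenticode signature blob is attached at all. It only detects presence; validating the signature and its certificate chain is what AuthenticodeLint does in the job. The PE-header builder and the sample package are constructed test data, not real assemblies.

```python
import io
import struct
import zipfile
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # data directory pointing at the attached WIN_CERTIFICATE blob

def pe_has_authenticode(data: bytes) -> bool:
    """True if the PE image carries an attached signature blob (presence only, no chain check)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dirs_off = 96 if magic == 0x10B else 112  # data directories; NumberOfRvaAndSizes sits 4 bytes before
    num_dirs = struct.unpack_from("<I", data, opt + dirs_off - 4)[0]
    if num_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return False
    entry = opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    offset, size = struct.unpack_from("<II", data, entry)  # this entry is a file offset, not an RVA
    return size > 0 and offset + size <= len(data)

def unsigned_binaries(nupkg: bytes) -> list[str]:
    """Names of .dll/.exe entries in a .nupkg (a zip archive) that carry no attached signature."""
    with zipfile.ZipFile(io.BytesIO(nupkg)) as zf:
        return [n for n in zf.namelist()
                if n.lower().endswith((".dll", ".exe")) and not pe_has_authenticode(zf.read(n))]

def _fake_pe(signed: bool) -> bytes:
    """Constructed minimal PE32+ header (not loadable), optionally with a dummy 8-byte certificate blob."""
    e_lfanew, opt_size = 0x40, 240
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)  # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)   # NumberOfRvaAndSizes
    cert = b"\0" * 8 if signed else b""
    if signed:  # point the security directory at the blob appended after the headers
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, len(dos) + 4 + 20 + opt_size, len(cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert

def build_sample_nupkg() -> bytes:
    """Constructed in-memory package holding one signed and one unsigned assembly."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/net6.0/Signed.dll", _fake_pe(True))
        zf.writestr("lib/net6.0/Unsigned.dll", _fake_pe(False))
    return buf.getvalue()
```

A non-empty result from `unsigned_binaries` is the condition a CI step would fail on before pushing to NuGet.org, with the real signature check left to AuthenticodeLint.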