aws · rix0rrr · Sep 11, 2018 · Aug 27, 2018 · Aug 30, 2018 · Sep 5, 2018
diff --git a/buildspec.yaml b/buildspec.yaml
@@ -4,6 +4,9 @@ phases:
   install:
     commands:
       - /bin/bash ./install.sh
+  pre_build:
+    commands:
+      - /bin/bash ./fetch-dotnet-snk.sh
   build:
     commands:
       - /bin/bash ./build.sh

diff --git a/fetch-dotnet-snk.sh b/fetch-dotnet-snk.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+set -euo pipefail
+
+# This script retrieves the .snk file needed to create strong names for .NET assemblies.
+
+sudo apt install jq -y
+
+echo "Retrieving SNK..."
+ROLE=$(aws sts assume-role --region us-east-2 --role-arn ${DOTNET_STRONG_NAME_ROLE_ARN:-} --role-session-name "cdk-dotnet-snk")
+export AWS_ACCESS_KEY_ID=$(echo $ROLE | jq -r .Credentials.AccessKeyId)
+export AWS_SECRET_ACCESS_KEY=$(echo $ROLE | jq -r .Credentials.SecretAccessKey)
+export AWS_SESSION_TOKEN=$(echo $ROLE | jq .Credentials.SessionToken)
+
+SNK_SECRET=$(aws secretsmanager get-secret-value --region us-east-2 --secret-id ${DOTNET_STRONG_NAME_SECRET_ID:-})
+TMP_DIR=$(mktemp -d)
+TMP_KEY="$TMP_DIR/key.snk"
+echo $SNK_SECRET | jq -r .SecretBinary | base64 --decode > $TMP_KEY
+
+for PACKAGE_PATH in packages/@aws-cdk/*; do
+    JSII_PROPERTY=$(cat "$PACKAGE_PATH/package.json" | jq -r .jsii)
+    if [ -z $JSII_PROPERTY ]; then
+        continue
+    fi
+
+    cp $TMP_KEY $PACKAGE_PATH
+done
+
+rm -rf $TMP_DIR
diff --git a/tools/pkglint/lib/rules.ts b/tools/pkglint/lib/rules.ts
@@ -256,6 +256,33 @@ export class JSIIDotNetNamespaceIsRequired extends ValidationRule {
     }
 }
 
+/**
+ * Strong-naming all .NET assemblies is required.
+ */
+export class JSIIDotNetStrongNameIsRequired extends ValidationRule {
+    public validate(pkg: PackageJson): void {
+        if (!isJSII(pkg)) { return; }
+
+        const signAssembly = deepGet(pkg.json, ['jsii', 'targets', 'dotnet', 'signAssembly']) as boolean | undefined;
+        const signAssemblyExpected = true;
+        if (signAssembly !== signAssemblyExpected) {
+            pkg.report({
+                message: `.NET packages must have strong-name signing enabled.`,
+                fix: () => deepSet(pkg.json, ['jsii', 'targets', 'dotnet', 'signAssembly'], signAssemblyExpected)
+            });
+        }
+
+        const assemblyOriginatorKeyFile = deepGet(pkg.json, ['jsii', 'targets', 'dotnet', 'assemblyOriginatorKeyFile']) as string | undefined;
+        const assemblyOriginatorKeyFileExpected = "../../key.snk";
+        if (assemblyOriginatorKeyFile !== assemblyOriginatorKeyFileExpected) {
+            pkg.report({
+                message: `.NET packages must use the strong name key fetched by fetch-dotnet-snk.sh`,
+                fix: () => deepSet(pkg.json, ['jsii', 'targets', 'dotnet', 'assemblyOriginatorKeyFile'], assemblyOriginatorKeyFileExpected)
+            });
+        }
+    }
+}
+
 /**
  * The package must depend on cdk-build-tools
  */