Code Signing Certificate Request: .NEXT #157
Comments
Trade name registration has been submitted |
@ChrisSfanos , any updates on this? |
Hi @sakno - at this point it's out of my hands. Once I submit the Trade Name, @clairernovotny takes over and handles the rest. Looks like we are waiting on the certificate to come back. I know it can take a few weeks |
I'm following up with DigiCert on this -- it usually doesn't take this long. |
@clairernovotny , any news from DigiCert? |
Yeah--hopefully soon. Looks like things got snagged by recent baseline updates where key lengths had to be 3072 or greater. Took a while to get to the bottom of that and now they need to issue/update our intermediate root with a cert to match the new baseline. I've been on them about it. |
Any estimations about that? I'm stuck with release so I need to inform users about the delay. |
You should be able to release without it for now? |
Yes, I can do that, but also I can predict questions from users like why the package is not signed? |
I'm hoping it'll be done by next week, but it's been slow going with them. That said, everyone knows what needs to be done now. |
Sorry for how long it has taken -- the certificate was finally provisioned and I've shared the LastPass folder with the credentials. There's a sample pipeline here: https://github.com/novotnyllc/CodeSigningDemo |
Once you have your Pipeline configured, please let me know and I can accept the NuGet co-owner requests. The certificate will be recognized by NuGet then. |
Thanks @clairernovotny for the good news! Unfortunately, automatic publishing to NuGet is not working in my case. The repo has several libraries with dependencies between them. Azure Pipeline doesn't have a step that allows waiting for publication. When a package gets published, it can be unavailable for download for some time (5-20 minutes). I think it happens because of CDN or caching on the NuGet side. That's why I have to do this manually. |
Can you please be more specific? It's strongly recommended that all publishing to NuGet be automated. There are a few minutes after publish before it's indexed and available for download, but that's never really been an issue I've come across. For reference, I publish Humanizer, which has >50 packages that are tightly coupled (localization packages). |
Sure, the project has the following structure:
For instance, if I want to build and publish
|
Not sure I see what the issue is? Why wouldn't you build and publish them all at the same time? For example, we pack the packages here: Publish them to a build artifact: https://github.com/dotnet/reactive/blob/main/azure-pipelines.ix.yml#L100-L106 For non-PR builds, we code sign and publish the artifacts to a SignedPackages artifact: Then later, in a release management, we push the signedpackages to NuGet upon approval, when we want to publish a particular package. |
The issue that library B references A using |
Oh I see that build of related packages from the same repo is natively supported by NuGet according to this article: https://markheath.net/post/multiple-nuget-single-repo However,
That's a very bad side effect of this approach. |
@clairernovotny I've fixed the YML file according to recommendations but am unable to create |
Using automated versioning is recommended. Don't version manually. I use Nerdbank.GitVersioning in all of my projects for that. |
Agree, but it requires a lot of effort at the moment because each library has its own version history so I need to configure |
@clairernovotny , code signing done without custom environment. Release build is possible only from |
The environment was there as an example as some people want to be able to approve the code signing stage. I don't tend to use approvals there, but do so with a release pipeline as you say. |
Please fill in the information below
Certificate onboarding checklist: