Code Signing Certificate Request: .NEXT #157
Comments
sakno
added
the
project support
|
Trade name registration has been submitted |
|
@ChrisSfanos , any updates on this? |
|
Hi @sakno - at this point it's out of my hands. Once I submit the Trade Name, @clairernovotny takes over and handles the rest. Looks like we are waiting on the certificate to come back. I know it can take a few weeks |
|
I'm following up with DigiCert on this -- it usually doesn't take this long. |
|
@clairernovotny , any news from DigiCert? |
|
Yeah--hopefully soon. Looks like things got snagged by recent baseline updates where key lengths had to be 3072 or greater. Took a while to get to the bottom of that and now they need to issue/update our intermediate root with a cert to match the new baseline. I've been on them about it. |
|
Any estimations about that? I'm stuck with release so I need to inform users about the delay. |
|
you should be able to release without it for now? |
|
Yes, I can do that, but also I can predict questions from users like why the package is not signed? |
|
I'm hoping it'll be done by next week, but it's been slow going with them. That said, everyone knows what needs to be done now. |
|
Sorry for how long it has taken -- the certificate was finally provisioned and I've shared the lastpass folder with the credentials. There's a sample pipeline here: https://github.com/novotnyllc/CodeSigningDemo |
|
Once you have your Pipeline configured, please let me know and I can accept the NuGet co-owner requests. The certificate will be recognized by NuGet then. |
|
Thanks @clairernovotny for good news! Unfortunately, automatic publishing to NuGet is not working in my case. The repo has several libraries with the dependencies between them. Azure Pipeline doesn't have a step that allows to wait for publication. When package gets published, it can be unavailable for download for some time (5-20 minutes). I think it happens because of CDN or caching on NuGet side. That's why I have to do this manually. |
|
Can you please be more specific? It's strongly recommended that all publishing to NuGet be automated. There is a few minutes after publish before it's indexed and available for download, but that's never really been an issue I've come across. For reference, I publish Humanizer, which has >50 packages that are tightly coupled (localization packages). |
|
Sure, the project has the following structure:
For instance, if I want to build and publish
|
|
Not sure I see what the issue is? Why wouldn't you build and publish them all at the same time? For example, we pack the packages here: Publish them to a build artifact: https://github.com/dotnet/reactive/blob/main/azure-pipelines.ix.yml#L100-L106 For non-PR builds, we code sign and publish the artifacts to a SignedPackages artifact: Then later, in a release management, we push the signedpackages to NuGet upon approval, when we want to publish a particular package. |
|
The issue that library B references A using |
|
Oh I see that build of related packages from the same repo is natively supported by NuGet according to this article: https://markheath.net/post/multiple-nuget-single-repo However,
That's very bad side effect of this approach. |
|
@clairernovotny I've fixed YML file according to recommendations but unable to create |
|
Using automated verisoning is recommended. don't version manually. I use Nerdbank.GitVersioning in all of my projects for that. |
|
Agree, but it requires a lot of effort at the moment because each library has its own version history so I need to configure |
|
@clairernovotny , code signing done without custom environment. Release build is possible only from |
|
The environment was there as an example as some people want to be able to approve the code signing stage. I don't tend to use approvals there, but do so with a release pipeline as you say. |
Please fill in the information below
Certificate onboarding checklist:
The text was updated successfully, but these errors were encountered: