
Implement authenticode signing and package signing

natemcmaster committed Jul 2, 2018
1 parent f498cc7 commit 7d1a472462f86375226fb60904ce7e2116fcf1dd
Showing with 122 additions and 6 deletions.
  1. +3 −1 .appveyor.yml
  2. +7 −1 Directory.Build.props
  3. +4 −0 Directory.Build.targets
  4. +31 −3 build.ps1
  5. +1 −1 docs/push.ps1
  6. +66 −0 src/CodeSign.targets
  7. +10 −0 src/Directory.Build.targets
@@ -14,7 +14,9 @@ build_script:
- ps: .\build.ps1 -IsOfficialBuild
- ps: .\docs\generate.ps1 -NoBuild -Verbose
environment:
access_token:
KEYVAULT_CLIENT_SECRET:
secure: Y89qXSB30HLwCrA53cB7Tic3a8GxsTxv8SdhyvU96ROKS8zX9Lf1FWnhEMIal2mo
GITHUB_ACCESS_TOKEN:
secure: 7gza5cyC0Fwp5LcFPz9dGMcHXP2jxbrnu7er9R/HkdvnhzGJVADvOtfYO7+Vow5p
global:
DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
@@ -4,6 +4,8 @@
<Import Project="releasenotes.props" />
<PropertyGroup>
<MSBuildAllProjects>$(MSBuildAllProjects);$(MSBuildThisFileFullPath)</MSBuildAllProjects>
<Authors>Nate McMaster</Authors>
<Product>CommandLineUtils</Product>
<Copyright>Copyright © Nate McMaster</Copyright>
@@ -20,7 +22,11 @@
<LangVersion>7.2</LangVersion>
<AssemblyOriginatorKeyFile>$(MSBuildThisFileDirectory)src\StrongName.snk</AssemblyOriginatorKeyFile>
<SignAssembly>true</SignAssembly>
<PublicSign Condition="'$(OS)' != 'Windows_NT'">true</PublicSign>
<AzureKeyVaultUrl>https://nmcmaster.vault.azure.net</AzureKeyVaultUrl>
<AzureKeyVaultClientId>6a27a2da-bb78-4baa-bd2b-150fe89ea039</AzureKeyVaultClientId>
<AzureKeyVaultClientSecret>$(KEYVAULT_CLIENT_SECRET)</AzureKeyVaultClientSecret>
<CodeSignCertName>DigiCertCodeSign</CodeSignCertName>
<CodeSign Condition=" '$(CI)' == 'true' ">true</CodeSign>
<TreatWarningsAsErrors>true</TreatWarningsAsErrors>
<GenerateFullPaths Condition="'$(VSCODE_PID)' != ''">true</GenerateFullPaths>
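Review bot: `<AzureKeyVaultClientSecret>$(KEYVAULT_CLIENT_SECRET)</AzureKeyVaultClientSecret>` copies the CI secret into an ordinary MSBuild property that is evaluated for every project in the repository, and MSBuild records environment variables and evaluated property values in binary logs and diagnostic-verbosity text logs, so any official build run with `-bl` or `-v:diag` would persist the Key Vault credential in its log output. The property group carries no warning about this; suggest adding above the AzureKeyVault properties: `<!-- AzureKeyVaultClientSecret is populated from KEYVAULT_CLIENT_SECRET on CI; do not capture binlogs or diagnostic logs from builds where it is set. -->`. The PropertyGroup containing these lines opens outside the hunk.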
@@ -1,5 +1,9 @@
<Project>
<PropertyGroup>
<MSBuildAllProjects>$(MSBuildAllProjects);$(MSBuildThisFileFullPath)</MSBuildAllProjects>
</PropertyGroup>
<Target Name="UpdateBuildDetails" BeforeTargets="CollectPackageReferences" Condition="'$(APPVEYOR)' == 'true'">
<Exec Command="appveyor UpdateBuild -Version $(PackageVersion)"
IgnoreExitCode="true"
@@ -3,8 +3,8 @@
param(
[ValidateSet('Debug', 'Release')]
$Configuration = $null,
[switch]
$IsOfficialBuild,
[switch]
$IsOfficialBuild,
[Parameter(ValueFromRemainingArguments = $true)]
[string[]]$MSBuildArgs
)
@@ -23,7 +23,35 @@ if (!$Configuration) {
}
if ($IsOfficialBuild) {
$MSBuildArgs += '-p:CI=true'
$MSBuildArgs += '-p:CI=true'
$CodeSign = -not $env:APPVEYOR_PULL_REQUEST_HEAD_COMMIT
if ($CodeSign) {
$astDir = "$PSScriptRoot/.build/tools/store/AzureSignTool/1.0.1/"
$AzureSignToolPath = "$astDir/AzureSignTool.exe"
if (-not (Test-Path $AzureSignToolPath)) {
New-Item $astDir -ItemType Directory -ErrorAction Ignore | Out-Null
Invoke-WebRequest https://github.com/vcsjones/AzureSignTool/releases/download/1.0.1/AzureSignTool.zip `
-OutFile "$astDir/AzureSignTool.zip"
Expand-Archive "$astDir/AzureSignTool.zip" -DestinationPath $astDir
}
$nstDir = "$PSScriptRoot/.build/tools/store/NuGetKeyVaultSignTool/1.1.4/"
$NuGetKeyVaultSignTool = "$nstDir/tools/net471/NuGetKeyVaultSignTool.exe"
if (-not (Test-Path $NuGetKeyVaultSignTool)) {
New-Item $nstDir -ItemType Directory -ErrorAction Ignore | Out-Null
Invoke-WebRequest https://github.com/onovotny/NuGetKeyVaultSignTool/releases/download/v1.1.4/NuGetKeyVaultSignTool.1.1.4.nupkg `
-OutFile "$nstDir/NuGetKeyVaultSignTool.zip"
Expand-Archive "$nstDir/NuGetKeyVaultSignTool.zip" -DestinationPath $nstDir
}
$MSBuildArgs += "-p:AzureSignToolPath=$AzureSignToolPath"
$MSBuildArgs += "-p:NuGetKeyVaultSignTool=$NuGetKeyVaultSignTool"
}
else {
$MSBuildArgs += '-p:CodeSign=false'
}
}
$artifacts = "$PSScriptRoot/artifacts/"
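Review bot: The signing tools are downloaded at `Invoke-WebRequest https://github.com/vcsjones/AzureSignTool/releases/download/1.0.1/AzureSignTool.zip` and the NuGetKeyVaultSignTool nupkg a few lines below, then expanded and executed with the Key Vault client secret in hand, with no integrity check on the fetched archive; TLS protects the transport but not the release asset itself, so a replaced asset would run inside the official build with signing credentials. Pin the expected SHA-256 of each archive in the script and compare it with Get-FileHash before Expand-Archive, failing the build on mismatch; the same check belongs in the NuGetKeyVaultSignTool block. The `if ($IsOfficialBuild)` block is complete within the hunk.
```powershell
# Pinned digests of the release assets (placeholders: fill in from a trusted download).
$ExpectedAstSha256 = '<SHA256-OF-AzureSignTool-1.0.1-zip>'
$ExpectedNstSha256 = '<SHA256-OF-NuGetKeyVaultSignTool-1.1.4-nupkg>'

# … unchanged: $astDir / $AzureSignToolPath setup …
if (-not (Test-Path $AzureSignToolPath)) {
    New-Item $astDir -ItemType Directory -ErrorAction Ignore | Out-Null
    Invoke-WebRequest https://github.com/vcsjones/AzureSignTool/releases/download/1.0.1/AzureSignTool.zip `
        -OutFile "$astDir/AzureSignTool.zip"
    $actual = (Get-FileHash "$astDir/AzureSignTool.zip" -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedAstSha256) {
        throw "AzureSignTool.zip digest mismatch: expected $ExpectedAstSha256, got $actual"
    }
    Expand-Archive "$astDir/AzureSignTool.zip" -DestinationPath $astDir
}
# … unchanged: NuGetKeyVaultSignTool download, with the same Get-FileHash check against $ExpectedNstSha256 …
```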
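--- a/docs/push.ps1
+++ b/docs/push.ps1
@@ -16,7 +16,7 @@ try {
 if ($AppVeyor) {
 exec git config --global credential.helper store
-Add-Content "$HOME\.git-credentials" "https://$($env:access_token):x-oauth-basic@github.com`n"
+Add-Content "$HOME\.git-credentials" "https://$($env:GITHUB_ACCESS_TOKEN):x-oauth-basic@github.com`n"
 exec git config --global user.email $env:APPVEYOR_REPO_COMMIT_AUTHOR
 exec git config --global user.name $env:APPVEYOR_REPO_COMMIT_AUTHOR_EMAIL
 $SourceCommit = $env:APPVEYOR_REPO_COMMIT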
@@ -0,0 +1,66 @@
<Project>
<PropertyGroup>
<MSBuildAllProjects>$(MSBuildAllProjects);$(MSBuildThisFileFullPath)</MSBuildAllProjects>
<CodeSignCacheFile>$(IntermediateOutputPath)$(TargetFileName).codesign.cache</CodeSignCacheFile>
<PackageSignCacheFile>$(IntermediateOutputPath)$(PackageId)$(PackageVersion).packagesign.cache</PackageSignCacheFile>
</PropertyGroup>
<Target Name="CodeSign"
Condition=" '$(CodeSign)' == 'true' AND '$(NoBuild)' != 'true' AND '$(TargetFramework)' != '' "
DependsOnTargets="CoreCompile"
BeforeTargets="Build"
Inputs="$(TargetPath)"
Outputs="$(CodeSignCacheFile)">
<Error Text="Missing required property: AzureSignToolPath" Condition="'$(AzureSignToolPath)' == ''" />
<PropertyGroup>
<SignToolArgs>"$(AzureSignToolPath)" sign</SignToolArgs>
<SignToolArgs>$(SignToolArgs) --file-digest sha256</SignToolArgs>
<SignToolArgs>$(SignToolArgs) --description-url $(PackageProjectUrl)</SignToolArgs>
<SignToolArgs>$(SignToolArgs) --no-page-hashing</SignToolArgs>
<SignToolArgs>$(SignToolArgs) --timestamp-rfc3161 http://timestamp.digicert.com</SignToolArgs>
<SignToolArgs>$(SignToolArgs) --timestamp-digest sha256</SignToolArgs>
<SignToolArgs>$(SignToolArgs) --azure-key-vault-url $(AzureKeyVaultUrl)</SignToolArgs>
<SignToolArgs>$(SignToolArgs) --azure-key-vault-client-id $(AzureKeyVaultClientId)</SignToolArgs>
<SignToolArgs>$(SignToolArgs) --azure-key-vault-client-secret $(AzureKeyVaultClientSecret)</SignToolArgs>
<SignToolArgs>$(SignToolArgs) --azure-key-vault-certificate $(CodeSignCertName)</SignToolArgs>
<SignToolArgs>$(SignToolArgs) "$(TargetPath)"</SignToolArgs>
</PropertyGroup>
<WriteLinesToFile Lines="$([System.DateTime]::Now.ToString())" File="$(CodeSignCacheFile)" Overwrite="true" />
<Message Importance="High" Text="Code signing $(TargetPath)" />
<Exec Command="$(SignToolArgs)" />
</Target>
<Target Name="PackageSign"
Condition=" '$(CodeSign)' == 'true' "
DependsOnTargets="GenerateNuspec"
BeforeTargets="Pack"
Inputs="$(PackageOutputAbsolutePath)$(PackageId).$(PackageVersion).nupkg"
Outputs="$(PackageSignCacheFile)">
<Error Text="Missing required property: NuGetKeyVaultSignTool" Condition="'$(NuGetKeyVaultSignTool)' == ''" />
<WriteLinesToFile Lines="$([System.DateTime]::Now.ToString())" File="$(PackageSignCacheFile)" Overwrite="true" />
<PropertyGroup>
<NupkgTargetPath>$(PackageOutputAbsolutePath)$(PackageId).$(PackageVersion).nupkg</NupkgTargetPath>
<NupkgSignToolArgs>"$(NuGetKeyVaultSignTool)" sign</NupkgSignToolArgs>
<NupkgSignToolArgs>$(NupkgSignToolArgs) --file-digest sha256</NupkgSignToolArgs>
<NupkgSignToolArgs>$(NupkgSignToolArgs) --timestamp-rfc3161 http://timestamp.digicert.com</NupkgSignToolArgs>
<NupkgSignToolArgs>$(NupkgSignToolArgs) --timestamp-digest sha256</NupkgSignToolArgs>
<NupkgSignToolArgs>$(NupkgSignToolArgs) --azure-key-vault-url $(AzureKeyVaultUrl)</NupkgSignToolArgs>
<NupkgSignToolArgs>$(NupkgSignToolArgs) --azure-key-vault-client-id $(AzureKeyVaultClientId)</NupkgSignToolArgs>
<NupkgSignToolArgs>$(NupkgSignToolArgs) --azure-key-vault-client-secret $(AzureKeyVaultClientSecret)</NupkgSignToolArgs>
<NupkgSignToolArgs>$(NupkgSignToolArgs) --azure-key-vault-certificate $(CodeSignCertName)</NupkgSignToolArgs>
<NupkgSignToolArgs>$(NupkgSignToolArgs) "$(NupkgTargetPath)"</NupkgSignToolArgs>
</PropertyGroup>
<Message Importance="High" Text="Package signing $(NupkgTargetPath)" />
<Exec Command="$(NupkgSignToolArgs)" />
</Target>
</Project>
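Review bot: In the CodeSign target the incremental-build marker is written by `<WriteLinesToFile Lines="$([System.DateTime]::Now.ToString())" File="$(CodeSignCacheFile)" Overwrite="true" />` before `<Exec Command="$(SignToolArgs)" />` runs, so when AzureSignTool fails the build errors but the marker already exists and is newer than `$(TargetPath)`; the next incremental build finds Outputs up to date, skips the target, and an unsigned assembly proceeds to Pack. Move the WriteLinesToFile after the Exec so the marker only records a successful signing; PackageSign has the same ordering with `File="$(PackageSignCacheFile)"` written before its Exec. Separately, Exec echoes its Command to the build log, and `$(SignToolArgs)` and `$(NupkgSignToolArgs)` both contain `--azure-key-vault-client-secret $(AzureKeyVaultClientSecret)`; add `EchoOff="true"` to both Exec tasks so the secret is not written to CI logs (it remains visible on the process command line on the agent, which this change does not address).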
@@ -0,0 +1,10 @@
<Project>
<PropertyGroup>
<MSBuildAllProjects>$(MSBuildAllProjects);$(MSBuildThisFileFullPath)</MSBuildAllProjects>
</PropertyGroup>
<Import Project="..\Directory.Build.targets" />
<Import Project="CodeSign.targets" />
</Project>
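Review bot: The explicit `<Import Project="..\Directory.Build.targets" />` deserves a comment, because MSBuild auto-imports only the nearest Directory.Build.targets up the directory tree and this new file in src/ now shadows the repo-root one; without that line the UpdateBuildDetails target defined at the root would silently stop running for src projects. Suggest above the import: `<!-- This file shadows the repo-root Directory.Build.targets (MSBuild imports only the nearest one); chain to it explicitly before adding CodeSign. -->`.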
