@@ -331,7 +331,6 @@ jobs:
331331
332332dotnet-tool-payload-sign :
333333 name : Sign .NET tool payload
334- # ESRP service requires signing to run on Windows
335334 runs-on : windows-latest
336335 environment : release
337336 needs : dotnet-tool-build
@@ -343,49 +342,44 @@ jobs:
343342 with :
344343 name : tmp.dotnet-tool-build
345344
346- - name : Zip unsigned payload
347- shell : pwsh
348- run : |
349- Compress-Archive -Path payload payload/payload.zip
350- cd payload
351- Get-ChildItem -Exclude payload.zip | Remove-Item -Recurse -Force
352-
353345 - name : Log into Azure
354346 uses : azure/login@v1
355347 with :
356348 client-id : ${{ secrets.AZURE_CLIENT_ID }}
357349 tenant-id : ${{ secrets.AZURE_TENANT_ID }}
358350 subscription-id : ${{ secrets.AZURE_SUBSCRIPTION_ID }}
359351
360- - name : Set up ESRP client
361- shell : pwsh
352+ - name : Download/extract Sign CLI tool
362353 env :
363- AZURE_VAULT : ${{ secrets.AZURE_VAULT }}
364- AZURE_STORAGE_ACCOUNT : ${{ secrets.AZURE_STORAGE_ACCOUNT }}
365- AZURE_STORAGE_CONTAINER : ${{ secrets.AZURE_STORAGE_CONTAINER }}
366- ESRP_TOOL : ${{ secrets.ESRP_TOOL }}
367- AUTH_CERT : ${{ secrets.AZURE_VAULT_AUTH_CERT_NAME }}
368- REQUEST_SIGNING_CERT : ${{ secrets.AZURE_VAULT_REQUEST_SIGNING_CERT_NAME }}
354+ AST : ${{ secrets.AZURE_STORAGE_ACCOUNT }}
355+ ASC : ${{ secrets.AZURE_STORAGE_CONTAINER }}
356+ SCT : ${{ secrets.SIGN_CLI_TOOL }}
369357 run : |
370- .github\set_up_esrp.ps1
358+ az storage blob download --file sign-cli.zip --auth-mode login `
359+ --account-name $env:AST --container-name $env:ASC --name $env:SCT
360+ Expand-Archive -Path sign-cli.zip -DestinationPath .\sign-cli
371361
372- name : Run ESRP client
373- shell : pwsh
362+ name : Sign payload
374363 env :
375- AZURE_AAD_ID : ${{ secrets.AZURE_AAD_ID }}
376- NUGET_KEY_CODE : ${{ secrets.NUGET_KEY_CODE }}
377- NUGET_OPERATION_CODE : ${{ secrets.NUGET_OPERATION_CODE }}
364+ ACST : ${{ secrets.AZURE_TENANT_ID }}
365+ ACSI : ${{ secrets.AZURE_CLIENT_ID }}
366+ ACSS : ${{ secrets.AZURE_CLIENT_SECRET }}
378367 run : |
379- python .github\run_esrp_signing.py payload `
380- $env:NUGET_KEY_CODE $env:NUGET_OPERATION_CODE
368+ ./sign-cli/sign.exe code azcodesign payload/* `
369+ -acsu https://wus2.codesigning.azure.net/ `
370+ -acsa git-fundamentals-signing `
371+ -acscp git-fundamentals-windows-signing `
372+ -d "Git Fundamentals Windows Signing Certificate" `
373+ -u "https://github.com/git-ecosystem/git-credential-manager" `
374+ -acst $env:ACST `
375+ -acsi $env:ACSI `
376+ -acss $env:ACSS
381377
382378name : Lay out signed payload, images, and symbols
383379 shell : bash
384380 run : |
385381 mkdir dotnet-tool-payload-sign
386- rm -rf payload
387- mv images payload.sym -t dotnet-tool-payload-sign
388- unzip signed/payload.zip -d dotnet-tool-payload-sign
382+ mv images payload.sym payload -t dotnet-tool-payload-sign
389383
390384name : Upload signed payload
391385 uses : actions/upload-artifact@v4
@@ -427,7 +421,6 @@ jobs:
427421
428422dotnet-tool-sign :
429423 name : Sign .NET tool package
430- # ESRP service requires signing to run on Windows
431424 runs-on : windows-latest
432425 environment : release
433426 needs : dotnet-tool-pack
@@ -440,52 +433,44 @@ jobs:
440433 name : tmp.dotnet-tool-package-unsigned
441434 path : nupkg
442435
443- - name : Zip unsigned package
444- shell : pwsh
445- run : |
446- Compress-Archive -Path nupkg/*.nupkg nupkg/gcm-nupkg.zip
447- cd nupkg
448- Get-ChildItem -Exclude gcm-nupkg.zip | Remove-Item -Recurse -Force
449-
450436 - name : Log into Azure
451437 uses : azure/login@v1
452438 with :
453439 client-id : ${{ secrets.AZURE_CLIENT_ID }}
454440 tenant-id : ${{ secrets.AZURE_TENANT_ID }}
455441 subscription-id : ${{ secrets.AZURE_SUBSCRIPTION_ID }}
456442
457- - name : Set up ESRP client
458- shell : pwsh
443+ - name : Download/extract Sign CLI tool
459444 env :
460- AZURE_VAULT : ${{ secrets.AZURE_VAULT }}
461- AZURE_STORAGE_ACCOUNT : ${{ secrets.AZURE_STORAGE_ACCOUNT }}
462- AZURE_STORAGE_CONTAINER : ${{ secrets.AZURE_STORAGE_CONTAINER }}
463- ESRP_TOOL : ${{ secrets.ESRP_TOOL }}
464- AUTH_CERT : ${{ secrets.AZURE_VAULT_AUTH_CERT_NAME }}
465- REQUEST_SIGNING_CERT : ${{ secrets.AZURE_VAULT_REQUEST_SIGNING_CERT_NAME }}
445+ AST : ${{ secrets.AZURE_STORAGE_ACCOUNT }}
446+ ASC : ${{ secrets.AZURE_STORAGE_CONTAINER }}
447+ SCT : ${{ secrets.SIGN_CLI_TOOL }}
466448 run : |
467- .github\set_up_esrp.ps1
449+ az storage blob download --file sign-cli.zip --auth-mode login `
450+ --account-name $env:AST --container-name $env:ASC --name $env:SCT
451+ Expand-Archive -Path sign-cli.zip -DestinationPath .\sign-cli
468452
469453name : Sign package
470- shell : pwsh
471454 env :
472- AZURE_AAD_ID : ${{ secrets.AZURE_AAD_ID }}
473- NUGET_KEY_CODE : ${{ secrets.NUGET_KEY_CODE }}
474- NUGET_OPERATION_CODE : ${{ secrets.NUGET_OPERATION_CODE }}
475- run : |
476- python .github\run_esrp_signing.py nupkg $env:NUGET_KEY_CODE $env:NUGET_OPERATION_CODE
477-
478- name : Unzip signed package
479- shell : pwsh
455+ ACST : ${{ secrets.AZURE_TENANT_ID }}
456+ ACSI : ${{ secrets.AZURE_CLIENT_ID }}
457+ ACSS : ${{ secrets.AZURE_CLIENT_SECRET }}
480458 run : |
481- Expand-Archive -LiteralPath signed\gcm-nupkg.zip -DestinationPath .\signed -Force
482- Remove-Item signed\gcm-nupkg.zip -Force
459+ ./sign-cli/sign.exe code azcodesign nupkg/* `
460+ -acsu https://wus2.codesigning.azure.net/ `
461+ -acsa git-fundamentals-signing `
462+ -acscp git-fundamentals-windows-signing `
463+ -d "Git Fundamentals Windows Signing Certificate" `
464+ -u "https://github.com/git-ecosystem/git-credential-manager" `
465+ -acst $env:ACST `
466+ -acsi $env:ACSI `
467+ -acss $env:ACSS
483468
484469name : Publish signed package
485470 uses : actions/upload-artifact@v4
486471 with :
487472 name : dotnet-tool-sign
488- path : signed /*.nupkg
473+ path : nupkg /*.nupkg
489474
490475# ================================
491476# Validate
0 commit comments