release: migrate .net tool off esrp (#1571)

# Summary

This PR updates .NET tool payload/package signing to use the Sign CLI
tool instead of ESRP. The most significant changes include the addition
of a new step to download/extract the Sign CLI tool from Azure Blob
Storage, the modification of signing steps to use the downloaded tool,
and the removal of ESRP-related scripts.

# Benefits

Migrating away from ESRP comes with the following major benefits:

1. ESRP was designed for signing large-scale applications like Windows
and Office, not lightweight OSS like GCM. Thus, we were somewhat abusing
the ESRP service to make it work for our use case. Azure Trusted Signing
(previously known as Azure Code Signing) fully supports our needs out of
the box.
0. Speed - the end-to-end test runs I have completed have been running
in about half the time of the workflow that was using ESRP (~10 minutes
instead of ~20 minutes 🎉).

# Testing

I have successfully completed two end-to-end runs of the `release`
workflow with these updates [in my
fork](https://github.com/ldennington/git-credential-manager).

# Details

Changes to the release workflow:

*
[`.github/workflows/release.yml`](diffhunk://#diff-87db21a973eed4fef5f32b267aa60fcee5cbdf03c67fafdc2a9b553bb0b15f34L334):
Zipping/unzipping steps for the unsigned payload and package were
removed. The setup and running of the ESRP client were replaced with the
downloading and extraction of the Sign CLI tool and the signing of the
payload and package using this tool.

Scripts removed:

*
[`.github/run_esrp_signing.py`](diffhunk://#diff-f60e53cf3706460a8d644a811df8197038395559c28d2a1bb2cc56dd235552b3L1-L135):
The entire Python script for running the ESRP client has been removed.
*
[`.github/set_up_esrp.ps1`](diffhunk://#diff-14487115d5ba1dd214217419b4826e1789f7a917789eb0fccd90965a6510f5a0L1-L12):
The PowerShell script for setting up the ESRP client has been removed.

Author: ldennington

.github/run_esrp_signing.py

@@ -331,7 +331,6 @@ jobs:
 
   dotnet-tool-payload-sign:
     name: Sign .NET tool payload
-    # ESRP service requires signing to run on Windows
     runs-on: windows-latest
     environment: release
     needs: dotnet-tool-build
@@ -343,49 +342,44 @@ jobs:
       with:
         name: tmp.dotnet-tool-build
 
-    - name: Zip unsigned payload
-      shell: pwsh
-      run: |
-        Compress-Archive -Path payload payload/payload.zip
-        cd payload
-        Get-ChildItem -Exclude payload.zip | Remove-Item -Recurse -Force
-
     - name: Log into Azure
       uses: azure/login@v1
       with:
         client-id: ${{ secrets.AZURE_CLIENT_ID }}
         tenant-id: ${{ secrets.AZURE_TENANT_ID }}
         subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
-    - name: Set up ESRP client
-      shell: pwsh
+    - name: Download/extract Sign CLI tool
       env:
-        AZURE_VAULT: ${{ secrets.AZURE_VAULT }}
-        AZURE_STORAGE_ACCOUNT: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
-        AZURE_STORAGE_CONTAINER: ${{ secrets.AZURE_STORAGE_CONTAINER }}
-        ESRP_TOOL: ${{ secrets.ESRP_TOOL }}
-        AUTH_CERT: ${{ secrets.AZURE_VAULT_AUTH_CERT_NAME }}
-        REQUEST_SIGNING_CERT: ${{ secrets.AZURE_VAULT_REQUEST_SIGNING_CERT_NAME }}
+        AST: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
+        ASC: ${{ secrets.AZURE_STORAGE_CONTAINER }}
+        SCT: ${{ secrets.SIGN_CLI_TOOL }}
       run: |
-        .github\set_up_esrp.ps1
+        az storage blob download --file sign-cli.zip --auth-mode login `
+          --account-name $env:AST --container-name $env:ASC --name $env:SCT
+        Expand-Archive -Path sign-cli.zip -DestinationPath .\sign-cli
 
-    - name: Run ESRP client
-      shell: pwsh
+    - name: Sign payload
       env:
-        AZURE_AAD_ID: ${{ secrets.AZURE_AAD_ID }}
-        NUGET_KEY_CODE: ${{ secrets.NUGET_KEY_CODE }}
-        NUGET_OPERATION_CODE: ${{ secrets.NUGET_OPERATION_CODE }}
+        ACST: ${{ secrets.AZURE_TENANT_ID }}
+        ACSI: ${{ secrets.AZURE_CLIENT_ID }}
+        ACSS: ${{ secrets.AZURE_CLIENT_SECRET }}
       run: |
-        python .github\run_esrp_signing.py payload `
-         $env:NUGET_KEY_CODE $env:NUGET_OPERATION_CODE
+        ./sign-cli/sign.exe code azcodesign payload/* `
+          -acsu https://wus2.codesigning.azure.net/ `
+          -acsa git-fundamentals-signing `
+          -acscp git-fundamentals-windows-signing `
+          -d "Git Fundamentals Windows Signing Certificate" `
+          -u "https://github.com/git-ecosystem/git-credential-manager" `
+          -acst $env:ACST `
+          -acsi $env:ACSI `
+          -acss $env:ACSS
 
     - name: Lay out signed payload, images, and symbols
       shell: bash
       run: |
         mkdir dotnet-tool-payload-sign
-        rm -rf payload
-        mv images payload.sym -t dotnet-tool-payload-sign
-        unzip signed/payload.zip -d dotnet-tool-payload-sign
+        mv images payload.sym payload -t dotnet-tool-payload-sign
 
     - name: Upload signed payload
       uses: actions/upload-artifact@v4
@@ -427,7 +421,6 @@ jobs:
 
   dotnet-tool-sign:
     name: Sign .NET tool package
-    # ESRP service requires signing to run on Windows
     runs-on: windows-latest
     environment: release
     needs: dotnet-tool-pack
@@ -440,52 +433,44 @@ jobs:
         name: tmp.dotnet-tool-package-unsigned
         path: nupkg
 
-    - name: Zip unsigned package
-      shell: pwsh
-      run: |
-        Compress-Archive -Path nupkg/*.nupkg nupkg/gcm-nupkg.zip
-        cd nupkg
-        Get-ChildItem -Exclude gcm-nupkg.zip | Remove-Item -Recurse -Force
-
     - name: Log into Azure
       uses: azure/login@v1
       with:
         client-id: ${{ secrets.AZURE_CLIENT_ID }}
         tenant-id: ${{ secrets.AZURE_TENANT_ID }}
         subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
-    - name: Set up ESRP client
-      shell: pwsh
+    - name: Download/extract Sign CLI tool
       env:
-        AZURE_VAULT: ${{ secrets.AZURE_VAULT }}
-        AZURE_STORAGE_ACCOUNT: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
-        AZURE_STORAGE_CONTAINER: ${{ secrets.AZURE_STORAGE_CONTAINER }}
-        ESRP_TOOL: ${{ secrets.ESRP_TOOL }}
-        AUTH_CERT: ${{ secrets.AZURE_VAULT_AUTH_CERT_NAME }}
-        REQUEST_SIGNING_CERT: ${{ secrets.AZURE_VAULT_REQUEST_SIGNING_CERT_NAME }}
+        AST: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
+        ASC: ${{ secrets.AZURE_STORAGE_CONTAINER }}
+        SCT: ${{ secrets.SIGN_CLI_TOOL }}
       run: |
-        .github\set_up_esrp.ps1
+        az storage blob download --file sign-cli.zip --auth-mode login `
+          --account-name $env:AST --container-name $env:ASC --name $env:SCT
+        Expand-Archive -Path sign-cli.zip -DestinationPath .\sign-cli
 
     - name: Sign package
-      shell: pwsh
       env:
-        AZURE_AAD_ID: ${{ secrets.AZURE_AAD_ID }}
-        NUGET_KEY_CODE: ${{ secrets.NUGET_KEY_CODE }}
-        NUGET_OPERATION_CODE: ${{ secrets.NUGET_OPERATION_CODE }}
-      run: |
-        python .github\run_esrp_signing.py nupkg $env:NUGET_KEY_CODE $env:NUGET_OPERATION_CODE
-
-    - name: Unzip signed package
-      shell: pwsh
+        ACST: ${{ secrets.AZURE_TENANT_ID }}
+        ACSI: ${{ secrets.AZURE_CLIENT_ID }}
+        ACSS: ${{ secrets.AZURE_CLIENT_SECRET }}
       run: |
-        Expand-Archive -LiteralPath signed\gcm-nupkg.zip -DestinationPath .\signed -Force
-        Remove-Item signed\gcm-nupkg.zip -Force
+        ./sign-cli/sign.exe code azcodesign nupkg/* `
+          -acsu https://wus2.codesigning.azure.net/ `
+          -acsa git-fundamentals-signing `
+          -acscp git-fundamentals-windows-signing `
+          -d "Git Fundamentals Windows Signing Certificate" `
+          -u "https://github.com/git-ecosystem/git-credential-manager" `
+          -acst $env:ACST `
+          -acsi $env:ACSI `
+          -acss $env:ACSS
 
     - name: Publish signed package
       uses: actions/upload-artifact@v4
       with:
         name: dotnet-tool-sign
-        path: signed/*.nupkg
+        path: nupkg/*.nupkg
 
 # ================================
 #           Validate