diff --git a/.github/run_esrp_signing.py b/.github/run_esrp_signing.py
deleted file mode 100644
index be5a0f222..000000000
--- a/.github/run_esrp_signing.py
+++ /dev/null
@@ -1,135 +0,0 @@
-import argparse
-import json
-import os
-import glob
-import pprint
-import subprocess
-import sys
-import re
-
-parser = argparse.ArgumentParser(description='Sign binaries for Windows, macOS, and Linux')
-parser.add_argument('path', help='Path to file for signing')
-parser.add_argument('keycode', help='Platform-specific key code for signing')
-parser.add_argument('opcode', help='Platform-specific operation code for signing')
-# Setting nargs=argparse.REMAINDER allows us to pass in params that begin with `--`
-parser.add_argument('--params', nargs=argparse.REMAINDER, help='Parameters for signing')
-args = parser.parse_args()
-
-esrp_tool = os.path.join("esrp", "tools", "EsrpClient.exe")
-
-aad_id = os.environ['AZURE_AAD_ID'].strip()
-workspace = os.environ['GITHUB_WORKSPACE'].strip()
-
-source_location = args.path
-files = glob.glob(os.path.join(source_location, "*"))
-
-print("Found files:")
-pprint.pp(files)
-
-auth_json = {
- "Version": "1.0.0",
- "AuthenticationType": "AAD_CERT",
- "TenantId": "72f988bf-86f1-41af-91ab-2d7cd011db47",
- "ClientId": f"{aad_id}",
- "AuthCert": {
- "SubjectName": f"CN={aad_id}.microsoft.com",
- "StoreLocation": "LocalMachine",
- "StoreName": "My",
- "SendX5c" : "true"
- },
- "RequestSigningCert": {
- "SubjectName": f"CN={aad_id}",
- "StoreLocation": "LocalMachine",
- "StoreName": "My"
- }
-}
-
-input_json = {
- "Version": "1.0.0",
- "SignBatches": [
- {
- "SourceLocationType": "UNC",
- "SourceRootDirectory": source_location,
- "DestinationLocationType": "UNC",
- "DestinationRootDirectory": workspace,
- "SignRequestFiles": [],
- "SigningInfo": {
- "Operations": [
- {
- "KeyCode": f"{args.keycode}",
- "OperationCode": f"{args.opcode}",
- "Parameters": {},
- "ToolName": "sign",
- "ToolVersion": "1.0",
- }
- ]
- }
- }
- ]
-}
-
-# add files to sign
-for f in files:
- name = os.path.basename(f)
- input_json["SignBatches"][0]["SignRequestFiles"].append(
- {
- "SourceLocation": name,
- "DestinationLocation": os.path.join("signed", name),
- }
- )
-
-# add parameters to input.json (e.g. enabling the hardened runtime for macOS)
-if args.params is not None:
- i = 0
- while i < len(args.params):
- input_json["SignBatches"][0]["SigningInfo"]["Operations"][0]["Parameters"][args.params[i]] = args.params[i + 1]
- i += 2
-
-policy_json = {
- "Version": "1.0.0",
- "Intent": "production release",
- "ContentType": "binary",
-}
-
-configs = [
- ("auth.json", auth_json),
- ("input.json", input_json),
- ("policy.json", policy_json),
-]
-
-for filename, data in configs:
- with open(filename, 'w') as fp:
- json.dump(data, fp)
-
-# Run ESRP Client
-esrp_out = "esrp_out.json"
-result = subprocess.run(
- [esrp_tool, "sign",
- "-a", "auth.json",
- "-i", "input.json",
- "-p", "policy.json",
- "-o", esrp_out,
- "-l", "Verbose"],
- capture_output=True,
- text=True,
- cwd=workspace)
-
-# Scrub log before printing
-log = re.sub(r'^.+Uploading.*to\s*destinationUrl\s*(.+?),.+$',
- '***',
- result.stdout,
- flags=re.IGNORECASE|re.MULTILINE)
-print(log)
-
-if result.returncode != 0:
- print("Failed to run ESRPClient.exe")
- sys.exit(1)
-
-if os.path.isfile(esrp_out):
- print("ESRP output json:")
- with open(esrp_out, 'r') as fp:
- pprint.pp(json.load(fp))
-
-for file in files:
- if os.path.isfile(os.path.join("signed", file)):
- print(f"Success!\nSigned {file}")
\ No newline at end of file
diff --git a/.github/set_up_esrp.ps1 b/.github/set_up_esrp.ps1
deleted file mode 100644
index abe9183e0..000000000
--- a/.github/set_up_esrp.ps1
+++ /dev/null
@@ -1,12 +0,0 @@
-# Install ESRP client
-az storage blob download --file esrp.zip --auth-mode login --account-name $env:AZURE_STORAGE_ACCOUNT --container $env:AZURE_STORAGE_CONTAINER --name $env:ESRP_TOOL
-Expand-Archive -Path esrp.zip -DestinationPath .\esrp
-
-# Install certificates
-az keyvault secret download --vault-name "$env:AZURE_VAULT" --name "$env:AUTH_CERT" --file out.pfx
-certutil -f -importpfx out.pfx
-Remove-Item out.pfx
-
-az keyvault secret download --vault-name "$env:AZURE_VAULT" --name "$env:REQUEST_SIGNING_CERT" --file out.pfx
-certutil -f -importpfx out.pfx
-Remove-Item out.pfx
\ No newline at end of file
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 124350066..81af37da3 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -331,7 +331,6 @@ jobs:
 
 dotnet-tool-payload-sign:
 name: Sign .NET tool payload
- # ESRP service requires signing to run on Windows
 runs-on: windows-latest
 environment: release
 needs: dotnet-tool-build
@@ -343,13 +342,6 @@ jobs:
 with:
 name: tmp.dotnet-tool-build
 
- - name: Zip unsigned payload
- shell: pwsh
- run: |
- Compress-Archive -Path payload payload/payload.zip
- cd payload
- Get-ChildItem -Exclude payload.zip | Remove-Item -Recurse -Force
-
 - name: Log into Azure
 uses: azure/login@v1
 with:
@@ -357,35 +349,37 @@ jobs:
 tenant-id: ${{ secrets.AZURE_TENANT_ID }}
 subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
- - name: Set up ESRP client
- shell: pwsh
+ - name: Download/extract Sign CLI tool
 env:
- AZURE_VAULT: ${{ secrets.AZURE_VAULT }}
- AZURE_STORAGE_ACCOUNT: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
- AZURE_STORAGE_CONTAINER: ${{ secrets.AZURE_STORAGE_CONTAINER }}
- ESRP_TOOL: ${{ secrets.ESRP_TOOL }}
- AUTH_CERT: ${{ secrets.AZURE_VAULT_AUTH_CERT_NAME }}
- REQUEST_SIGNING_CERT: ${{ secrets.AZURE_VAULT_REQUEST_SIGNING_CERT_NAME }}
+ AST: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
+ ASC: ${{ secrets.AZURE_STORAGE_CONTAINER }}
+ SCT: ${{ secrets.SIGN_CLI_TOOL }}
 run: |
- .github\set_up_esrp.ps1
+ az storage blob download --file sign-cli.zip --auth-mode login `
+ --account-name $env:AST --container-name $env:ASC --name $env:SCT
+ Expand-Archive -Path sign-cli.zip -DestinationPath .\sign-cli
 
- - name: Run ESRP client
- shell: pwsh
+ - name: Sign payload
 env:
- AZURE_AAD_ID: ${{ secrets.AZURE_AAD_ID }}
- NUGET_KEY_CODE: ${{ secrets.NUGET_KEY_CODE }}
- NUGET_OPERATION_CODE: ${{ secrets.NUGET_OPERATION_CODE }}
+ ACST: ${{ secrets.AZURE_TENANT_ID }}
+ ACSI: ${{ secrets.AZURE_CLIENT_ID }}
+ ACSS: ${{ secrets.AZURE_CLIENT_SECRET }}
 run: |
- python .github\run_esrp_signing.py payload `
- $env:NUGET_KEY_CODE $env:NUGET_OPERATION_CODE
+ ./sign-cli/sign.exe code azcodesign payload/* `
+ -acsu https://wus2.codesigning.azure.net/ `
+ -acsa git-fundamentals-signing `
+ -acscp git-fundamentals-windows-signing `
+ -d "Git Fundamentals Windows Signing Certificate" `
+ -u "https://github.com/git-ecosystem/git-credential-manager" `
+ -acst $env:ACST `
+ -acsi $env:ACSI `
+ -acss $env:ACSS
 
 - name: Lay out signed payload, images, and symbols
 shell: bash
 run: |
 mkdir dotnet-tool-payload-sign
- rm -rf payload
- mv images payload.sym -t dotnet-tool-payload-sign
- unzip signed/payload.zip -d dotnet-tool-payload-sign
+ mv images payload.sym payload -t dotnet-tool-payload-sign
 
 - name: Upload signed payload
 uses: actions/upload-artifact@v4
@@ -427,7 +421,6 @@ jobs:
 
 dotnet-tool-sign:
 name: Sign .NET tool package
- # ESRP service requires signing to run on Windows
 runs-on: windows-latest
 environment: release
 needs: dotnet-tool-pack
@@ -440,13 +433,6 @@ jobs:
 name: tmp.dotnet-tool-package-unsigned
 path: nupkg
 
- - name: Zip unsigned package
- shell: pwsh
- run: |
- Compress-Archive -Path nupkg/*.nupkg nupkg/gcm-nupkg.zip
- cd nupkg
- Get-ChildItem -Exclude gcm-nupkg.zip | Remove-Item -Recurse -Force
-
 - name: Log into Azure
 uses: azure/login@v1
 with:
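Review bot: The `Download/extract Sign CLI tool` step extracts and runs `sign.exe` from a `sign-cli.zip` fetched out of blob storage with no integrity check on the archive, so write access to that container is equivalent to control over the code that signs every release; the identical step in the `dotnet-tool-sign` hunk at `@@ -454,38` has the same gap. Pinning a digest between the download and `Expand-Archive` closes it, e.g. `if ((Get-FileHash sign-cli.zip -Algorithm SHA256).Hash -ne $env:SCT_SHA256) { throw "sign-cli.zip digest mismatch" }`, where `SCT_SHA256` stands for a repository variable holding the expected digest (placeholder name). `-acss $env:ACSS` also hands the client secret to a native process as a command-line argument, where anything able to enumerate processes on the runner can read it for the duration of the call; the step runs right after `azure/login@v1`, so if the installed Sign CLI version can reuse that session (its credential options are not visible here — check its `--help`) the secret could be dropped entirely. Finally, the tool now signs `payload/*` in place where ESRP wrote to a separate `signed/` tree, so a partial failure that still exits 0 would leave unsigned files exactly where the `Lay out` step collects them; a comment saying so above the sign step, plus a `Get-AuthenticodeSignature` pass over the PE files in `payload` that fails on any non-`Valid` status, would make that failure loud.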
@@ -454,38 +440,37 @@ jobs:
 tenant-id: ${{ secrets.AZURE_TENANT_ID }}
 subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
- - name: Set up ESRP client
- shell: pwsh
+ - name: Download/extract Sign CLI tool
 env:
- AZURE_VAULT: ${{ secrets.AZURE_VAULT }}
- AZURE_STORAGE_ACCOUNT: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
- AZURE_STORAGE_CONTAINER: ${{ secrets.AZURE_STORAGE_CONTAINER }}
- ESRP_TOOL: ${{ secrets.ESRP_TOOL }}
- AUTH_CERT: ${{ secrets.AZURE_VAULT_AUTH_CERT_NAME }}
- REQUEST_SIGNING_CERT: ${{ secrets.AZURE_VAULT_REQUEST_SIGNING_CERT_NAME }}
+ AST: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
+ ASC: ${{ secrets.AZURE_STORAGE_CONTAINER }}
+ SCT: ${{ secrets.SIGN_CLI_TOOL }}
 run: |
- .github\set_up_esrp.ps1
+ az storage blob download --file sign-cli.zip --auth-mode login `
+ --account-name $env:AST --container-name $env:ASC --name $env:SCT
+ Expand-Archive -Path sign-cli.zip -DestinationPath .\sign-cli
 
 - name: Sign package
- shell: pwsh
 env:
- AZURE_AAD_ID: ${{ secrets.AZURE_AAD_ID }}
- NUGET_KEY_CODE: ${{ secrets.NUGET_KEY_CODE }}
- NUGET_OPERATION_CODE: ${{ secrets.NUGET_OPERATION_CODE }}
- run: |
- python .github\run_esrp_signing.py nupkg $env:NUGET_KEY_CODE $env:NUGET_OPERATION_CODE
-
- - name: Unzip signed package
- shell: pwsh
+ ACST: ${{ secrets.AZURE_TENANT_ID }}
+ ACSI: ${{ secrets.AZURE_CLIENT_ID }}
+ ACSS: ${{ secrets.AZURE_CLIENT_SECRET }}
 run: |
- Expand-Archive -LiteralPath signed\gcm-nupkg.zip -DestinationPath .\signed -Force
- Remove-Item signed\gcm-nupkg.zip -Force
+ ./sign-cli/sign.exe code azcodesign nupkg/* `
+ -acsu https://wus2.codesigning.azure.net/ `
+ -acsa git-fundamentals-signing `
+ -acscp git-fundamentals-windows-signing `
+ -d "Git Fundamentals Windows Signing Certificate" `
+ -u "https://github.com/git-ecosystem/git-credential-manager" `
+ -acst $env:ACST `
+ -acsi $env:ACSI `
+ -acss $env:ACSS
 
 - name: Publish signed package
 uses: actions/upload-artifact@v4
 with:
 name: dotnet-tool-sign
- path: signed/*.nupkg
+ path: nupkg/*.nupkg
 
 # ================================
 # Validate
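Review bot: With the ESRP flow gone, `path: nupkg/*.nupkg` publishes the same directory the `Sign package` step signed in place, so nothing between signing and `upload-artifact` confirms the package actually carries a signature — the old layout kept unsigned input (`nupkg/`) apart from signed output (`signed/`), which made an unsigned upload under the `dotnet-tool-sign` artifact name impossible by construction. A one-line gate in a `shell: bash` step (so the shell expands the glob) before the publish step restores that property: `dotnet nuget verify --all nupkg/*.nupkg`, which exits non-zero when the package signature is missing or does not validate. The unverified tool download and the `-acss` client secret on the command line are the same concerns raised on the `dotnet-tool-payload-sign` hunk at `@@ -357,35` and apply here unchanged.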