@@ -60,19 +60,51 @@ jobs:
6060 name : package
6161 path : src/${{ inputs.projectName }}/package
6262 publish :
63- runs-on : ubuntu -latest
63+ runs-on : windows -latest
6464 if : inputs.publish
6565 needs : [build]
6666 steps :
67- - uses : actions/download-artifact@v3
68- with :
69- name : package
70- path : unsigned
71- - name : Save & verify certificate
72- run : |
73- echo ${{ secrets.nugetCertificate }} | base64 -d > cert.p12
74- openssl pkcs12 -in cert.p12 -nodes -legacy -passin pass:"${{ secrets.nugetCertificatePassword }}" | openssl x509 -noout -subject || "Certificate validation failed"
75- - name : Sign package
76- run : dotnet nuget sign unsigned/*.nupkg --certificate-path cert.p12 --certificate-password ${{ secrets.nugetCertificatePassword }} --timestamper http://timestamp.digicert.com --output signed
77- - name : Push package
78- run : dotnet nuget push signed/${{needs.build.outputs.nupkgFilename}} --api-key ${{ secrets.nugetApiKey }} --source https://api.nuget.org/v3/index.json
67+ - uses : actions/download-artifact@v3
68+ with :
69+ name : package
70+ path : unsigned
71+ - name : NuGet Install
72+ uses : NuGet/setup-nuget@v1.0.5
73+ with :
74+ nuget-version : latest
75+ - name : Setup Certificate
76+ run : |
77+ echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/cognite_code_signing_github_actions.p12
78+ shell : bash
79+ - name : Set variables
80+ id : variables
81+ run : |
82+ echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV"
83+ echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV"
84+ echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV"
85+ echo "SM_CODE_SIGNING_CERT_SHA1_HASH=${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}" >> "$GITHUB_ENV"
86+ echo "SM_CLIENT_CERT_FILE=D:\\cognite_code_signing_github_actions.p12" >> "$GITHUB_ENV"
87+ shell : bash
88+ - name : Configure Digicert Secure Software Manager
89+ uses : digicert/ssm-code-signing@v0.0.2
90+ env :
91+ SM_API_KEY : ${{ env.SM_API_KEY }}
92+ SM_CLIENT_CERT_PASSWORD : ${{ env.SM_CLIENT_CERT_PASSWORD }}
93+ SM_CLIENT_CERT_FILE : ${{ env.SM_CLIENT_CERT_FILE }}
94+ - name : Setup SSM KSP on windows latest
95+ run : |
96+ smksp_registrar.exe list
97+ smctl.exe keypair ls
98+ C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user
99+ smksp_cert_sync.exe
100+ smctl.exe healthcheck
101+ shell : cmd
102+ - name : Signing using Nuget
103+ run : |
104+ dir "%cd%\unsigned"
105+ mkdir "%cd%\signed"
106+ nuget sign "%cd%\unsigned\*.nupkg" -Timestamper http://timestamp.digicert.com -outputdirectory "%cd%\signed" -CertificateFingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} -HashAlgorithm SHA256 -Verbosity detailed -Overwrite
107+ nuget verify -All "%cd%\signed\*.nupkg"
108+ shell : cmd
109+ - name : Push package
110+ run : dotnet nuget push signed/${{needs.build.outputs.nupkgFilename}} --api-key ${{ secrets.nugetApiKey }} --source https://api.nuget.org/v3/index.json
0 commit comments