Skip to content
This repository was archived by the owner on Jun 30, 2026. It is now read-only.

Commit 9eb42fa

Browse files
committed
ci: switch to signing nuget packages via DigiCert KeyLocker
1 parent a45e901 commit 9eb42fa

3 files changed

Lines changed: 55 additions & 17 deletions

File tree

.github/workflows/Allegro.CosmosDb.BatchUtilities.publish.yml

Lines changed: 5 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -13,6 +13,9 @@ jobs:
1313
publish: true
1414
tagName: ${{ github.ref_name }}
1515
secrets:
16-
nugetCertificate: ${{ secrets.NUGET_PRIVATE_KEY_P12 }}
17-
nugetCertificatePassword: ${{ secrets.GPG_PRIVATE_KEY_PASSWORD }}
16+
SM_CLIENT_CERT_PASSWORD: ${{ secrets.DIGICERT_SM_CLIENT_CERT_PASSWORD }}
17+
SM_CLIENT_CERT_FILE_B64: ${{ secrets.DIGICERT_SM_CLIENT_CERT_FILE_B64 }}
18+
SM_HOST: ${{ secrets.DIGICERT_SM_HOST }}
19+
SM_API_KEY: ${{ secrets.DIGICERT_SM_API_KEY }}
20+
SM_CODE_SIGNING_CERT_SHA1_HASH: ${{ secrets.DIGICERT_SM_CODE_SIGNING_CERT_SHA1_HASH }}
1821
nugetApiKey: ${{ secrets.NUGET_API_KEY }}

.github/workflows/Allegro.CosmosDb.ConsistencyLevelUtilities.publish.yml

Lines changed: 5 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -13,6 +13,9 @@ jobs:
1313
publish: true
1414
tagName: ${{ github.ref_name }}
1515
secrets:
16-
nugetCertificate: ${{ secrets.NUGET_PRIVATE_KEY_P12 }}
17-
nugetCertificatePassword: ${{ secrets.GPG_PRIVATE_KEY_PASSWORD }}
16+
SM_CLIENT_CERT_PASSWORD: ${{ secrets.DIGICERT_SM_CLIENT_CERT_PASSWORD }}
17+
SM_CLIENT_CERT_FILE_B64: ${{ secrets.DIGICERT_SM_CLIENT_CERT_FILE_B64 }}
18+
SM_HOST: ${{ secrets.DIGICERT_SM_HOST }}
19+
SM_API_KEY: ${{ secrets.DIGICERT_SM_API_KEY }}
20+
SM_CODE_SIGNING_CERT_SHA1_HASH: ${{ secrets.DIGICERT_SM_CODE_SIGNING_CERT_SHA1_HASH }}
1821
nugetApiKey: ${{ secrets.NUGET_API_KEY }}

.github/workflows/template.yml

Lines changed: 45 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -60,19 +60,51 @@ jobs:
6060
name: package
6161
path: src/${{ inputs.projectName }}/package
6262
publish:
63-
runs-on: ubuntu-latest
63+
runs-on: windows-latest
6464
if: inputs.publish
6565
needs: [build]
6666
steps:
67-
- uses: actions/download-artifact@v3
68-
with:
69-
name: package
70-
path: unsigned
71-
- name: Save & verify certificate
72-
run: |
73-
echo ${{ secrets.nugetCertificate }} | base64 -d > cert.p12
74-
openssl pkcs12 -in cert.p12 -nodes -legacy -passin pass:"${{ secrets.nugetCertificatePassword }}" | openssl x509 -noout -subject || "Certificate validation failed"
75-
- name: Sign package
76-
run: dotnet nuget sign unsigned/*.nupkg --certificate-path cert.p12 --certificate-password ${{ secrets.nugetCertificatePassword }} --timestamper http://timestamp.digicert.com --output signed
77-
- name: Push package
78-
run: dotnet nuget push signed/${{needs.build.outputs.nupkgFilename}} --api-key ${{ secrets.nugetApiKey }} --source https://api.nuget.org/v3/index.json
67+
- uses: actions/download-artifact@v3
68+
with:
69+
name: package
70+
path: unsigned
71+
- name: NuGet Install
72+
uses: NuGet/setup-nuget@v1.0.5
73+
with:
74+
nuget-version: latest
75+
- name: Setup Certificate
76+
run: |
77+
echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/cognite_code_signing_github_actions.p12
78+
shell: bash
79+
- name: Set variables
80+
id: variables
81+
run: |
82+
echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV"
83+
echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV"
84+
echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV"
85+
echo "SM_CODE_SIGNING_CERT_SHA1_HASH=${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}" >> "$GITHUB_ENV"
86+
echo "SM_CLIENT_CERT_FILE=D:\\cognite_code_signing_github_actions.p12" >> "$GITHUB_ENV"
87+
shell: bash
88+
- name: Configure Digicert Secure Software Manager
89+
uses: digicert/ssm-code-signing@v0.0.2
90+
env:
91+
SM_API_KEY: ${{ env.SM_API_KEY }}
92+
SM_CLIENT_CERT_PASSWORD: ${{ env.SM_CLIENT_CERT_PASSWORD }}
93+
SM_CLIENT_CERT_FILE: ${{ env.SM_CLIENT_CERT_FILE }}
94+
- name: Setup SSM KSP on windows latest
95+
run: |
96+
smksp_registrar.exe list
97+
smctl.exe keypair ls
98+
C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user
99+
smksp_cert_sync.exe
100+
smctl.exe healthcheck
101+
shell: cmd
102+
- name: Signing using Nuget
103+
run: |
104+
dir "%cd%\unsigned"
105+
mkdir "%cd%\signed"
106+
nuget sign "%cd%\unsigned\*.nupkg" -Timestamper http://timestamp.digicert.com -outputdirectory "%cd%\signed" -CertificateFingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} -HashAlgorithm SHA256 -Verbosity detailed -Overwrite
107+
nuget verify -All "%cd%\signed\*.nupkg"
108+
shell: cmd
109+
- name: Push package
110+
run: dotnet nuget push signed/${{needs.build.outputs.nupkgFilename}} --api-key ${{ secrets.nugetApiKey }} --source https://api.nuget.org/v3/index.json

0 commit comments

Comments
 (0)