Add signing to NuGet package pipeline (#5)

* Update azure-pipelines.yml * Create Sign-Package.ps1 * Create SignClientSettings.json
CommunityToolkit · Aug 28, 2021 · 6f94788 · 6f94788
1 parent 759a34b
commit 6f94788
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 1 deletion.
diff --git a/azure-pipelines.yml b/azure-pipelines.yml
@@ -82,6 +82,16 @@ jobs:
         displayName: Pack Community Toolkit NuGets
         inputs:
           script: 'dotnet pack -c Release $(PathToCommunityToolkitCsproj) -p:PackageVersion=$(NugetPackageVersion) --output $(Build.ArtifactStagingDirectory)/nuget'
+      # Sign NuGet Packages
+      - task: PowerShell@2
+        displayName: Authenticode Sign Packages
+        inputs:
+          filePath: build/Sign-Package.ps1
+        env:
+          SignClientUser: $(SignClientUser)
+          SignClientSecret: $(SignClientSecret)
+          ArtifactDirectory: $(Build.ArtifactStagingDirectory)/nuget
+        condition: and(succeeded(), not(eq(variables['build.reason'], 'PullRequest')), not(eq(variables['SignClientSecret'], '')), not(eq(variables['SignClientUser'], '')))
       # publish the packages
       - task: PublishBuildArtifacts@1
         displayName: 'Publish Unsigned NuGets'
@@ -132,4 +142,4 @@ jobs:
       - task: CmdLine@2
         displayName: 'Pack CommunityToolkit NuGets'
         inputs:
-          script: 'dotnet pack -c Release $(PathToCommunityToolkitCsproj) -p:PackageVersion=$(NugetPackageVersion) --output $(Build.ArtifactStagingDirectory)/nuget'
+          script: 'dotnet pack -c Release $(PathToCommunityToolkitCsproj) -p:PackageVersion=$(NugetPackageVersion) --output $(Build.ArtifactStagingDirectory)/nuget'
diff --git a/build/Sign-Package.ps1 b/build/Sign-Package.ps1
@@ -0,0 +1,27 @@
+$currentDirectory = split-path $MyInvocation.MyCommand.Definition
+
+# See if we have the ClientSecret available
+if ([string]::IsNullOrEmpty($Env:SignClientSecret)) {
+  Write-Host "Client Secret not found, not signing packages"
+  return;
+}
+
+dotnet tool install --tool-path . SignClient
+
+# Setup Variables we need to pass into the sign client tool
+
+$appSettings = "$currentDirectory\SignClientSettings.json"
+
+$nupkgs = Get-ChildItem $Env:ArtifactDirectory\*.nupkg -recurse | Select-Object -ExpandProperty FullName
+
+foreach ($nupkg in $nupkgs) {
+  Write-Host "Submitting $nupkg for signing"
+
+  .\SignClient 'sign' -c $appSettings -i $nupkg -r $Env:SignClientUser -s $Env:SignClientSecret -n 'Windows Community Toolkit' -d 'Windows Community Toolkit' -u 'https://developer.microsoft.com/en-us/windows/uwp-community-toolkit'
+  if ($LASTEXITCODE -ne 0) {
+    exit 1
+  }
+  Write-Host "Finished signing $nupkg"
+}
+
+Write-Host "Sign-package complete"
diff --git a/build/SignClientSettings.json b/build/SignClientSettings.json
@@ -0,0 +1,13 @@
+{
+  "SignClient": {
+    "AzureAd": {
+      "AADInstance": "https://login.microsoftonline.com/",
+      "ClientId": "c248d68a-ba6f-4aa9-8a68-71fe872063f8",
+      "TenantId": "16076fdc-fcc1-4a15-b1ca-32c9a255900e"
+    },
+    "Service": {
+      "Url": "https://codesign.dotnetfoundation.org/",
+      "ResourceId": "https://SignService/3c30251f-36f3-490b-a955-520addb85001"
+    }
+  }
+}