From e350072d71cf27ac005a859d7ef9060ca07396fb Mon Sep 17 00:00:00 2001 From: Will Saxon Date: Wed, 16 Apr 2025 12:14:51 -0400 Subject: [PATCH 01/11] feat: add a release workflow --- .github/workflows/release.yml | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 .github/workflows/release.yml diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..fcfe817 --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,7 @@ +--- +on: + pull-request: + +jobs: + - name: Test signing + uses: cisco-sbg/ZT-duo_universal_csharp_ci/.github/workflows/sign_and_package.yml@5c673525a3fc07bfb93bd4f18304fb66763525d7 From a6de654c08df2c371245c0387880d8863d2bbdb9 Mon Sep 17 00:00:00 2001 From: Will Saxon Date: Wed, 16 Apr 2025 12:35:54 -0400 Subject: [PATCH 02/11] fixes --- .github/workflows/release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index fcfe817..e00fdf7 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,7 +1,7 @@ --- on: - pull-request: + pull_request: jobs: - - name: Test signing + release: uses: cisco-sbg/ZT-duo_universal_csharp_ci/.github/workflows/sign_and_package.yml@5c673525a3fc07bfb93bd4f18304fb66763525d7 From 145a58b9468d981c6397d210090c539eb941e737 Mon Sep 17 00:00:00 2001 From: Will Saxon Date: Wed, 16 Apr 2025 12:45:43 -0400 Subject: [PATCH 03/11] copy the reusable workflow in --- .github/workflows/release.yml | 86 ++++++++++++++++++++++++++++++++++- 1 file changed, 84 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e00fdf7..41239f5 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -2,6 +2,88 @@ on: pull_request: + +permissions: {} + jobs: - release: - uses: cisco-sbg/ZT-duo_universal_csharp_ci/.github/workflows/sign_and_package.yml@5c673525a3fc07bfb93bd4f18304fb66763525d7 + test: + runs-on: windows-2022 + permissions: + contents: read + steps: + - uses: actions/checkout@v4 + - name: Test C# + run: dotnet test + + package: + runs-on: windows-2022 + permissions: + contents: read + steps: + - uses: actions/checkout@v4 + - name: Create nuget package + run: dotnet pack -c Release -o ../out + working-directory: DuoUniversal + - name: Artifact the nupkg + uses: actions/upload-artifact@v4 + with: + name: nupkg + path: out/DuoUniversal*.nupkg + retention-days: 1 + + sign: + runs-on: windows-2022 + environment: authenticode-signing + permissions: + contents: read + id-token: write + steps: + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0 + with: + role-to-assume: ${{ secrets.AUTHENTICODE_ROLE_ARN }} + role-session-name: jsign-kms + aws-region: us-west-2 + + # NuGet doesn't support signature via signtool.exe, instead using + # nuget sign or dotnet nuget sign. These commands do not support + # detached signing. So, we have to use a different tool, jsign. 
+ - name: Install jsign + run: choco install jsign + + - name: Download artifact + uses: actions/download-artifact@v4 + with: + name: nupkg + - name: Stage authenticode public certificate + run: | + # Pull a configured certificate parameter and write it to a specified location + $b64 = aws ssm get-parameter ` + --name $env:AUTHENTICODE_CERTIFICATE_PARAMETER + --with-decryption ` + --query "Parameter.Value" ` + --output text + $bytes = [Convert]::FromBase64String($b64) + [IO.File]::WriteAllBytes($env:CERT_FILE, $bytes) + [System.Security.Cryptography.X509Certificates.X509Certificate2]::CreateFromCertFile($env:CERT_FILE) | Select-Object "*" + env: + AUTHENTICODE_CERTIFICATE_PARAMETER: ${{ secrets.AUTHENTICODE_CERTIFICATE_PARAMETER }} + CERT_FILE: authenticode.cer + + - name: Sign nupkg + run: > + jsign + --storetype AWS + --keystore us-west-2 + --alias $env:KEY_ID + --certfile $env:CERT_FILE + DuoUniversal*.nupkg + env: + CERT_FILE: authenticode.cer + KEY_ID: ${{ secrets.AUTHENTICODE_KMS_KEY_ID }} + + # - name: Retain signed binary + # uses: actions/upload-artifact@v4 + # with: + # path: DuoUniversal*.nupkg + # retention-days: 1 From a86660e4d0cf7a015fa458ac400bf9ca94baf0f2 Mon Sep 17 00:00:00 2001 From: Will Saxon Date: Wed, 16 Apr 2025 12:49:40 -0400 Subject: [PATCH 04/11] missing a ` --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 41239f5..6a45975 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -59,7 +59,7 @@ jobs: run: | # Pull a configured certificate parameter and write it to a specified location $b64 = aws ssm get-parameter ` - --name $env:AUTHENTICODE_CERTIFICATE_PARAMETER + --name $env:AUTHENTICODE_CERTIFICATE_PARAMETER ` --with-decryption ` --query "Parameter.Value" ` --output text From 2c69bf834a2ab5bbd5d2dd0f7d2c7bdebe42a3d3 Mon Sep 17 00:00:00 2001 
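Review bot: The third-party actions in this hunk are pinned inconsistently: `aws-actions/configure-aws-credentials` is pinned to a full commit SHA with a `# v4.1.0` comment, while `actions/checkout@v4`, `actions/upload-artifact@v4` and `actions/download-artifact@v4` follow a floating major tag. For a job that assumes an OIDC role via `id-token: write` and produces the signed release artifact, a tag move in any of those actions changes what runs with the signing credentials, so pinning them to a commit SHA in the same `uses: owner/repo@<sha> # vX.Y.Z` form is the stronger posture. The same applies to `actions/setup-java@v4` added in PATCH 07 and `actions/setup-dotnet@v4` added in PATCH 10. The `Stage authenticode public certificate` step decodes the SSM parameter to disk and prints the parsed certificate with `Select-Object "*"`, which is useful for auditing the run log; a one-line comment such as `# Public certificate only; signing uses the key held in AWS KMS (jsign --storetype AWS)` would make explicit that nothing sensitive is expected to land in the log or the workspace.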
From: Will Saxon Date: Wed, 16 Apr 2025 12:59:03 -0400 Subject: [PATCH 05/11] use cmd --- .github/workflows/release.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6a45975..6e5d1eb 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -71,6 +71,7 @@ jobs: CERT_FILE: authenticode.cer - name: Sign nupkg + shell: cmd run: > jsign --storetype AWS From 9bf1eeabc28b8a4748a6eb82f2404a2ad8144cc5 Mon Sep 17 00:00:00 2001 From: Will Saxon Date: Wed, 16 Apr 2025 13:01:24 -0400 Subject: [PATCH 06/11] no test; signing needs package --- .github/workflows/release.yml | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6e5d1eb..a324ee2 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -6,15 +6,6 @@ on: permissions: {} jobs: - test: - runs-on: windows-2022 - permissions: - contents: read - steps: - - uses: actions/checkout@v4 - - name: Test C# - run: dotnet test - package: runs-on: windows-2022 permissions: @@ -34,6 +25,7 @@ jobs: sign: runs-on: windows-2022 environment: authenticode-signing + needs: package permissions: contents: read id-token: write From 983b3f4432fe663d1b0818147e284bba83ffb772 Mon Sep 17 00:00:00 2001 From: Will Saxon Date: Wed, 16 Apr 2025 13:15:11 -0400 Subject: [PATCH 07/11] don't download extra java --- .github/workflows/release.yml | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a324ee2..3f2b351 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
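Review bot: Removing the `test` job leaves nothing in this workflow that runs `dotnet test` before a package is built and signed; if the tests run in another workflow that is fine, but this file alone will now sign an untested build. Keeping the job and expressing the ordering the commit title describes, e.g. `needs: test` on `package` (or `needs: [test, package]` on `sign`), preserves the gate without dropping the check. The second hunk's `needs: package` on `sign` is the right fix for the `download-artifact` dependency, since that step had no guarantee the `nupkg` artifact existed before this change.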
@@ -30,23 +30,32 @@ jobs: contents: read id-token: write steps: - - name: Configure AWS credentials - uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0 + - name: Setup Java + uses: actions/setup-java@v4 with: - role-to-assume: ${{ secrets.AUTHENTICODE_ROLE_ARN }} - role-session-name: jsign-kms - aws-region: us-west-2 + distribution: temurin + java-version: 11 + # NuGet doesn't support signature via signtool.exe, instead using # nuget sign or dotnet nuget sign. These commands do not support # detached signing. So, we have to use a different tool, jsign. - name: Install jsign - run: choco install jsign + run: choco install --ignore-dependencies jsign - name: Download artifact uses: actions/download-artifact@v4 with: name: nupkg + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0 + with: + role-to-assume: ${{ secrets.AUTHENTICODE_ROLE_ARN }} + role-session-name: jsign-kms + aws-region: us-west-2 + + - name: Stage authenticode public certificate run: | # Pull a configured certificate parameter and write it to a specified location From 935584089337cbb087411d5cfc13d904bfdc58fe Mon Sep 17 00:00:00 2001 From: Will Saxon Date: Wed, 16 Apr 2025 13:24:09 -0400 Subject: [PATCH 08/11] unroll --- .github/workflows/release.yml | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3f2b351..28b1e17 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
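Review bot: `choco install --ignore-dependencies jsign` still installs whatever jsign version Chocolatey currently serves, so the tool that produces the release signature is the one unpinned component of the `sign` job; pin it, e.g. `run: choco install --ignore-dependencies jsign --version <PINNED_JSIGN_VERSION>`, and bump it deliberately. `--ignore-dependencies` is presumably there to skip the package's own JDK dependency now that `actions/setup-java` supplies Temurin 11 (the commit title suggests as much); a comment above the step, `# Java comes from setup-java above; skip the Chocolatey JDK dependency`, would save the next reader the guess. Moving `Configure AWS credentials` to just before the steps that need the role narrows the window in which those credentials are present in the job, which is a good change. Minor: `java-version: 11` is an integer to a generic YAML parser; `java-version: "11"` is the conventional form for version inputs.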
@@ -73,16 +73,10 @@ jobs: - name: Sign nupkg shell: cmd - run: > - jsign - --storetype AWS - --keystore us-west-2 - --alias $env:KEY_ID - --certfile $env:CERT_FILE - DuoUniversal*.nupkg - env: - CERT_FILE: authenticode.cer - KEY_ID: ${{ secrets.AUTHENTICODE_KMS_KEY_ID }} + run: jsign --storetype AWS --keystore us-west-2 --alias $env:KEY_ID --certfile $env:CERT_FILE DuoUniversal*.nupkg + env: + CERT_FILE: authenticode.cer + KEY_ID: ${{ secrets.AUTHENTICODE_KMS_KEY_ID }} # - name: Retain signed binary # uses: actions/upload-artifact@v4 From dc4862930316808354bddbf40f2b0d10e3ecefdc Mon Sep 17 00:00:00 2001 From: Will Saxon Date: Wed, 16 Apr 2025 13:29:07 -0400 Subject: [PATCH 09/11] :facepalm: --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 28b1e17..dfbe04f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -73,7 +73,7 @@ jobs: - name: Sign nupkg shell: cmd - run: jsign --storetype AWS --keystore us-west-2 --alias $env:KEY_ID --certfile $env:CERT_FILE DuoUniversal*.nupkg + run: jsign --storetype AWS --keystore us-west-2 --alias %KEY_ID% --certfile %CERT_FILE% DuoUniversal*.nupkg env: CERT_FILE: authenticode.cer KEY_ID: ${{ secrets.AUTHENTICODE_KMS_KEY_ID }} From 9ad1f4360ffa03c71d972a143995cd1fde71df79 Mon Sep 17 00:00:00 2001 From: Will Saxon Date: Wed, 16 Apr 2025 14:24:30 -0400 Subject: [PATCH 10/11] make this a manual workflow; artifact the signed .nupkg --- .github/workflows/release.yml | 26 ++++++++++++++++---------- .gitlab-ci.yml | 4 ---- 2 files changed, 16 insertions(+), 14 deletions(-) delete mode 100644 .gitlab-ci.yml diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index dfbe04f..412b453 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,7 +1,8 @@ --- -on: - pull_request: +name: Build and Sign a release +on: + workflow_dispatch: permissions: {} 
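Review bot: With the trigger now `workflow_dispatch`, the `authenticode-signing` environment's protection rules are the only control over who can produce a signed package and from which ref, because the workflow declares no inputs and checks nothing about the ref it was dispatched on; confirm that environment requires reviewers and restricts deployment branches/tags to release refs (that configuration lives outside this file). If releases are meant to come from tags only, a comment under `on:` stating that, or a `workflow_dispatch` input recording the version being released, would make the contract visible in the workflow itself. The `.gitlab-ci.yml` deletion bundled into the same commit is unrelated to the trigger change and would be easier to review on its own.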
@@ -12,10 +13,16 @@ jobs: contents: read steps: - uses: actions/checkout@v4 - - name: Create nuget package + + - uses: actions/setup-dotnet@v4 + with: + dotnet-version: "6.0.100" + + - name: Create NuGet package run: dotnet pack -c Release -o ../out working-directory: DuoUniversal - - name: Artifact the nupkg + + - name: Artifact the .nupkg uses: actions/upload-artifact@v4 with: name: nupkg @@ -36,7 +43,6 @@ jobs: distribution: temurin java-version: 11 - # NuGet doesn't support signature via signtool.exe, instead using # nuget sign or dotnet nuget sign. These commands do not support # detached signing. So, we have to use a different tool, jsign. @@ -78,8 +84,8 @@ jobs: CERT_FILE: authenticode.cer KEY_ID: ${{ secrets.AUTHENTICODE_KMS_KEY_ID }} - # - name: Retain signed binary - # uses: actions/upload-artifact@v4 - # with: - # path: DuoUniversal*.nupkg - # retention-days: 1 + - name: Retain signed binary + uses: actions/upload-artifact@v4 + with: + path: DuoUniversal*.nupkg + retention-days: 1 diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml deleted file mode 100644 index 5710510..0000000 --- a/.gitlab-ci.yml +++ /dev/null @@ -1,4 +0,0 @@ -include: - - project: "mirrors/duo_universal_csharp_ci" - ref: "main" - file: ".gitlab-ci.yml" From e149d813f3dc433715ed45b708fef5990e3584d9 Mon Sep 17 00:00:00 2001 From: Will Saxon Date: Wed, 16 Apr 2025 18:56:46 -0400 Subject: [PATCH 11/11] also artifact the certificate --- .github/workflows/release.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 412b453..2788b92 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -87,5 +87,7 @@ jobs: - name: Retain signed binary uses: actions/upload-artifact@v4 with: - path: DuoUniversal*.nupkg + path: | + authenticode.cer + DuoUniversal*.nupkg retention-days: 1
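Review bot: The `Retain signed binary` step uploads `DuoUniversal*.nupkg` as soon as `jsign` returns, with nothing checking that a valid signature is actually present on the package. If jsign produces the standard NuGet author signature, a step between the two such as `run: dotnet nuget verify DuoUniversal*.nupkg` would fail the job before an unsigned or mis-signed package becomes the release artifact (note the `sign` job does not run `setup-dotnet`, so this relies on the runner image's SDK). The step also omits `name:`, so the artifact is uploaded under the default name `artifact` while the unsigned one from `package` is `nupkg`; giving it `name: signed-nupkg` keeps the two distinguishable in the run summary and for whatever downloads it. `retention-days: 1` is presumably intentional for a manual release that is collected immediately, but a comment saying so would help, since this is the only copy of the signed package the run leaves behind. PATCH 11 extends the same upload with `authenticode.cer`, which is the public certificate staged earlier and is reasonable to publish alongside the package.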