
Commit 162cabb

committed
Use Azure Trusted Signing service to digitally sign NetOffice libraries
1 parent 25dc0f2 commit 162cabb


1 file changed

+26
-16
lines changed


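--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,10 +6,13 @@ on:
       - 'v*.*.*'
 
 permissions:
+  id-token: write
   contents: read
 
 jobs:
   release:
+    environment: production
+
     runs-on: windows-2022
 
     strategy:
@@ -45,13 +48,13 @@ jobs:
           path: ~/.dotnet/tools
           key: dotnettools
 
-      - name: Setup AzureSignTool
+      - name: Setup dotnet sign tool
         if: steps.cache-dotnettools.outputs.cache-hit != 'true'
-        run: dotnet tool install --verbosity minimal --global azuresigntool --version 6.0.1
+        run: dotnet tool install --verbosity minimal --global sign --version 0.9.1-beta.25379.1
 
-      - name: Setup NuGetKeyVaultSignTool
+      - name: Setup Knapcode.CertificateExtractor tool
         if: steps.cache-dotnettools.outputs.cache-hit != 'true'
-        run: dotnet tool install --verbosity minimal --global NuGetKeyVaultSignTool --version 3.2.3
+        run: dotnet tool install --verbosity minimal --global Knapcode.CertificateExtractor --version 0.1.1
 
       - name: Cache packages
         uses: actions/cache@v4
@@ -77,20 +80,27 @@ jobs:
           $content = $content.Replace('${{ github.workspace }}', '..')
           $content | Set-Content obj/signlist.txt
 
+      - name: azure login
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.TRUSTED_SIGNING_CLIENT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+
       - name: Sign NetOffice libraries
         if: success() && steps.build.outputs.sign_binaries == 'true'
-        uses: azure/[email protected]
-        with:
-          azure-tenant-id: ${{ secrets.KEYVAULT_TENANT_ID }}
-          azure-client-id: ${{ secrets.KEYVAULT_CLIENT_ID }}
-          azure-client-secret: ${{ secrets.KEYVAULT_CLIENT_SECRET }}
-          endpoint: ${{ vars.KEYVAULT_ENDPOINT }}
-          trusted-signing-account-name: ${{ vars.KEYVAULT_ACCOUNT_NAME }}
-          certificate-profile-name: ${{ secrets.KEYVAULT_CERTIFICATE_PROFILE }}
-          files-catalog: '${{ github.workspace }}/obj/signlist.txt'
-          file-digest: SHA256
-          timestamp-rfc3161: http://timestamp.acs.microsoft.com
-          timestamp-digest: SHA256
+        run: |
+          sign code trusted-signing `
+            --file-list "${{ github.workspace }}\obj\signlist.txt" `
+            --publisher-name "NetOffice" `
+            --description "NetOffice" `
+            --description-url "https://github.com/NetOfficeFw/NetOffice" `
+            --trusted-signing-endpoint "${{ secrets.TRUSTED_SIGNING_ENDPOINT }}" `
+            --trusted-signing-account "${{ secrets.TRUSTED_SIGNING_ACCOUNT_NAME }}" `
+            --trusted-signing-certificate-profile "${{ secrets.TRUSTED_SIGNING_CERTIFICATE_PROFILE }}" `
+            --file-digest SHA256 `
+            --timestamp-url http://timestamp.acs.microsoft.com `
+            --timestamp-digest SHA256
 
       - name: Archive NetOffice binaries
         uses: actions/upload-artifact@v5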
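Review bot: The three `${{ secrets.TRUSTED_SIGNING_* }}` expressions inside the new `run: |` block of the "Sign NetOffice libraries" step (third hunk) are expanded into the generated script text before the shell runs, so the values live in the script body rather than being read from the environment; passing them through an `env:` map and referencing `$env:…` inside the command is the form GitHub recommends for secrets in `run:` steps and keeps the script itself free of secret material. The step appears to run under PowerShell given the backtick continuations, so `"$env:TRUSTED_SIGNING_ENDPOINT"` and the two sibling references would expand as expected. Separately, the new `azure login` step carries no `if:` guard while the signing step is gated on `steps.build.outputs.sign_binaries == 'true'`, so an OIDC token is minted and a federated login performed on every release run even when nothing is signed; copying `if: success() && steps.build.outputs.sign_binaries == 'true'` onto the login step keeps token issuance tied to the signing path. The `Knapcode.CertificateExtractor` tool installed in the second hunk is not invoked anywhere visible in this diff; if it is used outside these hunks a short comment on that step naming the consumer would help, otherwise it is dead setup.
```yaml
      - name: Sign NetOffice libraries
        if: success() && steps.build.outputs.sign_binaries == 'true'
        env:
          TRUSTED_SIGNING_ENDPOINT: ${{ secrets.TRUSTED_SIGNING_ENDPOINT }}
          TRUSTED_SIGNING_ACCOUNT_NAME: ${{ secrets.TRUSTED_SIGNING_ACCOUNT_NAME }}
          TRUSTED_SIGNING_CERTIFICATE_PROFILE: ${{ secrets.TRUSTED_SIGNING_CERTIFICATE_PROFILE }}
        run: |
          sign code trusted-signing `
            # … unchanged: --file-list, --publisher-name, --description, --description-url …
            --trusted-signing-endpoint "$env:TRUSTED_SIGNING_ENDPOINT" `
            --trusted-signing-account "$env:TRUSTED_SIGNING_ACCOUNT_NAME" `
            --trusted-signing-certificate-profile "$env:TRUSTED_SIGNING_CERTIFICATE_PROFILE" `
            # … unchanged: --file-digest, --timestamp-url, --timestamp-digest …
```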
