Rework nuget packages signing to use Azure Trusted Signing service

Author: jozefizso

.github/workflows/release.yml

@@ -10,6 +10,8 @@ permissions:
 
 jobs:
   release:
+    environment: production
+
     runs-on: windows-2022
 
     strategy:
@@ -45,13 +47,13 @@ jobs:
         path: ~/.dotnet/tools
         key: dotnettools
 
-    - name: Setup AzureSignTool
+    - name: Setup dotnet sign tool
       if: steps.cache-dotnettools.outputs.cache-hit != 'true'
-      run: dotnet tool install --verbosity minimal --global azuresigntool --version 6.0.1
+      run: dotnet tool install --verbosity minimal --global sign --version 0.9.1-beta.24529.1
 
-    - name: Setup NuGetKeyVaultSignTool
+    - name: Setup Knapcode.CertificateExtractor tool
       if: steps.cache-dotnettools.outputs.cache-hit != 'true'
-      run: dotnet tool install --verbosity minimal --global NuGetKeyVaultSignTool --version 3.2.3
+      run: dotnet tool install --verbosity minimal --global Knapcode.CertificateExtractor --version 0.1.1
 
     - name: Cache packages
       uses: actions/cache@v4
@@ -99,36 +101,36 @@ jobs:
         path: '${{ github.workspace }}\Source\ClientApplication\bin\${{ matrix.configuration }}'
 
     - name: Pack NetOffice
-      if: steps.build.outputs.publish_nuget == 'true'
       run: |
         dotnet pack --no-build --no-restore Source\NetOffice.sln -c ${{ matrix.configuration }} -o dist
       env:
         VersionSuffix: ${{ steps.build.outputs.app_version_suffix }}
 
-    # - name: Sign NetOffice packages
-    #   if: success() && steps.build.outputs.publish_nuget == 'true' && steps.build.outputs.sign_binaries == 'true'
-    #   working-directory: '${{ github.workspace}}\dist'
-    #   run: |
-    #       NuGetKeyVaultSignTool.exe sign *.nupkg `
-    #       --file-digest sha256 `
-    #       --timestamp-rfc3161 http://timestamp.digicert.com `
-    #       --timestamp-digest sha256 `
-    #       --azure-key-vault-url https://opensourcesigning.vault.azure.net `
-    #       --azure-key-vault-tenant-id "${{ secrets.KEYVAULT_TENANT_ID }}" `
-    #       --azure-key-vault-client-id "${{ secrets.KEYVAULT_CLIENT_ID }}" `
-    #       --azure-key-vault-client-secret "${{ secrets.KEYVAULT_CLIENT_SECRET }}" `
-    #       --azure-key-vault-certificate "goITSolutions-until-2024-01"
+    - name: Sign NetOffice packages
+      if: success() && steps.build.outputs.sign_binaries == 'true'
+      working-directory: '${{ github.workspace}}\dist'
+      run: |
+          sign code trusted-signing *.nupkg `
+          --publisher-name "NetOffice" `
+          --description "NetOffice" `
+          --description-url "https://github.com/NetOfficeFw/NetOffice" `
+          --trusted-signing-endpoint "${{ secrets.TRUSTED_SIGNING_ENDPOINT }}" `
+          --trusted-signing-account "${{ secrets.TRUSTED_SIGNING_ACCOUNT_NAME }}" `
+          --trusted-signing-certificate-profile "${{ secrets.TRUSTED_SIGNING_CERTIFICATE_PROFILE }}" `
+          --file-digest SHA256 `
+          --timestamp-rfc3161 http://timestamp.acs.microsoft.com `
+          --timestamp-digest SHA256
 
     - name: Publish packages
-      if: success()  && steps.build.outputs.publish_nuget == 'true'
+      if: success() && steps.build.outputs.publish_nuget == 'true'
       working-directory: '${{ github.workspace}}\dist'
       run: |
         dotnet nuget push *.nupkg --api-key $env:NUGET_TOKEN --source https://api.nuget.org/v3/index.json
       env:
         NUGET_TOKEN: ${{ secrets.NUGET_TOKEN }}
 
     - name: Archive NetOffice packages
-      if: success() && steps.build.outputs.publish_nuget == 'true'
+      if: success()
       uses: actions/upload-artifact@v5
       with:
         name: NetOffice_packages_v${{ steps.build.outputs.app_version_full }}