Merge pull request #206 from microsoft/master

Release GCM Core with various fixes and new Windows user-installer

Author: mjcheetham

.github/run_esrp_signing.py

@@ -0,0 +1,112 @@
+import json
+import os
+import glob
+import pprint
+import subprocess
+import sys
+
+esrp_tool = os.path.join("esrp", "tools", "EsrpClient.exe")
+
+aad_id = os.environ['AZURE_AAD_ID'].strip()
+workspace = os.environ['GITHUB_WORKSPACE'].strip()
+
+source_root_location = os.path.join(workspace, "deb", "Release")
+destination_location = os.path.join(workspace)
+
+files = glob.glob(os.path.join(source_root_location, "*.deb"))
+
+print("Found files:")
+pprint.pp(files)
+
+if len(files) < 1 or not files[0].endswith(".deb"):
+	print("Error: cannot find .deb to sign")
+	exit(1)
+
+file_to_sign = os.path.basename(files[0])
+
+auth_json = {
+	"Version": "1.0.0",
+	"AuthenticationType": "AAD_CERT",
+	"TenantId": "72f988bf-86f1-41af-91ab-2d7cd011db47",
+	"ClientId": aad_id,
+	"AuthCert": {
+		"SubjectName": f"CN={aad_id}.microsoft.com",
+		"StoreLocation": "LocalMachine",
+		"StoreName": "My",
+	},
+	"RequestSigningCert": {
+		"SubjectName": f"CN={aad_id}",
+		"StoreLocation": "LocalMachine",
+		"StoreName": "My",
+	}
+}
+
+input_json = {
+	"Version": "1.0.0",
+	"SignBatches": [
+		{
+			"SourceLocationType": "UNC",
+			"SourceRootDirectory": source_root_location,
+			"DestinationLocationType": "UNC",
+			"DestinationRootDirectory": destination_location,
+			"SignRequestFiles": [
+				{
+					"CustomerCorrelationId": "01A7F55F-6CDD-4123-B255-77E6F212CDAD",
+					"SourceLocation": file_to_sign,
+					"DestinationLocation": os.path.join("Signed", file_to_sign),
+				}
+			],
+			"SigningInfo": {
+				"Operations": [
+					{
+						"KeyCode": "CP-450779-Pgp",
+						"OperationCode": "LinuxSign",
+						"Parameters": {},
+						"ToolName": "sign",
+						"ToolVersion": "1.0",
+					}
+				]
+			}
+		}
+	]
+}
+
+policy_json = {
+	"Version": "1.0.0",
+	"Intent": "production release",
+	"ContentType": "Debian package",
+}
+
+configs = [
+	("auth.json", auth_json),
+	("input.json", input_json),
+	("policy.json", policy_json),
+]
+
+for filename, data in configs:
+	with open(filename, 'w') as fp:
+		json.dump(data, fp)
+
+# Run ESRP Client
+esrp_out = "esrp_out.json"
+result = subprocess.run(
+	[esrp_tool, "sign",
+	"-a", "auth.json",
+	"-i", "input.json",
+	"-p", "policy.json",
+	"-o", esrp_out,
+	"-l", "Verbose"],
+	cwd=workspace)
+
+if result.returncode != 0:
+	print("Failed to run ESRPClient.exe")
+	sys.exit(1)
+
+if os.path.isfile(esrp_out):
+	print("ESRP output json:")
+	with open(esrp_out, 'r') as fp:
+		pprint.pp(json.load(fp))
+
+signed_file = os.path.join(destination_location, "Signed", file_to_sign)
+if os.path.isfile(signed_file):
+	print(f"Success!\nSigned {signed_file}")

.github/workflows/build-installers.yml

@@ -1,6 +1,7 @@
 name: Build-Installers
 
 on:
+  workflow_dispatch:
   push:
     branches: [ master, release ]
   pull_request:

.github/workflows/build-signed-deb.yml

@@ -0,0 +1,93 @@
+name: "Build Signed Debian Installer"
+
+on:
+  workflow_dispatch:
+  release:
+    types: [released]
+
+jobs:
+  build:
+    name: "Build"
+    runs-on: ubuntu-18.04
+    steps:
+    - uses: actions/checkout@v2
+      with:
+        fetch-depth: 0 # Indicate full history so Nerdbank.GitVersioning works.
+
+    - name: Setup .NET Core
+      uses: actions/setup-dotnet@v1
+      with:
+        dotnet-version: 3.1.302
+
+    - name: Install dependencies
+      run: dotnet restore --force
+
+    - name: Build Linux Payloads
+      run: dotnet build -c Release src/linux/Packaging.Linux/Packaging.Linux.csproj
+
+    - name: Upload Installers
+      uses: actions/upload-artifact@v2
+      with:
+        name: LinuxInstallers
+        path: |
+          out/linux/Packaging.Linux/deb/Release/*.deb
+          out/linux/Packaging.Linux/tar/Release/*.tar.gz
+
+  sign:
+    name: 'Sign'
+    runs-on: windows-latest
+    needs: build
+    steps:
+    - name: setup python
+      uses: actions/setup-python@v2
+      with:
+        python-version: 3.8
+
+    - uses: actions/checkout@v2
+
+    - name: 'Download Installer Artifact'
+      uses: actions/download-artifact@v2
+      with:
+        name: LinuxInstallers
+
+    - uses: Azure/[email protected]
+      with:
+        creds: ${{ secrets.AZURE_CREDENTIALS }}
+
+    - name: 'Install ESRP Client'
+      shell: pwsh
+      env:
+        AZ_SUB: ${{ secrets.AZURE_SUBSCRIPTION }}
+      run: |
+        az storage blob download --subscription  "$env:AZ_SUB" --account-name gitcitoolstore -c tools -n microsoft.esrpclient.1.2.47.nupkg -f esrp.zip
+        Expand-Archive -Path esrp.zip -DestinationPath .\esrp
+
+    - name: Install Certs
+      shell: pwsh
+      env:
+        AZ_SUB: ${{ secrets.AZURE_SUBSCRIPTION }}
+        AZ_VAULT: ${{ secrets.AZURE_VAULT }}
+        SSL_CERT: ${{ secrets.VAULT_SSL_CERT_NAME }}
+        ESRP_CERT: ${{ secrets.VAULT_ESRP_CERT_NAME }}
+      run: |
+        az keyvault secret download --subscription "$env:AZ_SUB" --vault-name "$env:AZ_VAULT" --name "$env:SSL_CERT" -f out.pfx
+        certutil -f -importpfx out.pfx
+        Remove-Item out.pfx
+
+        az keyvault secret download --subscription "$env:AZ_SUB" --vault-name "$env:AZ_VAULT" --name "$env:ESRP_CERT" -f out.pfx
+        certutil -f -importpfx out.pfx
+        Remove-Item out.pfx
+
+    - name: Run ESRP Client
+      shell: pwsh
+      env:
+        AZURE_AAD_ID: ${{ secrets.AZURE_AAD_ID }}
+      run: |
+        python .github/run_esrp_signing.py
+
+    - name: Upload Installer
+      uses: actions/upload-artifact@v2
+      with:
+        name: DebianInstallerSigned
+        path: |
+          Signed/*.deb

.github/workflows/continuous-integration.yml

@@ -1,6 +1,7 @@
 name: GCM-Core
 
 on:
+  workflow_dispatch:
   push:
     branches: [ master, linux ]
   pull_request:

.github/workflows/release-winget.yaml

@@ -0,0 +1,32 @@
+name: "release-winget"
+on:
+  release:
+    types: [released]
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Update winget repository
+      uses: mjcheetham/[email protected]
+      with:
+        token: ${{ secrets.WINGET_TOKEN }}
+        repo: microsoft/winget-pkgs
+        id: Microsoft.GitCredentialManagerCore
+        releaseAsset: gcmcore-win-x86-(.*)\.exe
+        manifestText: |
+          Id: {{id}}
+          Version: {{version}}
+          Name: Git Credential Manager Core
+          Publisher: Microsoft Corporation
+          AppMoniker: git-credential-manager-core
+          Homepage: https://aka.ms/gcmcore
+          Tags: "gcm, gcmcore, git, credential"
+          License: Copyright (C) Microsoft Corporation
+          Description: Secure, cross-platform Git credential storage with authentication to GitHub, Azure Repos, and other popular Git hosting services.
+          Installers:
+              - Arch: x86
+                Url: {{url}}
+                InstallerType: Inno
+                Sha256: {{sha256}}
+        alwaysUsePullRequest: true

.gitignore

@@ -340,3 +340,7 @@ out/
 
 # dotnet local tools
 .tools/
+
+# Signing generated Files
+auth.json
+input.json

README.md

@@ -6,36 +6,39 @@ master|[![Build Status](https://mseng.visualstudio.com/AzureDevOps/_apis/build/s
 
 ---
 
-[Git Credential Manager Core](https://github.com/Microsoft/Git-Credential-Manager-Core) (GCM Core) is a secure Git credential helper built on [.NET Core](https://microsoft.com/dotnet) that runs on Windows and macOS. Linux support is planned, but not yet scheduled.
+[Git Credential Manager Core](https://github.com/microsoft/Git-Credential-Manager-Core) (GCM Core) is a secure Git credential helper built on [.NET Core](https://microsoft.com/dotnet) that runs on Windows and macOS. Linux support is in an early preview.
 
 Compared to Git's [built-in credential helpers]((https://git-scm.com/book/en/v2/Git-Tools-Credential-Storage)) (Windows: wincred, macOS: osxkeychain, Linux: gnome-keyring) which provides single-factor authentication support working on any HTTP-enabled Git repository, GCM Core provides multi-factor authentication support for [Azure DevOps](https://dev.azure.com/), Azure DevOps Server (formerly Team Foundation Server), GitHub, and Bitbucket.
 
-## Public preview
+Git Credential Manager Core (GCM Core) replaces the .NET Framework-based [Git Credential Manager for Windows](https://github.com/microsoft/Git-Credential-Manager-for-Windows) (GCM), and the Java-based [Git Credential Manager for Mac and Linux](https://github.com/microsoft/Git-Credential-Manager-for-Mac-and-Linux) (Java GCM), providing a consistent authentication experience across all platforms.
 
-The long-term goal of Git Credential Manager Core (GCM Core) is to converge the .NET Framework-based [Git Credential Manager for Windows](https://github.com/Microsoft/Git-Credential-Manager-for-Windows) (GCM), and the Java-based [Git Credential Manager for Mac and Linux](https://github.com/Microsoft/Git-Credential-Manager-for-Mac-and-Linux) (Java GCM), providing a consistent authentication experience across all platforms.
+## Current status
 
-### Current status
+Git Credential Manager Core is currently available for macOS and Windows, with Linux support in preview. If the Linux version of GCM Core is insufficient then SSH still remains an option:
 
-Git Credential Manager Core is currently in preview for macOS and Windows. Linux support is planned, but not yet scheduled. For now, we recommend [SSH for authentication to Azure DevOps](https://docs.microsoft.com/en-us/azure/devops/repos/git/use-ssh-keys-to-authenticate?view=azure-devops) for Linux users.
+- [Azure DevOps SSH](https://docs.microsoft.com/en-us/azure/devops/repos/git/use-ssh-keys-to-authenticate?view=azure-devops)
+- [GitHub SSH](https://help.github.com/en/articles/connecting-to-github-with-ssh)
+- [Bitbucket SSH](https://confluence.atlassian.com/bitbucket/ssh-keys-935365775.html)
 
 Feature|Windows|macOS|Linux
 -|:-:|:-:|:-:
-Installer/uninstaller|✓|✓|
-Secure platform credential storage|&#10003;<br/>Windows Credential Manager|&#10003;<br/>macOS Keychain|
+Installer/uninstaller|&#10003;|&#10003;|&#10003;\*\*
+Secure platform credential storage|&#10003;<br/>Windows<br/>Credential<br/>Manager|&#10003;<br/>macOS Keychain|&#10003;<br/>1. Secret Service<br/>2. `pass`/GPG<br/>3. Plaintext files
 Multi-factor authentication support for Azure DevOps|&#10003;|&#10003;|&#10003;\*
 Two-factor authentication support for GitHub|&#10003;|&#10003;\*|&#10003;\*
 Two-factor authentication support for Bitbucket|&#10003;|&#10003;\*|&#10003;\*
 Windows Integrated Authentication (NTLM/Kerberos) support|&#10003;|_N/A_|_N/A_
 Basic HTTP authentication support|&#10003;|&#10003;|&#10003;
-Proxy support|&#10003;|&#10003;|
+Proxy support|&#10003;|&#10003;|&#10003;
 
 **Notes:**
 
 (\*) Currently only supported when using Git from the terminal or command line. A platform-native UI experience is not yet available, but planned.
 
+(\*\*) Debian package offered but not yet available on an official Microsoft feed.
+
 ### Planned features
 
-- [ ] Linux support ([#135](https://github.com/microsoft/Git-Credential-Manager-Core/issues/135))
 - [ ] macOS/Linux native UI ([#136](https://github.com/microsoft/Git-Credential-Manager-Core/issues/136))
 
 ## Download and Install
@@ -51,6 +54,12 @@ brew tap microsoft/git
 brew cask install git-credential-manager-core
 ```
 
+After installing you can stay up-to-date with new releases by running:
+
+```shell
+brew upgrade git-credential-manager-core
+```
+
 #### Git Credential Manager for Mac and Linux (Java-based GCM)
 
 If you have an existing installation of the 'Java GCM' on macOS and you have installed this using Homebrew, this installation will be unlinked (`brew unlink git-credential-manager`) when GCM Core is installed.
@@ -67,7 +76,7 @@ brew cask uninstall git-credential-manager-core
 
 ### macOS Package
 
-We also provide a [.pkg installer](https://github.com/Microsoft/Git-Credential-Manager-Core/releases/latest) with each release. To install, double-click the installation package and follow the instructions presented.
+We also provide a [.pkg installer](https://github.com/microsoft/Git-Credential-Manager-Core/releases/latest) with each release. To install, double-click the installation package and follow the instructions presented.
 
 #### Uninstall
 
@@ -79,9 +88,33 @@ sudo /usr/local/share/gcm-core/uninstall.sh
 
 ---
 
+### Linux Debian package (.deb)
+
+Download the latest [.deb package](https://github.com/microsoft/Git-Credential-Manager-Core/releases/latest), and run the following:
+
+```shell
+sudo dpkg -i <path-to-package>
+git-credential-manager-core configure
+```
+
+Note that Linux distributions [require additional configuration](https://aka.ms/gcmcore-linuxcredstores) to use GCM Core.
+
+---
+
+### Linux tarball (.tar.gz)
+
+Download the latest [tarball](https://github.com/microsoft/Git-Credential-Manager-Core/releases/latest), and run the following:
+
+```shell
+tar -xvf <path-to-tarball> -C /usr/local/bin
+git-credential-manager-core configure
+```
+
+---
+
 ### Windows
 
-You can download the [latest installer](https://github.com/Microsoft/Git-Credential-Manager-Core/releases/latest) for Windows. To install, double-click the installation package and follow the instructions presented.
+You can download the [latest installer](https://github.com/microsoft/Git-Credential-Manager-Core/releases/latest) for Windows. To install, double-click the installation package and follow the instructions presented.
 
 #### Git Credential Manager for Windows
 

docs/development.md

@@ -41,7 +41,17 @@ The flat binaries can also be found in `out\windows\Payload.Windows\bin\Debug\ne
 
 ### Linux
 
-_No information yet._
+The two available solution configurations are `LinuxDebug` and `LinuxRelease`.
+
+To build from the command line, run:
+
+```shell
+dotnet build -c LinuxDebug
+```
+
+You can find a copy of the Debian package (.deb) file in `out/linux/Packaging.Linux/deb/Debug`.
+
+The flat binaries can also be found in `out/linux/Packaging.Linux/payload/Debug`.
 
 ## Debugging