From 9d64a81de9d717c355599868f10c0b411ba77e39 Mon Sep 17 00:00:00 2001 From: Joshua Rakita Date: Wed, 27 Mar 2024 19:09:16 -0700 Subject: [PATCH 1/6] Partially done. Updating all projects to .NET 8 and drop .Net Framework. --- .github/workflows/continuous-integration.yml | 6 +++--- .github/workflows/release.yml | 2 +- .vscode/launch.json | 4 ++-- .vscode/tasks.json | 4 ++-- Directory.Build.props | 6 ------ build/GCM.MSBuild.csproj | 2 +- docs/development.md | 8 ++++---- src/linux/Packaging.Linux/Packaging.Linux.csproj | 2 +- src/linux/Packaging.Linux/layout.sh | 2 +- src/osx/Installer.Mac/Installer.Mac.csproj | 2 +- src/osx/Installer.Mac/layout.sh | 2 +- .../Atlassian.Bitbucket.Tests.csproj | 2 +- .../Atlassian.Bitbucket.csproj | 7 +------ src/shared/Core.Tests/Core.Tests.csproj | 2 +- src/shared/Core/Core.csproj | 15 ++------------- src/shared/DotnetTool/DotnetTool.csproj | 2 +- src/shared/DotnetTool/dotnet-tool.nuspec | 2 +- src/shared/DotnetTool/layout.sh | 2 +- .../Git-Credential-Manager.csproj | 3 +-- src/shared/GitHub.Tests/GitHub.Tests.csproj | 2 +- src/shared/GitHub/GitHub.csproj | 7 +------ src/shared/GitLab.Tests/GitLab.Tests.csproj | 2 +- src/shared/GitLab/GitLab.csproj | 7 +------ .../Microsoft.AzureRepos.Tests.csproj | 2 +- .../Microsoft.AzureRepos.csproj | 7 +------ .../TestInfrastructure/TestInfrastructure.csproj | 2 +- .../Installer.Windows/Installer.Windows.csproj | 4 ++-- src/windows/Installer.Windows/layout.ps1 | 2 +- 28 files changed, 36 insertions(+), 74 deletions(-) diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml index 4482f0b18..bee5e2681 100644 --- a/.github/workflows/continuous-integration.yml +++ b/.github/workflows/continuous-integration.yml 
@@ -37,9 +37,9 @@ jobs: shell: bash run: | mkdir -p artifacts/bin - mv out/windows/Installer.Windows/bin/Release/net472/win-x86 artifacts/bin/ - cp out/windows/Installer.Windows/bin/Release/net472/win-x86.sym/* artifacts/bin/win-x86/ - mv out/windows/Installer.Windows/bin/Release/net472/gcm*.exe artifacts/ + mv out/windows/Installer.Windows/bin/Release/net8.0/win-x86 artifacts/bin/ + cp out/windows/Installer.Windows/bin/Release/net8.0/win-x86.sym/* artifacts/bin/win-x86/ + mv out/windows/Installer.Windows/bin/Release/net8.0/gcm*.exe artifacts/ - name: Upload artifacts uses: actions/upload-artifact@v4 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 124350066..a00a99d27 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -200,7 +200,7 @@ jobs: /p:PayloadPath=$env:GITHUB_WORKSPACE\payload /p:NoLayout=true ` --configuration=WindowsRelease mkdir installers - Move-Item -Path .\out\windows\Installer.Windows\bin\Release\net472\*.exe ` + Move-Item -Path .\out\windows\Installer.Windows\bin\Release\net8.0\*.exe ` -Destination $env:GITHUB_WORKSPACE\installers - name: Sign installers with Azure Code Signing diff --git a/.vscode/launch.json b/.vscode/launch.json index af72a8e27..d9b004b86 100644 --- a/.vscode/launch.json +++ b/.vscode/launch.json @@ -10,7 +10,7 @@ "request": "launch", "preLaunchTask": "build", // If you have changed target frameworks, make sure to update the program path. - "program": "${workspaceFolder}/out/shared/Git-Credential-Manager/bin/Debug/net7.0/git-credential-manager.dll", + "program": "${workspaceFolder}/out/shared/Git-Credential-Manager/bin/Debug/net8.0/git-credential-manager.dll", "args": ["get"], "cwd": "${workspaceFolder}/out/shared/Git-Credential-Manager", "console": "integratedTerminal", 
@@ -22,7 +22,7 @@ "request": "launch", "preLaunchTask": "build", // If you have changed target frameworks, make sure to update the program path. - "program": "${workspaceFolder}/out/shared/Git-Credential-Manager/bin/Debug/net7.0/git-credential-manager.dll", + "program": "${workspaceFolder}/out/shared/Git-Credential-Manager/bin/Debug/net8.0/git-credential-manager.dll", "args": ["store"], "cwd": "${workspaceFolder}/out/shared/Git-Credential-Manager", "console": "integratedTerminal", diff --git a/.vscode/tasks.json b/.vscode/tasks.json index e47892848..c559b17b8 100644 --- a/.vscode/tasks.json +++ b/.vscode/tasks.json @@ -56,7 +56,7 @@ "type": "shell", "group": "test", "args": [ - "~/.nuget/packages/reportgenerator/*/*/net7.0/ReportGenerator.dll", + "~/.nuget/packages/reportgenerator/*/*/net8.0/ReportGenerator.dll", "-reports:${workspaceFolder}/**/TestResults/**/coverage.cobertura.xml", "-targetdir:${workspaceFolder}/out/code-coverage" ], @@ -71,7 +71,7 @@ "type": "shell", "group": "test", "args": [ - "${env:USERROFILE}/.nuget/packages/reportgenerator/*/*/net7.0/ReportGenerator.dll", + "${env:USERROFILE}/.nuget/packages/reportgenerator/*/*/net8.0/ReportGenerator.dll", "-reports:${workspaceFolder}/**/TestResults/**/coverage.cobertura.xml", "-targetdir:${workspaceFolder}/out/code-coverage" ], diff --git a/Directory.Build.props b/Directory.Build.props index 8c94238ca..d8c53e0bb 100644 --- a/Directory.Build.props +++ b/Directory.Build.props @@ -26,10 +26,4 @@ true - - - 7.0.2 - - - diff --git a/build/GCM.MSBuild.csproj b/build/GCM.MSBuild.csproj index 02f5a8444..3df4909e6 100644 --- a/build/GCM.MSBuild.csproj +++ b/build/GCM.MSBuild.csproj @@ -1,7 +1,7 @@ - net7.0 + net8.0 false diff --git a/docs/development.md b/docs/development.md index 31350192a..75f9fd0cf 100644 --- a/docs/development.md +++ b/docs/development.md 
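Review bot: The Windows variant of the report task (the `@@ -71,7 +71,7 @@` hunk of `.vscode/tasks.json`) still builds its path from `${env:USERROFILE}`, which looks like a misspelling of `USERPROFILE` carried over onto the touched line. Since the line is being edited anyway, it should read `"${env:USERPROFILE}/.nuget/packages/reportgenerator/*/*/net8.0/ReportGenerator.dll",`. `docs/development.md` in this same patch spells the variable `USERPROFILE`, so the task and the documented command currently disagree. The `args` array continues outside the hunk.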
@@ -40,9 +40,9 @@ To build from the command line, run: dotnet build -c WindowsDebug ``` -You can find a copy of the installer .exe file in `out\windows\Installer.Windows\bin\Debug\net472`. +You can find a copy of the installer .exe file in `out\windows\Installer.Windows\bin\Debug\net8.0`. -The flat binaries can also be found in `out\windows\Payload.Windows\bin\Debug\net472\win-x86`. +The flat binaries can also be found in `out\windows\Payload.Windows\bin\Debug\net8.0\win-x86`. ### Linux @@ -209,13 +209,13 @@ HTML reports can be generated using ReportGenerator, this should be installed during the build process, from the command line: ```shell -dotnet ~/.nuget/packages/reportgenerator/*/*/net7.0/ReportGenerator.dll -reports:./**/TestResults/**/coverage.cobertura.xml -targetdir:./out/code-coverage +dotnet ~/.nuget/packages/reportgenerator/*/*/net8.0/ReportGenerator.dll -reports:./**/TestResults/**/coverage.cobertura.xml -targetdir:./out/code-coverage ``` or ```shell -dotnet {$env:USERPROFILE}/.nuget/packages/reportgenerator/*/*/net7.0/ReportGenerator.dll -reports:./**/TestResults/**/coverage.cobertura.xml -targetdir:./out/code-coverage +dotnet {$env:USERPROFILE}/.nuget/packages/reportgenerator/*/*/net8.0/ReportGenerator.dll -reports:./**/TestResults/**/coverage.cobertura.xml -targetdir:./out/code-coverage ``` Or via VSCode Terminal/Run Task: diff --git a/src/linux/Packaging.Linux/Packaging.Linux.csproj b/src/linux/Packaging.Linux/Packaging.Linux.csproj index 362ffc230..8b9755c78 100644 --- a/src/linux/Packaging.Linux/Packaging.Linux.csproj +++ b/src/linux/Packaging.Linux/Packaging.Linux.csproj @@ -3,7 +3,7 @@ - net7.0 + net8.0 false diff --git a/src/linux/Packaging.Linux/layout.sh b/src/linux/Packaging.Linux/layout.sh index 5f3ba8ca8..6679c39ca 100755 --- a/src/linux/Packaging.Linux/layout.sh +++ b/src/linux/Packaging.Linux/layout.sh 
@@ -38,7 +38,7 @@ GCM_SRC="$SRC/shared/Git-Credential-Manager" PROJ_OUT="$OUT/linux/Packaging.Linux" # Build parameters -FRAMEWORK=net7.0 +FRAMEWORK=net8.0 RUNTIME=linux-x64 # Perform pre-execution checks diff --git a/src/osx/Installer.Mac/Installer.Mac.csproj b/src/osx/Installer.Mac/Installer.Mac.csproj index e46022374..daabd20d4 100644 --- a/src/osx/Installer.Mac/Installer.Mac.csproj +++ b/src/osx/Installer.Mac/Installer.Mac.csproj @@ -3,7 +3,7 @@ - net7.0 + net8.0 false diff --git a/src/osx/Installer.Mac/layout.sh b/src/osx/Installer.Mac/layout.sh index 544b7e106..ad8e2cfc2 100755 --- a/src/osx/Installer.Mac/layout.sh +++ b/src/osx/Installer.Mac/layout.sh @@ -24,7 +24,7 @@ GCM_SRC="$SRC/shared/Git-Credential-Manager" GCM_UI_SRC="$SRC/shared/Git-Credential-Manager.UI.Avalonia" # Build parameters -FRAMEWORK=net7.0 +FRAMEWORK=net8.0 # Parse script arguments for i in "$@" diff --git a/src/shared/Atlassian.Bitbucket.Tests/Atlassian.Bitbucket.Tests.csproj b/src/shared/Atlassian.Bitbucket.Tests/Atlassian.Bitbucket.Tests.csproj index 0e3c94c22..d5d08797c 100644 --- a/src/shared/Atlassian.Bitbucket.Tests/Atlassian.Bitbucket.Tests.csproj +++ b/src/shared/Atlassian.Bitbucket.Tests/Atlassian.Bitbucket.Tests.csproj @@ -1,7 +1,7 @@  - net7.0 + net8.0 false true latest diff --git a/src/shared/Atlassian.Bitbucket/Atlassian.Bitbucket.csproj b/src/shared/Atlassian.Bitbucket/Atlassian.Bitbucket.csproj index af8285c72..d50785fa7 100644 --- a/src/shared/Atlassian.Bitbucket/Atlassian.Bitbucket.csproj +++ b/src/shared/Atlassian.Bitbucket/Atlassian.Bitbucket.csproj @@ -1,8 +1,7 @@  - net7.0 - net7.0;net472 + net8.0 Atlassian.Bitbucket Atlassian.Bitbucket false @@ -13,10 +12,6 @@ - - - - diff --git a/src/shared/Core.Tests/Core.Tests.csproj b/src/shared/Core.Tests/Core.Tests.csproj index 4ee2d350e..db045a83b 100644 --- a/src/shared/Core.Tests/Core.Tests.csproj +++ b/src/shared/Core.Tests/Core.Tests.csproj @@ -1,7 +1,7 @@  - net7.0 + net8.0 false true latest 
diff --git a/src/shared/Core/Core.csproj b/src/shared/Core/Core.csproj index 644d07e4e..ae180a8d3 100644 --- a/src/shared/Core/Core.csproj +++ b/src/shared/Core/Core.csproj @@ -1,8 +1,7 @@  - net7.0 - net7.0;net472 + net8.0 gcmcore GitCredentialManager false @@ -10,22 +9,12 @@ true - - - - - - - - - - - + diff --git a/src/shared/DotnetTool/DotnetTool.csproj b/src/shared/DotnetTool/DotnetTool.csproj index a951303bb..a1107a4b6 100644 --- a/src/shared/DotnetTool/DotnetTool.csproj +++ b/src/shared/DotnetTool/DotnetTool.csproj @@ -1,6 +1,6 @@ - net7.0 + net8.0 true dotnet-tool.nuspec diff --git a/src/shared/DotnetTool/dotnet-tool.nuspec b/src/shared/DotnetTool/dotnet-tool.nuspec index e707ba27e..cf9ba7444 100644 --- a/src/shared/DotnetTool/dotnet-tool.nuspec +++ b/src/shared/DotnetTool/dotnet-tool.nuspec @@ -12,7 +12,7 @@ - + diff --git a/src/shared/DotnetTool/layout.sh b/src/shared/DotnetTool/layout.sh index 44c712650..f5244dbbd 100755 --- a/src/shared/DotnetTool/layout.sh +++ b/src/shared/DotnetTool/layout.sh @@ -39,7 +39,7 @@ PROJ_OUT="$OUT/$DOTNET_TOOL" CONFIGURATION="${CONFIGURATION:=Debug}" # Build parameters -FRAMEWORK=net7.0 +FRAMEWORK=net8.0 # Outputs OUTDIR="$PROJ_OUT/nupkg/$CONFIGURATION" diff --git a/src/shared/Git-Credential-Manager/Git-Credential-Manager.csproj b/src/shared/Git-Credential-Manager/Git-Credential-Manager.csproj index bc6dcb061..0f4ff550d 100644 --- a/src/shared/Git-Credential-Manager/Git-Credential-Manager.csproj +++ b/src/shared/Git-Credential-Manager/Git-Credential-Manager.csproj @@ -2,8 +2,7 @@ Exe - net7.0 - net472;net7.0 + net8.0 win-x86;osx-x64;linux-x64;osx-arm64 x86 git-credential-manager diff --git a/src/shared/GitHub.Tests/GitHub.Tests.csproj b/src/shared/GitHub.Tests/GitHub.Tests.csproj index a5cda349e..1b892075e 100644 --- a/src/shared/GitHub.Tests/GitHub.Tests.csproj +++ b/src/shared/GitHub.Tests/GitHub.Tests.csproj @@ -1,7 +1,7 @@  - net7.0 + net8.0 false true latest 
diff --git a/src/shared/GitHub/GitHub.csproj b/src/shared/GitHub/GitHub.csproj index 1de18e7a5..2d550fef1 100644 --- a/src/shared/GitHub/GitHub.csproj +++ b/src/shared/GitHub/GitHub.csproj @@ -1,8 +1,7 @@  - net7.0 - net7.0;net472 + net8.0 GitHub GitHub false @@ -13,8 +12,4 @@ - - - - diff --git a/src/shared/GitLab.Tests/GitLab.Tests.csproj b/src/shared/GitLab.Tests/GitLab.Tests.csproj index bcd5fe7e8..253c36db4 100644 --- a/src/shared/GitLab.Tests/GitLab.Tests.csproj +++ b/src/shared/GitLab.Tests/GitLab.Tests.csproj @@ -1,7 +1,7 @@  - net7.0 + net8.0 false true latest diff --git a/src/shared/GitLab/GitLab.csproj b/src/shared/GitLab/GitLab.csproj index 66017d55e..23086c8ee 100644 --- a/src/shared/GitLab/GitLab.csproj +++ b/src/shared/GitLab/GitLab.csproj @@ -1,8 +1,7 @@  - net7.0 - net7.0;net472 + net8.0 GitLab GitLab false @@ -13,8 +12,4 @@ - - - - diff --git a/src/shared/Microsoft.AzureRepos.Tests/Microsoft.AzureRepos.Tests.csproj b/src/shared/Microsoft.AzureRepos.Tests/Microsoft.AzureRepos.Tests.csproj index 8a475c370..01ec9d411 100644 --- a/src/shared/Microsoft.AzureRepos.Tests/Microsoft.AzureRepos.Tests.csproj +++ b/src/shared/Microsoft.AzureRepos.Tests/Microsoft.AzureRepos.Tests.csproj @@ -1,7 +1,7 @@  - net7.0 + net8.0 false true latest diff --git a/src/shared/Microsoft.AzureRepos/Microsoft.AzureRepos.csproj b/src/shared/Microsoft.AzureRepos/Microsoft.AzureRepos.csproj index c99f102b3..ec08beda2 100644 --- a/src/shared/Microsoft.AzureRepos/Microsoft.AzureRepos.csproj +++ b/src/shared/Microsoft.AzureRepos/Microsoft.AzureRepos.csproj @@ -1,8 +1,7 @@  - net7.0 - net7.0;net472 + net8.0 Microsoft.AzureRepos Microsoft.AzureRepos false @@ -13,8 +12,4 @@ - - - - diff --git a/src/shared/TestInfrastructure/TestInfrastructure.csproj b/src/shared/TestInfrastructure/TestInfrastructure.csproj index 467df5c3c..569b64cd5 100644 --- a/src/shared/TestInfrastructure/TestInfrastructure.csproj +++ b/src/shared/TestInfrastructure/TestInfrastructure.csproj 
@@ -1,7 +1,7 @@  - net7.0 + net8.0 GitCredentialManager.Tests false false diff --git a/src/windows/Installer.Windows/Installer.Windows.csproj b/src/windows/Installer.Windows/Installer.Windows.csproj index 99253c445..27b652e2c 100644 --- a/src/windows/Installer.Windows/Installer.Windows.csproj +++ b/src/windows/Installer.Windows/Installer.Windows.csproj @@ -3,10 +3,10 @@ - net472 + net8.0 false false - $(PlatformOutPath)Installer.Windows\bin\$(Configuration)\net472\win-x86 + $(PlatformOutPath)Installer.Windows\bin\$(Configuration)\$(TargetFramework)\win-x86 diff --git a/src/windows/Installer.Windows/layout.ps1 b/src/windows/Installer.Windows/layout.ps1 index 070c9bf49..d1405ce43 100644 --- a/src/windows/Installer.Windows/layout.ps1 +++ b/src/windows/Installer.Windows/layout.ps1 @@ -37,7 +37,7 @@ mkdir -p "$PAYLOAD","$SYMBOLS" # Publish core application executables Write-Output "Publishing core application..." dotnet publish "$GCM_SRC" ` - --framework net472 ` + --framework "net8.0" ` --configuration "$CONFIGURATION" ` --runtime win-x86 ` --output "$PAYLOAD" From ff0f59cfa28f6c3f15c9a186ffcdeb89b5c501f1 Mon Sep 17 00:00:00 2001 From: Joshua Rakita Date: Mon, 8 Apr 2024 13:01:27 -0700 Subject: [PATCH 2/6] Move CI and Linux packaging to .Net 8 --- .github/workflows/continuous-integration.yml | 6 +++--- src/linux/Packaging.Linux/install-from-source.sh | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml index bee5e2681..8f54ba1b4 100644 --- a/.github/workflows/continuous-integration.yml +++ b/.github/workflows/continuous-integration.yml @@ -21,7 +21,7 @@ jobs: - name: Setup .NET uses: actions/setup-dotnet@v4.0.0 with: - dotnet-version: 6.0.201 + dotnet-version: 8.0.x - name: Install dependencies run: dotnet restore 
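Review bot: `dotnet-version: 8.0.x` replaces an exact SDK (`6.0.201`) with a floating one, so the toolchain that builds the artifacts is whatever 8.0 patch the runner resolves on the day; this applies to the `@@ -21,7 +21,7 @@` hunk here and to the `@@ -61,7 +61,7 @@` and `@@ -102,7 +102,7 @@` hunks of the same workflow. For a credential helper, a build should be traceable to one SDK: either give the full version (`dotnet-version: <exact 8.0 SDK version>`) or commit a `global.json` and point the step at it with `global-json-file: global.json`, then bump it deliberately. As far as the visible diffstat shows, `release.yml` gets only a path change in this series, so its SDK setup is worth checking against the `net8.0` target as well.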
@@ -61,7 +61,7 @@ jobs: - name: Setup .NET uses: actions/setup-dotnet@v4.0.0 with: - dotnet-version: 6.0.201 + dotnet-version: 8.0.x - name: Install dependencies run: dotnet restore @@ -102,7 +102,7 @@ jobs: - name: Setup .NET uses: actions/setup-dotnet@v4.0.0 with: - dotnet-version: 6.0.201 + dotnet-version: 8.0.x - name: Install dependencies run: dotnet restore diff --git a/src/linux/Packaging.Linux/install-from-source.sh b/src/linux/Packaging.Linux/install-from-source.sh index df586ce1c..7d7b5b80c 100755 --- a/src/linux/Packaging.Linux/install-from-source.sh +++ b/src/linux/Packaging.Linux/install-from-source.sh @@ -157,7 +157,7 @@ case "$distribution" in # Install dotnet packages and dependencies if needed. if [ -z "$(verify_existing_dotnet_installation)" ]; then # First try to use native feeds (Ubuntu 22.04 and later). - if ! apt_install dotnet7; then + if ! apt_install dotnet8; then # If the native feeds fail, we fall back to # packages.microsoft.com. We begin by adding the dotnet package # repository/signing key. @@ -173,7 +173,7 @@ case "$distribution" in $sudo_cmd apt update $sudo_cmd apt install apt-transport-https -y $sudo_cmd apt update - $sudo_cmd apt install dotnet-sdk-7.0 dpkg-dev -y + $sudo_cmd apt install dotnet-sdk-8.0 dpkg-dev -y fi fi ;; From fbc5c11a817e4466026c301577321f77cb6b951e Mon Sep 17 00:00:00 2001 
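Review bot: The install is still gated by `verify_existing_dotnet_installation`, whose body is outside this hunk, and the diffstat shows only the two package names changed in `install-from-source.sh`. If that helper still treats a 7.0 (or older) SDK as sufficient, a machine that already has one skips `apt_install dotnet8` and then fails later when building the `net8.0` targets; the accepted-version list there should be updated in the same commit. Both hunks also appear to sit inside a single `case "$distribution"` branch, so the package names in the other distribution branches, not visible here, need the same check.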
From: Joshua Rakita Date: Mon, 8 Apr 2024 13:42:19 -0700 Subject: [PATCH 3/6] Large change - remove all NETFRAMEWORK conditional code. 1. Get rid of all code inside `if NETFRAMEWORK` conditional compilation directives. 2. Attempt to clean up the resulting unreachable code. Anecdotally most of it was the OsBroker and interactive window authentication code. This cleanup was done more aggressively than usual to establish a starting point for a potential port to .NET along with a drop of .Net Framework support. --- .../Core/Authentication/AuthenticationBase.cs | 4 - .../Authentication/MicrosoftAuthentication.cs | 193 ++++-------------- src/shared/Core/Constants.cs | 2 - src/shared/Core/CurlCookie.cs | 4 - .../MicrosoftAuthenticationDiagnostic.cs | 2 +- src/shared/Core/HttpClientFactory.cs | 21 +- .../Core/Interop/Posix/PosixFileSystem.cs | 10 - .../Core/Interop/Windows/WindowsSettings.cs | 36 ---- src/shared/Core/PlatformUtils.cs | 64 +----- src/shared/Core/Settings.cs | 2 +- src/shared/Core/UI/AvaloniaUi.cs | 14 -- src/shared/Git-Credential-Manager/Program.cs | 5 - .../AzureReposHostProvider.cs | 8 +- 13 files changed, 48 insertions(+), 317 deletions(-) diff --git a/src/shared/Core/Authentication/AuthenticationBase.cs b/src/shared/Core/Authentication/AuthenticationBase.cs index 03e4d8ca6..ca3be4173 100644 --- a/src/shared/Core/Authentication/AuthenticationBase.cs +++ b/src/shared/Core/Authentication/AuthenticationBase.cs @@ -60,11 +60,7 @@ protected internal virtual async Task> InvokeHelperA // Write the standard input to the process if we have any to write if (standardInput is not null) { -#if NETFRAMEWORK - await standardInput.BaseStream.CopyToAsync(process.StandardInput.BaseStream); -#else await standardInput.BaseStream.CopyToAsync(process.StandardInput.BaseStream, ct); -#endif process.StandardInput.Close(); } 
diff --git a/src/shared/Core/Authentication/MicrosoftAuthentication.cs b/src/shared/Core/Authentication/MicrosoftAuthentication.cs index b39cc1a73..541571ac3 100644 --- a/src/shared/Core/Authentication/MicrosoftAuthentication.cs +++ b/src/shared/Core/Authentication/MicrosoftAuthentication.cs @@ -1,24 +1,20 @@ -using System; -using System.Collections.Generic; -using System.IO; -using System.Linq; -using System.Net.Http; -using System.Security.Cryptography.X509Certificates; -using System.Threading.Tasks; using GitCredentialManager.Interop.Windows.Native; -using Microsoft.Identity.Client; -using Microsoft.Identity.Client.Extensions.Msal; -using System.Text; -using System.Threading; using GitCredentialManager.UI; using GitCredentialManager.UI.Controls; using GitCredentialManager.UI.ViewModels; using GitCredentialManager.UI.Views; +using System.Threading.Tasks; +using System.Security.Cryptography.X509Certificates; +using System; +using System.Threading; +using Microsoft.Identity.Client; +using Microsoft.Identity.Client.Extensions.Msal; +using System.IO; +using System.Collections.Generic; using Microsoft.Identity.Client.AppConfig; - -#if NETFRAMEWORK -using Microsoft.Identity.Client.Broker; -#endif +using System.Net.Http; +using System.Text; +using System.Linq; namespace GitCredentialManager.Authentication { @@ -127,11 +123,7 @@ public async Task GetTokenForUserAsync( { var uiCts = new CancellationTokenSource(); - // Check if we can and should use OS broker authentication - bool useBroker = CanUseBroker(); - Context.Trace.WriteLine(useBroker - ? "OS broker is available and enabled." - : "OS broker is not available or enabled."); + Context.Trace.WriteLine("OS broker is not available or enabled."); if (msaPt) { 
@@ -141,7 +133,7 @@ public async Task GetTokenForUserAsync( try { // Create the public client application for authentication - IPublicClientApplication app = await CreatePublicClientApplicationAsync(authority, clientId, redirectUri, useBroker, msaPt, uiCts); + IPublicClientApplication app = await CreatePublicClientApplicationAsync(authority, clientId, redirectUri, msaPt, uiCts); AuthenticationResult result = null; 
@@ -178,80 +170,37 @@ public async Task GetTokenForUserAsync( // If the user has disabled interaction all we can do is fail at this point ThrowIfUserInteractionDisabled(); - // If we're using the OS broker then delegate everything to that - if (useBroker) + // Check for a user flow preference if they've specified one + MicrosoftAuthenticationFlowType flowType = GetFlowType(); + switch (flowType) { - // If the user has enabled the default account feature then we can try to acquire an access - // token 'silently' without knowing the user's UPN. Whilst this could be done truly silently, - // we still prompt the user to confirm this action because if the OS account is the incorrect - // account then the user may become stuck in a loop of authentication failures. - if (!hasExistingUser && Context.Settings.UseMsAuthDefaultAccount) - { - result = await GetAccessTokenSilentlyAsync(app, scopes, null, msaPt); - - if (result is null || !await UseDefaultAccountAsync(result.Account.Username)) - { - result = null; - } - } + case MicrosoftAuthenticationFlowType.Auto: + if (CanUseSystemWebView(app, redirectUri)) + goto case MicrosoftAuthenticationFlowType.SystemWebView; - if (result is null) - { - Context.Trace.WriteLine("Performing interactive auth with broker..."); + // Fall back to device code flow + goto case MicrosoftAuthenticationFlowType.DeviceCode; + + case MicrosoftAuthenticationFlowType.SystemWebView: + Context.Trace.WriteLine("Performing interactive auth with system web view..."); + EnsureCanUseSystemWebView(app, redirectUri); result = await app.AcquireTokenInteractive(scopes) .WithPrompt(Prompt.SelectAccount) - // We must configure the system webview as a fallback .WithSystemWebViewOptions(GetSystemWebViewOptions()) .ExecuteAsync(); + break; + + case MicrosoftAuthenticationFlowType.DeviceCode: + Context.Trace.WriteLine("Performing interactive auth with device code..."); + // We don't have a way to display a device code without a terminal at the moment + // TODO: 
introduce a small GUI window to show a code if no TTY exists + ThrowIfTerminalPromptsDisabled(); + result = await app.AcquireTokenWithDeviceCode(scopes, ShowDeviceCodeInTty).ExecuteAsync(); + break; + + default: + goto case MicrosoftAuthenticationFlowType.Auto; } - } - else - { - // Check for a user flow preference if they've specified one - MicrosoftAuthenticationFlowType flowType = GetFlowType(); - switch (flowType) - { - case MicrosoftAuthenticationFlowType.Auto: - if (CanUseEmbeddedWebView()) - goto case MicrosoftAuthenticationFlowType.EmbeddedWebView; - - if (CanUseSystemWebView(app, redirectUri)) - goto case MicrosoftAuthenticationFlowType.SystemWebView; - - // Fall back to device code flow - goto case MicrosoftAuthenticationFlowType.DeviceCode; - - case MicrosoftAuthenticationFlowType.EmbeddedWebView: - Context.Trace.WriteLine("Performing interactive auth with embedded web view..."); - EnsureCanUseEmbeddedWebView(); - result = await app.AcquireTokenInteractive(scopes) - .WithPrompt(Prompt.SelectAccount) - .WithUseEmbeddedWebView(true) - .WithEmbeddedWebViewOptions(GetEmbeddedWebViewOptions()) - .ExecuteAsync(); - break; - - case MicrosoftAuthenticationFlowType.SystemWebView: - Context.Trace.WriteLine("Performing interactive auth with system web view..."); - EnsureCanUseSystemWebView(app, redirectUri); - result = await app.AcquireTokenInteractive(scopes) - .WithPrompt(Prompt.SelectAccount) - .WithSystemWebViewOptions(GetSystemWebViewOptions()) - .ExecuteAsync(); - break; - - case MicrosoftAuthenticationFlowType.DeviceCode: - Context.Trace.WriteLine("Performing interactive auth with device code..."); - // We don't have a way to display a device code without a terminal at the moment - // TODO: introduce a small GUI window to show a code if no TTY exists - ThrowIfTerminalPromptsDisabled(); - result = await app.AcquireTokenWithDeviceCode(scopes, ShowDeviceCodeInTty).ExecuteAsync(); - break; - - default: - goto case MicrosoftAuthenticationFlowType.Auto; - } - } } 
return new MsalResult(result); @@ -447,7 +396,7 @@ private async Task GetAccessTokenSilentlyAsync( } private async Task CreatePublicClientApplicationAsync(string authority, - string clientId, Uri redirectUri, bool enableBroker, bool msaPt, CancellationTokenSource uiCts) + string clientId, Uri redirectUri, bool msaPt, CancellationTokenSource uiCts) { var httpFactoryAdaptor = new MsalHttpClientFactoryAdaptor(Context.HttpClientFactory); @@ -488,30 +437,9 @@ private async Task CreatePublicClientApplicationAsync( Context.Trace.WriteLine($"Using console parent window ID '{parentHandle}' for MSAL authentication dialogs."); appBuilder.WithParentActivityOrWindow(() => parentHandle); } - else if (enableBroker) // Only actually need to set a parent window when using the Windows broker - { - Context.Trace.WriteLine("Using progress parent window for MSAL authentication dialogs."); - appBuilder.WithParentActivityOrWindow(() => ProgressWindow.ShowAndGetHandle(uiCts.Token)); - } } } - // Configure the broker if enabled - // Currently only supported on Windows so only included in the .NET Framework builds - // to save on the distribution size of the .NET builds (no need for MSALRuntime bits). - if (enableBroker) - { -#if NETFRAMEWORK - appBuilder.WithBroker( - new BrokerOptions(BrokerOptions.OperatingSystems.Windows) - { - Title = "Git Credential Manager", - MsaPassthrough = msaPt, - } - ); -#endif - } - IPublicClientApplication app = appBuilder.Build(); // Register the user token cache 
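Review bot: The rewritten `switch (flowType)` in the `@@ -178,80 +170,37 @@` hunk has no `case MicrosoftAuthenticationFlowType.EmbeddedWebView`, so a user who has configured that flow now lands in `default: goto case MicrosoftAuthenticationFlowType.Auto;` and is silently moved to the system web view or the device code flow. Before this change the non-Framework build reached `EnsureCanUseEmbeddedWebView()` and got an explicit "not available" error; that method is kept by the `@@ -799,55 +727,10 @@` hunk but no caller remains in the visible code. Assuming the enum member still exists (its declaration is outside the diff), keep the explicit failure: `case MicrosoftAuthenticationFlowType.EmbeddedWebView: EnsureCanUseEmbeddedWebView(); break;`. Otherwise remove the member and the method together. `GetTokenForUserAsync` starts and ends outside the hunk.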
@@ -799,55 +727,10 @@ public HttpClient GetHttpClient() #region Auth flow capability detection - public bool CanUseBroker() - { -#if NETFRAMEWORK - // We only support the broker on Windows 10+ and in an interactive session - if (!Context.SessionManager.IsDesktopSession || !PlatformUtils.IsWindowsBrokerSupported()) - { - return false; - } - - // Default to using the OS broker only on DevBox for the time being - bool defaultValue = PlatformUtils.IsDevBox(); - - if (Context.Settings.TryGetSetting(Constants.EnvironmentVariables.MsAuthUseBroker, - Constants.GitConfiguration.Credential.SectionName, - Constants.GitConfiguration.Credential.MsAuthUseBroker, - out string valueStr)) - { - return valueStr.ToBooleanyOrDefault(defaultValue); - } - - return defaultValue; -#else - // OS broker requires .NET Framework right now until we migrate to .NET 5.0 (net5.0-windows10.x.y.z) - return false; -#endif - } - - private bool CanUseEmbeddedWebView() - { - // If we're in an interactive session and on .NET Framework then MSAL can show the WinForms-based embedded UI -#if NETFRAMEWORK - return Context.SessionManager.IsDesktopSession; -#else - return false; -#endif - } - private void EnsureCanUseEmbeddedWebView() { -#if NETFRAMEWORK - if (!Context.SessionManager.IsDesktopSession) - { - throw new Trace2InvalidOperationException(Context.Trace2, - "Embedded web view is not available without a desktop session."); - } -#else throw new Trace2InvalidOperationException(Context.Trace2, "Embedded web view is not available on .NET Core."); -#endif } private bool CanUseSystemWebView(IPublicClientApplication app, Uri redirectUri) diff --git a/src/shared/Core/Constants.cs b/src/shared/Core/Constants.cs index ac609adaa..1851c8e4f 100644 --- a/src/shared/Core/Constants.cs +++ b/src/shared/Core/Constants.cs 
@@ -16,8 +16,6 @@ public static class Constants public const string GcmDataDirectoryName = ".gcm"; - public static readonly Guid DevBoxPartnerId = new("e3171dd9-9a5f-e5be-b36c-cc7c4f3f3bcf"); - /// /// Home tenant ID for Microsoft Accounts (MSA). /// diff --git a/src/shared/Core/CurlCookie.cs b/src/shared/Core/CurlCookie.cs index e3a5fa140..a2bb25a8b 100644 --- a/src/shared/Core/CurlCookie.cs +++ b/src/shared/Core/CurlCookie.cs @@ -66,11 +66,7 @@ public IList Parse(string content) private static DateTime ParseExpires(string expires) { -#if NETFRAMEWORK - DateTime epoch = new DateTime(1970, 01, 01, 0, 0, 0, DateTimeKind.Utc); -#else DateTime epoch = DateTime.UnixEpoch; -#endif if (long.TryParse(expires, out long i)) { diff --git a/src/shared/Core/Diagnostics/MicrosoftAuthenticationDiagnostic.cs b/src/shared/Core/Diagnostics/MicrosoftAuthenticationDiagnostic.cs index e4dba0822..5fc60ecad 100644 --- a/src/shared/Core/Diagnostics/MicrosoftAuthenticationDiagnostic.cs +++ b/src/shared/Core/Diagnostics/MicrosoftAuthenticationDiagnostic.cs @@ -16,7 +16,7 @@ public MicrosoftAuthenticationDiagnostic(ICommandContext context) protected override async Task RunInternalAsync(StringBuilder log, IList additionalFiles) { var msAuth = new MicrosoftAuthentication(CommandContext); - log.AppendLine(msAuth.CanUseBroker() ? "Broker is enabled." : "Broker is not enabled."); + log.AppendLine("Broker capability does not exist with the upgrade to .NET 8."); log.AppendLine($"Flow type is: {msAuth.GetFlowType()}"); log.Append("Gathering MSAL token cache data..."); diff --git a/src/shared/Core/HttpClientFactory.cs b/src/shared/Core/HttpClientFactory.cs index c48e277e5..61031a12f 100644 --- a/src/shared/Core/HttpClientFactory.cs +++ b/src/shared/Core/HttpClientFactory.cs 
@@ -99,11 +99,8 @@ public HttpClient CreateClient() _streams.Error.WriteLine("warning: ---------------------------------------------------"); _streams.Error.WriteLine($"warning: HTTPS connections may not be secure. See {Constants.HelpUrls.GcmTlsVerification} for more information."); -#if NETFRAMEWORK - ServicePointManager.ServerCertificateValidationCallback = (req, cert, chain, errors) => true; -#else + handler.ServerCertificateCustomValidationCallback = (req, cert, chain, errors) => true; -#endif } // If schannel is the TLS backend, custom certificate usage must be explicitly enabled else if (!string.IsNullOrWhiteSpace(_settings.CustomCertificateBundlePath) && @@ -178,23 +175,7 @@ public HttpClient CreateClient() // Set the custom server certificate validation callback. // NOTE: this is executed after the default platform server certificate validation is performed -#if NETFRAMEWORK - ServicePointManager.ServerCertificateValidationCallback = (_, cert, chain, errors) => - { - // Fail immediately if the cert or chain isn't present - if (cert is null || chain is null) - { - return false; - } - - using (X509Certificate2 cert2 = new X509Certificate2(cert)) - { - return validationCallback(cert2, chain, errors); - } - }; -#else handler.ServerCertificateCustomValidationCallback = (_, cert, chain, errors) => validationCallback(cert, chain, errors); -#endif } // If CustomCookieFilePath is set, set Cookie header from cookie file, which is written by libcurl diff --git a/src/shared/Core/Interop/Posix/PosixFileSystem.cs b/src/shared/Core/Interop/Posix/PosixFileSystem.cs index ec7ff8d50..06660bc2f 100644 --- a/src/shared/Core/Interop/Posix/PosixFileSystem.cs +++ b/src/shared/Core/Interop/Posix/PosixFileSystem.cs 
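Review bot: The surviving assignment in the `@@ -178,23 +175,7 @@` hunk hands `cert` and `chain` straight to `validationCallback`, while the deleted Framework branch returned `false` when either was null. Both parameters of `HttpClientHandler.ServerCertificateCustomValidationCallback` can be null, and `validationCallback` is defined outside the hunk, so whether it fails closed on a missing certificate or chain cannot be confirmed here. Keeping the guard on the remaining path costs one line: `handler.ServerCertificateCustomValidationCallback = (_, cert, chain, errors) => cert is not null && chain is not null && validationCallback(cert, chain, errors);`. `CreateClient` starts and ends outside the hunk.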
@@ -13,13 +13,6 @@ public abstract class PosixFileSystem : FileSystem /// Path is not absolute. protected internal static string ResolveSymbolicLinks(string path) { -#if NETFRAMEWORK - // Support for symlinks only exists in .NET 6+. - // Since we're still targeting .NET Framework on Windows it - // doesn't matter if we don't resolve symlinks for POSIX here - // (unless we're running on Mono.. but why do that?) - return path; -#else if (!Path.IsPathRooted(path)) { throw new ArgumentException("Path must be absolute", nameof(path)); @@ -54,10 +47,8 @@ protected internal static string ResolveSymbolicLinks(string path) } return Path.Combine("/", partialPath); -#endif } -#if !NETFRAMEWORK private static bool TryResolveFileLink(string path, out string target) { FileSystemInfo fsi = File.ResolveLinkTarget(path, true); @@ -71,6 +62,5 @@ private static bool TryResolveDirectoryLink(string path, out string target) target = fsi?.FullName; return fsi != null; } -#endif } } diff --git a/src/shared/Core/Interop/Windows/WindowsSettings.cs b/src/shared/Core/Interop/Windows/WindowsSettings.cs index abdd9ee0e..106dc7fb5 100644 --- a/src/shared/Core/Interop/Windows/WindowsSettings.cs +++ b/src/shared/Core/Interop/Windows/WindowsSettings.cs 
@@ -16,41 +16,5 @@ public WindowsSettings(IEnvironment environment, IGit git, ITrace trace) PlatformUtils.EnsureWindows(); } - - protected override bool TryGetExternalDefault(string section, string scope, string property, out string value) - { - value = null; - -#if NETFRAMEWORK - // Check for machine (HKLM) registry keys that match the Git configuration name. - // These can be set by system administrators via Group Policy, so make useful defaults. - using (Microsoft.Win32.RegistryKey configKey = Microsoft.Win32.Registry.LocalMachine.OpenSubKey(Constants.WindowsRegistry.HKConfigurationPath)) - { - if (configKey is null) - { - // No configuration key exists - return false; - } - - string name = string.IsNullOrWhiteSpace(scope) - ? $"{section}.{property}" - : $"{section}.{scope}.{property}"; - - object registryValue = configKey.GetValue(name); - if (registryValue is null) - { - // No property exists - return false; - } - - value = registryValue.ToString(); - _trace.WriteLine($"Default setting found in registry: {name}={value}"); - - return true; - } -#else - return base.TryGetExternalDefault(section, scope, property, out value); -#endif - } } } diff --git a/src/shared/Core/PlatformUtils.cs b/src/shared/Core/PlatformUtils.cs index 8872827d4..f992afc57 100644 --- a/src/shared/Core/PlatformUtils.cs +++ b/src/shared/Core/PlatformUtils.cs 
@@ -23,36 +23,7 @@ public static PlatformInformation GetPlatformInformation(ITrace2 trace2) return new PlatformInformation(osType, osVersion, cpuArch, clrVersion); } - - public static bool IsDevBox() - { - if (!IsWindows()) - { - return false; - } - -#if NETFRAMEWORK - // Check for machine (HKLM) registry keys for Cloud PC indicators - // Note that the keys are only found in the 64-bit registry view - using (Microsoft.Win32.RegistryKey hklm64 = Microsoft.Win32.RegistryKey.OpenBaseKey(Microsoft.Win32.RegistryHive.LocalMachine, Microsoft.Win32.RegistryView.Registry64)) - using (Microsoft.Win32.RegistryKey w365Key = hklm64.OpenSubKey(Constants.WindowsRegistry.HKWindows365Path)) - { - if (w365Key is null) - { - // No Windows365 key exists - return false; - } - - object w365Value = w365Key.GetValue(Constants.WindowsRegistry.IsW365EnvironmentKeyName); - string partnerValue = w365Key.GetValue(Constants.WindowsRegistry.W365PartnerIdKeyName)?.ToString(); - - return w365Value is not null && Guid.TryParse(partnerValue, out Guid partnerId) && partnerId == Constants.DevBoxPartnerId; - } -#else - return false; -#endif - } - + /// /// Returns true if the current process is running on an ARM processor. /// @@ -193,24 +164,6 @@ public static void EnsurePosix() } } - public static bool IsElevatedUser() - { - if (IsWindows()) - { -#if NETFRAMEWORK - var identity = System.Security.Principal.WindowsIdentity.GetCurrent(); - var principal = new System.Security.Principal.WindowsPrincipal(identity); - return principal.IsInRole(System.Security.Principal.WindowsBuiltInRole.Administrator); -#endif - } - else if (IsPosix()) - { - return Unistd.geteuid() == 0; - } - - return false; - } - #region Platform Entry Path Utils /// @@ -287,9 +240,6 @@ private static string GetLinuxEntryPath() } } -#if NETFRAMEWORK - return null; -#else // // We cannot determine the absolute file path from argv[0] // (how we were launched), so let's now try to extract the 
@@ -299,7 +249,6 @@ private static string GetLinuxEntryPath() // FileSystemInfo fsi = File.ResolveLinkTarget("/proc/self/exe", returnFinalTarget: false); return fsi?.FullName; -#endif } private static string GetMacOSEntryPath() @@ -365,15 +314,8 @@ private static string GetOSVersion(ITrace2 trace2) // version for Windows or the kernel version for macOS. // https://learn.microsoft.com/en-us/dotnet/core/compatibility/core-libraries/5.0/environment-osversion-returns-correct-version // - // However, we still need to use the old method for Windows on .NET Framework - // and call into the Win32 API to get the correct version (regardless of app - // compatibility settings). -#if NETFRAMEWORK - if (IsWindows() && RtlGetVersionEx(out RTL_OSVERSIONINFOEX osvi) == 0) - { - return $"{osvi.dwMajorVersion}.{osvi.dwMinorVersion} (build {osvi.dwBuildNumber})"; - } -#endif + // This code used to support getting the version for Windows on .NET Framework. + // This functionality is removed so we always use the modern .NET methods. if (IsWindows() || IsMacOS()) { return Environment.OSVersion.Version.ToString(); diff --git a/src/shared/Core/Settings.cs b/src/shared/Core/Settings.cs index 2aa71edf4..f8e4130c6 100644 --- a/src/shared/Core/Settings.cs +++ b/src/shared/Core/Settings.cs @@ -828,7 +828,7 @@ ProxyConfiguration CreateConfiguration(Uri uri, bool isLegacy = false) KnownGitCfg.Credential.MsAuthUseDefaultAccount, out string str) ? str.IsTruthy() - : PlatformUtils.IsDevBox(); // default to true in DevBox environment + : false; #region IDisposable diff --git a/src/shared/Core/UI/AvaloniaUi.cs b/src/shared/Core/UI/AvaloniaUi.cs index 34021c595..825a9b233 100644 --- a/src/shared/Core/UI/AvaloniaUi.cs +++ b/src/shared/Core/UI/AvaloniaUi.cs 
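Review bot: In the Settings.cs hunk, replacing `PlatformUtils.IsDevBox()` with `false` changes the runtime default on Windows Dev Box machines rather than only dropping a .NET Framework code path, and the commit message does not mention it. The same substitution in `UsePersonalAccessTokens()` (AzureReposHostProvider.cs, the two hunks that follow) means those machines now default to PATs where the removed comment said OAuth tokens were preferred. As far as I know the `Microsoft.Win32` registry APIs remain usable on Windows under .NET 8, so the detection could probably stay behind the existing `IsWindows()` check. If the removal is intended, record it with a comment such as `// Dev Box detection was removed with .NET Framework support; the default is now false on every platform`. The expression `? str.IsTruthy() : false` also reduces to `&& str.IsTruthy()`. The enclosing property starts outside the hunk.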
@@ -65,22 +65,8 @@ public static Task ShowWindowAsync(Func windowFunc, object dataContext, { var appBuilder = AppBuilder.Configure(); -#if NETFRAMEWORK - // Set custom rendering options and modes if required - if (PlatformUtils.IsWindows() && _win32SoftwareRendering) - { - appBuilder.With(new Win32PlatformOptions - { RenderingMode = new[] { Win32RenderingMode.Software } }); - } -#endif - appBuilder -#if NETFRAMEWORK - .UseWin32() - .UseSkia() -#else .UsePlatformDetect() -#endif .LogToTrace() .SetupWithoutStarting(); diff --git a/src/shared/Git-Credential-Manager/Program.cs b/src/shared/Git-Credential-Manager/Program.cs index 59f579b9f..b8aa0eb7c 100644 --- a/src/shared/Git-Credential-Manager/Program.cs +++ b/src/shared/Git-Credential-Manager/Program.cs @@ -76,12 +76,7 @@ private static void AppMain(object o) // Required for Avalonia designer static AppBuilder BuildAvaloniaApp() => AppBuilder.Configure() -#if NETFRAMEWORK - .UseWin32() - .UseSkia() -#else .UsePlatformDetect() -#endif .LogToTrace(); } } diff --git a/src/shared/Microsoft.AzureRepos/AzureReposHostProvider.cs b/src/shared/Microsoft.AzureRepos/AzureReposHostProvider.cs index 55b1449d7..81be4dacd 100644 --- a/src/shared/Microsoft.AzureRepos/AzureReposHostProvider.cs +++ b/src/shared/Microsoft.AzureRepos/AzureReposHostProvider.cs @@ -464,8 +464,8 @@ private static string GetAccountNameForCredentialQuery(InputArguments input) /// True if Personal Access Tokens should be used, false otherwise. private bool UsePersonalAccessTokens() { - // Default to using PATs except on DevBox where we prefer OAuth tokens - bool defaultValue = !PlatformUtils.IsDevBox(); + // Default to using PATs. + bool shouldUsePAT = true; if (_context.Settings.TryGetSetting( AzureDevOpsConstants.EnvironmentVariables.CredentialType, 
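Review bot: The AvaloniaUi.cs hunk deletes the only visible use of `_win32SoftwareRendering`, so the software-rendering option appears to stop taking effect on Windows once `UsePlatformDetect()` is the only path. The deleted block was already guarded by `PlatformUtils.IsWindows()`, so it likely needed only the `#if`/`#endif` lines removed, keeping `if (PlatformUtils.IsWindows() && _win32SoftwareRendering) { appBuilder.With(new Win32PlatformOptions { RenderingMode = new[] { Win32RenderingMode.Software } }); }`. The rest of `ShowWindowAsync` and the field's declaration are outside the hunk, so check whether anything else still reads the field.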
@@ -486,11 +486,11 @@ private bool UsePersonalAccessTokens() default: _context.Streams.Error.WriteLine( $"warning: unknown Azure Repos credential type '{valueStr}' - using PATs"); - return defaultValue; + return shouldUsePAT; } } - return defaultValue; + return shouldUsePAT; } private bool UseServicePrincipal(out ServicePrincipalIdentity sp) From 2d64686a0825a08e0b1d31009672f74f015c0726 Mon Sep 17 00:00:00 2001 From: Joshua Rakita Date: Mon, 8 Apr 2024 13:55:58 -0700 Subject: [PATCH 4/6] Target single framework (.NET 8) instead of multiple. --- src/shared/Git-Credential-Manager/Git-Credential-Manager.csproj | 2 +- src/shared/Microsoft.AzureRepos/Microsoft.AzureRepos.csproj | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/shared/Git-Credential-Manager/Git-Credential-Manager.csproj b/src/shared/Git-Credential-Manager/Git-Credential-Manager.csproj index 0f4ff550d..d1cbed8b2 100644 --- a/src/shared/Git-Credential-Manager/Git-Credential-Manager.csproj +++ b/src/shared/Git-Credential-Manager/Git-Credential-Manager.csproj @@ -2,7 +2,7 @@ Exe - net8.0 + net8.0 win-x86;osx-x64;linux-x64;osx-arm64 x86 git-credential-manager diff --git a/src/shared/Microsoft.AzureRepos/Microsoft.AzureRepos.csproj b/src/shared/Microsoft.AzureRepos/Microsoft.AzureRepos.csproj index ec08beda2..1408d63db 100644 --- a/src/shared/Microsoft.AzureRepos/Microsoft.AzureRepos.csproj +++ b/src/shared/Microsoft.AzureRepos/Microsoft.AzureRepos.csproj @@ -1,7 +1,7 @@  - net8.0 + net8.0 Microsoft.AzureRepos Microsoft.AzureRepos false From 6c502c10fde674b2bed78ada07c9c69e7d88e7a8 Mon Sep 17 00:00:00 2001 
From: Lessley Date: Sun, 7 Apr 2024 19:57:17 -0600 Subject: [PATCH 5/6] release: sign .net tool with sign cli Migrate .NET tool from using ESRP to using the Sign CLI tool for signing. This tool is a fork of [1] that was set up to support Trusted Signing (previously known as Azure Code Signing). 1: https://github.com/dotnet/sign --- .github/workflows/release.yml | 97 +++++++++++++++-------------------- 1 file changed, 41 insertions(+), 56 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a00a99d27..ee99c6070 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -331,7 +331,6 @@ jobs: dotnet-tool-payload-sign: name: Sign .NET tool payload - # ESRP service requires signing to run on Windows runs-on: windows-latest environment: release needs: dotnet-tool-build @@ -343,13 +342,6 @@ jobs: with: name: tmp.dotnet-tool-build - - name: Zip unsigned payload - shell: pwsh - run: | - Compress-Archive -Path payload payload/payload.zip - cd payload - Get-ChildItem -Exclude payload.zip | Remove-Item -Recurse -Force - - name: Log into Azure uses: azure/login@v1 with: 
@@ -357,35 +349,37 @@ jobs: tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - name: Set up ESRP client - shell: pwsh + - name: Download/extract Sign CLI tool env: - AZURE_VAULT: ${{ secrets.AZURE_VAULT }} - AZURE_STORAGE_ACCOUNT: ${{ secrets.AZURE_STORAGE_ACCOUNT }} - AZURE_STORAGE_CONTAINER: ${{ secrets.AZURE_STORAGE_CONTAINER }} - ESRP_TOOL: ${{ secrets.ESRP_TOOL }} - AUTH_CERT: ${{ secrets.AZURE_VAULT_AUTH_CERT_NAME }} - REQUEST_SIGNING_CERT: ${{ secrets.AZURE_VAULT_REQUEST_SIGNING_CERT_NAME }} + AST: ${{ secrets.AZURE_STORAGE_ACCOUNT }} + ASC: ${{ secrets.AZURE_STORAGE_CONTAINER }} + SCT: ${{ secrets.SIGN_CLI_TOOL }} run: | - .github\set_up_esrp.ps1 + az storage blob download --file sign-cli.zip --auth-mode login ` + --account-name $env:AST --container-name $env:ASC --name $env:SCT + Expand-Archive -Path sign-cli.zip -DestinationPath .\sign-cli - - name: Run ESRP client - shell: pwsh + - name: Sign payload env: - AZURE_AAD_ID: ${{ secrets.AZURE_AAD_ID }} - NUGET_KEY_CODE: ${{ secrets.NUGET_KEY_CODE }} - NUGET_OPERATION_CODE: ${{ secrets.NUGET_OPERATION_CODE }} + ACST: ${{ secrets.AZURE_TENANT_ID }} + ACSI: ${{ secrets.AZURE_CLIENT_ID }} + ACSS: ${{ secrets.AZURE_CLIENT_SECRET }} run: | - python .github\run_esrp_signing.py payload ` - $env:NUGET_KEY_CODE $env:NUGET_OPERATION_CODE + ./sign-cli/sign.exe code azcodesign payload/* ` + -acsu https://wus2.codesigning.azure.net/ ` + -acsa git-fundamentals-signing ` + -acscp git-fundamentals-windows-signing ` + -d "Git Fundamentals Windows Signing Certificate" ` + -u "https://github.com/git-ecosystem/git-credential-manager" ` + -acst $env:ACST ` + -acsi $env:ACSI ` + -acss $env:ACSS - name: Lay out signed payload, images, and symbols shell: bash run: | mkdir dotnet-tool-payload-sign - rm -rf payload - mv images payload.sym -t dotnet-tool-payload-sign - unzip signed/payload.zip -d dotnet-tool-payload-sign + mv images payload.sym payload -t dotnet-tool-payload-sign - name: 
Upload signed payload uses: actions/upload-artifact@v4 @@ -427,7 +421,6 @@ jobs: dotnet-tool-sign: name: Sign .NET tool package - # ESRP service requires signing to run on Windows runs-on: windows-latest environment: release needs: dotnet-tool-pack @@ -440,13 +433,6 @@ jobs: name: tmp.dotnet-tool-package-unsigned path: nupkg - - name: Zip unsigned package - shell: pwsh - run: | - Compress-Archive -Path nupkg/*.nupkg nupkg/gcm-nupkg.zip - cd nupkg - Get-ChildItem -Exclude gcm-nupkg.zip | Remove-Item -Recurse -Force - - name: Log into Azure uses: azure/login@v1 with: 
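Review bot: The new "Download/extract Sign CLI tool" step runs `sign.exe` straight out of `sign-cli.zip` with no integrity check, so whatever is stored in that blob runs with the signing credentials; the same step is repeated in the `dotnet-tool-sign` job further down. Compare the archive against a pinned digest before `Expand-Archive`, for example `if ((Get-FileHash sign-cli.zip -Algorithm SHA256).Hash -ne $env:SIGN_CLI_SHA256) { throw 'sign-cli.zip digest mismatch' }`, where `SIGN_CLI_SHA256` is a placeholder for a value kept with the other release settings. Separately, both "Sign payload" and "Sign package" pass the client secret as the `-acss` argument, which exposes it on the process command line. If this fork of the tool can read the credential from the environment or reuse the preceding `azure/login` session, prefer that.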
@@ -454,38 +440,37 @@ jobs: tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - name: Set up ESRP client - shell: pwsh + - name: Download/extract Sign CLI tool env: - AZURE_VAULT: ${{ secrets.AZURE_VAULT }} - AZURE_STORAGE_ACCOUNT: ${{ secrets.AZURE_STORAGE_ACCOUNT }} - AZURE_STORAGE_CONTAINER: ${{ secrets.AZURE_STORAGE_CONTAINER }} - ESRP_TOOL: ${{ secrets.ESRP_TOOL }} - AUTH_CERT: ${{ secrets.AZURE_VAULT_AUTH_CERT_NAME }} - REQUEST_SIGNING_CERT: ${{ secrets.AZURE_VAULT_REQUEST_SIGNING_CERT_NAME }} + AST: ${{ secrets.AZURE_STORAGE_ACCOUNT }} + ASC: ${{ secrets.AZURE_STORAGE_CONTAINER }} + SCT: ${{ secrets.SIGN_CLI_TOOL }} run: | - .github\set_up_esrp.ps1 + az storage blob download --file sign-cli.zip --auth-mode login ` + --account-name $env:AST --container-name $env:ASC --name $env:SCT + Expand-Archive -Path sign-cli.zip -DestinationPath .\sign-cli - name: Sign package - shell: pwsh env: - AZURE_AAD_ID: ${{ secrets.AZURE_AAD_ID }} - NUGET_KEY_CODE: ${{ secrets.NUGET_KEY_CODE }} - NUGET_OPERATION_CODE: ${{ secrets.NUGET_OPERATION_CODE }} - run: | - python .github\run_esrp_signing.py nupkg $env:NUGET_KEY_CODE $env:NUGET_OPERATION_CODE - - - name: Unzip signed package - shell: pwsh + ACST: ${{ secrets.AZURE_TENANT_ID }} + ACSI: ${{ secrets.AZURE_CLIENT_ID }} + ACSS: ${{ secrets.AZURE_CLIENT_SECRET }} run: | - Expand-Archive -LiteralPath signed\gcm-nupkg.zip -DestinationPath .\signed -Force - Remove-Item signed\gcm-nupkg.zip -Force + ./sign-cli/sign.exe code azcodesign nupkg/* ` + -acsu https://wus2.codesigning.azure.net/ ` + -acsa git-fundamentals-signing ` + -acscp git-fundamentals-windows-signing ` + -d "Git Fundamentals Windows Signing Certificate" ` + -u "https://github.com/git-ecosystem/git-credential-manager" ` + -acst $env:ACST ` + -acsi $env:ACSI ` + -acss $env:ACSS - name: Publish signed package uses: actions/upload-artifact@v4 with: name: dotnet-tool-sign - path: signed/*.nupkg + path: nupkg/*.nupkg # 
================================ # Validate From 91f31cc86232468c6764c6ac9e58beabb206c35f Mon Sep 17 00:00:00 2001 From: Lessley Date: Sun, 7 Apr 2024 18:59:38 -0600 Subject: [PATCH 6/6] release: remove scripts associated with esrp Remove ESRP-related scripts, as we are no longer using this tool for signing. --- .github/run_esrp_signing.py | 135 ------------------------------------ .github/set_up_esrp.ps1 | 12 ---- 2 files changed, 147 deletions(-) delete mode 100644 .github/run_esrp_signing.py delete mode 100644 .github/set_up_esrp.ps1 diff --git a/.github/run_esrp_signing.py b/.github/run_esrp_signing.py deleted file mode 100644 index be5a0f222..000000000 --- a/.github/run_esrp_signing.py +++ /dev/null 
@@ -1,135 +0,0 @@ -import argparse -import json -import os -import glob -import pprint -import subprocess -import sys -import re - -parser = argparse.ArgumentParser(description='Sign binaries for Windows, macOS, and Linux') -parser.add_argument('path', help='Path to file for signing') -parser.add_argument('keycode', help='Platform-specific key code for signing') -parser.add_argument('opcode', help='Platform-specific operation code for signing') -# Setting nargs=argparse.REMAINDER allows us to pass in params that begin with `--` -parser.add_argument('--params', nargs=argparse.REMAINDER, help='Parameters for signing') -args = parser.parse_args() - -esrp_tool = os.path.join("esrp", "tools", "EsrpClient.exe") - -aad_id = os.environ['AZURE_AAD_ID'].strip() -workspace = os.environ['GITHUB_WORKSPACE'].strip() - -source_location = args.path -files = glob.glob(os.path.join(source_location, "*")) - -print("Found files:") -pprint.pp(files) - -auth_json = { - "Version": "1.0.0", - "AuthenticationType": "AAD_CERT", - "TenantId": "72f988bf-86f1-41af-91ab-2d7cd011db47", - "ClientId": f"{aad_id}", - "AuthCert": { - "SubjectName": f"CN={aad_id}.microsoft.com", - "StoreLocation": "LocalMachine", - "StoreName": "My", - "SendX5c" : "true" - }, - "RequestSigningCert": { - "SubjectName": f"CN={aad_id}", - "StoreLocation": "LocalMachine", - "StoreName": "My" - } -} - -input_json = { - "Version": "1.0.0", - "SignBatches": [ - { - "SourceLocationType": "UNC", - "SourceRootDirectory": source_location, - "DestinationLocationType": "UNC", - "DestinationRootDirectory": workspace, - "SignRequestFiles": [], - "SigningInfo": { - "Operations": [ - { - "KeyCode": f"{args.keycode}", - "OperationCode": f"{args.opcode}", - "Parameters": {}, - "ToolName": "sign", - "ToolVersion": "1.0", - } - ] - } - } - ] -} - -# add files to sign -for f in files: - name = os.path.basename(f) - input_json["SignBatches"][0]["SignRequestFiles"].append( - { - "SourceLocation": name, - "DestinationLocation": 
os.path.join("signed", name), - } - ) - -# add parameters to input.json (e.g. enabling the hardened runtime for macOS) -if args.params is not None: - i = 0 - while i < len(args.params): - input_json["SignBatches"][0]["SigningInfo"]["Operations"][0]["Parameters"][args.params[i]] = args.params[i + 1] - i += 2 - -policy_json = { - "Version": "1.0.0", - "Intent": "production release", - "ContentType": "binary", -} - -configs = [ - ("auth.json", auth_json), - ("input.json", input_json), - ("policy.json", policy_json), -] - -for filename, data in configs: - with open(filename, 'w') as fp: - json.dump(data, fp) - -# Run ESRP Client -esrp_out = "esrp_out.json" -result = subprocess.run( - [esrp_tool, "sign", - "-a", "auth.json", - "-i", "input.json", - "-p", "policy.json", - "-o", esrp_out, - "-l", "Verbose"], - capture_output=True, - text=True, - cwd=workspace) - -# Scrub log before printing -log = re.sub(r'^.+Uploading.*to\s*destinationUrl\s*(.+?),.+$', - '***', - result.stdout, - flags=re.IGNORECASE|re.MULTILINE) -print(log) - -if result.returncode != 0: - print("Failed to run ESRPClient.exe") - sys.exit(1) - -if os.path.isfile(esrp_out): - print("ESRP output json:") - with open(esrp_out, 'r') as fp: - pprint.pp(json.load(fp)) - -for file in files: - if os.path.isfile(os.path.join("signed", file)): - print(f"Success!\nSigned {file}") \ No newline at end of file diff --git a/.github/set_up_esrp.ps1 b/.github/set_up_esrp.ps1 deleted file mode 100644 index abe9183e0..000000000 --- a/.github/set_up_esrp.ps1 +++ /dev/null 
@@ -1,12 +0,0 @@ -# Install ESRP client -az storage blob download --file esrp.zip --auth-mode login --account-name $env:AZURE_STORAGE_ACCOUNT --container $env:AZURE_STORAGE_CONTAINER --name $env:ESRP_TOOL -Expand-Archive -Path esrp.zip -DestinationPath .\esrp - -# Install certificates -az keyvault secret download --vault-name "$env:AZURE_VAULT" --name "$env:AUTH_CERT" --file out.pfx -certutil -f -importpfx out.pfx -Remove-Item out.pfx - -az keyvault secret download --vault-name "$env:AZURE_VAULT" --name "$env:REQUEST_SIGNING_CERT" --file out.pfx -certutil -f -importpfx out.pfx -Remove-Item out.pfx \ No newline at end of file