[Infra] Fix missing signatures from .nupkg files (#6591)

Author: martincostello

.github/workflows/publish-packages-1.0.yml

@@ -32,6 +32,8 @@ jobs:
       id-token: write
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      # renovate: datasource=github-releases depName=cosign packageName=sigstore/cosign
+      COSIGN_VERSION: v2.5.3
       COSIGN_YES: "yes"
 
     outputs:
@@ -52,7 +54,7 @@ jobs:
     - name: Install Cosign
       uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
       with:
-        cosign-release: v2.5.3
+        cosign-release: ${{ env.COSIGN_VERSION }}
 
     - name: dotnet restore
       run: dotnet restore ./build/OpenTelemetry.proj -p:RunningDotNetPack=true
@@ -71,7 +73,7 @@ jobs:
 
             Get-ChildItem -Path artifacts/bin/$projectName/release_*/$projectName.dll -File | ForEach-Object {
                 $fileFullPath = $_.FullName
-                Write-Host "Signing $fileFullPath"
+                Write-Output "Signing $fileFullPath"
 
                 cosign.exe sign-blob $fileFullPath --yes --output-signature $fileFullPath-keyless.sig --output-certificate $fileFullPath-keyless.pem
             }
@@ -83,6 +85,38 @@ jobs:
         PACK_TAG: ${{ github.ref_type == 'tag' && github.ref_name || '' }}
       run: dotnet pack ./build/OpenTelemetry.proj --configuration Release --no-restore --no-build -p:"PackTag=${env:PACK_TAG}"
 
+    - name: Verify package DLL Cosign Keyless signatures
+      shell: pwsh
+      run: |
+        $nupkgFiles = Get-ChildItem -Path artifacts/package/release/*.nupkg -File
+
+        # Copy the NuGet packages to a temporary directory and extract them
+        $tempDir = New-Item -ItemType Directory -Path (Join-Path -Path ${env:RUNNER_TEMP} -ChildPath ([System.Guid]::NewGuid().ToString()))
+        foreach ($nupkgFile in $nupkgFiles) {
+            $nupkgFilePath = $nupkgFile.FullName
+            $packageName = [System.IO.Path]::GetFileNameWithoutExtension($nupkgFilePath)
+            Write-Output "Extracting $nupkgFilePath"
+            Expand-Archive -Path $nupkgFilePath -DestinationPath (Join-Path $tempDir.FullName $packageName)
+        }
+
+        # Iterate over all DLL files in the extracted packages and verify their signatures
+        $dllFiles = Get-ChildItem -Path $tempDir.FullName -Recurse -Filter *.dll -File
+        foreach ($dllFile in $dllFiles) {
+            $dllFilePath = $dllFile.FullName
+            Write-Output "Verifying $dllFilePath"
+            cosign.exe verify-blob `
+              --signature $dllFilePath-keyless.sig `
+              --certificate $dllFilePath-keyless.pem `
+              --certificate-identity "${env:GITHUB_SERVER_URL}/${env:GITHUB_REPOSITORY}/.github/workflows/publish-packages-1.0.yml@${env:GITHUB_REF}" `
+              --certificate-oidc-issuer "https://token.actions.githubusercontent.com" `
+              $dllFilePath
+            if ($LASTEXITCODE -ne 0) {
+                Write-Output "::error::Signature verification failed for $dllFilePath."
+                exit 1
+            }
+            Write-Output "Signature verification succeeded for $dllFilePath"
+        }
+
     - name: Publish Artifacts
       id: upload-artifacts
       uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2

README.md

@@ -201,10 +201,11 @@ To verify the integrity of a DLL inside a NuGet package use the
 [cosign](https://github.com/sigstore/cosign) tool from Sigstore:
 
 ```bash
+$TAG="core-1.12.0"
 cosign verify-blob \
     --signature OpenTelemetry.dll-keyless.sig \
-    --certificate OpenTelemetry.dll-keyless.pem.cer \
-    --certificate-identity "https://github.com/open-telemetry/opentelemetry-dotnet/.github/workflows/publish-packages-1.0.yml@refs/tags/core-1.10.0-rc.1" \
+    --certificate OpenTelemetry.dll-keyless.pem \
+    --certificate-identity "https://github.com/open-telemetry/opentelemetry-dotnet/.github/workflows/publish-packages-1.0.yml@refs/tags/$TAG" \
     --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
     OpenTelemetry.dll
 ```

build/Common.prod.props

@@ -52,16 +52,23 @@
   </ItemGroup>
 
   <Target Name="IncludeSigningSignaturesInPackages" BeforeTargets="_GetTargetFrameworksOutput">
-    <!-- Note: This target adds any signatures found to nuget packages -->
+    <!-- Note: This target adds any signatures found to NuGet packages -->
     <ItemGroup>
-      <SignatureFiles Include="$(RepoRoot)\src\$(MSBuildProjectName)\bin\$(Configuration)\*\$(MSBuildProjectName).dll-keyless.sig" />
-      <Content Include="@(SignatureFiles)" Link="%(RecursiveDir)%(Filename)%(Extension)" PackagePath="lib" />
-      <CertificateFiles Include="$(RepoRoot)\src\$(MSBuildProjectName)\bin\$(Configuration)\*\$(MSBuildProjectName).dll-keyless.pem" />
-      <Content Include="@(CertificateFiles)" Link="%(RecursiveDir)%(Filename)%(Extension)" PackagePath="lib" />
+      <SignatureFiles Include="$(ArtifactsPath)\bin\$(MSBuildProjectName)\$(Configuration.ToLower())_*\$(MSBuildProjectName).dll-keyless.sig" />
+      <CertificateFiles Include="$(ArtifactsPath)\bin\$(MSBuildProjectName)\$(Configuration.ToLower())_*\$(MSBuildProjectName).dll-keyless.pem" />
+      <!-- RecursiveDir is equal to e.g. `release_net8.0` so we need to strip it out -->
+      <SignatureFilesWithTfm Include="@(SignatureFiles)">
+        <TargetFramework>$([System.String]::Copy('%(RecursiveDir)').Replace(`$(Configuration.ToLower())_`, ''))</TargetFramework>
+      </SignatureFilesWithTfm>
+      <CertificateFilesWithTfm Include="@(CertificateFiles)">
+        <TargetFramework>$([System.String]::Copy('%(RecursiveDir)').Replace(`$(Configuration.ToLower())_`, ''))</TargetFramework>
+      </CertificateFilesWithTfm>
+      <Content Include="@(SignatureFilesWithTfm)" Pack="True" PackagePath="lib\%(SignatureFilesWithTfm.TargetFramework)%(Filename)%(Extension)" />
+      <Content Include="@(CertificateFilesWithTfm)" Pack="True" PackagePath="lib\%(CertificateFilesWithTfm.TargetFramework)%(Filename)%(Extension)" />
     </ItemGroup>
 
-    <Message Importance="high" Text="**IncludeSignaturesInPackagesDebug** SignatureFiles: @(SignatureFiles)" />
-    <Message Importance="high" Text="**IncludeCertificatesInPackagesDebug** SignatureFiles: @(CertificateFiles)" />
+    <Message Importance="high" Text="**IncludeSignaturesInPackagesDebug** SignatureFiles: @(SignatureFilesWithTfm)" />
+    <Message Importance="high" Text="**IncludeCertificatesInPackagesDebug** CertificateFiles: @(CertificateFilesWithTfm)" />
   </Target>
 
   <Target Name="AssemblyVersionTarget" AfterTargets="MinVer" Condition="'$(MinVerVersion)' != '' AND '$(BuildNumber)' != ''">
@@ -96,7 +103,7 @@
 
   <Target Name="IncludeReadmeAndReleaseNotesInPackages" BeforeTargets="_GetTargetFrameworksOutput">
     <!-- Note: This target runs during pack to convert relative links in
-    markdowns into github permalinks which will work when rendered on Nuget. -->
+    markdowns into GitHub permalinks which will work when rendered on NuGet. -->
 
     <Exec
       Command="git rev-parse HEAD"