Skip to content

Enable signing of nuget.org packages and update to supported timestamp server #23132

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
zooba merged 3 commits into from
Nov 3, 2020
Merged

Enable signing of nuget.org packages and update to supported timestamp server #23132

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
e39f4e9
Enable signing of nuget.org packages and update to supported timestam…
zooba Nov 3, 2020
83b4820
Sign and timestamp MSIX together
zooba Nov 3, 2020
55e6c08
Fix MSI signing step
zooba Nov 3, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
Enable signing of nuget.org packages and update to supported timestam… 
…p server
  • Loading branch information
@zooba
zooba committed Nov 3, 2020
commit e39f4e921aa6d64304e7d8d84e9225e819499449
11 changes: 8 additions & 3 deletions .azure-pipelines/windows-release/stage-pack-msix.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -120,20 +120,25 @@ jobs:
artifactName: unsigned_msix
downloadPath: $(Build.BinariesDirectory)

- powershell: |
signtool sign /a /n "$(SigningCertificate)" /fd sha256 /d "$(SigningDescription)" (gi *.msix)
displayName: 'Sign MSIX'
workingDirectory: $(Build.BinariesDirectory)\unsigned_msix

- powershell: |
$failed = $true
foreach ($retry in 1..3) {
signtool sign /a /n "$(SigningCertificate)" /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d "$(SigningDescription)" (gi *.msix)
signtool timestamp /tr http://timestamp.digicert.com/ /td sha256 (gi *.msix)
if ($?) {
$failed = $false
break
}
sleep 1
}
if ($failed) {
throw "Failed to sign MSIX"
throw "Failed to timestamp MSIX"
}
displayName: 'Sign MSIX'
displayName: 'Timestamp MSIX'
workingDirectory: $(Build.BinariesDirectory)\unsigned_msix

- task: PublishBuildArtifacts@1
Expand Down
10 changes: 9 additions & 1 deletion .azure-pipelines/windows-release/stage-pack-nuget.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ jobs:
condition: and(succeeded(), eq(variables['DoNuget'], 'true'))

pool:
vmImage: windows-2019
name: 'Windows Release'

workspace:
clean: all
Expand Down Expand Up @@ -36,6 +36,14 @@ jobs:
nuget pack "$(Build.BinariesDirectory)\layout\python.nuspec" -OutputDirectory $(Build.ArtifactStagingDirectory) -NoPackageAnalysis -NonInteractive
displayName: 'Create nuget package'

- powershell: |
gci *.nupkg | %{
nuget sign "$_" -CertificateSubjectName "$(SigningCertificate)" -Timestamper http://timestamp.digicert.com/ -Overwrite
}
displayName: 'Sign nuget package'
workingDirectory: $(Build.ArtifactStagingDirectory)
condition: and(succeeded(), variables['SigningCertificate'])

- task: PublishBuildArtifacts@1
displayName: 'Publish Artifact: nuget'
inputs:
Expand Down
2 changes: 1 addition & 1 deletion .azure-pipelines/windows-release/stage-sign.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -57,7 +57,7 @@ jobs:
$files = (gi ${{ parameters.Include }} -Exclude ${{ parameters.Exclude }})
$failed = $true
foreach ($retry in 1..10) {
signtool timestamp /t http://timestamp.verisign.com/scripts/timestamp.dll $files
signtool timestamp /tr http://timestamp.digicert.com/ /td sha256 $files
if ($?) {
$failed = $false
break
Expand Down