Merge pull request #4188 from devlead/feature/gh-4173

GH4173: Switch to new SignTool
cake-build · Jul 5, 2023 · 2cd8a60 · 2cd8a60
2 parents 4a07acf + 14c8459
commit 2cd8a60
Show file tree

Hide file tree

Showing 6 changed files with 96 additions and 58 deletions.
diff --git a/build.cake b/build.cake
@@ -3,8 +3,8 @@
 
 // Install .NET Core Global tools.
 #tool "dotnet:https://api.nuget.org/v3/index.json?package=GitVersion.Tool&version=5.12.0"
-#tool "dotnet:https://api.nuget.org/v3/index.json?package=SignClient&version=1.3.155"
 #tool "dotnet:https://api.nuget.org/v3/index.json?package=GitReleaseManager.Tool&version=0.13.0"
+#tool "dotnet:https://api.nuget.org/v3/index.json?package=sign&version=0.9.1-beta.23274.1&prerelease"
 
 // Load other scripts.
 #load "./build/parameters.cake"
@@ -29,6 +29,11 @@ Setup<BuildParameters>(context =>
         parameters.Version.CakeVersion,
         parameters.IsTagged);
 
+    if (parameters.ShouldSignPackages && !parameters.CodeSigning.HasCredentials)
+    {
+        throw new CakeException("Code signing credentials are missing.");
+    }
+
     foreach(var assemblyInfo in GetFiles("./src/**/AssemblyInfo.cs"))
     {
         CreateAssemblyInfo(
@@ -145,52 +150,44 @@ Task("Create-NuGet-Packages")
 
 Task("Sign-Binaries")
     .IsDependentOn("Create-NuGet-Packages")
-    .WithCriteria<BuildParameters>((context, parameters) =>
-        (parameters.ShouldPublish && !parameters.SkipSigning) ||
-        StringComparer.OrdinalIgnoreCase.Equals(EnvironmentVariable("SIGNING_TEST"), "True"))
-    .Does<BuildParameters>((context, parameters) =>
+    .WithCriteria<BuildParameters>(static (context, parameters) => parameters.ShouldSignPackages)
+    .Does<BuildParameters>(async static (context, parameters) =>
 {
-    // Get the secret.
-    var secret = EnvironmentVariable("SIGNING_SECRET");
-    if(string.IsNullOrWhiteSpace(secret)) {
-        throw new InvalidOperationException("Could not resolve signing secret.");
-    }
-    // Get the user.
-    var user = EnvironmentVariable("SIGNING_USER");
-    if(string.IsNullOrWhiteSpace(user)) {
-        throw new InvalidOperationException("Could not resolve signing user.");
-    }
-
-    var settings = File("./signclient.json");
-    var filter = File("./signclient.filter");
-
     // Get the files to sign.
-    var files = GetFiles(string.Concat(parameters.Paths.Directories.NuGetRoot, "/", "*.nupkg"));
-
-    foreach(var file in files)
-    {
-        Information("Signing {0}...", file.FullPath);
+    var files = context.GetFiles(string.Concat(parameters.Paths.Directories.NuGetRoot, "/", "*.nupkg"));
+    var commandSettings = new CommandSettings{
+        ToolExecutableNames = new [] { "sign", "sign.exe" },
+        ToolName = "sign",
+        ToolPath = parameters.Paths.SignClientPath.FullPath
+    };
+
+    Parallel.ForEach(
+        files,
+        file => {
+        context.Information("Signing {0}...", file.FullPath);
 
         // Build the argument list.
         var arguments = new ProcessArgumentBuilder()
-            .Append("sign")
-            .AppendSwitchQuoted("-c", MakeAbsolute(settings.Path).FullPath)
-            .AppendSwitchQuoted("-i", MakeAbsolute(file).FullPath)
-            .AppendSwitchQuoted("-f", MakeAbsolute(filter).FullPath)
-            .AppendSwitchQuotedSecret("-s", secret)
-            .AppendSwitchQuotedSecret("-r", user)
-            .AppendSwitchQuoted("-n", "Cake")
-            .AppendSwitchQuoted("-d", "Cake (C# Make) is a cross platform build automation system.")
-            .AppendSwitchQuoted("-u", "https://cakebuild.net");
-
-        // Sign the binary.
-        var result = StartProcess(parameters.Paths.SignClientPath.FullPath, new ProcessSettings {  Arguments = arguments });
-        if(result != 0)
-        {
-            // We should not recover from this.
-            throw new InvalidOperationException("Signing failed!");
-        }
-    }
+            .Append("code")
+            .Append("azure-key-vault")
+            .AppendQuoted(file.FullPath)
+            .AppendSwitchQuoted("--file-list", parameters.Paths.SignFilterPath.FullPath)
+            .AppendSwitchQuoted("--publisher-name", "Cake")
+            .AppendSwitchQuoted("--description", "Cake (C# Make) is a cross platform build automation system.")
+            .AppendSwitchQuoted("--description-url", "https://cakebuild.net")
+            .AppendSwitchQuotedSecret("--azure-key-vault-tenant-id", parameters.CodeSigning.SignTenantId)
+            .AppendSwitchQuotedSecret("--azure-key-vault-client-id", parameters.CodeSigning.SignClientId)
+            .AppendSwitchQuotedSecret("--azure-key-vault-client-secret", parameters.CodeSigning.SignClientSecret)
+            .AppendSwitchQuotedSecret("--azure-key-vault-certificate", parameters.CodeSigning.SignKeyVaultCertificate)
+            .AppendSwitchQuotedSecret("--azure-key-vault-url", parameters.CodeSigning.SignKeyVaultUrl);
+
+        context.Command(
+            commandSettings,
+            arguments
+        );
+
+        context.Information("Done signing {0}.", file.FullPath);
+    });
 });
 
 Task("Upload-AppVeyor-Artifacts")

diff --git a/build/credentials.cake b/build/credentials.cake
@@ -1,3 +1,35 @@
+public record CodeSigningCredentials(
+    string SignTenantId,
+    string SignClientId,
+    string SignClientSecret,
+    string SignKeyVaultCertificate,
+    string SignKeyVaultUrl
+)
+{
+    public bool HasCredentials
+    {
+        get
+        {
+            return
+                !string.IsNullOrEmpty(SignTenantId) &&
+                !string.IsNullOrEmpty(SignClientId) &&
+                !string.IsNullOrEmpty(SignClientSecret) &&
+                !string.IsNullOrEmpty(SignKeyVaultCertificate) &&
+                !string.IsNullOrEmpty(SignKeyVaultUrl);
+        }
+    }
+
+    public static CodeSigningCredentials GetCodeSigningCredentials(ICakeContext context)
+    {
+        return new CodeSigningCredentials(
+            SignTenantId: context.EnvironmentVariable("SIGN_TENANT_ID"),
+            SignClientId: context.EnvironmentVariable("SIGN_CLIENT_ID"),
+            SignClientSecret: context.EnvironmentVariable("SIGN_CLIENT_SECRET"),
+            SignKeyVaultCertificate: context.EnvironmentVariable("SIGN_KEYVAULT_CERTIFICATE"),
+            SignKeyVaultUrl: context.EnvironmentVariable("SIGN_KEYVAULT_URL"));
+    }
+}
+
 public record BuildCredentials(string Token)
 {
     public static BuildCredentials GetGitHubCredentials(ICakeContext context)

diff --git a/build/parameters.cake b/build/parameters.cake
@@ -28,6 +28,7 @@ public class BuildParameters
     public BuildPackages Packages { get; }
     public bool PublishingError { get; set; }
     public DotNetMSBuildSettings MSBuildSettings { get; }
+    public CodeSigningCredentials CodeSigning { get; }
 
     public bool ShouldPublish
     {
@@ -47,6 +48,8 @@ public class BuildParameters
         }
     }
 
+
+    public bool ShouldSignPackages { get; }
     public bool CanPostToTwitter
     {
         get
@@ -80,6 +83,7 @@ public class BuildParameters
         IsTagged = IsBuildTagged(buildSystem);
         GitHub = BuildCredentials.GetGitHubCredentials(context);
         Twitter = TwitterCredentials.GetTwitterCredentials(context);
+        CodeSigning = CodeSigningCredentials.GetCodeSigningCredentials(context);
         ReleaseNotes = context.ParseReleaseNotes("./ReleaseNotes.md");
         IsPublishBuild = IsPublishing(context.TargetTask.Name);
         IsReleaseBuild = IsReleasing(context.TargetTask.Name);
@@ -119,6 +123,14 @@ public class BuildParameters
         {
             MSBuildSettings.WithProperty("TemplateVersion", Version.SemVersion);
         }
+
+
+        ShouldSignPackages = (!SkipSigning && ShouldPublish)
+                                ||
+                                StringComparer.OrdinalIgnoreCase.Equals(
+                                    context.EnvironmentVariable("SIGNING_TEST"),
+                                    "True"
+                                );
     }
 
     private static bool IsBuildTagged(BuildSystem buildSystem)

diff --git a/build/paths.cake b/build/paths.cake
@@ -1,6 +1,7 @@
 public record BuildPaths(
     BuildDirectories Directories,
-    FilePath SignClientPath
+    FilePath SignClientPath,
+    FilePath SignFilterPath
 )
 {
     public static BuildPaths GetPaths(
@@ -38,11 +39,20 @@ public record BuildPaths(
             nugetRoot,
             integrationTestsBinTool);
 
-        var signClientPath = context.Tools.Resolve("SignClient.exe") ?? context.Tools.Resolve("SignClient") ?? throw new Exception("Failed to locate sign tool");
+        var signClientPath = context.Tools.Resolve("sign.exe")
+                                ?? context.Tools.Resolve("sign")
+                                ?? (
+                                    context.IsRunningOnWindows()
+                                        ? throw new Exception("Failed to locate sign tool")
+                                        : null
+                                    );
+
+        var signFilterPath = context.MakeAbsolute(context.File("./build/signclient.filter"));
 
         return new BuildPaths(
             Directories: buildDirectories,
-            SignClientPath: signClientPath
+            SignClientPath: signClientPath,
+            SignFilterPath: signFilterPath
         );
     }
 }

diff --git a/signclient.filter → build/signclient.filter b/signclient.filter → build/signclient.filter
diff --git a/signclient.json b/signclient.json