-
Notifications
You must be signed in to change notification settings - Fork 91
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CLI specification #541
base: main
Are you sure you want to change the base?
CLI specification #541
Changes from 1 commit
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change | ||||
---|---|---|---|---|---|---|
@@ -0,0 +1,47 @@ | ||||||
# Signing CLI specficiation | ||||||
|
||||||
### Inputs | ||||||
|
||||||
The parameters to the signing client are as follows: | ||||||
|
||||||
`sign code AzureKeyVault [options] <files>` | ||||||
|
||||||
Options: | ||||||
|
||||||
- `-o | --output` - The output file. If omitted, overwrites input. Must be a directory if multiple files are specified. | ||||||
- `-b | --base-directory` - Base directory for files to override the working directory. | ||||||
erdembayar marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
- `-f | --force` - Overwrites a signature if it exists. | ||||||
erdembayar marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
- `-m | --max-concurrency` - Maximum concurrency (default is 4) | ||||||
erdembayar marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
- `-fl | --filelist` - Path to file containing paths of files to sign within an archive | ||||||
erdembayar marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
- `-fd | --file-digest` - The digest algorithm to hash the file with. | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I expected it would be enum, right? Which algorithm does it default to?
Suggested change
|
||||||
- `-tr | --timestamp-rfc3161` - Specifies the RFC 3161 timestamp server's URL. | ||||||
- `-d | --description` - Description | ||||||
- `-u | --descriptionUrl` - Description Url | ||||||
- `-td | --timestamp-digest` - Used with the -tr switch to request a digest algorithm used by the RFC 3161 timestamp server. | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This one is also expects enum value, right? If yes what are the expected values and default value? |
||||||
- `-kvu | --azure-key-vault-url` - The URL to an Azure Key Vault. | ||||||
- `-kvt | --azure-key-vault-tenant-id` - The Tenant Id to authenticate to the Azure Key Vault.. | ||||||
- `-kvi | --azure-key-vault-client-id` - The Client ID to authenticate to the Azure Key Vault. | ||||||
- `-kvs | --azure-key-vault-client-secret` - The Client Secret to authenticate to the Azure Key Vault. | ||||||
- `-kvc | --azure-key-vault-certificate` - The name of the certificate in Azure Key Vault. | ||||||
- `-kvm | --azure-key-vault-managed-identity` - Use a Managed Identity to access Azure Key Vault. | ||||||
erdembayar marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
|
||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Do we need There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Would be good to know what the options are here for this value to provide as generally the tool is run on the CI, so getting help from the tool directly involves more steps (and it's not as discernable from the code as it's a .NET enum value) |
||||||
Signing an archive type (`.zip`, `.nupkg`, `.vsix`) will open up the archive and sign any supported file types. It is strongly recommended to use the `filelist` parameter to explicitly list the files inside the archive that should be signed. Signing is recursive; it will sign contents of any detectected `Zip`, `NuPkg` or `VSIX` files inside the uploaded one. After signing contents of the archive, the archive itself is signed if supported (currently `VSIX`). | ||||||
|
||||||
### File list | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This is argument, right? Could we create Argument section like https://learn.microsoft.com/en-us/dotnet/core/tools/dotnet-nuget-sign#arguments? |
||||||
|
||||||
When specified, only files that match patterns in the list will be signed. This is critical as only first party files should be signed. Files that are third party should not be signed. | ||||||
|
||||||
The format for the file contains one file path/pattern per line and does support globs. | ||||||
|
||||||
``` | ||||||
**/MyLibrary.* | ||||||
**/MyOtherLibrary.dll | ||||||
``` | ||||||
|
||||||
## ClickOnce | ||||||
ClickOnce files can be signed with this tool, but it requires an extra step -- you must zip up the `publish` directory containing the `setup.exe`, `foo.application` or `foo.vsto` files along with the `Application Files` directory. The `Application Files` must only have a single subdirectory (version you want to sign). Zip these and then rename the extension to `.clickonce` before submitting to the tool. Once done, you can extract the signed files wherever you'd like for publication. If the `name` parameter is supplied, it's used in the `Mage` name to update the `Product` in the manifests. If the `descriptionUrl` parameter is supplied, it's used as the `supportUrl` in the manifests. You should also use the `filter` parameter with the file list to sign, something like this: | ||||||
|
||||||
``` | ||||||
**/ProjectAddIn1.* | ||||||
**/setup.exe | ||||||
``` | ||||||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Could we have sample section like dotnet nuget sign? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we have Synopsis section like
dotnet nuget sign
?