CLI specification #541
+117
−0
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,47 @@ | ||||||
| # Signing CLI specficiation | ||||||
|
|
||||||
| ### Inputs | ||||||
|
|
||||||
| The parameters to the signing client are as follows: | ||||||
|
|
||||||
| `sign code AzureKeyVault [options] <files>` | ||||||
|
|
||||||
| Options: | ||||||
|
|
||||||
| - `-o | --output` - The output file. If omitted, overwrites input. Must be a directory if multiple files are specified. | ||||||
| - `-b | --base-directory` - Base directory for files to override the working directory. | ||||||
erdembayar marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
| - `-f | --force` - Overwrites a signature if it exists. | ||||||
erdembayar marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
| - `-m | --max-concurrency` - Maximum concurrency (default is 4) | ||||||
erdembayar marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
| - `-fl | --filelist` - Path to file containing paths of files to sign within an archive | ||||||
erdembayar marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
| - `-fd | --file-digest` - The digest algorithm to hash the file with. | ||||||
|
There was a problem hiding this comment. I expected it would be enum, right? Which algorithm does it default to?
Suggested change
|
||||||
| - `-tr | --timestamp-rfc3161` - Specifies the RFC 3161 timestamp server's URL. | ||||||
| - `-d | --description` - Description | ||||||
| - `-u | --descriptionUrl` - Description Url | ||||||
| - `-td | --timestamp-digest` - Used with the -tr switch to request a digest algorithm used by the RFC 3161 timestamp server. | ||||||
|
There was a problem hiding this comment. This one is also expects enum value, right? If yes what are the expected values and default value? |
||||||
| - `-kvu | --azure-key-vault-url` - The URL to an Azure Key Vault. | ||||||
| - `-kvt | --azure-key-vault-tenant-id` - The Tenant Id to authenticate to the Azure Key Vault.. | ||||||
| - `-kvi | --azure-key-vault-client-id` - The Client ID to authenticate to the Azure Key Vault. | ||||||
| - `-kvs | --azure-key-vault-client-secret` - The Client Secret to authenticate to the Azure Key Vault. | ||||||
| - `-kvc | --azure-key-vault-certificate` - The name of the certificate in Azure Key Vault. | ||||||
| - `-kvm | --azure-key-vault-managed-identity` - Use a Managed Identity to access Azure Key Vault. | ||||||
erdembayar marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
|
|
||||||
|
There was a problem hiding this comment. Do we need There was a problem hiding this comment. Would be good to know what the options are here for this value to provide as generally the tool is run on the CI, so getting help from the tool directly involves more steps (and it's not as discernable from the code as it's a .NET enum value) |
||||||
| Signing an archive type (`.zip`, `.nupkg`, `.vsix`) will open up the archive and sign any supported file types. It is strongly recommended to use the `filelist` parameter to explicitly list the files inside the archive that should be signed. Signing is recursive; it will sign contents of any detectected `Zip`, `NuPkg` or `VSIX` files inside the uploaded one. After signing contents of the archive, the archive itself is signed if supported (currently `VSIX`). | ||||||
|
|
||||||
| ### File list | ||||||
|
There was a problem hiding this comment. This is argument, right? Could we create Argument section like https://learn.microsoft.com/en-us/dotnet/core/tools/dotnet-nuget-sign#arguments? |
||||||
|
|
||||||
| When specified, only files that match patterns in the list will be signed. This is critical as only first party files should be signed. Files that are third party should not be signed. | ||||||
|
|
||||||
| The format for the file contains one file path/pattern per line and does support globs. | ||||||
|
|
||||||
| ``` | ||||||
| **/MyLibrary.* | ||||||
| **/MyOtherLibrary.dll | ||||||
| ``` | ||||||
|
|
||||||
| ## ClickOnce | ||||||
| ClickOnce files can be signed with this tool, but it requires an extra step -- you must zip up the `publish` directory containing the `setup.exe`, `foo.application` or `foo.vsto` files along with the `Application Files` directory. The `Application Files` must only have a single subdirectory (version you want to sign). Zip these and then rename the extension to `.clickonce` before submitting to the tool. Once done, you can extract the signed files wherever you'd like for publication. If the `name` parameter is supplied, it's used in the `Mage` name to update the `Product` in the manifests. If the `descriptionUrl` parameter is supplied, it's used as the `supportUrl` in the manifests. You should also use the `filter` parameter with the file list to sign, something like this: | ||||||
|
|
||||||
| ``` | ||||||
| **/ProjectAddIn1.* | ||||||
| **/setup.exe | ||||||
| ``` | ||||||
|
There was a problem hiding this comment. Could we have sample section like dotnet nuget sign? |
||||||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could we have Synopsis section like
dotnet nuget sign?