目标是创建 nuget 包,其中包含已编译的 C# 程序集代码签名,并使用在使用 Azure Devops YAML 管道进行 CI/CD 构建期间存储在 Azure Key Vault 中的证书。
我现在拥有的(在管道中自动化):
有没有办法在构建之后、打包之前对程序集进行代码签名?
您可以使用
PowershellTask@5
对您的包进行签名并使用下面的 YAML 代码:-
trigger:
- main
pool:
vmImage: 'windows-latest'
variables:
buildConfiguration: 'Release'
azureKeyVaultName: 'valleykeyvault3'
azureKeyVaultCertificateName: 'valleycert'
azureSubscription: '01xxxxxxxx7cb2a7'
stages:
- stage: Build
jobs:
- job: Build
steps:
- task: UseDotNet@2
inputs:
packageType: 'sdk'
version: '2.2.x'
- task: AzureKeyVault@2
inputs:
azureSubscription: 'PowershellSid'
KeyVaultName: '$(azureKeyVaultName)'
SecretsFilter: '$(azureKeyVaultCertificateName)'
RunAsPreJob: false
- script: |
dotnet tool install --global AzureSignTool --version 5.0.0
dotnet add package SignTool --version 10.0.17763.132
displayName: 'Install Signing Tools'
- task: AzurePowerShell@5
inputs:
azureSubscription: 'PowershellSid'
ScriptType: 'InlineScript'
Inline: |
$certThumbprint = (Get-AzKeyVaultCertificate -VaultName $(azureKeyVaultName) -Name $(azureKeyVaultCertificateName)).Thumbprint
$secureKeyVaultAccessToken = (az account get-access-token --resource https://vault.azure.net).accessToken
$certPfxPath = "$(System.DefaultWorkingDirectory)\cert.pfx"
# Extract the certificate from Azure Key Vault to a file
az keyvault secret download --file $certPfxPath --vault-name $(azureKeyVaultName) --name $(azureKeyVaultCertificateName)
# Sign the assemblies
$assemblies = Get-ChildItem -Path $(Build.SourcesDirectory) -Filter "*.dll" -Recurse
foreach ($assembly in $assemblies) {
& '$(USERPROFILE)\.dotnet\tools\azuresigntool.exe' sign -kvu https://$(azureKeyVaultName).vault.azure.net -kvi $(azureKeyVaultCertificateName) -tr http://timestamp.digicert.com -v -in $assembly.FullName -out $assembly.FullName
}
azurePowerShellVersion: 'LatestVersion'
displayName: 'Code Sign Assemblies'
- task: DotNetCoreCLI@2
inputs:
command: 'pack'
projects: '**/*.csproj'
arguments: '--configuration $(buildConfiguration) --output $(Build.ArtifactStagingDirectory)'
- powershell: |
$nugetPackages = Get-ChildItem -Path $(Build.ArtifactStagingDirectory) -Filter "*.nupkg"
foreach ($package in $nugetPackages) {
& '$(USERPROFILE)\.dotnet\tools\nugetsigntool.exe' sign -CertificateThumbprint $certThumbprint -InputPath $package.FullName
}
displayName: 'Sign NuGet Packages'
- task: PublishBuildArtifacts@1
inputs:
PathtoPublish: $(Build.ArtifactStagingDirectory)
ArtifactName: 'drop'
publishLocation: 'Container'
输出:-