Signing assemblies inside a NuGet package with Azure Key Vault in an Azure DevOps pipeline

Question (votes: 0, answers: 1)

The goal is to create a NuGet package whose compiled C# assemblies are code-signed, using a certificate stored in Azure Key Vault, during the CI/CD build in an Azure DevOps YAML pipeline.

What I have now (automated in the pipeline):

  1. The NuGet package is generated as part of the build (SDK-style project)
  2. After the build, the (bare) assemblies are signed with AzureSignTool
  3. NugetSignTool is used to sign the NuGet package (but not the assemblies inside it)

Is there a way to code-sign the assemblies after the build but before packing?

c# azure azure-devops azure-pipelines code-signing
1 answer
0 votes

You can use `PowershellTask@5` to sign your package, using the YAML code below:-

```yaml
trigger:
- main

pool:
  vmImage: 'windows-latest'

variables:
  buildConfiguration: 'Release'
  azureKeyVaultName: 'valleykeyvault3'
  azureKeyVaultCertificateName: 'valleycert'
  azureSubscription: '01xxxxxxxx7cb2a7'

stages:
- stage: Build
  jobs:
  - job: Build
    steps:
    - task: UseDotNet@2
      inputs:
        packageType: 'sdk'
        version: '2.2.x'

    - task: AzureKeyVault@2
      inputs:
        azureSubscription: 'PowershellSid'
        KeyVaultName: '$(azureKeyVaultName)'
        SecretsFilter: '$(azureKeyVaultCertificateName)'
        RunAsPreJob: false

    - script: |
        dotnet tool install --global AzureSignTool --version 5.0.0
        dotnet add package SignTool --version 10.0.17763.132
      displayName: 'Install Signing Tools'

    - task: AzurePowerShell@5
      inputs:
        azureSubscription: 'PowershellSid'
        ScriptType: 'InlineScript'
        Inline: |
          $certThumbprint = (Get-AzKeyVaultCertificate -VaultName $(azureKeyVaultName) -Name $(azureKeyVaultCertificateName)).Thumbprint
          # A PowerShell variable does not survive the task boundary; publish it as a pipeline variable for the later signing step
          Write-Host "##vso[task.setvariable variable=certThumbprint]$certThumbprint"
          # az prints JSON text, so parse it before reading the accessToken property
          $keyVaultAccessToken = (az account get-access-token --resource https://vault.azure.net | ConvertFrom-Json).accessToken
          $certPfxPath = "$(System.DefaultWorkingDirectory)\cert.pfx"

          # Extract the certificate from Azure Key Vault to a file (not used by AzureSignTool below, which signs inside Key Vault)
          az keyvault secret download --file $certPfxPath --vault-name $(azureKeyVaultName) --name $(azureKeyVaultCertificateName)

          # Sign the assemblies: -kvc names the certificate, -kva passes the Key Vault token, the file to sign is positional
          $assemblies = Get-ChildItem -Path $(Build.SourcesDirectory) -Filter "*.dll" -Recurse
          foreach ($assembly in $assemblies) {
              & "$env:USERPROFILE\.dotnet\tools\azuresigntool.exe" sign -kvu https://$(azureKeyVaultName).vault.azure.net -kvc $(azureKeyVaultCertificateName) -kva $keyVaultAccessToken -tr http://timestamp.digicert.com -v $assembly.FullName
          }
        azurePowerShellVersion: 'LatestVersion'
      displayName: 'Code Sign Assemblies'

    - task: DotNetCoreCLI@2
      inputs:
        command: 'pack'
        projects: '**/*.csproj'
        # --no-build keeps pack from rebuilding and overwriting the assemblies that were just signed
        arguments: '--configuration $(buildConfiguration) --no-build --output $(Build.ArtifactStagingDirectory)'

    - powershell: |
        $nugetPackages = Get-ChildItem -Path $(Build.ArtifactStagingDirectory) -Filter "*.nupkg"
        foreach ($package in $nugetPackages) {
            # $(certThumbprint) was set by the 'Code Sign Assemblies' task above
            & "$env:USERPROFILE\.dotnet\tools\nugetsigntool.exe" sign -CertificateThumbprint $(certThumbprint) -InputPath $package.FullName
        }
      displayName: 'Sign NuGet Packages'

    - task: PublishBuildArtifacts@1
      inputs:
        PathtoPublish: $(Build.ArtifactStagingDirectory)
        ArtifactName: 'drop'
        publishLocation: 'Container'
```

Output:- [screenshots of the pipeline run, not reproduced]
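The answer's script signs every DLL found under the sources directory and keeps the certificate thumbprint in a variable that later steps cannot see. The following PowerShell script is an added example, not part of the answer above and not AzureSignTool's own documentation: it signs only the project's own assemblies in the build output, authenticates to Key Vault with an access token instead of exporting the PFX to disk, and fails the step unless every signature verifies, so the pack step can only run over signed files. The environment variables `KEYVAULT_URL`, `KEYVAULT_CERT_NAME` and `KEYVAULT_TOKEN` (assumed to be set by a preceding pipeline step, for instance from `az account get-access-token --resource https://vault.azure.net`), the `bin\Release` output folder and the `Contoso.` assembly prefix are assumptions made for this example.

```powershell
# Added example, not from the original answer. Signs the project's own assemblies in the build
# output with AzureSignTool (key never leaves Key Vault), then verifies the Authenticode signatures.
# Assumptions: KEYVAULT_URL, KEYVAULT_CERT_NAME and KEYVAULT_TOKEN are set by an earlier step;
# the default bin\<Configuration> layout is used; own assemblies start with the 'Contoso.' prefix.
param(
    [string]$OutputRoot      = (Join-Path $PSScriptRoot 'bin\Release'),
    [string]$AssemblyPrefix  = 'Contoso.',                 # assumed project prefix
    [string]$KeyVaultUrl     = $env:KEYVAULT_URL,          # e.g. https://<vault>.vault.azure.net
    [string]$CertificateName = $env:KEYVAULT_CERT_NAME,
    [string]$AccessToken     = $env:KEYVAULT_TOKEN,
    [string]$TimestampUrl    = 'http://timestamp.digicert.com'
)
$ErrorActionPreference = 'Stop'

foreach ($required in 'KeyVaultUrl', 'CertificateName', 'AccessToken') {
    if (-not (Get-Variable -Name $required -ValueOnly)) { throw "Parameter '$required' is empty" }
}

# Sign only assemblies this build produced. Third-party dependencies copied to the output folder
# already carry their publishers' signatures and must not be re-signed with our certificate.
$ownAssemblies = @(Get-ChildItem -Path $OutputRoot -Recurse -Include *.dll, *.exe |
    Where-Object { $_.BaseName.StartsWith($AssemblyPrefix) })

if ($ownAssemblies.Count -eq 0) { throw "No assemblies with prefix '$AssemblyPrefix' under $OutputRoot" }

# One AzureSignTool invocation for all files: pass the list via -ifl (--input-file-list).
$listFile = Join-Path ([IO.Path]::GetTempPath()) 'assemblies-to-sign.txt'
$ownAssemblies.FullName | Set-Content -Path $listFile

# -kvu: vault URL, -kvc: certificate name, -kva: bearer token for Key Vault,
# -tr/-td: RFC 3161 timestamp server and digest, -fd: file digest algorithm.
& azuresigntool sign `
    -kvu $KeyVaultUrl `
    -kvc $CertificateName `
    -kva $AccessToken `
    -tr  $TimestampUrl -td sha256 -fd sha256 `
    -ifl $listFile
if ($LASTEXITCODE -ne 0) { throw "AzureSignTool failed with exit code $LASTEXITCODE" }
Remove-Item -Path $listFile -ErrorAction SilentlyContinue

# Verification gate: every signed file must have a valid signature and chain on this agent.
$failed = @($ownAssemblies.FullName | Get-AuthenticodeSignature | Where-Object { $_.Status -ne 'Valid' })
if ($failed.Count -gt 0) {
    $failed | ForEach-Object { Write-Warning "$($_.Path): $($_.Status)" }
    throw "Signature verification failed for $($failed.Count) file(s)"
}
Write-Host "Signed and verified $($ownAssemblies.Count) assemblies under $OutputRoot"
```

Run it as a `powershell:` step between `dotnet build` and `dotnet pack --no-build`. The `--no-build` flag is what makes the ordering hold: without it, `pack` triggers a build whose copy from `obj` to `bin` replaces the signed files with the unsigned compiler output, and the package would again contain unsigned assemblies.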
