ci(build): sign release packages with Certum#267
Merged
Conversation
Release workflow: - Add a dedicated Certum/SimplySign signing job using ghcr.io/reactiveui/certum-signer. - Download unsigned NuGet packages, connect SimplySign headlessly, sign with jsign using RFC3161 timestamping, and verify signatures against the configured SHA256 certificate fingerprint. - Publish and attach the signed-nuget artifact instead of unsigned-nuget. Validation: - Verified workflow diff and artifact references. - Verified dotnet nuget verify supports SHA256 certificate fingerprint validation. - git diff --check passed.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What kind of change does this PR introduce?
CI/release workflow update to sign NuGet packages with the Certum SimplySign certificate before publishing.
What is the new behavior?
BuildDeploy.ymlnow keeps the Windows build/pack flow producingunsigned-nuget, then runs a dedicated Linux container signing job usingghcr.io/reactiveui/certum-signer:latest. The signing job logs into SimplySign withCERTUM_USER_IDandCERTUM_OTP_URI, signs every.nupkgwith jsign using RFC3161 timestamping, verifies the signature againstCERTUM_CERT_FINGERPRINT, and uploadssigned-nuget.NuGet publishing and the GitHub release artifact now consume
signed-nuget.What is the current behavior?
The release workflow uploads, publishes, and attaches unsigned NuGet packages.
Checklist
Additional information
This follows the Certum/SimplySign pattern from RoslynCommonAnalyzers
release.ymlwhile preserving the existing MinVer floor-aware release version calculation.Validation:
git diff --checkdotnet nuget verify -hconfirmed SHA256--certificate-fingerprintverification support.unsigned-nuget->sign->signed-nuget-> publish/release.The actual Certum login/signing path requires the GitHub release environment secrets and cannot be executed locally.