Skip to content

ci(build): sign release packages with Certum#267

Merged
ChrisPulman merged 1 commit into
mainfrom
CP_add-certum-release-signing
Jul 10, 2026
Merged

ci(build): sign release packages with Certum#267
ChrisPulman merged 1 commit into
mainfrom
CP_add-certum-release-signing

Conversation

@ChrisPulman

Copy link
Copy Markdown
Member

What kind of change does this PR introduce?

CI/release workflow update to sign NuGet packages with the Certum SimplySign certificate before publishing.

What is the new behavior?

BuildDeploy.yml now keeps the Windows build/pack flow producing unsigned-nuget, then runs a dedicated Linux container signing job using ghcr.io/reactiveui/certum-signer:latest. The signing job logs into SimplySign with CERTUM_USER_ID and CERTUM_OTP_URI, signs every .nupkg with jsign using RFC3161 timestamping, verifies the signature against CERTUM_CERT_FINGERPRINT, and uploads signed-nuget.

NuGet publishing and the GitHub release artifact now consume signed-nuget.

What is the current behavior?

The release workflow uploads, publishes, and attaches unsigned NuGet packages.

Checklist

  • Tests have been added or updated (for bug fixes / features)
  • Docs have been added or updated (for bug fixes / features)
  • Changes target the main branch
  • PR title follows Conventional Commits

Additional information

This follows the Certum/SimplySign pattern from RoslynCommonAnalyzers release.yml while preserving the existing MinVer floor-aware release version calculation.

Validation:

  • git diff --check
  • dotnet nuget verify -h confirmed SHA256 --certificate-fingerprint verification support.
  • Confirmed workflow references now route unsigned-nuget -> sign -> signed-nuget -> publish/release.

The actual Certum login/signing path requires the GitHub release environment secrets and cannot be executed locally.

Release workflow:

- Add a dedicated Certum/SimplySign signing job using ghcr.io/reactiveui/certum-signer.

- Download unsigned NuGet packages, connect SimplySign headlessly, sign with jsign using RFC3161 timestamping, and verify signatures against the configured SHA256 certificate fingerprint.

- Publish and attach the signed-nuget artifact instead of unsigned-nuget.

Validation:

- Verified workflow diff and artifact references.

- Verified dotnet nuget verify supports SHA256 certificate fingerprint validation.

- git diff --check passed.
@ChrisPulman ChrisPulman merged commit 836e2b7 into main Jul 10, 2026
1 check passed
@ChrisPulman ChrisPulman deleted the CP_add-certum-release-signing branch July 10, 2026 23:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant