Enable signing of nuget.org packages and update to supported timestamp server (GH-23132)
parent
bffb137cb5
commit
db6434c474
|
@ -120,10 +120,11 @@ jobs:
|
||||||
artifactName: unsigned_msix
|
artifactName: unsigned_msix
|
||||||
downloadPath: $(Build.BinariesDirectory)
|
downloadPath: $(Build.BinariesDirectory)
|
||||||
|
|
||||||
|
# MSIX must be signed and timestamped simultaneously
|
||||||
- powershell: |
|
- powershell: |
|
||||||
$failed = $true
|
$failed = $true
|
||||||
foreach ($retry in 1..3) {
|
foreach ($retry in 1..3) {
|
||||||
signtool sign /a /n "$(SigningCertificate)" /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d "$(SigningDescription)" (gi *.msix)
|
signtool sign /a /n "$(SigningCertificate)" /fd sha256 /tr http://timestamp.digicert.com/ /td sha256 /d "$(SigningDescription)" (gi *.msix)
|
||||||
if ($?) {
|
if ($?) {
|
||||||
$failed = $false
|
$failed = $false
|
||||||
break
|
break
|
||||||
|
|
|
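Review bot: The timestamp server URL is written out literally in the `signtool sign` line of this step, and the same literal recurs in the `nuget sign` step, the `signtool timestamp` step, both `_SignCommand` properties and the three `SignTool sign` branches of `Sign-File` later in this commit, so the next server retirement means another sweep over every file. The YAML steps could read it from one pipeline variable, e.g. `/tr $(TimestampServer) /td sha256` (the variable name is a suggestion, not something the visible files define). The added comment could also say why the flags changed, for example `# MSIX must be signed and timestamped simultaneously; /tr with /td sha256 requests an RFC 3161 timestamp with a SHA-256 digest`. The step continues past the end of this hunk.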
@ -4,7 +4,7 @@ jobs:
|
||||||
condition: and(succeeded(), eq(variables['DoNuget'], 'true'))
|
condition: and(succeeded(), eq(variables['DoNuget'], 'true'))
|
||||||
|
|
||||||
pool:
|
pool:
|
||||||
vmImage: windows-2019
|
name: 'Windows Release'
|
||||||
|
|
||||||
workspace:
|
workspace:
|
||||||
clean: all
|
clean: all
|
||||||
|
@ -36,6 +36,14 @@ jobs:
|
||||||
nuget pack "$(Build.BinariesDirectory)\layout\python.nuspec" -OutputDirectory $(Build.ArtifactStagingDirectory) -NoPackageAnalysis -NonInteractive
|
nuget pack "$(Build.BinariesDirectory)\layout\python.nuspec" -OutputDirectory $(Build.ArtifactStagingDirectory) -NoPackageAnalysis -NonInteractive
|
||||||
displayName: 'Create nuget package'
|
displayName: 'Create nuget package'
|
||||||
|
|
||||||
|
- powershell: |
|
||||||
|
gci *.nupkg | %{
|
||||||
|
nuget sign "$_" -CertificateSubjectName "$(SigningCertificate)" -Timestamper http://timestamp.digicert.com/ -Overwrite
|
||||||
|
}
|
||||||
|
displayName: 'Sign nuget package'
|
||||||
|
workingDirectory: $(Build.ArtifactStagingDirectory)
|
||||||
|
condition: and(succeeded(), variables['SigningCertificate'])
|
||||||
|
|
||||||
- task: PublishBuildArtifacts@1
|
- task: PublishBuildArtifacts@1
|
||||||
displayName: 'Publish Artifact: nuget'
|
displayName: 'Publish Artifact: nuget'
|
||||||
inputs:
|
inputs:
|
||||||
|
|
|
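Review bot: The new 'Sign nuget package' step never checks the result of `nuget sign` inside the `gci *.nupkg | %{ ... }` loop, so if more than one package is staged a failure on an earlier one can be hidden by a later success, and unlike the `signtool` steps in this commit there is no retry when the timestamp server is briefly unreachable. Adding `if ($LASTEXITCODE -ne 0) { throw "nuget sign failed for $_" }` directly after the `nuget sign` line makes each failure fatal. Because the step is skipped when `SigningCertificate` is empty, the publish task that follows would upload an unsigned package without any message, as far as these lines show. A `nuget verify -Signatures` call before publishing, or a logged warning in the skipped case, would make that state visible in the build log.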
@ -57,7 +57,7 @@ jobs:
|
||||||
$files = (gi ${{ parameters.Include }} -Exclude ${{ parameters.Exclude }})
|
$files = (gi ${{ parameters.Include }} -Exclude ${{ parameters.Exclude }})
|
||||||
$failed = $true
|
$failed = $true
|
||||||
foreach ($retry in 1..10) {
|
foreach ($retry in 1..10) {
|
||||||
signtool timestamp /t http://timestamp.verisign.com/scripts/timestamp.dll $files
|
signtool timestamp /tr http://timestamp.digicert.com/ /td sha256 $files
|
||||||
if ($?) {
|
if ($?) {
|
||||||
$failed = $false
|
$failed = $false
|
||||||
break
|
break
|
||||||
|
|
|
@ -176,8 +176,8 @@ public override bool Execute() {
|
||||||
<SdkBinPath Condition="!Exists($(SdkBinPath))">$(registry:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Kits\Installed Roots@KitsRoot81)\bin\x86</SdkBinPath>
|
<SdkBinPath Condition="!Exists($(SdkBinPath))">$(registry:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Kits\Installed Roots@KitsRoot81)\bin\x86</SdkBinPath>
|
||||||
<SdkBinPath Condition="!Exists($(SdkBinPath))">$(registry:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Kits\Installed Roots@KitsRoot)\bin\x86</SdkBinPath>
|
<SdkBinPath Condition="!Exists($(SdkBinPath))">$(registry:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Kits\Installed Roots@KitsRoot)\bin\x86</SdkBinPath>
|
||||||
<SdkBinPath Condition="!Exists($(SdkBinPath))">$(registry:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SDKs\Windows\v7.1A@InstallationFolder)\Bin\</SdkBinPath>
|
<SdkBinPath Condition="!Exists($(SdkBinPath))">$(registry:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SDKs\Windows\v7.1A@InstallationFolder)\Bin\</SdkBinPath>
|
||||||
<_SignCommand Condition="Exists($(SdkBinPath)) and '$(SigningCertificate)' != '' and $(SupportSigning)">"$(SdkBinPath)\signtool.exe" sign /a /n "$(SigningCertificate)" /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d "Python $(PythonVersion)"</_SignCommand>
|
<_SignCommand Condition="Exists($(SdkBinPath)) and '$(SigningCertificate)' != '' and $(SupportSigning)">"$(SdkBinPath)\signtool.exe" sign /a /n "$(SigningCertificate)" /fd sha256 /tr http://timestamp.digicert.com/ /td sha256 /d "Python $(PythonVersion)"</_SignCommand>
|
||||||
<_SignCommand Condition="Exists($(SdkBinPath)) and '$(SigningCertificateSha1)' != '' and $(SupportSigning)">"$(SdkBinPath)\signtool.exe" sign /a /sha1 "$(SigningCertificateSha1)" /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d "Python $(PythonVersion)"</_SignCommand>
|
<_SignCommand Condition="Exists($(SdkBinPath)) and '$(SigningCertificateSha1)' != '' and $(SupportSigning)">"$(SdkBinPath)\signtool.exe" sign /a /sha1 "$(SigningCertificateSha1)" /fd sha256 /tr http://timestamp.digicert.com/ /td sha256 /d "Python $(PythonVersion)"</_SignCommand>
|
||||||
<_MakeCatCommand Condition="Exists($(SdkBinPath))">"$(SdkBinPath)\makecat.exe"</_MakeCatCommand>
|
<_MakeCatCommand Condition="Exists($(SdkBinPath))">"$(SdkBinPath)\makecat.exe"</_MakeCatCommand>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
|
|
||||||
|
|
|
@ -37,11 +37,11 @@ function Sign-File {
|
||||||
|
|
||||||
foreach ($a in $files) {
|
foreach ($a in $files) {
|
||||||
if ($certsha1) {
|
if ($certsha1) {
|
||||||
SignTool sign /sha1 $certsha1 /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d $description $a
|
SignTool sign /sha1 $certsha1 /fd sha256 /tr http://timestamp.digicert.com/ /td sha256 /d $description $a
|
||||||
} elseif ($certname) {
|
} elseif ($certname) {
|
||||||
SignTool sign /a /n $certname /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d $description $a
|
SignTool sign /a /n $certname /fd sha256 /tr http://timestamp.digicert.com/ /td sha256 /d $description $a
|
||||||
} elseif ($certfile) {
|
} elseif ($certfile) {
|
||||||
SignTool sign /f $certfile /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d $description $a
|
SignTool sign /f $certfile /fd sha256 /tr http://timestamp.digicert.com/ /td sha256 /d $description $a
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
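Review bot: Nothing in the visible `foreach` body looks at the outcome of the `SignTool sign` calls, and the loop and function close right after the `if`/`elseif` chain, so a file whose signing or timestamping failed is treated the same as a signed one unless the caller checks elsewhere. A check such as `if ($LASTEXITCODE -ne 0) { throw "SignTool failed for $a" }` after each `SignTool sign` line would stop the build at the first bad file. The chain also has no `else`, so when none of `$certsha1`, `$certname` or `$certfile` is set the files pass through unsigned. `Sign-File` begins above this hunk, and that case may already be handled there.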