Sign NuGet package with NuGetKeyVaultSignTool

mmarkwort · May 3, 2019 · b743aef · b743aef
1 parent 80c6fb4
commit b743aef
Show file tree

Hide file tree

Showing 3 changed files with 78 additions and 0 deletions.
diff --git a/.config/dotnet-tools.json b/.config/dotnet-tools.json
@@ -0,0 +1,12 @@
+{
+  "version": 1,
+  "isRoot": true,
+  "tools": {
+    "nugetkeyvaultsigntool": {
+      "version": "1.2.18",
+      "commands": [
+        "NuGetKeyVaultSignTool"
+      ]
+    }
+  }
+}
diff --git a/appveyor.yml b/appveyor.yml
@@ -7,6 +7,15 @@ branches:
     - develop
     - master
 
+environment:
+  azure-key-vault-url:
+    secure: 1mKS/HfCVq+iYNRVSrrN8NEowOkKt3knrpMzw+SOy3g=
+  azure-key-vault-client-id:
+    secure: JfSqzmsJdXB6uIxttCRoQw1NygwxqXHDj9uIqQnWOb9VCnQYlRPlAnxgW0yTSX4b
+  azure-key-vault-client-secret:
+    secure: CUpRJxMLeUZwNPMcqI0wECaWfy5AMnWn1UZhBd9WnQ3Z16lJP1Vzrkf24mccbhUD
+  azure-key-vault-certificate:
+    secure: BSPdW2TgnQtoQXXbeDECug==
 skip_tags: true
 image: Visual Studio 2019 Preview
 configuration: Release

diff --git a/build.cake b/build.cake
@@ -161,6 +161,62 @@ Task("Pack")
     );
 });
 
+Task("Sign")
+    .WithCriteria(() => AppVeyor.IsRunningOnAppVeyor)
+    .ContinueOnError()
+    .Does(() =>
+{
+    if (!DirectoryExists(Directory(publishDir)))
+    {
+        return;
+    }
+
+    StartProcess("dotnet", new ProcessSettings {
+        Arguments = new ProcessArgumentBuilder()
+            .Append("tool")
+            .Append("restore")
+       }
+    );
+
+    var files = GetFiles(publishDir + "/*.nupkg");
+    foreach(var file in files)
+    {
+        var processSettings = new ProcessSettings {
+            RedirectStandardOutput = true,
+            RedirectStandardError = true,
+            Arguments = new ProcessArgumentBuilder()
+                .Append("sign")
+                .Append(file.ToString())
+                .Append("--force")
+                .Append("--file-digest sha256")
+                .Append("--timestamp-rfc3161 http://timestamp.digicert.com")
+                .Append("--timestamp-digest sha256")
+                .Append("--azure-key-vault-url").Append(EnvironmentVariable("azure-key-vault-url"))
+                .Append("--azure-key-vault-client-id").Append(EnvironmentVariable("azure-key-vault-client-id"))
+                .Append("--azure-key-vault-client-secret").Append(EnvironmentVariable("azure-key-vault-client-secret"))
+                .Append("--azure-key-vault-certificate").Append(EnvironmentVariable("azure-key-vault-certificate"))
+        };
+
+        using(var process = StartAndReturnProcess("NuGetKeyVaultSignTool", processSettings))
+        {
+            process.WaitForExit();
+
+            if (process.GetStandardOutput().Any())
+            {
+                Information($"Output:{Environment.NewLine}{string.Join(Environment.NewLine, process.GetStandardOutput())}");
+            }
+
+            if (process.GetStandardError().Any())
+            {
+                Information($"Errors occurred:{Environment.NewLine}{string.Join(Environment.NewLine, process.GetStandardError())}");
+            }
+
+            // This should output 0 as valid arguments supplied
+            Information("Exit code: {0}", process.GetExitCode());
+        }
+    }
+});
+
 Task("Zip")
     .Does(() =>
 {
@@ -240,6 +296,7 @@ Task("Default")
 Task("appveyor")
     .IsDependentOn("Default")
     .IsDependentOn("Pack")
+    .IsDependentOn("Sign")
     .IsDependentOn("Zip");
 
 ///////////////////////////////////////////////////////////////////////////////