fixup! release: add signing step for .deb package

Lessley Dennington 2022-06-27 14:41:32 -07:00
Родитель e197c6fc86
Коммит b4c150ca63
2 изменённых файлов: 19 добавлений и 133 удалений

118
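--- a/.github/scripts/sign-debian-packages.py
+++ b/.github/scripts/sign-debian-packages.py
@@ -1,118 +0,0 @@
-import json
-import os
-import glob
-import pprint
-import subprocess
-import sys
-esrp_tool = os.path.join("esrp", "tools", "EsrpClient.exe")
-AAD_ID = os.environ['AZURE_AAD_ID'].strip()
-AAD_ID_TEMP = os.environ['AZURE_AAD_ID_TEMP'].strip()
-WORKSPACE = os.environ['GITHUB_WORKSPACE'].strip()
-ARTIFACTS_DIR = os.environ['ARTIFACTS_DIR'].strip()
-def main():
-source_root_location = os.path.join(WORKSPACE, ARTIFACTS_DIR, "unsigned")
-destination_location = os.path.join(WORKSPACE, ARTIFACTS_DIR)
-files = glob.glob(os.path.join(source_root_location, "*.deb"))
-print("Found files:")
-pprint.pp(files)
-if len(files) < 1 or not files[0].endswith(".deb"):
-print("Error: cannot find .deb to sign")
-exit(1)
-file_to_sign = os.path.basename(files[0])
-auth_json = {
-"Version": "1.0.0",
-"AuthenticationType": "AAD_CERT",
-"TenantId": "72f988bf-86f1-41af-91ab-2d7cd011db47",
-"ClientId": AAD_ID,
-"AuthCert": {
-"SubjectName": f"CN={AAD_ID_TEMP}.microsoft.com",
-"StoreLocation": "LocalMachine",
-"StoreName": "My",
-},
-"RequestSigningCert": {
-"SubjectName": f"CN={AAD_ID}",
-"StoreLocation": "LocalMachine",
-"StoreName": "My",
-}
-}
-input_json = {
-"Version": "1.0.0",
-"SignBatches": [
-{
-"SourceLocationType": "UNC",
-"SourceRootDirectory": source_root_location,
-"DestinationLocationType": "UNC",
-"DestinationRootDirectory": destination_location,
-"SignRequestFiles": [
-{
-"CustomerCorrelationId": "01A7F55F-6CDD-4123-B255-77E6F212CDAD",
-"SourceLocation": file_to_sign,
-"DestinationLocation": os.path.join("signed", file_to_sign),
-}
-],
-"SigningInfo": {
-"Operations": [
-{
-"KeyCode": "CP-450779-Pgp",
-"OperationCode": "LinuxSign",
-"Parameters": {},
-"ToolName": "sign",
-"ToolVersion": "1.0",
-}
-]
-}
-}
-]
-}
-policy_json = {
-"Version": "1.0.0",
-"Intent": "production release",
-"ContentType": "Debian package",
-}
-configs = [
-("auth.json", auth_json),
-("input.json", input_json),
-("policy.json", policy_json),
-]
-for filename, data in configs:
-with open(filename, 'w') as fp:
-json.dump(data, fp)
-# Run ESRP Client
-esrp_out = "esrp_out.json"
-result = subprocess.run(
-[esrp_tool, "sign",
-"-a", "auth.json",
-"-i", "input.json",
-"-p", "policy.json",
-"-o", esrp_out,
-"-l", "Verbose"],
-cwd=WORKSPACE)
-if result.returncode != 0:
-print("Failed to run ESRPClient.exe")
-sys.exit(1)
-if os.path.isfile(esrp_out):
-print("ESRP output json:")
-with open(esrp_out, 'r') as fp:
-pprint.pp(json.load(fp))
-signed_file = os.path.join(destination_location, "signed", file_to_sign)
-if os.path.isfile(signed_file):
-print(f"Success!\nSigned {signed_file}")
-if __name__ == "__main__":
-main()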

34
.github/workflows/build-git-installers.yml поставляемый

@ -668,38 +668,42 @@ jobs:
steps:
- name: Clone repository
uses: actions/checkout@v2
with:
path: 'git'
- name: Download unsigned packages
uses: actions/download-artifact@v2
with:
name: deb-package-unsigned
path: ${{ env.ARTIFACTS_DIR }}/unsigned
path: unsigned
- uses: azure/login@v1
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
- name: Download ESRP client
- name: Set up ESRP client
shell: pwsh
env:
AZURE_STORAGE_KEY: ${{ secrets.AZURE_STORAGE_KEY }}
AZURE_VAULT: ${{ secrets.AZURE_VAULT }}
AUTH_CERT: ${{ secrets.AZURE_VAULT_AUTH_CERT_NAME }}
REQUEST_SIGNING_CERT: ${{ secrets.AZURE_VAULT_REQUEST_SIGNING_CERT_NAME }}
run: |
az storage blob download --subscription "${{ secrets.AZURE_SUBSCRIPTION }}" --account-name msftgitesrp -c microsoft-esrp-client -n microsoft.esrpclient.1.2.76.nupkg -f esrp.zip
Expand-Archive -Path esrp.zip -DestinationPath .\esrp
- name: Install ESRP certificates
run: |
az keyvault secret download --subscription "${{ secrets.AZURE_SUBSCRIPTION }}" --vault-name "msft-git-esrp" --name "microsoft-git-esrp-auth-cert" -f auth_cert.pfx
Import-PfxCertificate auth_cert.pfx -CertStoreLocation Cert:\LocalMachine\My
az keyvault secret download --subscription "${{ secrets.AZURE_SUBSCRIPTION }}" --vault-name "msft-git-esrp" --name "microsoft-git-request-signing-cert" -f request_signing_cert.pfx
Import-PfxCertificate request_signing_cert.pfx -CertStoreLocation Cert:\LocalMachine\My
- uses: actions/setup-python@v2
- name: Run ESRP client
git\.github\scripts\set-up-esrp.ps1
- name: Sign package
shell: pwsh
env:
AZURE_AAD_ID: ${{ secrets.AZURE_AAD_ID }}
# We temporarily need two AAD IDs, as we're using an SSL certificate associated
# with an older App Registration until we have the required hardware to approve
# the new certificate in SSL Admin.
AZURE_AAD_ID_TEMP: ${{ secrets.AAD_ID_TEMP }}
run: python .github/scripts/sign-debian-packages.py
AZURE_AAD_ID_SSL: ${{ secrets.AZURE_AAD_ID_SSL }}
LINUX_KEY_CODE: ${{ secrets.LINUX_KEY_CODE }}
LINUX_OP_CODE: ${{ secrets.LINUX_OPERATION_CODE }}
run: |
python git\.github\scripts\run-esrp-signing.py unsigned $env:LINUX_KEY_CODE $env:LINUX_OP_CODE
- name: Upload signed artifact
uses: actions/upload-artifact@v2
with:
name: deb-package-signed
path: ${{ env.ARTIFACTS_DIR }}/signed
path: signed
# End build & sign Ubuntu package
create-github-release:
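Review bot: The signing key code and operation code are passed as command-line arguments in the new "Sign package" step (`python git\.github\scripts\run-esrp-signing.py unsigned $env:LINUX_KEY_CODE $env:LINUX_OP_CODE`) even though the same step already exports them as `LINUX_KEY_CODE` and `LINUX_OP_CODE`; GitHub masks secret values in step logs, but argv is still visible in the runner's process table and in any process-creation auditing, whereas an environment variable read by the child is not. If run-esrp-signing.py can read `os.environ["LINUX_KEY_CODE"]` and `os.environ["LINUX_OP_CODE"]` itself, the line can shrink to `python git\.github\scripts\run-esrp-signing.py unsigned`; that script and set-up-esrp.ps1 are not part of this commit, so how they handle these values cannot be checked here. The comment explaining why two AAD IDs were temporarily needed goes away with `AZURE_AAD_ID_TEMP`, and a one-line comment on `AZURE_AAD_ID_SSL` saying which App Registration and certificate it corresponds to would preserve that context for the next person rotating the credential. The job this `steps:` list belongs to starts before the hunk.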