diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 47297ac50..4d10017ed 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -24,6 +24,9 @@ jobs:
 build:
 name: Build
 runs-on: windows-2022
+ permissions:
+ packages: write
+ id-token: write
 steps:
 - name: Checkout code
 uses: actions/checkout@v3
@@ -34,6 +37,11 @@ jobs:
 # shell: cmd # run: ./src/vs_config.cmd + - name: Install sign tool + if: (github.ref == 'refs/heads/master') + shell: cmd + run: dotnet tool install --tool-path build\.tools sign --version 0.9.1-beta.23356.1 + - name: Configure automated logging and crash dumps shell: cmd run: |
@@ -46,13 +54,22 @@ jobs:
 reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\LocalDumps" /t REG_DWORD /v DumpCount /d 10 /f reg add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\Windows Error Reporting\LocalDumps" /t REG_DWORD /v DumpType /d 1 + - name: 'Az CLI login' + if: (github.ref == 'refs/heads/master') + uses: azure/login@v1 + with: + allow-no-subscriptions: true + client-id: ${{ secrets.WIX_SIGNING_CLIENTID }} + tenant-id: ${{ secrets.WIX_SIGNING_TENANTID }} + subscription-id: ${{ secrets.WIX_SIGNING_SUBSCRIPTIONID }} + - name: Build wix4 shell: cmd run: ./src/build_official.cmd env: RuntimeTestsEnabled: true - SigningUser: ${{ github.ref == 'refs/heads/master' && secrets.WIX_SIGNING_USER || '' }} - SigningSecret: ${{ github.ref == 'refs/heads/master' && secrets.WIX_SIGNING_SECRET || '' }} + SigningVaultUri: ${{ github.ref == 'refs/heads/master' && secrets.WIX_SIGNING_VAULTURI || '' }} + SigningCertName: ${{ github.ref == 'refs/heads/master' && secrets.WIX_SIGNING_CERTNAME || '' }} - name: Validate test results shell: cmd
diff --git a/src/Directory.Build.targets b/src/Directory.Build.targets
index 0dd56353c..74a381baf 100644
--- a/src/Directory.Build.targets
+++ b/src/Directory.Build.targets
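Review bot: The job-level `permissions` block added in the first hunk names only `packages: write` and `id-token: write`, and declaring any scope explicitly sets every unnamed scope, including `contents`, to `none`; `actions/checkout@v3` on the following context line then runs with a token that cannot read the repository (a public repository may still clone, but that is worth confirming rather than relying on), and any later step that pushes or publishes lies outside these hunks. Add `contents: read` next to the two grants unless a step elsewhere in the job needs more. No step visible in the diff uses the packages scope, so if it serves a step outside the hunks a comment naming it would help; otherwise drop it to keep the token minimal. `id-token: write` is granted on every ref although only the master-gated steps use it; that is harmless by itself, but it means the real control is the federated credential's subject claim being restricted to `refs/heads/master` on the identity-provider side, and a comment such as `# OIDC token only exchanged on master; federated credential subject must be pinned to refs/heads/master` next to the grant would record that expectation.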
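Review bot: The `Install sign tool` step in the second hunk pins an exact prerelease (`--version 0.9.1-beta.23356.1`) but resolves the package from whatever NuGet sources apply on the runner, so the tool that will drive the signing session is fetched from an unpinned feed; if the repository already carries a nuget.config with an allow-listed source, passing it with `--configfile` (or restricting to one trusted feed with `--add-source`) makes the provenance explicit. A one-line comment on the step saying why this beta build is required would also keep the next maintainer from bumping it without checking. The `if: (github.ref == 'refs/heads/master')` condition on this step is repeated on the login step and twice inside the `env` block of the third hunk; naming it once would reduce drift between the four copies.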
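Review bot: `uses: azure/login@v1` in the third hunk is a moving major tag on the step that signs in with the job's OIDC token; for a step that gates release signing, pin it to a full commit SHA and keep the version in a trailing comment, `uses: azure/login@<commit-sha>  # v1.x.y`, so the action code that handles the federated credential cannot change without a reviewed bump (the same applies to `actions/checkout@v3` on the context line in the first hunk, which predates this change). `client-id`, `tenant-id` and `subscription-id` are identifiers rather than secrets — the deleted `signing.json` carried the previous client and tenant ids in clear — so keeping them in `secrets` is fine, but a comment stating they are not sensitive would spare a future incident triage. The `SigningVaultUri`/`SigningCertName` expressions fall back to `''` off master, which leaves the variables set-but-empty rather than absent; if `build_official.cmd` distinguishes the two cases, that deserves a comment on the `env` block.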
@@ -4,9 +4,9 @@
 $(ToolsFolder) - $(SigningToolFolder)\SignClient.exe - $(SigningToolFolder)\empty-filelist.txt - $([MSBuild]::GetDirectoryNameOfFileAbove($(MSBuildProjectDirectory), signing.json))\signing.json + $(SigningToolFolder)\sign.exe + $(MSBuildThisFileDirectory)signing-empty-file-list.txt + --description "WiX Toolset" --description-url "https://wixtoolset.org/" --timestamp-url "http://timestamp.digicert.com" --file-list "$(SigningFilelist)" --azure-key-vault-managed-identity true --azure-key-vault-url "$(SigningVaultUri)" --azure-key-vault-certificate "$(SigningCertName)"
@@ -113,47 +113,39 @@
- - - - - - - - - + - - + - + - - - + + - - - + + -
diff --git a/src/internal/SetBuildNumber/SetBuildNumber.proj b/src/internal/SetBuildNumber/SetBuildNumber.proj
index cf98234ef..9ff4e7c33 100644
--- a/src/internal/SetBuildNumber/SetBuildNumber.proj
+++ b/src/internal/SetBuildNumber/SetBuildNumber.proj
@@ -22,8 +22,7 @@
 GitThisAssembly; SetGlobalJson; SetDirectoryPackagesProps; - SetOverallWixVersions; - InstallSigningClient + SetOverallWixVersions $([System.IO.Path]::GetFullPath($(MSBuildThisFileDirectory)..\..\..\global.json))
@@ -106,12 +105,6 @@
- - - -
diff --git a/src/signing-empty-file-list.txt b/src/signing-empty-file-list.txt
new file mode 100644
index 000000000..246cc9b6c
--- /dev/null
+++ b/src/signing-empty-file-list.txt
@@ -0,0 +1 @@
+this-file-prevents-files-from-being-signed-in-nupkgs
\ No newline at end of file
diff --git a/src/signing.json b/src/signing.json
deleted file mode 100644
index fe1c8c9b1..000000000
--- a/src/signing.json
+++ /dev/null
@@ -1,13 +0,0 @@
-{
- "SignClient": {
- "AzureAd": {
- "AADInstance": "https://login.microsoftonline.com/",
- "ClientId": "c248d68a-ba6f-4aa9-8a68-71fe872063f8",
- "TenantId": "16076fdc-fcc1-4a15-b1ca-32c9a255900e"
- },
- "Service": {
- "Url": "https://codesign.dotnetfoundation.org/",
- "ResourceId": "https://SignService/3c30251f-36f3-490b-a955-520addb85001"
- }
- }
-}
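Review bot: The new sign arguments in the first hunk pass `--azure-key-vault-managed-identity true`, yet GitHub-hosted runners have no managed identity; the credential presumably resolves through the tool's default credential chain to the Azure CLI session that the `azure/login` step in build.yml creates, and nothing in this file records that coupling. A comment next to the property, `<!-- Credentials come from the azure/login step in build.yml (CLI session picked up by the default credential chain); there is no managed identity on GitHub-hosted runners, so this does not work locally or on other CI without an equivalent login. -->`, would save a maintainer from debugging an opaque auth failure. The same line hard-codes `http://timestamp.digicert.com` beside two https URLs; RFC 3161 responses are signed by the TSA so plain HTTP does not weaken the timestamp, but a short comment saying that is deliberate would keep it from being read as an oversight. The enclosing property group starts before the hunk, and the second hunk of this file has lost its element text in this rendering, so it could not be reviewed.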