Add code signing

2025-12-26 07:47:56 +01:00 · 2025-12-08 00:31:35 +01:00
parent 6a7457dc9f
commit 27f40e5da0
5 changed files with 78 additions and 16 deletions
--- a/build.cs
+++ b/build.cs
@@ -45,9 +45,10 @@ Task("Build")

 Task("Test")
    .IsDependentOn("Build")
-    .Does(ctx => 
+    .Does(ctx =>
 {
-    ctx.DotNetTest(testProject, new DotNetTestSettings {
+    ctx.DotNetTest(testProject, new DotNetTestSettings
+    {
        Configuration = configuration,
        Verbosity = DotNetVerbosity.Minimal,
        NoLogo = true,
@@ -73,18 +74,66 @@ Task("Package")
    });
 });

+Task("Sign-Binaries")
+    .IsDependentOn("Package")
+    .WithCriteria(ctx => ctx.HasArgument("sign"), "Not signing binaries")
+    .Does(ctx =>
+{
+    // Ensure the sign tool is installed
+    ctx.StartProcess("dotnet", new ProcessSettings
+    {
+        Arguments = "tool install --tool-path .sign --prerelease sign"
+    });
+
+    var commandSettings = new CommandSettings
+    {
+        ToolExecutableNames = ["sign", "sign.exe"],
+        ToolName = "sign",
+        ToolPath = ResolveSignTool("sign.exe") 
+            ?? ResolveSignTool("sign")
+            ?? throw new Exception("Failed to locate sign tool"),
+    };
+
+    var files = ctx.GetFiles("./.artifacts/*.nupkg");
+    foreach (var file in files)
+    {
+        ctx.Information("Signing {0}...", file.FullPath);
+
+        var arguments = new ProcessArgumentBuilder()
+            .Append("code")
+            .Append("azure-key-vault")
+            .AppendQuoted(file.FullPath)
+            .AppendSwitchQuoted("--file-list", ctx.MakeAbsolute(ctx.File("./resources/signclient.filter")).FullPath)
+            .AppendSwitchQuoted("--publisher-name", "Spectre Console")
+            .AppendSwitchQuoted("--description", "A .NET library that makes it easier to create beautiful console applications.")
+            .AppendSwitchQuoted("--description-url", "https://spectreconsole.net")
+            .AppendSwitchQuoted("--azure-credential-type", "azure-cli")
+            .AppendSwitchQuotedSecret("--azure-key-vault-certificate", Argument<string>("keyvaultCertificate"))
+            .AppendSwitchQuotedSecret("--azure-key-vault-url", Argument<string>("keyvaultUrl"));
+
+        ctx.Command(commandSettings, arguments);
+        ctx.Information("Done signing {0}.", file.FullPath);
+    }
+
+    FilePath? ResolveSignTool(string name)
+    {
+        var path = ctx.MakeAbsolute(ctx.Directory(".sign").Path.CombineWithFilePath(name));
+        return ctx.FileExists(path) ? path : null;
+    }
+});
+
 Task("Publish-NuGet")
    .WithCriteria(ctx => BuildSystem.IsRunningOnGitHubActions, "Not running on GitHub Actions")
-    .IsDependentOn("Package")
-    .Does(ctx => 
+    .IsDependentOn("Sign-Binaries")
+    .Does(ctx =>
 {
    var apiKey = Argument<string?>("nuget-key", null);
-    if(string.IsNullOrWhiteSpace(apiKey)) {
+    if (string.IsNullOrWhiteSpace(apiKey))
+    {
        throw new CakeException("No NuGet API key was provided.");
    }

-    // Publish to GitHub Packages
-    foreach(var file in ctx.GetFiles("./.artifacts/*.nupkg")) 
+    foreach (var file in ctx.GetFiles("./.artifacts/*.nupkg"))
    {
        ctx.Information("Publishing {0}...", file.GetFilename().FullPath);
        DotNetNuGetPush(file.FullPath, new DotNetNuGetPushSettings