Pipeline Moved to new Certification #5017
Conversation
ugras-ergun-sonarsource
changed the title
github-actions
bot
assigned pavel-mikula-sonarsource and unassigned ugras-ergun-sonarsource
pipeline/azure-pipelines.yml
Outdated
| @@ -154,12 +170,25 @@ jobs: | |||
| inputs: | |||
| solution: $(BuildParameters.solution) | |||
| vsVersion: 17.0 | |||
| msbuildArgs: /p:VsTargetVersion=$(vsTargetVersion) /p:DeployExtension=false /p:SignArtifacts=$(SHOULD_SIGN) /p:AssemblyOriginatorKeyFile="$(snk.secureFilePath)" /p:pfxCertificatePath="$(pfx.secureFilePath)" /p:pfxPassword="$(pfxPassword2021-2023)" /p:pfxSha1=$(pfxSha1-2021-2023) /p:Sha1=$(Build.SourceVersion) /p:BuildNumber=$(Build.BuildId) $(AdditionalMSBuildArgs) | |||
| msbuildArgs: /p:VsTargetVersion=$(vsTargetVersion) /p:DeployExtension=false /p:SignArtifacts=false /p:AssemblyOriginatorKeyFile="$(snk.secureFilePath)" /p:Sha1=$(Build.SourceVersion) /p:BuildNumber=$(Build.BuildId) $(AdditionalMSBuildArgs) | |||
There was a problem hiding this comment.
Now instead of signing the artifact on build we sign them after the build.
pipeline/azure-pipelines.yml
Outdated
| SM_CLIENT_CERT_FILE: $(SM_CLIENT_CERT.secureFilePath) | ||
| inputs: | ||
| targetType: 'inline' | ||
| script: nuget sign "$env:PACKAGES_PATH" -Overwrite -HashAlgorithm SHA256 -CertificateFingerprint $(SM_CERT_FP) -Timestamper http://timestamp.digicert.com -TimestampHashAlgorithm SHA256 |
There was a problem hiding this comment.
By trials done by Tom nuget sign is the only command that works for vsix signing.
pipeline/azure-pipelines.yml
Outdated
| SM_CLIENT_CERT_FILE: $(SM_CLIENT_CERT.secureFilePath) | ||
| inputs: | ||
| targetType: 'inline' | ||
| script: nuget sign "$env:PACKAGES_PATH" -Overwrite -HashAlgorithm SHA256 -CertificateFingerprint $(SM_CERT_FP) -Timestamper http://timestamp.digicert.com -TimestampHashAlgorithm SHA256 |
There was a problem hiding this comment.
Can you try to remove the -Override? The docs says this, and I don't see a way how the package could already have a signature in CI
Switch to indicate if the current signature should be overwritten. By default the command will fail if the package already has a signature.
github-actions
bot
assigned ugras-ergun-sonarsource and unassigned pavel-mikula-sonarsource
|
Kudos, SonarCloud Quality Gate passed!
|
github-actions
bot
assigned pavel-mikula-sonarsource and unassigned ugras-ergun-sonarsource
github-actions
bot
assigned ugras-ergun-sonarsource and unassigned pavel-mikula-sonarsource
I ran on the branch with force sign parameter https://dev.azure.com/sonarsource/DotNetTeam%20Project/_build/results?buildId=80535&view=results |
|
|
||
| - task: SSMClientToolsSetup@1 | ||
| displayName: Client Tools Setup | ||
| condition: eq(variables['SHOULD_SIGN'], 'true') |
There was a problem hiding this comment.
I'm not sure I understand who sets SHOULD_SIGN to true and when this happens. Could give me a hint? :)
There was a problem hiding this comment.
There was a problem hiding this comment.
Ok, now I got it. Thanks!
There are too many commits so I will squash them