Use Microbuild to ESRP Sign SignalR files (by Nov 2024)
We added our new ESRP-owned GPG key to Microbuild. We should implement this in the Staging pipeline. More info at: https://dev.azure.com/dnceng/internal/_workitems/edit/3928 Documentation: https://dev.azure.com/devdiv/DevDiv/_wiki/wikis/DevDiv.wiki/650/MicroBuild-Signing
- [x] #2937
@dkurepa Can you provide additional details for this issue? It's unclear what is expected from us.
We should replace the way we're currently doing our GPG signing with the use of Microbuild signing.
@dkurepa how urgent is this task? When is it expected to be implemented (in a week, month, etc.)? Do you know if we have examples of using Microbuild signing in other pipelines?
The goal of this task is to start using the GPG key provided by ESRP. By doing so we won't have the added responsibility of managing the key, because it will all be done for us. It is important that this task is completed before November 2023, because that's when our current key will expire, and it'd be great if we didn't have to do anything with it. As for examples, we already use Microbuild in the staging pipeline: https://dev.azure.com/dnceng/internal/_git/dotnet-release?path=/eng/pipeline/templates/steps/signing.yml for Windows signing, and https://dev.azure.com/dnceng/internal/_git/dotnet-release?path=/eng/pipeline/templates/steps/linux-signing.yml for Linux.
We can use the linux-signing as an example:
- Install MicroBuild Signing Plugin
- create a msbuild target that sets the `ItemsToSign` and `FileExtensionSignInfo` properties for the specific file extensions (`*.jar` and `*.pom`) and calls Arcade's `Microsoft.DotNet.SignTool.SignToolTask`
- run the msbuild target from the pipeline providing it with the right certificate
- we can probably unite the different signing types in the future
This will take ~2-3 weeks, let's convert it into a full epic.
@dkurepa if you extended it by 2 years then it should expire in November 2024, right?
Yes, I just double checked
Then we have some time with this. cc @andriipatsula