/// <summary>
/// nuget restore
/// </summary>
public static ITargetDefinition Restore(ITargetDefinition _, IMsBuild build) => _
.DependsOn(build.Clean)
.Executes(
() =>
{
NuGetTasks
.NuGetRestore(
settings =>
settings
.SetSolutionDirectory(build.Solution)
.EnableNoCache()
);
}
);
private bool IsPackageAlreadyPublished()
{
ToolPathResolver.NuGetPackagesConfigFile = Solution.GetProject("_build").Path;
var output = NuGetTasks.NuGet($"list \"PackageId: Sharp.CSS\" -PreRelease -Source {Source}", RootDirectory);
if (output.Count == 0)
{
return(false);
}
var version = output.ElementAt(0).Text.Replace("Sharp.CSS", string.Empty).Trim();
var count = PackagesDirectory.GlobFiles($"*{version}*.nupkg").Count;
return(count > 0);
}
/// <summary>
/// nuget pack
/// </summary>
public static ITargetDefinition Pack(ITargetDefinition _, IMsBuild build) => _
.DependsOn(build.Build)
.Executes(
() =>
{
foreach (var project in build.NuspecDirectory.GlobFiles("*.nuspec"))
{
NuGetTasks
.NuGetPack(
settings =>
settings
.SetTargetPath(project)
.SetConfiguration(build.Configuration)
.SetGitVersionEnvironment(build.GitVersion)
.SetVersion(build.GitVersion.NuGetVersionV2)
.SetOutputDirectory(build.NuGetPackageDirectory)
.SetSymbols(true)
);
}
}
);
async Task SignFiles(IEnumerable <AbsolutePath> filesToSign)
{
// To create a pfx certificate for local testing, use powershell and run:
// $outputLocation = "test_cert.pfx"
// $cert = New-SelfSignedCertificate -DnsName sample.contoso.com -Type CodeSigning -CertStoreLocation Cert:\CurrentUser\My
// $CertPassword = ConvertTo-SecureString -String "Passw0rd" -Force –AsPlainText
// Export-PfxCertificate -Cert "cert:\CurrentUser\My\$($cert.Thumbprint)" -FilePath $outputLocation -Password $CertPassword
var tempFileName = Path.GetTempFileName();
const string timestampServer = "http://timestamp.digicert.com/";
try
{
var(certPath, certPassword) = UseTestPfxCertificate
? (@"test_cert.pfx", "Passw0rd")
: await GetSigningMaterial(tempFileName);
Logger.Info("Signing material retrieved");
var binaries = filesToSign
.Where(x => !x.ToString().EndsWith(".nupkg"))
.ToList();
if (binaries.Any())
{
Logger.Info("Signing binaries...");
binaries.ForEach(file => SignBinary(certPath, certPassword, file));
Logger.Info("Binary signing complete");
}
var nupkgs = filesToSign
.Where(x => x.ToString().EndsWith(".nupkg"))
.ToList();
if (nupkgs.Any())
{
Logger.Info("Signing NuGet packages...");
nupkgs.ForEach(file => SignNuGet(certPath, certPassword, file));
Logger.Info("NuGet signing complete");
}
}
finally
{
File.Delete(tempFileName);
}
return;
void SignBinary(string certPath, string certPassword, AbsolutePath binaryPath)
{
Logger.Info($"Signing {binaryPath}");
SignToolTasks.SignTool(
x => x
.SetFiles(binaryPath)
.SetFile(certPath)
.SetPassword(certPassword)
.SetTimestampServerUrl(timestampServer)
);
}
void SignNuGet(string certPath, string certPassword, AbsolutePath binaryPath)
{
Logger.Info($"Signing {binaryPath}");
// nuke doesn't expose the sign tool
try
{
NuGetTasks.NuGet(
$"sign \"{binaryPath}\"" +
$" -CertificatePath {certPath}" +
$" -CertificatePassword {certPassword}" +
$" -Timestamper {timestampServer} -NonInteractive",
logOutput: false,
logInvocation: false,
logTimestamp: false); // don't print to std out/err
}
catch (Exception)
{
// Exception doesn't say anything useful generally and don't want to expose it if it does
// so don't log it
Logger.Error($"Failed to sign nuget package '{binaryPath}");
}
}
async Task <(string CertificateFilePath, string Password)> GetSigningMaterial(string keyFile)
{
// Get the signing keys from SSM
var pfxB64EncodedPart1 = await GetFileValueFromSsmUsingAmazonSdk("keygen.dd_win_agent_codesign.pfx_b64_0");
var pfxB64EncodedPart2 = await GetFileValueFromSsmUsingAmazonSdk("keygen.dd_win_agent_codesign.pfx_b64_1");
var pfxPassword = await GetFileValueFromSsmUsingAmazonSdk("keygen.dd_win_agent_codesign.password");
var pfxB64Encoded = pfxB64EncodedPart1 + pfxB64EncodedPart2;
Logger.Info($"Retrieved base64 encoded pfx. Length: {pfxB64Encoded.Length}");
var pfxB64Decoded = Convert.FromBase64String(pfxB64Encoded);
Logger.Info($"Writing key material to temporary file {keyFile}");
File.WriteAllBytes(keyFile, pfxB64Decoded);
Logger.Info("Verifying key material");
var file = new X509Certificate2(keyFile, pfxPassword);
file.Verify();
return(CertificateFilePath : keyFile, Password : pfxPassword);
public void SignNupkg(string pkgPath, string password)
{
NuGetTasks.NuGet(
$"sign \"{pkgPath}\" -CertificatePath cert.pfx -CertificatePassword {password} -Timestamper http://timestamp.digicert.com",
outputFilter: x => x.Replace(password, "hunter2"));
}
