Open dkurepa opened 1 year ago
@dkurepa Can you provide additional details for this issue? It's unclear what is expected from us.
We should replace the way we're currently doing our gpg signing with the use of Microbuild signing
@dkurepa how urgent is this task? When is it expected to be implemented (in a week, month, etc.)? Do you know if we have examples of using Microbuild signing in other pipelines?
The goal of this task is to start using the GPG key provided by ESRP. By doing so we won't have the added responsibility of managing the key, because it will all be done for us. It is important that this task is completed before November 2023, because that's when our current key will expire, and it'd be great if we didn't have to do anything with it. As for examples, we already use Microbuild in the staging pipeline: https://dev.azure.com/dnceng/internal/_git/dotnet-release?path=/eng/pipeline/templates/steps/signing.yml for Windows signing, and https://dev.azure.com/dnceng/internal/_git/dotnet-release?path=/eng/pipeline/templates/steps/linux-signing.yml for Linux.
We can use the linux-signing as example: `ItemsToSign` and `FileExtensionSignInfo` properties for the specific file extensions (`*.jar` and `*.pom`) and calls Arcade's `Microsoft.DotNet.SignTool.SignToolTask`
This will take ~2-3 weeks, let's convert it into a full epic.
@dkurepa if you extended it by 2 years then it should expire in November 2024 right?
Yes, I just double checked
Then we have some time with this. cc @andriipatsula
We added our new ESRP-owned GPG key to Microbuild. We should implement this in the Staging pipeline. More info at: https://dev.azure.com/dnceng/internal/_workitems/edit/3928 Documentation: https://dev.azure.com/devdiv/DevDiv/_wiki/wikis/DevDiv.wiki/650/MicroBuild-Signing