Use Microbuild to ESRP Sign SignalR files (by Nov 2024)

dotnet / arcade-services

Arcade Engineering Services

MIT License

61 stars 74 forks source link

Use Microbuild to ESRP Sign SignalR files (by Nov 2024) #2411

Open dkurepa opened 1 year ago

dkurepa commented 1 year ago

We added our new ESRP owned GPG key to Microbuild. We should implement this in the Staging pipeline More info at: https://dev.azure.com/dnceng/internal/_workitems/edit/3928 Documentation: https://dev.azure.com/devdiv/DevDiv/_wiki/wikis/DevDiv.wiki/650/MicroBuild-Signing

[x] #2937

andriipatsula commented 1 year ago

@dkurepa Can you provide additional details for this issue? It's unclear what is expected from us.

dkurepa commented 1 year ago

We should replace the way we're currently doing our gpg signing with the use of Microbuild signing

andriipatsula commented 1 year ago

@dkurepa how urgent is this task? When is it expected to be implemented (in a week, month, etc.)? Do you know if we have examples of using Microbuild signing in other pipelines?

dkurepa commented 1 year ago

The goal of this task is to start using the GPG key provided by ESRP. By doing so we won't have the added responsibility of managing the key, because it will all be done for us. It is important that this task is completed before November 2023, because that's when our current key will expire, and it'd be great if we didn't have to anything with it. As for examples, we already use Microbuild in the staging pipeline: https://dev.azure.com/dnceng/internal/_git/dotnet-release?path=/eng/pipeline/templates/steps/signing.yml for windows signing, and https://dev.azure.com/dnceng/internal/_git/dotnet-release?path=/eng/pipeline/templates/steps/linux-signing.yml for linux

MilenaHristova commented 1 year ago

We can use the linux-signing as example:

Install MicroBuild Signing Plugin
create a msbuild target that sets the ItemsToSign and FileExtensionSignInfo properties for the specific file extentions (*.jar and *.pom) and calls Arcades Microsoft.DotNet.SignTool.SignToolTask
run the msbuild target from the pipeline providing it with the right certificate
we can probably unite the different signing types in the future

tkapin commented 1 year ago

This will take ~2-3 weeks, let's convert it into a full epic.

MilenaHristova commented 1 year ago

@dkurepa if you extended it by 2 years then it should expire in November 2024 right?

dkurepa commented 1 year ago

Yes, I just double checked

MilenaHristova commented 1 year ago

Then we have some time with this cc @andriipatsula