Skip to content

ci: sign nupkgs against Azure Key Vault using NuGetKeyVaultSignTool#10

Merged
anaiberta merged 5 commits into
5.2-GXfrom
feature/azure-keyvault-signing
May 14, 2026
Merged

ci: sign nupkgs against Azure Key Vault using NuGetKeyVaultSignTool#10
anaiberta merged 5 commits into
5.2-GXfrom
feature/azure-keyvault-signing

Conversation

@anaiberta

Copy link
Copy Markdown

Code signing requirements now mandate HSM-compatible certificate storage: local PFX files are no longer viable. The certificate has moved to an Azure Key Vault, so the workflow needs a tool that can sign nupkgs using a remote key -- 'dotnet nuget sign' only supports local PFX paths.

Replace the PFX-based 'dotnet nuget sign' step with NuGetKeyVaultSignTool 3.2.3, pinned via a new .config/dotnet-tools.json manifest. The workflow restores the tool, acquires an access token for https://vault.azure.net through a client_credentials grant against Entra ID, and signs every produced nupkg using the remote certificate.

Required GitHub configuration:

  • secrets.AZURE_CODE_SIGNING_VAULT_URL
  • vars.AZURE_CODE_SIGNING_CERT_NAME
  • vars.AZURE_CODE_SIGNING_TIMESTAMP_SERVER
  • secrets.AZURE_CODE_SIGNING_TENANT
  • secrets.AZURE_CODE_SIGNING_APP_ID
  • secrets.AZURE_CODE_SIGNING_APP_PASSWORD

Once validated, the legacy secrets can be removed:

  • secrets.CODE_SIGN_CERTIFICATE_BASE64
  • secrets.CODE_SIGN_CERTIFICATE_PASSWORD
  • secrets.CODE_SIGN_CERTIFICATE_TIMESTAMPER_URL

anaiberta added 5 commits May 14, 2026 09:28
Code signing requirements now mandate HSM-compatible certificate storage:
local PFX files are no longer viable. The certificate has moved to an
Azure Key Vault, so the workflow needs a tool that can sign nupkgs using
a remote key -- 'dotnet nuget sign' only supports local PFX paths.

Replace the PFX-based 'dotnet nuget sign' step with NuGetKeyVaultSignTool
3.2.3, pinned via a new .config/dotnet-tools.json manifest. The workflow
restores the tool, acquires an access token for https://vault.azure.net
through a client_credentials grant against Entra ID, and signs every
produced nupkg using the remote certificate.

Required GitHub configuration:
- secrets.AZURE_CODE_SIGNING_VAULT_URL
- vars.AZURE_CODE_SIGNING_CERT_NAME
- vars.AZURE_CODE_SIGNING_TIMESTAMP_SERVER
- secrets.AZURE_CODE_SIGNING_TENANT
- secrets.AZURE_CODE_SIGNING_APP_ID
- secrets.AZURE_CODE_SIGNING_APP_PASSWORD

Once validated, the legacy secrets can be removed:
- secrets.CODE_SIGN_CERTIFICATE_BASE64
- secrets.CODE_SIGN_CERTIFICATE_PASSWORD
- secrets.CODE_SIGN_CERTIFICATE_TIMESTAMPER_URL
GitHub deprecated Node.js 20 action runtimes and will force them onto
Node.js 24 starting June 2, 2026. The pinned versions of actions/checkout
and actions/setup-dotnet still ship Node 20 binaries and trigger the
deprecation warning on every run.

Bump to the latest releases whose action.yml declares 'using: node24':
- actions/checkout v2 -> v6
- actions/setup-dotnet v2 -> v5
Adds 'feature/azure-keyvault-signing' to the push triggers so the full
build/sign/publish pipeline runs against this branch and we can confirm
the Azure Key Vault signing step works end-to-end before merging.

Must be reverted before this PR is merged.
The previous TEMP commit added 'feature/azure-keyvault-signing' to the
push triggers so the signing step could be exercised, but that also
caused 'Configure Azure Artifacts feed' and 'Publish' to push a real
prerelease nupkg to Azure Artifacts. We only want to validate signing,
not pollute the feed.

Add a ref_name guard to both publish-related steps so the workflow
stops after the Sign step on this branch.

Must be reverted (together with the push-trigger entry) before merge.
Reverts the two TEMP commits added to exercise the new signing step on
this branch:
- 'ci: TEMP run build on feature branch to validate signing' (eb7c2b0)
- 'ci: TEMP skip publish on test branch, sign-only run' (9183690)

The signing step has been confirmed working end-to-end, so the push
trigger entry and the ref_name guards on Configure/Publish are no
longer needed.
@anaiberta anaiberta requested a review from claudiamurialdo May 14, 2026 12:46
@anaiberta anaiberta merged commit 205f2cc into 5.2-GX May 14, 2026
1 check passed
@anaiberta anaiberta deleted the feature/azure-keyvault-signing branch May 14, 2026 12:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant