TrueCloudLab/frostfs-sdk-csharp
18
0
Fork 5
Code Issues 4 Pull requests Projects Releases Packages Activity Actions

[OBJECT-16744] Add helpers for signing Nuget packages #57

Merged
PavelGrossSpb merged 2 commits from potyarkin/frostfs-sdk-csharp:feature/code-signing into master 2025-04-11 10:19:26 +00:00
Conversation 1 Commits 2 Files changed 6 +253 -3
potyarkin commented 2025-04-10 15:38:57 +00:00
Member
Copy link

This PR introduces code signing for Nuget packages:

  • Root of trust is self-signed TrueCloudLab CA
  • Maintainer certificate is issued by CA administrator for one year
  • Maintainer private key MUST not leave the machine it was generated on
  • Users need to add TrueCloudLab Code Signing CA to the list of trusted roots
  • We use timestamp.digicert.com as a third-party RFC3161 timestamp authority
  • We do not use CRLs

The rest of documentation in the README.

Existing workflow for automated publishing of unsigned release nugets will be switched off. It will still be available for manual trigger as an escape hatch.

This PR introduces code signing for Nuget packages: - Root of trust is self-signed TrueCloudLab CA - Maintainer certificate is issued by CA administrator for one year - Maintainer private key MUST not leave the machine it was generated on - Users need to add [TrueCloudLab Code Signing CA](https://git.frostfs.info/potyarkin/frostfs-sdk-csharp/src/commit/9248874a9ec1bbfa1385bfc2d1b14fb148993db0/release/ca.cert) to the list of trusted roots - We use timestamp.digicert.com as a third-party RFC3161 timestamp authority - We do not use CRLs The rest of documentation in the [README](https://git.frostfs.info/potyarkin/frostfs-sdk-csharp/src/commit/9248874a9ec1bbfa1385bfc2d1b14fb148993db0/release/README.md). Existing workflow for automated publishing of unsigned release nugets will be switched off. It will still be available for manual trigger as an escape hatch.
potyarkin added 1 commit 2025-04-10 15:38:57 +00:00
[OBJECT-16744] Add helpers for signing Nuget packages
Some checks failed
DCO / DCO (pull_request) Failing after 22s
Details
lint-build / dotnet8.0 (pull_request) Successful in 38s
Details
9248874a9e 
Signed-off-by: Vitaliy Potyarkin <v.potyarkin@yadro.com>
requested review from PavelGrossSpb 2025-04-10 15:38:57 +00:00
potyarkin force-pushed feature/code-signing from 9248874a9e to 30af614558 2025-04-10 15:41:14 +00:00 Compare
potyarkin commented 2025-04-10 15:45:37 +00:00
Author
Member
Copy link

@PavelGrossSpb, after merging this:

  • Run make maintainer.csr in repo top-level directory
    • Use a strong unique passphrase for maintainer.key
  • Send maintainer.csr to me via corporate IM
  • Do not ever share maintainer.key with anyone!
  • I will generate maintainer.cert and will send it back to you
@PavelGrossSpb, after merging this: - Run `make maintainer.csr` in repo top-level directory - Use a strong unique passphrase for `maintainer.key` - Send `maintainer.csr` to me via corporate IM - Do not ever share `maintainer.key` with anyone! - I will generate `maintainer.cert` and will send it back to you
potyarkin added 1 commit 2025-04-11 07:34:52 +00:00
[#57] ci: Disable automatic publishing of unsigned nugets
All checks were successful
DCO / DCO (pull_request) Successful in 23s
Details
lint-build / dotnet8.0 (pull_request) Successful in 41s
Details
lint-build / dotnet8.0 (push) Successful in 1m22s
Details
b390778201 
We're switching to non-automatic process for publishing signed nugets,
unsigned workflow will still be available as an escape hatch but it won't
ever be triggered automatically.

Signed-off-by: Vitaliy Potyarkin <v.potyarkin@yadro.com>
PavelGrossSpb approved these changes 2025-04-11 10:19:17 +00:00
PavelGrossSpb merged commit b390778201 into master 2025-04-11 10:19:26 +00:00
potyarkin deleted branch feature/code-signing 2025-04-11 10:20:09 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
PavelGrossSpb
Labels
Clear labels
  
Infrastructure

Infrastructure, Automation, CI/CD or DevOps related stuff

  
blocked

The issue or PR is blocked by something

  
bug

Something is not working

  
config

Configuration format update or breaking change

  
discussion

Talking about something in order to reach a decision or to exchange ideas

  
documentation

Documentation related

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
go

Language features adoption

  
help wanted

Extra attention is needed

  
internal

   
invalid

Something is wrong

  
kludge

This is a kludge and we know it

  
observability

Related to metrics, tracing and logs

  
perfomance

Perfomance related

  
question

More information is needed

  
refactoring

Refactoring

  
wontfix

This won't be fixed

No labels
Infrastructure
blocked
bug
config
discussion
documentation
duplicate
enhancement
go
help wanted
internal
invalid
kludge
observability
perfomance
question
refactoring
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: TrueCloudLab/frostfs-sdk-csharp#57
No description provided.
Delete branch "potyarkin/frostfs-sdk-csharp:feature/code-signing"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?