frostfs-sdk-csharp/release
Vitaliy Potyarkin 30af614558
[#57] Add helpers for signing Nuget packages
Discussion: OBJECT-16744
Signed-off-by: Vitaliy Potyarkin <v.potyarkin@yadro.com>
2025-04-10 18:40:13 +03:00
ca.cert [#57] Add helpers for signing Nuget packages 2025-04-10 18:40:13 +03:00
codesign.mk [#57] Add helpers for signing Nuget packages 2025-04-10 18:40:13 +03:00
README.md [#57] Add helpers for signing Nuget packages 2025-04-10 18:40:13 +03:00

Release process

Preparing release

TBD

Trusting TrueCloudLab code signing CA certificate

Verifying the signatures on TrueCloudLab packages (and signing them) requires adding the TrueCloudLab Code Signing CA to the list of trusted roots.

On Linux this can be done by appending release/ca.cert to one of:

  • /etc/pki/ca-trust/extracted/pem/objsign-ca-bundle.pem: compatible with update-ca-trust and originally proposed in .NET design docs
  • …/dotnet/sdk/X.Y.ZZZ/trustedroots/codesignctl.pem: fallback codesigning certificate trust list for .NET

Signing NuGet packages

The repository maintainer places maintainer.cert and maintainer.key (see below for how to obtain these files) into the release/ directory and then runs:

$ make build sign

Uploading packages to the NuGet registry

IMPORTANT: the following steps upload all *.nupkg files located under src/. The maintainer MUST make sure that no unnecessary package versions are uploaded to the registry.

Configure registry credentials (once per machine):

$ make nuget-registry NUGET_REGISTRY_USER=username NUGET_REGISTRY_PASSWORD=token

Publish all locally built packages (this implicitly clears existing *.nupkg files and rebuilds only the current version):

$ make clean build sign publish
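
A pre-publish check for the warning above, as an added example that is not part of this repository's codesign.mk. It lists every *.nupkg under a directory whose file name does not carry the version being released; the function name and the `<PackageId>.<Version>.nupkg` naming are assumptions.

```shell
#!/bin/sh
# Added example: guard against uploading stale package versions.
# Assumption: packages are named <PackageId>.<Version>.nupkg (usual NuGet layout).

# list_unexpected_nupkg ROOT VERSION   (hypothetical helper)
# Prints each *.nupkg under ROOT whose name does not end in ".VERSION.nupkg".
# Returns 0 if only the expected version is present,
#         1 if other packages would be uploaded too,
#         2 if there is nothing to upload at all.
list_unexpected_nupkg() {
    root=$1
    version=$2
    total=0
    unexpected=0
    tmp=$(mktemp) || return 2
    find "$root" -type f -name '*.nupkg' > "$tmp"
    while IFS= read -r pkg; do
        total=$((total + 1))
        # The quoted part of the pattern is literal, so dots in VERSION
        # match only dots and "1.0.0" does not accept "11.0.0".
        case "${pkg##*/}" in
            *".${version}.nupkg") ;;
            *) printf '%s\n' "$pkg"; unexpected=$((unexpected + 1)) ;;
        esac
    done < "$tmp"
    rm -f "$tmp"
    [ "$total" -gt 0 ] || return 2
    [ "$unexpected" -eq 0 ]
}

# Stand-alone use: sh check-nupkg.sh src 1.2.3
if [ "$#" -eq 2 ]; then
    list_unexpected_nupkg "$1" "$2"
fi
```

A non-zero exit before `make publish` means the tree under src/ holds something other than the version being released.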

Obtaining release signing certificate

The repository maintainer owns and safeguards the release signing key (maintainer.key). The private key should never leave the maintainer's machine and should be treated as a highly sensitive secret.

  • Generating a new maintainer key and the corresponding CSR:

    $ make maintainer.csr
    ...lines skipped...
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    IMPORTANT: Keep maintainer.key private!
    
    Certificate signing request is ready.
    Send maintainer.csr to CA administrator to obtain the certificate.
    

    The resulting CSR (maintainer.csr) does not contain any sensitive cryptographic material and may be passed to the CA administrator through regular communication channels.

  • The CA administrator then issues the certificate (make maintainer.cert) and sends it back to the maintainer to be used in combination with maintainer.key.

This procedure should be repeated once per machine per maintainer.cert lifetime (1 year) - typically just once per year, since we expect the maintainer to use only a single computer to sign releases.