frostfs-sdk-csharp/release/codesign.mk
Vitaliy Potyarkin 30af614558
[#57] Add helpers for signing Nuget packages
Discussion: OBJECT-16744
Signed-off-by: Vitaliy Potyarkin <v.potyarkin@yadro.com>
2025-04-10 18:40:13 +03:00


# Which side of the signing workflow this checkout plays. The sections below
# define targets only for the values "maintainer" (the default) and "ca".
PKI_ROLE ?= maintainer

# Directory holding keys, signing requests and certificates.
PKI_DIR ?= release

# Every key below is generated as RSA: NuGet accepts only RSA signatures
# (NU3013), see
# https://learn.microsoft.com/en-us/nuget/reference/errors-and-warnings/nu3013
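ifeq ($(PKI_ROLE),maintainer)
# Maintainer side: create a code-signing key plus a certificate signing
# request (CSR), then bundle the certificate returned by the CA into a .pfx.

# Convenience alias so `make maintainer.csr` works without the directory.
.PHONY: maintainer.csr
maintainer.csr: $(PKI_DIR)/maintainer.csr

# KEY is derived from the target name. It must stay a recursive (=) variable
# because $@ only has a value while the recipe is being expanded.
$(PKI_DIR)/maintainer.csr: KEY=$(patsubst %.csr,%.key,$@)
# The rule has no prerequisites, so it runs whenever the CSR file is missing,
# even if a key is already present. The guard below stops that case from
# silently replacing the private key that an issued certificate belongs to.
# umask 077 keeps the new key unreadable for group/other regardless of the
# openssl version's own default; the CSR gets the same mode as a side effect.
# No -noenc/-nodes is passed, so openssl is expected to ask for a passphrase.
$(PKI_DIR)/maintainer.csr:
	@if [ -e "$(KEY)" ]; then \
	    echo "Refusing to overwrite existing private key $(KEY); move it away first." >&2; \
	    exit 1; \
	fi
	umask 077 && openssl req \
	    -new \
	    -newkey rsa:4096 \
	    -keyout $(KEY) \
	    -out $@ \
	    -sha256 \
	    -addext keyUsage=critical,digitalSignature \
	    -addext extendedKeyUsage=critical,codeSigning,msCodeCom \
	    -subj "/C=RU/O=TrueCloudLab/OU=TrueCloudLab/CN=frostfs-sdk-csharp Release Team"
	@printf 'IMPORTANT: Keep %s private!\n\n' "$(KEY)"
	@printf 'Certificate signing request is ready.\nSend %s to CA administrator to obtain the certificate.\n' "$@"

# Bundle key + certificate chain into PKCS#12. The certificate is first
# verified against the CA certificate so a mismatched or foreign certificate
# is rejected before the bundle is written.
# SECURITY NOTE(review): `-passout pass:` writes the bundle with an EMPTY
# export password, so the .pfx holds the signing key without passphrase
# protection. It is left as-is because the consumer of the .pfx is not visible
# here; file permissions (umask 077 below) and where the file is stored are
# the only protection. Keep it out of version control and shared storage.
$(PKI_DIR)/maintainer.pfx: $(PKI_DIR)/maintainer.cert $(PKI_DIR)/maintainer.key $(PKI_DIR)/ca.cert
	openssl verify \
	    -CAfile $(PKI_DIR)/ca.cert \
	    $(PKI_DIR)/maintainer.cert
	umask 077 && openssl pkcs12 \
	    -export \
	    -out $@ \
	    -inkey $(PKI_DIR)/maintainer.key \
	    -in $(PKI_DIR)/maintainer.cert \
	    -CAfile $(PKI_DIR)/ca.cert \
	    -chain \
	    -passout pass:
endif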
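ifeq ($(PKI_ROLE),ca)
# CA administrator side: create the signing CA once, then issue maintainer
# certificates from the CSRs that maintainers send in.

# Convenience alias so `make maintainer.cert` works without the directory.
.PHONY: maintainer.cert
maintainer.cert: $(PKI_DIR)/maintainer.cert

# CSR is derived from the target name. It must stay a recursive (=) variable
# because $@ only has a value while the recipe is being expanded.
$(PKI_DIR)/maintainer.cert: CSR=$(patsubst %.cert,%.csr,$@)
# Issue a 365-day certificate for the received CSR.
#  - The CSR is printed and the administrator must confirm before signing.
#    The prompt uses printf + plain `read` so it also works when the recipe
#    shell is a POSIX sh without `read -p`; `read` fails on EOF, so a run
#    without usable stdin aborts instead of signing an unreviewed request.
#  - `-copy_extensions copy` together with `-ext keyUsage,extendedKeyUsage`
#    is meant to carry over only those two extensions from the CSR, so a
#    request cannot grant itself anything else (e.g. CA rights) - confirm
#    against the installed openssl version's x509 documentation.
#  - `-CAcreateserial` makes openssl maintain a serial-number file next to
#    the CA files as a side effect.
#  - The CA certificate is appended after a blank separator line, so the
#    output file carries the whole chain.
# NOTE(review): the target is written in three steps; no .DELETE_ON_ERROR is
# visible in this file, so an interrupted run may leave a certificate without
# the appended CA certificate. Delete the file and re-run in that case.
$(PKI_DIR)/maintainer.cert: $(PKI_DIR)/ca.key $(PKI_DIR)/ca.cert
	openssl req -noout -text -in $(CSR)
	@printf 'Review the CSR above. Press Enter to continue, Ctrl+C to cancel\n' && read -r null
	openssl x509 \
	    -req \
	    -days 365 \
	    -in $(CSR) \
	    -copy_extensions copy \
	    -ext keyUsage,extendedKeyUsage \
	    -CA $(PKI_DIR)/ca.cert \
	    -CAkey $(PKI_DIR)/ca.key \
	    -CAcreateserial \
	    -out $@
	echo >> $@
	cat $(PKI_DIR)/ca.cert >> $@
	openssl x509 -noout -text -in $@ -fingerprint -sha256
	@printf 'Certificate is ready.\nSend %s back to maintainer.\n' "$@"

# CERT is derived from the target name (recursive = for the same $@ reason).
$(PKI_DIR)/ca.key: CERT=$(patsubst %.key,%.cert,$@)
# Create the CA key and its self-signed certificate (10 years) in one step.
# This recipe also writes $(CERT), which has no rule of its own: if ca.cert
# is missing while ca.key exists, make reports that it has no rule for it.
# umask 077 keeps the CA key unreadable for group/other regardless of the
# openssl version's own default; the certificate gets the same mode and can
# be copied out for distribution. No -noenc/-nodes is passed, so openssl is
# expected to ask for a passphrase for the key.
$(PKI_DIR)/ca.key:
	umask 077 && openssl req \
	    -x509 \
	    -newkey rsa:4096 \
	    -keyout $@ \
	    -out $(CERT) \
	    -sha256 \
	    -days 3650 \
	    -addext keyUsage=critical,keyCertSign \
	    -subj "/C=RU/O=TrueCloudLab/OU=TrueCloudLab/CN=TrueCloudLab Code Signing Certificate Authority"
	@printf 'IMPORTANT: Keep %s private!\n\n' "$@"
endif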