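--- a/scripts/sdk/generate-cert.sh
+++ b/scripts/sdk/generate-cert.sh
@@ -0,0 +1,34 @@
+#!/usr/bin/env bash
+set -euo pipefail
+# Generates an offline-friendly code-signing certificate (self-signed) for NuGet package signing.
+
+OUT_DIR=${OUT_DIR:-out/sdk-signing}
+SUBJECT=${SUBJECT:-"/CN=StellaOps SDK Signing/O=StellaOps"}
+DAYS=${DAYS:-3650}
+PFX_NAME=${PFX_NAME:-sdk-signing.pfx}
+PASSWORD=${PASSWORD:-""}
+
+mkdir -p "$OUT_DIR"
+
+PRIV="$OUT_DIR/sdk-signing.key"
+CRT="$OUT_DIR/sdk-signing.crt"
+PFX="$OUT_DIR/$PFX_NAME"
+
+openssl req -x509 -newkey rsa:4096 -sha256 -days "$DAYS" \
+-nodes -subj "$SUBJECT" -keyout "$PRIV" -out "$CRT"
+
+openssl pkcs12 -export -out "$PFX" -inkey "$PRIV" -in "$CRT" -passout pass:"$PASSWORD"
+
+BASE64_PFX=$(base64 < "$PFX" | tr -d '\n')
+
+cat > "$OUT_DIR/README.txt" <<EOF
+PFX file: $PFX
+Password: ${PASSWORD:-<empty>}
+Base64:
+$BASE64_PFX
+Secrets to set:
+SDK_SIGNING_CERT_B64=$BASE64_PFX
+SDK_SIGNING_CERT_PASSWORD=$PASSWORD
+EOF
+
+printf "Generated signing cert -> %s (base64 in README)\n" "$PFX"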
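Review bot: The unencrypted private key written by `-keyout "$PRIV"` (no passphrase because of `-nodes`), the PFX, and the README.txt that repeats the PFX base64 and the password are all created under the caller's default umask, so with the usual 022 they end up world-readable. Adding `umask 077` immediately before the `mkdir -p "$OUT_DIR"` line restricts every file this script creates to its owner. The `-passout pass:"$PASSWORD"` form also puts the password into openssl's argv, where it is visible to any process listing; `PASSWORD="$PASSWORD" openssl pkcs12 -export -out "$PFX" -inkey "$PRIV" -in "$CRT" -passout env:PASSWORD` keeps it out of the command line. The `openssl req` call adds no extensions, so the certificate carries no code-signing EKU; whether the signing tool that consumes this PFX accepts that is worth confirming before relying on the output.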
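--- a/scripts/sdk/publish.sh
+++ b/scripts/sdk/publish.sh
@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+set -euo pipefail
+# Publishes signed NuGet packages to a configured feed (file or HTTP).
+
+PACKAGES_GLOB=${PACKAGES_GLOB:-"out/sdk/*.nupkg"}
+SOURCE=${SDK_NUGET_SOURCE:-"local-nugets/packages"}
+API_KEY=${SDK_NUGET_API_KEY:-""}
+
+mapfile -t packages < <(ls $PACKAGES_GLOB 2>/dev/null || true)
+if [[ ${#packages[@]} -eq 0 ]]; then
+echo "No packages found under glob '$PACKAGES_GLOB'; nothing to publish."
+exit 0
+fi
+
+publish_file() {
+local pkg="$1"
+mkdir -p "$SOURCE"
+cp "$pkg" "$SOURCE"/
+}
+
+publish_http() {
+local pkg="$1"
+dotnet nuget push "$pkg" --source "$SOURCE" --api-key "$API_KEY" --skip-duplicate
+}
+
+if [[ "$SOURCE" =~ ^https?:// ]]; then
+if [[ -z "$API_KEY" ]]; then
+echo "SDK_NUGET_API_KEY is required for HTTP source $SOURCE" >&2
+exit 1
+fi
+for pkg in "${packages[@]}"; do publish_http "$pkg"; done
+else
+for pkg in "${packages[@]}"; do publish_file "$pkg"; done
+fi
+
+echo "Published ${#packages[@]} package(s) to $SOURCE"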
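Review bot: The `^https?://` pattern on the `if [[ "$SOURCE" =~ ... ]]` line also matches plain `http://`, so a misconfigured `SDK_NUGET_SOURCE` would send `SDK_NUGET_API_KEY` to the feed in cleartext; matching only `^https://` and rejecting `http://` explicitly keeps the key off an unencrypted connection: `if [[ "$SOURCE" =~ ^https:// ]]; then` … `elif [[ "$SOURCE" =~ ^http:// ]]; then echo "Refusing to send the API key to plaintext HTTP source $SOURCE" >&2; exit 1`. Separately, `mapfile -t packages < <(ls $PACKAGES_GLOB 2>/dev/null || true)` parses `ls` output line by line, so a package path containing a newline or glob character is mis-split, and the shell already expands the unquoted glob before `ls` sees it; `shopt -s nullglob; packages=($PACKAGES_GLOB)` yields the same empty array when nothing matches without the extra process. The same `ls`-based discovery appears in scripts/sdk/sign-packages.sh. `cp "$pkg" "$SOURCE"/` would also be safer as `cp -- "$pkg" "$SOURCE"/` so a leading-dash name cannot be read as an option.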
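--- a/scripts/sdk/sign-packages.sh
+++ b/scripts/sdk/sign-packages.sh
@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+set -euo pipefail
+# Signs NuGet packages using a PKCS#12 (PFX) certificate.
+
+PACKAGES_GLOB=${PACKAGES_GLOB:-"out/sdk/*.nupkg"}
+OUT_DIR=${OUT_DIR:-out/sdk}
+TIMESTAMP_URL=${TIMESTAMP_URL:-""} # optional; keep empty for offline
+
+PFX_PATH=${PFX_PATH:-""}
+PFX_B64=${SDK_SIGNING_CERT_B64:-}
+PFX_PASSWORD=${SDK_SIGNING_CERT_PASSWORD:-}
+
+mkdir -p "$OUT_DIR"
+
+if [[ -z "$PFX_PATH" ]]; then
+if [[ -z "$PFX_B64" ]]; then
+echo "No signing cert provided (SDK_SIGNING_CERT_B64/PFX_PATH); skipping signing."
+exit 0
+fi
+PFX_PATH="$OUT_DIR/sdk-signing.pfx"
+printf "%s" "$PFX_B64" | base64 -d > "$PFX_PATH"
+fi
+
+mapfile -t packages < <(ls $PACKAGES_GLOB 2>/dev/null || true)
+if [[ ${#packages[@]} -eq 0 ]]; then
+echo "No packages found under glob '$PACKAGES_GLOB'; nothing to sign."
+exit 0
+fi
+
+for pkg in "${packages[@]}"; do
+echo "Signing $pkg"
+ts_args=()
+if [[ -n "$TIMESTAMP_URL" ]]; then
+ts_args=(--timestamp-url "$TIMESTAMP_URL")
+fi
+dotnet nuget sign "$pkg" \
+--certificate-path "$PFX_PATH" \
+--certificate-password "$PFX_PASSWORD" \
+--hash-algorithm sha256 \
+"${ts_args[@]}"
+done
+
+echo "Signed ${#packages[@]} package(s)."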
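Review bot: The decoded certificate is written to `PFX_PATH="$OUT_DIR/sdk-signing.pfx"`, i.e. into the same `out/sdk` directory that holds the packages being signed, under the default umask, and it is never removed, so the signing key material sits next to the artefacts and is easy to collect or upload with them. Writing it to a private temp file that is removed on exit keeps it out of the artefact tree: `PFX_PATH=$(mktemp)` and `trap 'rm -f -- "$PFX_PATH"' EXIT` in place of the assignment, ahead of the existing `printf "%s" "$PFX_B64" | base64 -d > "$PFX_PATH"` line (mktemp creates the file owner-only). Separately, `"${ts_args[@]}"` with an empty array is reported as an unbound variable under `set -u` on bash releases before 4.4, which would abort exactly the offline path where `TIMESTAMP_URL` is empty; `${ts_args[@]+"${ts_args[@]}"}` expands to nothing safely. The password passed on the `--certificate-password "$PFX_PASSWORD"` line is visible in the process list while each package signs; I cannot tell from the hunk whether the tool offers another input channel, so at minimum this deserves a comment in the script header.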