up

scripts/sdk/sign-packages.sh

@@ -0,0 +1,43 @@
+#!/usr/bin/env bash
+set -euo pipefail
+# Signs NuGet packages using a PKCS#12 (PFX) certificate.
+
+PACKAGES_GLOB=${PACKAGES_GLOB:-"out/sdk/*.nupkg"}
+OUT_DIR=${OUT_DIR:-out/sdk}
+TIMESTAMP_URL=${TIMESTAMP_URL:-""} # optional; keep empty for offline
+
+PFX_PATH=${PFX_PATH:-""}
+PFX_B64=${SDK_SIGNING_CERT_B64:-}
+PFX_PASSWORD=${SDK_SIGNING_CERT_PASSWORD:-}
+
+mkdir -p "$OUT_DIR"
+
+if [[ -z "$PFX_PATH" ]]; then
+  if [[ -z "$PFX_B64" ]]; then
+    echo "No signing cert provided (SDK_SIGNING_CERT_B64/PFX_PATH); skipping signing."
+    exit 0
+  fi
+  PFX_PATH="$OUT_DIR/sdk-signing.pfx"
+  printf "%s" "$PFX_B64" | base64 -d > "$PFX_PATH"
+fi
+
+mapfile -t packages < <(ls $PACKAGES_GLOB 2>/dev/null || true)
+if [[ ${#packages[@]} -eq 0 ]]; then
+  echo "No packages found under glob '$PACKAGES_GLOB'; nothing to sign."
+  exit 0
+fi
+
+for pkg in "${packages[@]}"; do
+  echo "Signing $pkg"
+  ts_args=()
+  if [[ -n "$TIMESTAMP_URL" ]]; then
+    ts_args=(--timestamp-url "$TIMESTAMP_URL")
+  fi
+  dotnet nuget sign "$pkg" \
+    --certificate-path "$PFX_PATH" \
+    --certificate-password "$PFX_PASSWORD" \
+    --hash-algorithm sha256 \
+    "${ts_args[@]}"
+done
+
+echo "Signed ${#packages[@]} package(s)."