Code Signing (#553)

* Start of Code Signing

* Remove Ultz.Native from the filelist

Author: Perksey

.github/workflows/deploy.yml

@@ -19,4 +19,4 @@ jobs:
     - name: Setup NUKE
       run: dotnet tool install Nuke.GlobalTool --global
     - name: Push to NuGet
-      run: nuke PushToNuGet --configuration Release --msbuild-properties ContinuousIntegrationBuild=true SilkEnableSourceLink=true --feature-sets Android iOS --nuget-api-key ${{ secrets.NUGET_TOKEN }}
+      run: nuke PushToNuGet --configuration Release --msbuild-properties ContinuousIntegrationBuild=true SilkEnableSourceLink=true --feature-sets Android iOS --nuget-api-key ${{ secrets.NUGET_TOKEN }} --sign-username "${{ secrets.SIGN_USERNAME }}" --sign-password "${{ secrets.SIGN_PASSWORD }}"

build/codesigning/.gitignore

@@ -0,0 +1 @@
+tool/

build/codesigning/config.json

@@ -0,0 +1,13 @@
+{
+    "SignClient": {
+        "AzureAd": {
+            "AADInstance": "https://login.microsoftonline.com/",
+            "ClientId": "c248d68a-ba6f-4aa9-8a68-71fe872063f8",
+            "TenantId": "16076fdc-fcc1-4a15-b1ca-32c9a255900e"
+        },
+        "Service": {
+            "Url": "https://codesign.dotnetfoundation.org/",
+            "ResourceId": "https://SignService/3c30251f-36f3-490b-a955-520addb85001"
+        }
+    }
+}

build/codesigning/filelist.txt

@@ -0,0 +1 @@
+**/Silk.NET*

build/nuke/Build.cs

@@ -14,6 +14,7 @@
 using static Nuke.Common.Tools.MSBuild.MSBuildTasks;
 using static Nuke.Common.Tools.DotNet.DotNetTasks;
 using static Nuke.Common.IO.FileSystemTasks;
+using static Nuke.Common.Tooling.ProcessTasks;
 
 [CheckBuildProjectConfigurations]
 [UnsetVisualStudioEnvironmentVariables]
@@ -77,6 +78,8 @@ bool HasDesktopMsBuild
     [Parameter("NuGet feed")] readonly string NugetFeed = "https://api.nuget.org/v3/index.json";
     [Parameter("NuGet username")] readonly string NugetUsername;
     [Parameter("NuGet password")] readonly string NugetPassword;
+    [Parameter("Code-signing service username")] readonly string SignUsername;
+    [Parameter("Code-signing service password")] readonly string SignPassword;
     [Parameter("Extra properties passed to MSBuild commands")]
     readonly string[] MsbuildProperties = Array.Empty<string>(); 
 
@@ -223,8 +226,8 @@ Dictionary<string, object> ProcessedMsbuildProperties
             {
                 var silkDroid = SourceDirectory / "Windowing" / "Android" / "SilkDroid";
                 using var process = RuntimeInformation.IsOSPlatform(OSPlatform.Linux)
-                    ? ProcessTasks.StartProcess("bash", "-c \"./gradlew clean\"", silkDroid)
-                    : ProcessTasks.StartProcess("cmd", "/c \".\\gradlew clean\"", silkDroid);
+                    ? StartProcess("bash", "-c \"./gradlew clean\"", silkDroid)
+                    : StartProcess("cmd", "/c \".\\gradlew clean\"", silkDroid);
                 process.AssertZeroExitCode();
                 return process.Output;
             }
@@ -365,8 +368,8 @@ Dictionary<string, object> ProcessedMsbuildProperties
                 }
 
                 using var process = RuntimeInformation.IsOSPlatform(OSPlatform.Linux)
-                    ? ProcessTasks.StartProcess("bash", "-c \"./gradlew build\"", silkDroid)
-                    : ProcessTasks.StartProcess("cmd", "/c \".\\gradlew build\"", silkDroid);
+                    ? StartProcess("bash", "-c \"./gradlew build\"", silkDroid)
+                    : StartProcess("cmd", "/c \".\\gradlew build\"", silkDroid);
                 process.AssertZeroExitCode();
                 var ret = process.Output;
                 CopyFile
@@ -417,19 +420,46 @@ Dictionary<string, object> ProcessedMsbuildProperties
     Target FullPack => _ => _
         .DependsOn(BuildLibSilkDroid, RegenerateBindings, Pack);
 
-    Target PushToNuGet => _ => _
+    Target PushToNuGet => _ => _    
         .DependsOn(Pack)
         .Executes(PushPackages);
 
     Target FullPushToNuGet => _ => _
         .DependsOn(FullPack, PushToNuGet);
 
+    static string PackageDirectory => RootDirectory / "build" / "output_packages";
+    static IEnumerable<string> Packages => Directory.GetFiles(PackageDirectory, "*.nupkg")
+        .Where(x => Path.GetFileName(x).StartsWith("Silk.NET") || Path.GetFileName(x).StartsWith("Ultz.Native"));
+
     async Task PushPackages()
     {
         const int rateLimit = 300;
-        var allFiles = Directory.GetFiles(RootDirectory / "build" / "output_packages", "*.nupkg")
-            .Where(x => Path.GetFileName(x).StartsWith("Silk.NET") || Path.GetFileName(x).StartsWith("Ultz.Native"))
-            .Select((x, i) => new {Index = i, Value = x})
+        if (!string.IsNullOrWhiteSpace(SignUsername) && !string.IsNullOrWhiteSpace(SignPassword))
+        {
+            var basePath = RootDirectory / "build" / "codesigning";
+            var execPath = basePath / "tool" / (OperatingSystem.IsWindows() ? "SignClient.exe" : "SignClient");
+            if (!File.Exists(execPath))
+            {
+                DotNetToolInstall(s => s.SetToolInstallationPath(basePath / "tool").SetPackageName("SignClient"));
+            }
+
+            StartProcess
+            (
+                execPath,
+                "sign " +
+                $"--baseDirectory {PackageDirectory} " +
+                "--input \"**/*.nupkg\" " +
+                $"--config \"{basePath / "config.json"}\" " +
+                $"--filelist \"{basePath / "filelist.txt"}\" " +
+                $"--user \"{SignUsername}\" " +
+                $"--secret \"{SignPassword}\" " +
+                "--name \"Silk.NET\" " +
+                "--description \"Silk.NET\" " +
+                "--descriptionUrl \"https://github.com/dotnet/Silk.NET\""
+            ).AssertZeroExitCode();
+        }
+
+        var allFiles = Packages.Select((x, i) => new {Index = i, Value = x})
             .GroupBy(x => x.Index / rateLimit)
             .Select(x => x.Select(v => v.Value).ToList())
             .ToList();