Skip to content

Commit e899c01

Browse files
miss-islingtonzooba
miss-islington
and
zooba
authored
Enable signing of nuget.org packages and update to supported timestamp server (GH-23132)
(cherry picked from commit db6434c) Co-authored-by: Steve Dower <steve.dower@python.org>
1 parent 9bc0787 commit e899c01

File tree

5 files changed

+17
-8
lines changed

5 files changed

+17
-8
lines changed

.azure-pipelines/windows-release/stage-pack-msix.yml

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -120,10 +120,11 @@ jobs:
120120
artifactName: unsigned_msix
121121
downloadPath: $(Build.BinariesDirectory)
122122

123+
# MSIX must be signed and timestamped simultaneously
123124
- powershell: |
124125
$failed = $true
125126
foreach ($retry in 1..3) {
126-
signtool sign /a /n "$(SigningCertificate)" /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d "$(SigningDescription)" (gi *.msix)
127+
signtool sign /a /n "$(SigningCertificate)" /fd sha256 /tr http://timestamp.digicert.com/ /td sha256 /d "$(SigningDescription)" (gi *.msix)
127128
if ($?) {
128129
$failed = $false
129130
break

.azure-pipelines/windows-release/stage-pack-nuget.yml

Lines changed: 9 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@ jobs:
44
condition: and(succeeded(), eq(variables['DoNuget'], 'true'))
55

66
pool:
7-
vmImage: windows-2019
7+
name: 'Windows Release'
88

99
workspace:
1010
clean: all
@@ -36,6 +36,14 @@ jobs:
3636
nuget pack "$(Build.BinariesDirectory)\layout\python.nuspec" -OutputDirectory $(Build.ArtifactStagingDirectory) -NoPackageAnalysis -NonInteractive
3737
displayName: 'Create nuget package'
3838
39+
- powershell: |
40+
gci *.nupkg | %{
41+
nuget sign "$_" -CertificateSubjectName "$(SigningCertificate)" -Timestamper http://timestamp.digicert.com/ -Overwrite
42+
}
43+
displayName: 'Sign nuget package'
44+
workingDirectory: $(Build.ArtifactStagingDirectory)
45+
condition: and(succeeded(), variables['SigningCertificate'])
46+
3947
- task: PublishBuildArtifacts@1
4048
displayName: 'Publish Artifact: nuget'
4149
inputs:

.azure-pipelines/windows-release/stage-sign.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -57,7 +57,7 @@ jobs:
5757
$files = (gi ${{ parameters.Include }} -Exclude ${{ parameters.Exclude }})
5858
$failed = $true
5959
foreach ($retry in 1..10) {
60-
signtool timestamp /t http://timestamp.verisign.com/scripts/timestamp.dll $files
60+
signtool timestamp /tr http://timestamp.digicert.com/ /td sha256 $files
6161
if ($?) {
6262
$failed = $false
6363
break

PCbuild/pyproject.props

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -176,8 +176,8 @@ public override bool Execute() {
176176
<SdkBinPath Condition="!Exists($(SdkBinPath))">$(registry:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Kits\Installed Roots@KitsRoot81)\bin\x86</SdkBinPath>
177177
<SdkBinPath Condition="!Exists($(SdkBinPath))">$(registry:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Kits\Installed Roots@KitsRoot)\bin\x86</SdkBinPath>
178178
<SdkBinPath Condition="!Exists($(SdkBinPath))">$(registry:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SDKs\Windows\v7.1A@InstallationFolder)\Bin\</SdkBinPath>
179-
<_SignCommand Condition="Exists($(SdkBinPath)) and '$(SigningCertificate)' != '' and $(SupportSigning)">"$(SdkBinPath)\signtool.exe" sign /a /n "$(SigningCertificate)" /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d "Python $(PythonVersion)"</_SignCommand>
180-
<_SignCommand Condition="Exists($(SdkBinPath)) and '$(SigningCertificateSha1)' != '' and $(SupportSigning)">"$(SdkBinPath)\signtool.exe" sign /a /sha1 "$(SigningCertificateSha1)" /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d "Python $(PythonVersion)"</_SignCommand>
179+
<_SignCommand Condition="Exists($(SdkBinPath)) and '$(SigningCertificate)' != '' and $(SupportSigning)">"$(SdkBinPath)\signtool.exe" sign /a /n "$(SigningCertificate)" /fd sha256 /tr http://timestamp.digicert.com/ /td sha256 /d "Python $(PythonVersion)"</_SignCommand>
180+
<_SignCommand Condition="Exists($(SdkBinPath)) and '$(SigningCertificateSha1)' != '' and $(SupportSigning)">"$(SdkBinPath)\signtool.exe" sign /a /sha1 "$(SigningCertificateSha1)" /fd sha256 /tr http://timestamp.digicert.com/ /td sha256 /d "Python $(PythonVersion)"</_SignCommand>
181181
<_MakeCatCommand Condition="Exists($(SdkBinPath))">"$(SdkBinPath)\makecat.exe"</_MakeCatCommand>
182182
</PropertyGroup>
183183

Tools/msi/sdktools.psm1

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -37,11 +37,11 @@ function Sign-File {
3737

3838
foreach ($a in $files) {
3939
if ($certsha1) {
40-
SignTool sign /sha1 $certsha1 /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d $description $a
40+
SignTool sign /sha1 $certsha1 /fd sha256 /tr http://timestamp.digicert.com/ /td sha256 /d $description $a
4141
} elseif ($certname) {
42-
SignTool sign /a /n $certname /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d $description $a
42+
SignTool sign /a /n $certname /fd sha256 /tr http://timestamp.digicert.com/ /td sha256 /d $description $a
4343
} elseif ($certfile) {
44-
SignTool sign /f $certfile /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d $description $a
44+
SignTool sign /f $certfile /fd sha256 /tr http://timestamp.digicert.com/ /td sha256 /d $description $a
4545
}
4646
}
4747
}

0 commit comments

Comments
 (0)