release: migrate .net tool off esrp (git-ecosystem#1571)

# Summary This PR updates .NET tool payload/package signing to use the Sign CLI tool instead of ESRP. The most significant changes include the addition of a new step to download/extract the Sign CLI tool from Azure Blob Storage, the modification of signing steps to use the downloaded tool, and the removal of ESRP-related scripts. # Benefits Migrating away from ESRP comes with the following major benefits: 1. ESRP was designed for signing large-scale applications like Windows and Office, not lightweight OSS like GCM. Thus, we were somewhat abusing the ESRP service to make it work for our use case. Azure Trusted Signing (previously known as Azure Code Signing) fully supports our needs out of the box. 0. Speed - the end-to-end test runs I have completed have been running in about half the time of the workflow that was using ESRP (~10 minutes instead of ~20 minutes 🎉). # Testing I have successfully completed two end-to-end runs of the `release` workflow with these updates [in my fork](https://github.com/ldennington/git-credential-manager). # Details Changes to the release workflow: * [`.github/workflows/release.yml`](diffhunk://#diff-87db21a973eed4fef5f32b267aa60fcee5cbdf03c67fafdc2a9b553bb0b15f34L334): Zipping/unzipping steps for the unsigned payload and package were removed. The setup and running of the ESRP client were replaced with the downloading and extraction of the Sign CLI tool and the signing of the payload and package using this tool. Scripts removed: * [`.github/run_esrp_signing.py`](diffhunk://#diff-f60e53cf3706460a8d644a811df8197038395559c28d2a1bb2cc56dd235552b3L1-L135): The entire Python script for running the ESRP client has been removed. * [`.github/set_up_esrp.ps1`](diffhunk://#diff-14487115d5ba1dd214217419b4826e1789f7a917789eb0fccd90965a6510f5a0L1-L12): The PowerShell script for setting up the ESRP client has been removed.

Author: ldennington

.github/run_esrp_signing.py

@@ -331,7 +331,6 @@ jobs:
 
  dotnet-tool-payload-sign:
  name: Sign .NET tool payload
- # ESRP service requires signing to run on Windows
  runs-on: windows-latest
  environment: release
  needs: dotnet-tool-build
@@ -343,49 +342,44 @@ jobs:
  with:
  name: tmp.dotnet-tool-build
 
- - name: Zip unsigned payload
- shell: pwsh
- run: |
- Compress-Archive -Path payload payload/payload.zip
- cd payload
- Get-ChildItem -Exclude payload.zip | Remove-Item -Recurse -Force
-
  - name: Log into Azure
  uses: azure/login@v1
  with:
  client-id: ${{ secrets.AZURE_CLIENT_ID }}
  tenant-id: ${{ secrets.AZURE_TENANT_ID }}
  subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
- - name: Set up ESRP client
- shell: pwsh
+ - name: Download/extract Sign CLI tool
  env:
- AZURE_VAULT: ${{ secrets.AZURE_VAULT }}
- AZURE_STORAGE_ACCOUNT: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
- AZURE_STORAGE_CONTAINER: ${{ secrets.AZURE_STORAGE_CONTAINER }}
- ESRP_TOOL: ${{ secrets.ESRP_TOOL }}
- AUTH_CERT: ${{ secrets.AZURE_VAULT_AUTH_CERT_NAME }}
- REQUEST_SIGNING_CERT: ${{ secrets.AZURE_VAULT_REQUEST_SIGNING_CERT_NAME }}
+ AST: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
+ ASC: ${{ secrets.AZURE_STORAGE_CONTAINER }}
+ SCT: ${{ secrets.SIGN_CLI_TOOL }}
  run: |
- .github\set_up_esrp.ps1
+ az storage blob download --file sign-cli.zip --auth-mode login `
+ --account-name $env:AST --container-name $env:ASC --name $env:SCT
+ Expand-Archive -Path sign-cli.zip -DestinationPath .\sign-cli
 
- - name: Run ESRP client
- shell: pwsh
+ - name: Sign payload
  env:
- AZURE_AAD_ID: ${{ secrets.AZURE_AAD_ID }}
- NUGET_KEY_CODE: ${{ secrets.NUGET_KEY_CODE }}
- NUGET_OPERATION_CODE: ${{ secrets.NUGET_OPERATION_CODE }}
+ ACST: ${{ secrets.AZURE_TENANT_ID }}
+ ACSI: ${{ secrets.AZURE_CLIENT_ID }}
+ ACSS: ${{ secrets.AZURE_CLIENT_SECRET }}
  run: |
- python .github\run_esrp_signing.py payload `
- $env:NUGET_KEY_CODE $env:NUGET_OPERATION_CODE
+ ./sign-cli/sign.exe code azcodesign payload/* `
+ -acsu https://wus2.codesigning.azure.net/ `
+ -acsa git-fundamentals-signing `
+ -acscp git-fundamentals-windows-signing `
+ -d "Git Fundamentals Windows Signing Certificate" `
+ -u "https://github.com/git-ecosystem/git-credential-manager" `
+ -acst $env:ACST `
+ -acsi $env:ACSI `
+ -acss $env:ACSS
 
  - name: Lay out signed payload, images, and symbols
  shell: bash
  run: |
  mkdir dotnet-tool-payload-sign
- rm -rf payload
- mv images payload.sym -t dotnet-tool-payload-sign
- unzip signed/payload.zip -d dotnet-tool-payload-sign
+ mv images payload.sym payload -t dotnet-tool-payload-sign
 
  - name: Upload signed payload
  uses: actions/upload-artifact@v4
@@ -427,7 +421,6 @@ jobs:
 
  dotnet-tool-sign:
  name: Sign .NET tool package
- # ESRP service requires signing to run on Windows
  runs-on: windows-latest
  environment: release
  needs: dotnet-tool-pack
@@ -440,52 +433,44 @@ jobs:
  name: tmp.dotnet-tool-package-unsigned
  path: nupkg
 
- - name: Zip unsigned package
- shell: pwsh
- run: |
- Compress-Archive -Path nupkg/*.nupkg nupkg/gcm-nupkg.zip
- cd nupkg
- Get-ChildItem -Exclude gcm-nupkg.zip | Remove-Item -Recurse -Force
-
  - name: Log into Azure
  uses: azure/login@v1
  with:
  client-id: ${{ secrets.AZURE_CLIENT_ID }}
  tenant-id: ${{ secrets.AZURE_TENANT_ID }}
  subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
- - name: Set up ESRP client
- shell: pwsh
+ - name: Download/extract Sign CLI tool
  env:
- AZURE_VAULT: ${{ secrets.AZURE_VAULT }}
- AZURE_STORAGE_ACCOUNT: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
- AZURE_STORAGE_CONTAINER: ${{ secrets.AZURE_STORAGE_CONTAINER }}
- ESRP_TOOL: ${{ secrets.ESRP_TOOL }}
- AUTH_CERT: ${{ secrets.AZURE_VAULT_AUTH_CERT_NAME }}
- REQUEST_SIGNING_CERT: ${{ secrets.AZURE_VAULT_REQUEST_SIGNING_CERT_NAME }}
+ AST: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
+ ASC: ${{ secrets.AZURE_STORAGE_CONTAINER }}
+ SCT: ${{ secrets.SIGN_CLI_TOOL }}
  run: |
- .github\set_up_esrp.ps1
+ az storage blob download --file sign-cli.zip --auth-mode login `
+ --account-name $env:AST --container-name $env:ASC --name $env:SCT
+ Expand-Archive -Path sign-cli.zip -DestinationPath .\sign-cli
 
  - name: Sign package
- shell: pwsh
  env:
- AZURE_AAD_ID: ${{ secrets.AZURE_AAD_ID }}
- NUGET_KEY_CODE: ${{ secrets.NUGET_KEY_CODE }}
- NUGET_OPERATION_CODE: ${{ secrets.NUGET_OPERATION_CODE }}
- run: |
- python .github\run_esrp_signing.py nupkg $env:NUGET_KEY_CODE $env:NUGET_OPERATION_CODE
-
- - name: Unzip signed package
- shell: pwsh
+ ACST: ${{ secrets.AZURE_TENANT_ID }}
+ ACSI: ${{ secrets.AZURE_CLIENT_ID }}
+ ACSS: ${{ secrets.AZURE_CLIENT_SECRET }}
  run: |
- Expand-Archive -LiteralPath signed\gcm-nupkg.zip -DestinationPath .\signed -Force
- Remove-Item signed\gcm-nupkg.zip -Force
+ ./sign-cli/sign.exe code azcodesign nupkg/* `
+ -acsu https://wus2.codesigning.azure.net/ `
+ -acsa git-fundamentals-signing `
+ -acscp git-fundamentals-windows-signing `
+ -d "Git Fundamentals Windows Signing Certificate" `
+ -u "https://github.com/git-ecosystem/git-credential-manager" `
+ -acst $env:ACST `
+ -acsi $env:ACSI `
+ -acss $env:ACSS
 
  - name: Publish signed package
  uses: actions/upload-artifact@v4
  with:
  name: dotnet-tool-sign
- path: signed/*.nupkg
+ path: nupkg/*.nupkg
 
 # ================================
 # Validate