ci: switch to signing nuget packages via DigiCert KeyLocker

.github/workflows/Allegro.Prometheus.TrueRpsMetric.publish.yml

@@ -13,6 +13,9 @@ jobs:
       publish: true
       tagName: ${{ github.ref_name }}
     secrets:
-      nugetCertificate: ${{ secrets.NUGET_PRIVATE_KEY_P12 }}
-      nugetCertificatePassword: ${{ secrets.GPG_PRIVATE_KEY_PASSWORD }}
+      SM_CLIENT_CERT_PASSWORD: ${{ secrets.DIGICERT_SM_CLIENT_CERT_PASSWORD }}
+      SM_CLIENT_CERT_FILE_B64: ${{ secrets.DIGICERT_SM_CLIENT_CERT_FILE_B64 }}
+      SM_HOST: ${{ secrets.DIGICERT_SM_HOST }}
+      SM_API_KEY: ${{ secrets.DIGICERT_SM_API_KEY }}
+      SM_CODE_SIGNING_CERT_SHA1_HASH: ${{ secrets.DIGICERT_SM_CODE_SIGNING_CERT_SHA1_HASH }}
       nugetApiKey: ${{ secrets.NUGET_API_KEY }}

.github/workflows/template.yml

@@ -60,19 +60,51 @@ jobs:
         name: package
         path: src/${{ inputs.projectName }}/package
   publish:
-    runs-on: ubuntu-latest
+    runs-on: windows-latest
     if: inputs.publish
     needs: [build]
     steps:
-    - uses: actions/download-artifact@v3
-      with:
-        name: package
-        path: unsigned
-    - name: Save & verify certificate
-      run: |
-        echo ${{ secrets.nugetCertificate }} | base64 -d > cert.p12
-        openssl pkcs12 -in cert.p12 -nodes -passin pass:"${{ secrets.nugetCertificatePassword }}" | openssl x509 -noout -subject || "Certificate validation failed"
-    - name: Sign package
-      run: dotnet nuget sign unsigned/*.nupkg --certificate-path cert.p12 --certificate-password ${{ secrets.nugetCertificatePassword }} --timestamper http://timestamp.digicert.com --output signed
-    - name: Push package
-      run: dotnet nuget push signed/${{needs.build.outputs.nupkgFilename}} --api-key ${{ secrets.nugetApiKey }} --source https://api.nuget.org/v3/index.json
+      - uses: actions/download-artifact@v3
+        with:
+          name: package
+          path: unsigned
+      - name: NuGet Install
+        uses: NuGet/[email protected]
+        with:
+          nuget-version: latest
+      - name: Setup Certificate
+        run: |
+          echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/cognite_code_signing_github_actions.p12
+        shell: bash
+      - name: Set variables
+        id: variables
+        run: |
+          echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV" 
+          echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV" 
+          echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV" 
+          echo "SM_CODE_SIGNING_CERT_SHA1_HASH=${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}" >> "$GITHUB_ENV"
+          echo "SM_CLIENT_CERT_FILE=D:\\cognite_code_signing_github_actions.p12" >> "$GITHUB_ENV"
+        shell: bash
+      - name: Configure Digicert Secure Software Manager
+        uses: digicert/[email protected]
+        env:
+          SM_API_KEY: ${{ env.SM_API_KEY }}
+          SM_CLIENT_CERT_PASSWORD: ${{ env.SM_CLIENT_CERT_PASSWORD }}
+          SM_CLIENT_CERT_FILE: ${{ env.SM_CLIENT_CERT_FILE }}
+      - name: Setup SSM KSP on windows latest 
+        run: | 
+          smksp_registrar.exe list 
+          smctl.exe keypair ls 
+          C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user 
+          smksp_cert_sync.exe 
+          smctl.exe healthcheck
+        shell: cmd 
+      - name: Signing using Nuget
+        run: |
+          dir "%cd%\unsigned"
+          mkdir "%cd%\signed"
+          nuget sign "%cd%\unsigned\*.nupkg" -Timestamper http://timestamp.digicert.com -outputdirectory "%cd%\signed" -CertificateFingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} -HashAlgorithm SHA256 -Verbosity detailed -Overwrite
+          nuget verify -All "%cd%\signed\*.nupkg"
+        shell: cmd
+      - name: Push package
+        run: dotnet nuget push signed/${{needs.build.outputs.nupkgFilename}} --api-key ${{ secrets.nugetApiKey }} --source https://api.nuget.org/v3/index.json