[BUILD] Signing OpenTelemetry .NET DLLs Using Sigstore certificate (#…

…5880) Co-authored-by: Mikel Blanchard <[email protected]>
open-telemetry · Oct 28, 2024 · 84ff215 · 84ff215
1 parent d45060b
commit 84ff215
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 0 deletions.
diff --git a/.github/workflows/publish-packages-1.0.yml b/.github/workflows/publish-packages-1.0.yml
@@ -23,6 +23,12 @@ jobs:
 
   build-pack-publish:
     runs-on: windows-latest
+    permissions:
+      contents: read
+      id-token: write
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      COSIGN_YES: "yes"
 
     outputs:
       artifact-url: ${{ steps.upload-artifacts.outputs.artifact-url }}
@@ -39,12 +45,33 @@ jobs:
     - name: Setup dotnet
       uses: actions/setup-dotnet@v4
 
+    - name: Install Cosign
+      uses: sigstore/cosign-installer@v3
+      with:
+        cosign-release: v2.4.0
+
     - name: dotnet restore
       run: dotnet restore ./build/OpenTelemetry.proj -p:RunningDotNetPack=true
 
     - name: dotnet build
       run: dotnet build ./build/OpenTelemetry.proj --configuration Release --no-restore -p:Deterministic=true -p:BuildNumber=${{ github.run_number }} -p:RunningDotNetPack=true
 
+    - name: Sign DLLs with Cosign Keyless
+      shell: pwsh
+      run: |
+        $projectFiles = Get-ChildItem -Path src/*/*.csproj -File
+
+        foreach ($projectFile in $projectFiles) {
+            $projectName = [System.IO.Path]::GetFileNameWithoutExtension($projectFile)
+
+            Get-ChildItem -Path src/$projectName/bin/Release/*/$projectName.dll -File | ForEach-Object {
+                $fileFullPath = $_.FullName
+                Write-Host "Signing $fileFullPath"
+
+                cosign.exe sign-blob $fileFullPath --yes --output-signature $fileFullPath-keyless.sig --output-certificate $fileFullPath-keyless.pem
+            }
+        }
+
     - name: dotnet pack
       run: dotnet pack ./build/OpenTelemetry.proj --configuration Release --no-restore --no-build -p:PackTag=${{ github.ref_type == 'tag' && github.ref_name || '' }}
 

diff --git a/build/Common.prod.props b/build/Common.prod.props
@@ -60,6 +60,19 @@
     <None Include=".publicApi\**\PublicAPI.*.txt" />
   </ItemGroup>
 
+  <Target Name="IncludeSigningSignaturesInPackages" BeforeTargets="_GetTargetFrameworksOutput">
+    <!-- Note: This target adds any signatures found to nuget packages -->
+    <ItemGroup>
+      <SignatureFiles Include="$(RepoRoot)\src\$(MSBuildProjectName)\bin\$(Configuration)\*\$(MSBuildProjectName).dll-keyless.sig" />
+      <Content Include="@(SignatureFiles)" Link="%(RecursiveDir)%(Filename)%(Extension)" PackagePath="lib" />
+      <CertificateFiles Include="$(RepoRoot)\src\$(MSBuildProjectName)\bin\$(Configuration)\*\$(MSBuildProjectName).dll-keyless.pem" />
+      <Content Include="@(CertificateFiles)" Link="%(RecursiveDir)%(Filename)%(Extension)" PackagePath="lib" />
+    </ItemGroup>
+
+    <Message Importance="high" Text="**IncludeSignaturesInPackagesDebug** SignatureFiles: @(SignatureFiles)" />
+    <Message Importance="high" Text="**IncludeCertificatesInPackagesDebug** SignatureFiles: @(CertificateFiles)" />
+  </Target>
+
   <Target Name="AssemblyVersionTarget" AfterTargets="MinVer" Condition="'$(MinVerVersion)' != '' AND '$(BuildNumber)' != ''">
     <!-- Note: $(BuildNumber) is typically only set for builds initiated by the
     publish workflow. The goal here is to set the assembly FileVersion and