From f7d6df300a7b73180e56c00ae4c93cd3b4a9012d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Herceg?=
Date: Wed, 12 Jul 2023 10:28:46 +0200
Subject: [PATCH] Migrated to the new signing tool
---
.github/workflows/publish-internal.yml | 16 ++++++--------
ci/scripts/Publish-NuGetPackages.ps1 | 29 +++++++++++++++++---------
src/.config/dotnet-tools.json | 12 +++++------
3 files changed, 31 insertions(+), 26 deletions(-)
diff --git a/.github/workflows/publish-internal.yml b/.github/workflows/publish-internal.yml
index 0901e6b01d..566cc4b9be 100644
--- a/.github/workflows/publish-internal.yml
+++ b/.github/workflows/publish-internal.yml
@@ -72,14 +72,7 @@ jobs:
- name: Set up
uses: ./.github/setup
-
- - name: Prepare signclient config
- if: ${{ inputs.signature-type == 'DotNetFoundation' }}
- run: Write-Output "$env:SIGN_CONFIG" | Out-File "${{ github.workspace }}/signconfig.json"
- env:
- SIGN_CONFIG: ${{ secrets.SIGN_CONFIG }}
- working-directory: ${{ github.workspace }}/src
-
+
- name: Add internal NuGet feed
run: ./ci/scripts/Add-InternalNuGetFeed.ps1 `
-internalFeed "${{ secrets.AZURE_ARTIFACTS_FEED }}" `
@@ -92,8 +85,11 @@ jobs:
-root "${{ github.workspace }}" `
-version "${{ needs.read-input.outputs.version }}" `
-signatureType "DotNetFoundation" `
- -dnfUser "${{ secrets.SIGN_USER }}" `
- -dnfSecret "${{ secrets.SIGN_SECRET }}"
+ -dnfUrl "${{ secrets.SIGN_DNF_KEYVAULT_URL }}" `
+ -dnfClientId "${{ secrets.SIGN_DNF_CLIENT_ID }}" `
+ -dnfTenantId "${{ secrets.SIGN_DNF_TENANT_ID }}" `
+ -dnfSecret "${{ secrets.SIGN_DNF_SECRET }}" `
+ -dnfCertificate "${{ secrets.SIGN_DNF_CERTIFICATE_NAME }}"

- name: Publish NuGet packages (Riganti)
if: ${{ inputs.signature-type == 'Riganti' }}
diff --git a/ci/scripts/Publish-NuGetPackages.ps1 b/ci/scripts/Publish-NuGetPackages.ps1
index aaae486207..22f54fceed 100644
--- a/ci/scripts/Publish-NuGetPackages.ps1
+++ b/ci/scripts/Publish-NuGetPackages.ps1
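Review bot: The five new `-dnf*` arguments splice `${{ secrets.* }}` values directly into the text of the pwsh `run:` script, whereas the step this patch deletes handed `SIGN_CONFIG` to the script through `env:`. A secret containing a double quote, a backtick or `$` would break or alter the generated command line, and the usual recommendation is to pass such values to a run step as environment variables rather than inline expressions; the `run:` step and any `env:` it already has begin outside this hunk. For the client secret at least, prefer an `env:` entry such as `SIGN_DNF_SECRET: ${{ secrets.SIGN_DNF_SECRET }}` and reference it as `-dnfSecret "$env:SIGN_DNF_SECRET"`. The `SIGN_CONFIG`, `SIGN_USER` and `SIGN_SECRET` repository secrets are no longer read by this workflow and can be retired once the old signclient credential has been revoked.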
@@ -3,8 +3,11 @@ param(
[string][parameter(Mandatory = $true)]$version,
[string]$internalFeedName = "riganti",
[string]$signatureType = "DotNetFoundation",
- [string]$dnfUser,
+ [string]$dnfUrl,
+ [string]$dnfClientId,
+ [string]$dnfTenantId,
[string]$dnfSecret,
+ [string]$dnfCertificate,
[string]$rigantiUrl,
[string]$rigantiClientId,
[string]$rigantiTenantId,
@@ -15,8 +18,12 @@ param(
$root = Resolve-Path "$root"

if ("$signatureType" -eq "DotNetFoundation") {
- if (([string]::IsNullOrEmpty($dnfUser) -or [string]::IsNullOrEmpty($dnfSecret))) {
- throw "-dnfUser and -dnfSecret are required when signing using signclient"
+ if ([string]::IsNullOrEmpty($dnfUrl) `
+ -or [string]::IsNullOrEmpty($dnfClientId) `
+ -or [string]::IsNullOrEmpty($dnfTenantId) `
+ -or [string]::IsNullOrEmpty($dnfSecret) `
+ -or [string]::IsNullOrEmpty($dnfCertificate)) {
+ throw "-dnfUrl, -dnfClientId, -dnfTenantId, -dnfSecret, and -dnfCertificate when signing using dotnet sign"
}
} elseif ("$signatureType" -eq "Riganti") {
if ([string]::IsNullOrEmpty($rigantiUrl) `
@@ -80,15 +87,17 @@ function Set-AllPackageSignatures {
$packageName = [System.IO.Path]::GetFileNameWithoutExtension($package);

if ($signatureType -eq "DotNetFoundation") {
- dotnet signclient sign `
+ dotnet sign code azure-key-vault `
+ "$package" `
--baseDirectory "$root/artifacts/packages" `
- --input "$package" `
- --config "$root/signconfig.json" `
- --user "$dnfUser" `
- --secret "$dnfSecret" `
- --name "$packageName" `
+ --publisher-name "DotVVM"
--description "$("$packageName" + " " + $env:DOTVVM_VERSION)" `
- --descriptionUrl "https://github.com/riganti/dotvvm"
+ --descriptionUrl "https://github.com/riganti/dotvvm" `
+ --azure-key-vault-url "$dnfUrl" `
+ --azure-key-vault-client-id "$dnfClientId" `
+ --azure-key-vault-tenant-id "$dnfTenantId" `
+ --azure-key-vault-client-secret "$dnfSecret" `
+ --azure-key-vault-certificate "$dnfCertificate"
} elseif ($signatureType -eq "Riganti") {
dotnet NuGetKeyVaultSignTool sign `
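Review bot: The new throw message in the DotNetFoundation branch lost its verb — `"-dnfUrl, -dnfClientId, -dnfTenantId, -dnfSecret, and -dnfCertificate when signing using dotnet sign"` is a fragment, unlike the `... are required when signing using signclient` text it replaces, so an operator who hits it has to guess what went wrong. Suggest `throw "-dnfUrl, -dnfClientId, -dnfTenantId, -dnfSecret and -dnfCertificate are required when signing using dotnet sign"`. The guard itself covers the same five parameters the `dotnet sign` call later in the script consumes, which is the right set.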
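Review bot: The added `--publisher-name "DotVVM"` line carries no trailing backtick, so as this hunk reads the `dotnet sign code azure-key-vault` statement ends there: `--description`, `--descriptionUrl` and all five `--azure-key-vault-*` arguments never reach the tool, and the following `--description ...` line is parsed as a statement of its own, which PowerShell will most likely reject as an unrecognised command. The fix is the one line `--publisher-name "DotVVM" `` with the continuation backtick restored. Separately, no `$LASTEXITCODE` check is visible after the external call, so a signing failure would not by itself stop the publish; `Set-AllPackageSignatures` begins and ends outside this hunk, so that may be handled elsewhere and is worth confirming.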
diff --git a/src/.config/dotnet-tools.json b/src/.config/dotnet-tools.json
index ab607c6ed9..762a929601 100644
--- a/src/.config/dotnet-tools.json
+++ b/src/.config/dotnet-tools.json
@@ -2,17 +2,17 @@
"version": 1,
"isRoot": true,
"tools": {
- "signclient": {
- "version": "1.2.33",
- "commands": [
- "SignClient"
- ]
- },
"nugetkeyvaultsigntool": {
"version": "3.2.3",
"commands": [
"NuGetKeyVaultSignTool"
]
+ },
+ "sign": {
+ "version": "0.9.1-beta.23356.1",
+ "commands": [
+ "sign"
+ ]
}
}
}
\ No newline at end of file
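Review bot: The new `sign` entry pins a prerelease build, `0.9.1-beta.23356.1`, of the tool that now produces the production package signatures, and a tool manifest carries no integrity hash — `dotnet tool restore` trusts whichever package sources are configured when it runs. The workflow in this same patch registers an internal Azure Artifacts feed through `Add-InternalNuGetFeed.ps1`; the exact version pin limits the exposure, but if that feed is in scope at restore time a `sign` package of the same version published there could be picked over the nuget.org one. Consider a `packageSourceMapping` entry in nuget.config that restricts `sign` and `nugetkeyvaultsigntool` to nuget.org, and moving to a stable release of the tool once one ships; the order of feed setup versus tool restore is not visible in this diff and needs confirming.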