[CON-3172] on release sign nuget packages with new gcp hsm codesigning key

.github/signing_cert.cer

@@ -0,0 +1,44 @@
+-----BEGIN CERTIFICATE-----
+MIIHWTCCBUGgAwIBAgIQCpHMILHwf3nyTsiLiesqxzANBgkqhkiG9w0BAQsFADBp
+MQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xQTA/BgNVBAMT
+OERpZ2lDZXJ0IFRydXN0ZWQgRzQgQ29kZSBTaWduaW5nIFJTQTQwOTYgU0hBMzg0
+IDIwMjEgQ0ExMB4XDTI1MTAxNzAwMDAwMFoXDTI4MTAxNjIzNTk1OVowYTELMAkG
+A1UEBhMCR0IxDzANBgNVBAcTBkxvbmRvbjEZMBcGA1UEChMQUGF5bWVudHNlbnNl
+IEx0ZDELMAkGA1UECxMCSVQxGTAXBgNVBAMTEFBheW1lbnRzZW5zZSBMdGQwggIi
+MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCwt8TRu8c3YXVLlNdwEjjyyUGF
+moknHdaBVrjqnclx1jioJLvcqkdRZZWn/gMF8wxfIng3guPy84O+R6BNqryB+osP
+D2Q6m6Ns1nDjgKRRb9GtnBYH3CnPOgCMbrno52TSWIRbFh30aYyCcyq6nfwtOufG
+4a/zBz1xyR+VBabOT2pZailIHnbPhy49Kr1gXhE0szzc0lUIcYb5emTSp9TXVma3
+5PXJ7WEPddFm8qr03JzmcDIE0GBlTQK67UD7wFq9l1iaF7n/ryvauA17QCDwSSwA
+ov7LwMuU57iAHjEDw8aLggiR0xZf850QVMHPxnPWbgrmBNGXMhNO1Q/6j3g8j7ly
+YSRxguAVL/zrmziJYLKNKeiLPOpP+5IBTQeoFlq9+GIXctxfuOTbahzzHr/aFeHd
+BVhIKj7V5Jo98GjJ8FUX0MbmkTJicI7Bl65eLrxKFwODUtEA74FtDCAC2rUhOnXi
+YXq8cp3+LLnJxF+bNRjgnOxcdqD3otZl7cGbnBcvbjEdguk4qdCOpRNRErSQmqjr
+Cr1JOqeVdIAeexH27UhKkdSgow1LEkb8/eKglL9DERw2b0666ZwAN2kfERmkdCgF
+DYxgYTDlPZVm38TYwAWn89nP3U4nnoRyj8l+jClyDFMvpf0nnD4DiuVdrCTeD6l9
+u79sxiJ2RU3sZyYL9QIDAQABo4ICAzCCAf8wHwYDVR0jBBgwFoAUaDfg67Y7+F8R
+hvv+YXsIiGX0TkIwHQYDVR0OBBYEFIGihPIgnHqk5D1mCehD4lkvNNbyMD4GA1Ud
+IAQ3MDUwMwYGZ4EMAQQBMCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93d3cuZGlnaWNl
+cnQuY29tL0NQUzAOBgNVHQ8BAf8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwMw
+gbUGA1UdHwSBrTCBqjBToFGgT4ZNaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL0Rp
+Z2lDZXJ0VHJ1c3RlZEc0Q29kZVNpZ25pbmdSU0E0MDk2U0hBMzg0MjAyMUNBMS5j
+cmwwU6BRoE+GTWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRydXN0
+ZWRHNENvZGVTaWduaW5nUlNBNDA5NlNIQTM4NDIwMjFDQTEuY3JsMIGUBggrBgEF
+BQcBAQSBhzCBhDAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29t
+MFwGCCsGAQUFBzAChlBodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNl
+cnRUcnVzdGVkRzRDb2RlU2lnbmluZ1JTQTQwOTZTSEEzODQyMDIxQ0ExLmNydDAJ
+BgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4ICAQAYYvk6BPLFv5E5ZQz3cei56CDt
+ZUnNXsoitiSg7oOdIYQiOK99rQZYKpuDTROCGG2aFOtiJhB8oewWxmRoknoMLoL6
+WZIjp1X5E2T6jK9Dy05YVLFGB+UhaINRHzoLhvv9dXpm2iBjkoN2Da3fCVyHNIrF
+VMo+AV7o48vvmsKZNQ62zF9k0mrQJka+1OJ9H4xdMzy1zlEMkgkOXqLxvz1rR9PK
+JpmMPVrmhaEhNiEwE0Wx+b8eXREd1N3yGEafdMwR7rIcvWT68y7cLgJx9iVS+znh
+MnL1n/qTHxmeqcffiiJh7ybg9q+uwCEkThnQaikZMF7sHkJ5Eui8SRd2AK8HmkXp
+bBPuLSvp24Upd6AErO5aMAkc8/wsWUNkSEzm0JhH+Ui4vYtztzRkCVHHZrw5dU+K
+fJ2gIi3LwXwE+6CU3dA20fZc4RvEE+VwQ8zLs2c1rA3Qv2x/gexaSJdrVZGTEEvW
+SLB/XsGYbIj5zyDZo33Iet5o6wfQWMGirDF7vKlqwafpBErLipDj805h7GGMx7pb
+qVSKomSbUDZGaqQxNJ6xoyI38FHaZQ3RpkDvqXegbQRQwKcBhjuXfFGi5cdak6f9
+o6ysjcG01v1rJ/krQRw4Wsbfhi5FVWldAuonMrjdTgdJSQZ0exb45WS3/UuDmbDA
+NpO1t9/kEbBOBnIrKw==
+-----END CERTIFICATE-----
+
+

.github/workflows/release.yml

@@ -10,12 +10,16 @@ jobs:
       BUILD_CONFIG: 'Release'
       PROJECT: 'Dojo.Net.csproj'
 
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: 'read'
+      id-token: 'write'
+
     defaults:
       run:
         working-directory: ./src
 
-    runs-on: ubuntu-latest
-
     steps:
     - uses: actions/checkout@v4
 
@@ -27,24 +31,66 @@ jobs:
     - name: Restore dependencies
       run: dotnet restore
 
+    - name: Authenticate to Google Cloud
+      uses: google-github-actions/auth@v2
+      with:
+        project_id: ${{ secrets.GCP_PROJECT_ID }}
+        workload_identity_provider: ${{ secrets.GCP_WIF_PROVIDER }}
+
+    - name: Setup Google Cloud SDK
+      uses: google-github-actions/setup-gcloud@v3
+
+    - name: Download Jsign
+      working-directory: ${{ github.workspace }}
+      run: |
+        version="7.4"
+        downloadUrl="https://github.com/ebourg/jsign/releases/download/$version/jsign-$version.jar"
+
+        echo "Downloading Jsign v$version from $downloadUrl"
+        wget -q $downloadUrl -O jsign.jar
+
+        echo "Jsign downloaded successfully"
+
+    - name: Restore dependencies
+      run: dotnet restore
+
     - name: Build
-      run: dotnet build --configuration $BUILD_CONFIG -p:Version=${{ github.event.release.tag_name }} --no-restore
+      run: dotnet build --configuration $BUILD_CONFIG -p:Version=${{ github.event.release.tag_name || '0.0.1-test' }} --no-restore
 
     - name: Run tests
       run: dotnet test /p:Configuration=$BUILD_CONFIG --no-restore --no-build --verbosity normal
-
-
-    # RELEASE UNSIGNED FOR NOW, new signing cert in a gcp wallet is being issued,
-    # waiting to get workload identity federation for this repo to be set up
-    # - name: Export certificate
-    #   id: write_file
-    #   uses: timheuer/base64-to-file@v1.1
-    #   with:
-    #     fileName: 'sign.cer'
-    #     encodedString: ${{ secrets.NUGET_SIGNING_CERT }}
-
-    # - name: Sign
-    #   run: dotnet nuget sign **\*.nupkg --certificate-path ${{ steps.write_file.outputs.filePath }} --certificate-password ${{ secrets.NUGET_SIGNING_CERT_PASSWORD }} --timestamper http://timestamp.digicert.com
+
+    - name: Sign NuGet packages
+      run: |
+        certPath="${{ github.workspace }}/.github/signing_cert.cer"
+        jsignJar="${{ github.workspace }}/jsign.jar"
+        kmsKeyPath="projects/${{ secrets.GCP_PROJECT_ID }}/locations/europe-west2/keyRings/EVCodeSigningKeyRing/cryptoKeys/EVCodeSignDojo/cryptoKeyVersions/1"
+        accessToken=$(gcloud auth print-access-token)
+
+        echo "Signing NuGet packages with Jsign + Google Cloud KMS"
+
+        # Find all .nupkg files (excluding symbols packages)
+        find . -name "*.nupkg" ! -name "*.symbols.nupkg" | while read package; do
+          echo "Signing $package"
+
+          java -jar "$jsignJar" \
+            --storetype GOOGLECLOUD \
+            --keystore "projects/${{ secrets.GCP_PROJECT_ID }}/locations/europe-west2/keyRings/EVCodeSigningKeyRing" \
+            --storepass "$accessToken" \
+            --alias "EVCodeSignDojo/cryptoKeyVersions/1" \
+            --certfile "$certPath" \
+            --tsaurl "http://timestamp.digicert.com" \
+            --tsmode RFC3161 \
+            "$package"
+
+          if [ $? -ne 0 ]; then
+            echo "Failed to sign package: $package"
+            exit 1
+          fi
+        done
+
+        echo "All packages signed successfully"
 
     - name: Publish
-      run: dotnet nuget push **/*.nupkg --source 'https://api.nuget.org/v3/index.json' --api-key ${{secrets.NUGET_API_KEY}}
+      if: ${{ github.event_name == 'release' }}
+      run: dotnet nuget push '**/*.nupkg' --source 'https://api.nuget.org/v3/index.json' --api-key ${{secrets.NUGET_API_KEY}} --skip-duplicate

CODEOWNERS

@@ -1 +1,2 @@
 * @Dojo-Engineering/remote-payments
+* @Dojo-Engineering/core_payments-integration_platform