
Code Signing Certificate Request: Nerdbank.GitVersioning #56

Closed · 6 tasks done · AArnott opened this issue Mar 6, 2020 · 16 comments
Labels
project support Use this label to request support for an existing .NET Foundation project

Comments

AArnott (Contributor) commented Mar 6, 2020:

Please fill in the information below

Certificate onboarding checklist:

  • Register trade name @ChrisSfanos
  • Create organization with DigiCert
  • Create configuration in Code Signing Service
  • Provide credentials in shared folder in LastPass
  • Request certificate from DigiCert
  • Receive certificate and finalize sign service configuration
AArnott added the "project support" label Mar 6, 2020
clairernovotny (Member) commented:

@AArnott on the certificate subject, do you want it to say Nerdbank or Nerdbank.GitVersioning?

AArnott (Contributor, author) commented Mar 6, 2020:

I have several other projects I'd like to use this on. So Nerdbank (or my full name) would be preferable.

clairernovotny (Member) commented:

@ChrisSfanos can you please use Nerdbank for the d/b/a registration?

ChrisSfanos (Collaborator) commented:

Trade name has been registered

clairernovotny (Member) commented Mar 9, 2020:

Andrew, I just invited you to the shared LastPass where the cert is set up and configured.

Three things:

  1. Here's a template of how to add code signing to the build pipeline: https://github.com/novotnyllc/CodeSigningDemo
  2. Once signing is configured, please add dotnetfoundation as a co-owner in NuGet.
  3. For the nbgv tool package, you'll need a whitelist.txt to include your binaries and not the other ones in the nupkg.

I'm happy to review any PRs/pipelines.

AArnott (Contributor, author) commented Mar 9, 2020:

Thanks.
nbgv isn't the only package that contains 3rd party binaries. My nerdbank.gitversioning package itself also contains 3rd party binaries (e.g. libgit2sharp). So I'm planning to use the special file list to sign all the binaries built from this repo and leave the rest alone. Does that sound reasonable?
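
The file-list approach described in the two comments above (sign only what this repo builds, leave LibGit2Sharp and other third-party DLLs untouched), as an added PowerShell example. It is not code from Nerdbank.GitVersioning or the .NET Foundation sign service: the one-glob-per-line filter format is an assumption modelled on the whitelist.txt mentioned earlier, and the package layout is a constructed sample, not the real nupkg.

```powershell
# Added example, not code from the project or the sign service.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-SignTargets {
    <# Partition the PE files inside a .nupkg (a zip) into "ours, sign" and
       "third-party, leave alone". $Patterns holds -like globs, one per file
       rule; the real sign service's filter syntax is an assumption here. #>
    param(
        [Parameter(Mandatory)][string]$NupkgPath,
        [Parameter(Mandatory)][string[]]$Patterns
    )
    $zip = [System.IO.Compression.ZipFile]::OpenRead($NupkgPath)
    try {
        foreach ($e in $zip.Entries) {
            if (-not $e.Name) { continue }                       # directory entry
            $path = $e.FullName -replace '\\', '/'
            if ($path -notmatch '\.(dll|exe)$') { continue }     # only PE files carry Authenticode
            # case-sensitive on purpose: a match that only works by case is a stale filter
            $hit = $Patterns | Where-Object { $path -clike $_ } | Select-Object -First 1
            [pscustomobject]@{ Path = $path; Sign = [bool]$hit; MatchedBy = $hit }
        }
    } finally { $zip.Dispose() }
}

# --- constructed sample package; the layout is illustrative, not the real one ---
$sample = Join-Path ([IO.Path]::GetTempPath()) 'sample.nupkg'
if (Test-Path $sample) { Remove-Item $sample }
$archive = [System.IO.Compression.ZipFile]::Open($sample, 'Create')
try {
    foreach ($name in @(
        'Nerdbank.GitVersioning.nuspec',
        'build/MSBuildCore/Nerdbank.GitVersioning.Tasks.dll',
        'build/MSBuildCore/LibGit2Sharp.dll',
        'build/MSBuildCore/lib/win32/x64/git2.dll',
        'build/MSBuildFull/Nerdbank.GitVersioning.Tasks.dll',
        'build/MSBuildFull/Newtonsoft.Json.dll',
        'lib/netstandard2.0/Nerdbank.GitVersioning.dll')) {
        $archive.CreateEntry($name).Open().Dispose()             # empty placeholder entry
    }
} finally { $archive.Dispose() }

# Filter: binaries built from this repo. '*' in -like also spans '/', so these
# match at any depth (lib/, build/MSBuildCore/, build/MSBuildFull/ ...).
$ours = @('*/Nerdbank.GitVersioning.dll', '*/Nerdbank.GitVersioning.*.dll')
Get-SignTargets -NupkgPath $sample -Patterns $ours | Format-Table -AutoSize

# The failure mode to watch for: an over-broad '*.dll' would put the Foundation's
# signature on LibGit2Sharp, git2 and Newtonsoft.Json, code this project did not build.
Write-Host "Would be signed by '*.dll':"
Get-SignTargets -NupkgPath $sample -Patterns @('*.dll') |
    Where-Object Sign | Select-Object -ExpandProperty Path
```

The first table shows the three Nerdbank.GitVersioning binaries marked Sign = True and the three third-party ones False; the second listing shows that a lazy `*.dll` would sweep all six in. The NuGet package signature is a separate step from this: it is applied to the whole .nupkg after the inner binaries have been Authenticode-signed, so a filter like this only governs the files inside the package.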

AArnott (Contributor, author) commented Mar 9, 2020:

Is it kosher to use this signing cert for my other projects that aren't part of the .NET Foundation?

clairernovotny (Member) commented:

It's probably not the best idea as the cert belongs to the "Nerdbank" Foundation project. One option could be to transfer the other project to the Foundation. ReactiveUI has a bunch of libraries (like Refit, Splat, Punchcard, and Akavache) that are all pretty much handled by the same team. Other projects do something similar (like Castle).

AArnott (Contributor, author) commented Mar 9, 2020:

OK, I'll avoid over-using the cert then.

I have other software like Nerdbank.Streams. The popularity is certainly not at the level of Nerdbank.GitVersioning, so I assume it's not a dotnetfoundation project candidate. But I'd be happy to learn otherwise.

AArnott closed this as completed Mar 9, 2020
AArnott (Contributor, author) commented Mar 9, 2020:

How can I get the (public) .cer file for this certificate? nuget.org is rejecting a push of a signed package until I first upload this file.

AArnott reopened this Mar 9, 2020
clairernovotny (Member) commented:

Add dotnetfoundation as a co-owner as we've already registered the cer there. You can also export it from the certificate viewer, but NuGet has asked .NET Foundation projects to be added as a co-owner anyway.

AArnott (Contributor, author) commented Mar 9, 2020:

Where is this certificate viewer you mention? What do I export the .cer file from? A file that is already signed?
I'll go ahead and add the owner as you say, but I would like to get the .cer file too.

clairernovotny (Member) commented:

Any file that's already signed. In Explorer, view the certificate and then on one of the tabs there's a "Copy to File...".

Another way is in NuGet Package Explorer: click the cert there and then one of the tabs has a "Copy to File..." button.
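
The "Copy to File..." route scripted in PowerShell, as an added example that is not from the thread, the project or the sign service. It pulls the signer certificate out of any binary the certificate has already signed, writes it as a DER .cer (the public part only, which is what nuget.org asks for), and prints the fingerprints so the upload can be compared against what nuget.org displays. The path in $SignedFile is a placeholder; Export-Certificate is the Windows PKI module cmdlet (Windows 8 / Server 2012 and later).

```powershell
# Added example, not code from the thread or the .NET Foundation sign service.
# Assumption: $SignedFile is a binary already signed with the cert (placeholder path).
$SignedFile = 'C:\path\to\Nerdbank.GitVersioning.dll'
$OutFile    = Join-Path (Get-Location) 'nerdbank-codesign.cer'

$sig = Get-AuthenticodeSignature -FilePath $SignedFile
if ($sig.Status -ne 'Valid') {
    # NotSigned / HashMismatch / UnknownError: don't export a cert you can't validate against the file
    throw "Signature on $SignedFile is '$($sig.Status)': $($sig.StatusMessage)"
}

# SignerCertificate is an X509Certificate2 carrying only the public part; the
# private key never leaves the sign service, so this export is safe to share.
$cert = $sig.SignerCertificate

# DER-encoded .cer, the same output as the certificate viewer's "Copy to File..." wizard
Export-Certificate -Cert $cert -FilePath $OutFile -Type CERT | Out-Null

# Fingerprints to compare with what nuget.org shows under the account's certificates.
# SHA-256 is computed over RawData so this works on Windows PowerShell 5.1 and PowerShell 7 alike.
$sha256 = ([System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData) |
           ForEach-Object { $_.ToString('x2') }) -join ''
[pscustomobject]@{
    Subject        = $cert.Subject
    Issuer         = $cert.Issuer
    NotAfter       = $cert.NotAfter
    Sha1Thumbprint = $cert.Thumbprint     # what the Windows certificate viewer shows
    Sha256         = $sha256
    ExportedTo     = $OutFile
}
```

Get-AuthenticodeSignature reads PE (and script) signatures, not NuGet package signatures; for a signed .nupkg the signer certificate lives in the package's .signature.p7s entry, and SDKs released after this thread (`dotnet nuget verify --all`, .NET 5 SDK onward) print its SHA-256 fingerprint directly.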

AArnott closed this as completed Mar 9, 2020
AArnott (Contributor, author) commented Mar 9, 2020:

I'm beginning to wonder if this means I can't service older versions of packages unless I also get them to be signed as well. I guess I should have based my code sign commit on my v2.x branch. I guess I can do that if I ever need to service them.

clairernovotny (Member) commented:

Once NuGet has a cert attached, future submissions for it will need to be signed. The code signing commit could be cherry-picked to the 2.x branch if needed.
