authorPeter Dettman <peter.dettman@bouncycastle.org>2023-04-17 00:09:21 +0700
committerPeter Dettman <peter.dettman@bouncycastle.org>2023-04-17 00:09:21 +0700
commitbd4a3f4a30c0c8fe88c2fb100336ea24ff3829b8 (patch)
treebbb7d15d252444ef461c28d1cdcbeb0264a1c0bb
parentFIx binary compatibility issues (diff)
downloadBouncyCastle.NET-ed25519-bd4a3f4a30c0c8fe88c2fb100336ea24ff3829b8.tar.xz
Basic setup for signing assemblies post-build
-rw-r--r--.gitignore2
-rw-r--r--BouncyCastle.sln6
-rw-r--r--crypto/src/BouncyCastle.Crypto.csproj11
-rw-r--r--crypto/test/BouncyCastle.Crypto.Tests.csproj5
-rw-r--r--signfile.bat26
5 files changed, 50 insertions, 0 deletions
diff --git a/.gitignore b/.gitignore
index ed8b2bc4f..65339dcef 100644
--- a/.gitignore
+++ b/.gitignore
@@ -20,6 +20,8 @@ _Resharper*/
 .idea/
 .store/
 .vs/
+BC_codesign.p12
+BC_password.txt
 
 *.nuget.props
 *.nuget.targets
diff --git a/BouncyCastle.sln b/BouncyCastle.sln
index b00aad57a..1a47c1fbd 100644
--- a/BouncyCastle.sln
+++ b/BouncyCastle.sln
@@ -9,6 +9,7 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution
 		Directory.Build.props = Directory.Build.props
 		LICENSE.md = LICENSE.md
 		README.md = README.md
+		signfile.bat = signfile.bat
 		version.json = version.json
 	EndProjectSection
 EndProject
@@ -19,15 +20,20 @@ EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
+		Publish|Any CPU = Publish|Any CPU
 		Release|Any CPU = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
 		{25326952-177B-4D34-9448-3024AF0D7B46}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
 		{25326952-177B-4D34-9448-3024AF0D7B46}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{25326952-177B-4D34-9448-3024AF0D7B46}.Publish|Any CPU.ActiveCfg = Publish|Any CPU
+		{25326952-177B-4D34-9448-3024AF0D7B46}.Publish|Any CPU.Build.0 = Publish|Any CPU
 		{25326952-177B-4D34-9448-3024AF0D7B46}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{25326952-177B-4D34-9448-3024AF0D7B46}.Release|Any CPU.Build.0 = Release|Any CPU
 		{4C1B7AC6-C338-4DB4-BB3A-E6B2F1882E7E}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
 		{4C1B7AC6-C338-4DB4-BB3A-E6B2F1882E7E}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{4C1B7AC6-C338-4DB4-BB3A-E6B2F1882E7E}.Publish|Any CPU.ActiveCfg = Publish|Any CPU
+		{4C1B7AC6-C338-4DB4-BB3A-E6B2F1882E7E}.Publish|Any CPU.Build.0 = Publish|Any CPU
 		{4C1B7AC6-C338-4DB4-BB3A-E6B2F1882E7E}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{4C1B7AC6-C338-4DB4-BB3A-E6B2F1882E7E}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
diff --git a/crypto/src/BouncyCastle.Crypto.csproj b/crypto/src/BouncyCastle.Crypto.csproj
index a22f71335..b7fc0cf30 100644
--- a/crypto/src/BouncyCastle.Crypto.csproj
+++ b/crypto/src/BouncyCastle.Crypto.csproj
@@ -24,6 +24,7 @@
 	<Product>BouncyCastle.NET</Product>
 	<PublishRepositoryUrl>true</PublishRepositoryUrl>
     <Title>BouncyCastle.NET Cryptography</Title>
+    <Configurations>Debug;Release;Publish</Configurations>
   </PropertyGroup>
 
   <!-- CI systems other than GitLab might need different conditions -->
@@ -72,6 +73,13 @@
     <GenerateDocumentationFile>true</GenerateDocumentationFile>
   </PropertyGroup>
 
+  <PropertyGroup Condition="'$(Configuration)'=='Publish'">
+    <DefineConstants />
+    <GenerateDocumentationFile>true</GenerateDocumentationFile>
+    <!-- Deterministic build. -->
+    <ContinuousIntegrationBuild>true</ContinuousIntegrationBuild>
+  </PropertyGroup>
+
   <ItemGroup>
     <None Remove="**\*.properties" />
     <None Remove="pqc\crypto\**\*.bz2" />
@@ -102,4 +110,7 @@
 		<!-- Here we can override/use any MSBuild properties set by Nerdbank.GitVersioning -->
     </PropertyGroup>
   </Target>
+  <Target Name="SignAssemblies" AfterTargets="PostBuildEvent" Condition="'$(Configuration)'=='Publish'">
+    <Exec Command="call &quot;$(ProjectDir)..\..\signfile.bat&quot; &quot;$(TargetPath)&quot;" />
+  </Target>
 </Project>
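Review bot: The `Exec` in the new SignAssemblies target forwards everything signfile.bat prints into the MSBuild output, and the script's `echo` line in the signfile.bat hunk prints the full signtool command including `/p "%CodesignPass%"`, so the signing password is written to the build log and to any CI log capture. The fix belongs in the script rather than here: drop the password from the echoed line, e.g. `echo "%SignTool%" sign /f "%CodesignFile%" /fd sha256 /tr "%TimestampUrl%" /td sha256 %Target%`, and drop the `|| exit /b 1` on that line, which can never trigger on an `echo`. If the project is multi-targeted (not visible in this hunk), the target will run once per inner build and each run pays the script's 20-second wait; a comment on the target noting that would save the next reader a surprise, e.g. `<!-- Runs once per TargetFramework; signfile.bat sleeps between requests for the timestamp server. -->`.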
diff --git a/crypto/test/BouncyCastle.Crypto.Tests.csproj b/crypto/test/BouncyCastle.Crypto.Tests.csproj
index 45a03b0e7..94d2eff7b 100644
--- a/crypto/test/BouncyCastle.Crypto.Tests.csproj
+++ b/crypto/test/BouncyCastle.Crypto.Tests.csproj
@@ -8,6 +8,7 @@
     <NoWarn>618;1591</NoWarn>
     <RootNamespace>Org.BouncyCastle</RootNamespace>
     <RunAnalyzersDuringBuild>False</RunAnalyzersDuringBuild>
+    <Configurations>Debug;Release;Publish</Configurations>
   </PropertyGroup>
 
   <PropertyGroup Condition="'$(Configuration)'=='Debug'">
@@ -18,6 +19,10 @@
     <DefineConstants>DEBUG;TRACE</DefineConstants>
   </PropertyGroup>
 
+  <PropertyGroup Condition="'$(Configuration)'=='Publish'">
+    <DefineConstants>DEBUG;TRACE</DefineConstants>
+  </PropertyGroup>
+
   <ItemGroup>
     <Compile Include="src\**\*.cs" Exclude="**\examples\**\*.cs" />
     <EmbeddedResource Include="data\**\*.*" Exclude="**\README.txt" />
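Review bot: The new Publish property group for the test project defines `DEBUG;TRACE`, duplicating the Debug constants, whereas the library's Publish configuration in BouncyCastle.Crypto.csproj clears them with `<DefineConstants />`; under Publish the tests therefore run with debug-conditional code against a release-like library. If that is intentional, a comment would make it explicit, e.g. `<!-- Publish builds the tests with Debug constants; only the library drops them. -->`; if not, the group should mirror the library and use `<DefineConstants />`.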
diff --git a/signfile.bat b/signfile.bat
new file mode 100644
index 000000000..ddf09a054
--- /dev/null
+++ b/signfile.bat
@@ -0,0 +1,26 @@
+@echo off
+
+set BatchDir=%~dp0
+set Target=%1
+
+set CodesignFile=%BatchDir%BC_codesign.p12
+set PasswordFile=%BatchDir%BC_password.txt
+set TimestampUrl=http://timestamp.comodoca.com
+rem set TimestampUrl=http://timestamp.sectigo.com
+set /p CodesignPass=<"%PasswordFile%"
+
+rem TODO Figure out how to locate this automatically, or somehow use the developer command prompt
+set SignToolDir=C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\
+set SignTool=%SignToolDir%signtool.exe
+
+echo Preparing to sign %Target%
+echo "%SignTool%" sign /f "%CodesignFile%" /fd sha256 /tr "%TimestampUrl%" /td sha256 /p "%CodesignPass%" %Target% || exit /b 1
+echo Waiting for 20 seconds before issuing command (avoid timeserver rejection)
+
+rem Timestamp server requires 15 seconds or more between signing requests
+rem When publishing need to limit parallel build tasks to 1 in Tools|Options|Projects and Solutions|Build and Run
+ping -n 20 127.0.0.1 >NUL
+
+"%SignTool%" sign /f "%CodesignFile%" /fd sha256 /tr "%TimestampUrl%" /td sha256 /p "%CodesignPass%" %Target% || exit /b 1
+
+"%SignTool%" verify /pa /tw %Target% || exit /b 1
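Review bot: The script never checks that `%1`, the certificate or the password file exist: with a missing BC_password.txt, `set /p CodesignPass=<"%PasswordFile%"` leaves CodesignPass empty and signtool fails later with a less informative error, and with a missing BC_codesign.p12 the failure surfaces only after the 20-second wait. Adding explicit guards before the wait, as below, fails fast with a clear message; using `%~1` and quoting `"%Target%"` on every use also makes the script safe to run by hand on a path containing spaces (the csproj caller already quotes `$(TargetPath)`, which is why it works today). The hard-coded `SignToolDir` is already flagged by the TODO; `timeout /t 20 /nobreak >NUL` is the conventional replacement for the `ping` sleep.
```batch
@echo off

set BatchDir=%~dp0
set Target=%~1
if "%Target%"=="" (
    echo Usage: %~nx0 ^<assembly-path^>
    exit /b 1
)

set CodesignFile=%BatchDir%BC_codesign.p12
set PasswordFile=%BatchDir%BC_password.txt
if not exist "%CodesignFile%" (
    echo Missing code-signing certificate: "%CodesignFile%"
    exit /b 1
)
if not exist "%PasswordFile%" (
    echo Missing password file: "%PasswordFile%"
    exit /b 1
)
rem ... unchanged: timestamp URL, password read, signtool location ...

echo Preparing to sign "%Target%"
rem ... unchanged: wait, sign and verify, with every %Target% written as "%Target%" ...
```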