Add support for ClickOnce (#54)

japarson · web-flow · commit 07c81171dd46 · 2024-10-08T17:51:16.000-07:00
* Add support for ClickOnce

* Fix formatting in README
diff --git a/README.md b/README.md
@@ -38,7 +38,7 @@ jobs:
         run: dotnet build --configuration Release --no-restore WpfApp
 
       - name: Sign files with Trusted Signing
-        uses: azure/trusted-signing-action@v0.4.0
+        uses: azure/trusted-signing-action@v0.5.0
         with:
           azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
           azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
@@ -279,6 +279,15 @@ pkcs7-oid: 1.3.6.1.5.5.7.3.3
 enhanced-key-usage: 1.3.6.1.5.5.7.3.3
 ```
 
+### ClickOnce
+```yaml
+# The application name for any ClickOnce files being signed.
+clickonce-application-name: My ClickOnce application name.
+
+# The publisher name for any ClickOnce files being signed.
+clickonce-publisher-name: My ClickOnce publisher name.
+```
+
 ### Miscellaneous
 ```yaml
 # The number of seconds that the Trusted Signing service will wait for all files to be signed before it exits. The default value is 300 seconds.
@@ -295,6 +304,38 @@ trace: false
 ```
 
 ## Best Practices
+### ClickOnce
+Generally you will want to sign an entire package and all its contents i.e. the deployment manifest (`.application` or `.vsto`), application manifest (`.exe.manifest` or `.dll.manifest`) and the underlying `.exe` and `.dll` files themselves. To do this, ensure that the entire contents of the package are available (i.e. the whole `publish` folder from your build) and pass the deployment manifest (`.application` or `.vsto`) as the file to sign - the rest of the files will be detected and signed in the proper order automatically.
+
+In the example below, it is only necessary to pass `ClickOnceApp.application` and `setup.exe` to the Trusted Signing Action. The remaining "Application Files" will be signed automatically.
+
+```txt
+C:\TEST\ASSETS\SAMPLE-FILES\CLICKONCE
+│   ClickOnceApp.application
+│   setup.exe
+└───Application Files
+    └───ClickOnceApp_1_0_0_0
+            ClickOnceApp.deps.json.deploy
+            ClickOnceApp.dll.deploy
+            ClickOnceApp.dll.manifest
+            ClickOnceApp.exe.deploy
+            ClickOnceApp.runtimeconfig.json.deploy
+            Launcher.exe.deploy
+```
+
+The following inputs are ignored when signing ClickOnce files:
+- `append-signature`
+- `generate-digest-path`
+- `generate-digest-xml`
+- `ingest-digest-path`
+- `sign-digest`
+- `generate-page-hashes`
+- `suppress-page-hashes`
+- `generate-pkcs7`
+- `pkcs7-options`
+- `pkcs7-oid`
+- `enhanced-key-usage`
+
 ### Timestamping
 The files must be signed with timestamping enabled in order for the signatures to be valid for longer than 3 days. It is recommended to use the Trusted Signing timestamp server:
 ```yaml
diff --git a/action.yml b/action.yml
@@ -191,6 +191,12 @@ inputs:
     description: A boolean value (true/false) that controls trace logging. The default value is false.
     required: false
     default: 'false'
+  clickonce-application-name:
+    description: The application name for any ClickOnce files being signed.
+    required: false
+  clickonce-publisher-name:
+    description: The publisher name for any ClickOnce files being signed.
+    required: false
 
 runs:
   using: 'composite'
@@ -202,9 +208,10 @@ runs:
         $defaultPath = $env:PSModulePath -split ';' | Select-Object -First 1
         "PSMODULEPATH=$defaultPath" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
         
-        "TRUSTED_SIGNING_MODULE_VERSION=0.4.1" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
+        "TRUSTED_SIGNING_MODULE_VERSION=0.5.0" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
         "BUILD_TOOLS_NUGET_VERSION=10.0.22621.3233" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
         "TRUSTED_SIGNING_NUGET_VERSION=1.0.53" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
+        "DOTNET_SIGNCLI_NUGET_VERSION=0.9.1-beta.24469.1" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
 
     - name: Cache TrustedSigning PowerShell module
       id: cache-module
@@ -236,6 +243,16 @@ runs:
         key: Microsoft.Trusted.Signing.Client-${{ steps.set-variables.outputs.TRUSTED_SIGNING_NUGET_VERSION }}
       if: ${{ inputs.cache-dependencies == 'true' }}
 
+    - name: Cache SignCli NuGet package
+      id: cache-signcli
+      uses: actions/cache@v4
+      env:
+        cache-name: cache-signcli
+      with:
+        path: ~\AppData\Local\TrustedSigning\sign\sign.${{ steps.set-variables.outputs.DOTNET_SIGNCLI_NUGET_VERSION }}
+        key: SignCli-${{ steps.set-variables.outputs.DOTNET_SIGNCLI_NUGET_VERSION }}
+      if: ${{ inputs.cache-dependencies == 'true' }}
+
     - name: Install Trusted Signing module
       shell: 'pwsh'
       run: |
@@ -452,5 +469,15 @@ runs:
           }
         }
 
+        $clickOnceApplicationName = "${{ inputs.clickonce-application-name }}"
+        if (-Not [string]::IsNullOrWhiteSpace($clickOnceApplicationName)) {
+          $params["ClickOnceApplicationName"] = $clickOnceApplicationName
+        }
+
+        $clickOncePublisherName = "${{ inputs.clickonce-publisher-name }}"
+        if (-Not [string]::IsNullOrWhiteSpace($clickOncePublisherName)) {
+          $params["ClickOncePublisherName"] = $clickOncePublisherName
+        }
+
         Invoke-TrustedSigning @params
       shell: pwsh
