Ahmad Noman Musleh

How to sign a nuget package while using Github actions for publishing

We were successfully using GitHub Actions to publish one of our NuGet packages. Recently our company published another package on our NuGet organization account which is signed and is managed by another team, so suddenly we noticed our GitHub publish actions aren't working anymore because our package is not signed, and due to NuGet rules, if one package under an organization is signed then all future publishes must use signed packages.

We tried to find a way to do this with GitHub Actions, but we were not able to find any example or tutorial online.

Now we are back to publishing the package manually. Does anybody know how to sign and publish a package with a GitHub Action? The package is open source, so there must be a way to keep the certificate secret and not inside the public repository.

This is our Action:

name: Publish Nuget Package When Pre-Released

# Runs only when a GitHub pre-release is created for the repository
on:
  release:
    types: [prereleased]

jobs:
  build:
    runs-on: ubuntu-latest

    env:
      BUILD_CONFIG: 'Release'
      PROJECT: 'src/OpenAPI.Net/OpenAPI.Net.csproj'

    steps:
    - uses: actions/checkout@v2

    - name: Setup NuGet
      uses: NuGet/[email protected]
      with:
        nuget-api-key: ${{secrets.NUGET_API_KEY}}
        nuget-version: 'latest'

    - name: Restore dependencies
      run: nuget restore $PROJECT

    - name: Setup .NET
      uses: actions/setup-dotnet@v1
      with:
        dotnet-version: '6.0.x'

    - name: Build
      run: dotnet build $PROJECT --configuration $BUILD_CONFIG --no-restore

    - name: Set Execution Permission For decrypt_certificate.sh
      run: chmod +x ./decrypt_certificate.sh

    # Decrypts the GPG-encrypted PFX committed to the repository into $HOME/secrets,
    # using the passphrase stored as a repository secret
    - name: Decrypt Certificate
      run: ./decrypt_certificate.sh
      env:
        CERTIFICATE_GPG_PASSPHRASE: ${{secrets.CERTIFICATE_GPG_PASSPHRASE}}

    # Copies the PFX (which contains the private key) into the system CA store and
    # points git at it as its CA bundle
    - name: Importing Certificate
      run: sudo cp $HOME/secrets/certificate.pfx /usr/share/ca-certificates/certificate.pfx ; sudo dpkg-reconfigure ca-certificates ; sudo update-ca-certificates ; git config --global http.sslCAInfo /usr/share/ca-certificates/certificate.pfx

    # Signs every built .nupkg with the PFX; the PFX password is passed on the command line
    - name: Sign Package
      run: nuget sign **\*.nupkg -CertificatePath $HOME/secrets/certificate.pfx -Timestamper http://timestamp.digicert.com/ -CertificatePassword ${{secrets.CERTIFICATE_PASSWORD}} -NonInteractive

    - name: Publish Package
      run: nuget push **\*.nupkg -Source 'https://api.nuget.org/v3/index.json'

    - name: Publish Symbols
      run: nuget push **\*.snupkg -Source 'https://api.nuget.org/v3/index.json'


And it fails in the Sign Package step with this error:

NU3018: PartialChain: PartialChain

WARNING: NU3018: RevocationStatusUnknown: RevocationStatusUnknown

WARNING: NU3018: OfflineRevocation: OfflineRevocation

NU3018: Certificate chain validation failed.

Error: Process completed with exit code 1.

We used GPG to encrypt the certificate file and then decrypt it, based on the GitHub secrets documentation, and that part works fine.

I have used this same certificate on my local system and it works fine; I have published several versions of our package using this certificate.


Answers (1)

Ahmad Noman Musleh

We found the issue: it looks like PFX files aren't working on Linux.

So we decided to run the action on Windows, but there was no built-in tool for decrypting the certificate, so we developed our own using AES.

It's a lightweight .NET encryption/decryption tool: you encrypt the certificate file on your local system and then use the tool to decrypt the encrypted file back on GitHub Actions.

It uses AES. GitHub repository: https://github.com/afhacker/FileEncrypt/

We were able to successfully publish the package on NuGet with it, and now everything is working fine!

Please check the FileEncrypt readme if you face a similar issue.

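As an added example (not the FileEncrypt tool's own code and not part of the original answer), this is the shape of such a tool in C#: it encrypts the PFX with AES-256-GCM so only the ciphertext is committed to the public repository, and the CI step decrypts it with a key read from a GitHub secret. The environment variable name FILE_ENCRYPT_KEY and the on-disk layout (nonce || tag || ciphertext) are assumptions; GCM's authentication tag makes a modified or truncated file fail to decrypt instead of producing a silently corrupted PFX.

```csharp
// Added example, not the FileEncrypt project's code. Assumptions: a 32-byte key is
// supplied as base64 in the environment variable FILE_ENCRYPT_KEY (a repository
// secret in GitHub Actions); output layout is 12-byte nonce || 16-byte tag || ciphertext.
using System;
using System.IO;
using System.Security.Cryptography;

static class CertFileCrypto
{
    const int NonceSize = 12, TagSize = 16;

    static byte[] LoadKey()
    {
        string b64 = Environment.GetEnvironmentVariable("FILE_ENCRYPT_KEY")
            ?? throw new InvalidOperationException("FILE_ENCRYPT_KEY is not set");
        byte[] key = Convert.FromBase64String(b64);
        if (key.Length != 32) throw new InvalidOperationException("key must be 32 bytes (AES-256)");
        return key;
    }

    public static void Encrypt(string inputPath, string outputPath)
    {
        byte[] plaintext = File.ReadAllBytes(inputPath);
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceSize); // fresh nonce per file; never reuse with the same key
        byte[] tag = new byte[TagSize];
        byte[] ciphertext = new byte[plaintext.Length];
        using var aes = new AesGcm(LoadKey());
        aes.Encrypt(nonce, plaintext, ciphertext, tag);
        using var fs = File.Create(outputPath);
        fs.Write(nonce); fs.Write(tag); fs.Write(ciphertext);
    }

    public static void Decrypt(string inputPath, string outputPath)
    {
        byte[] blob = File.ReadAllBytes(inputPath);
        if (blob.Length < NonceSize + TagSize) throw new CryptographicException("encrypted file is too short");
        ReadOnlySpan<byte> nonce = blob.AsSpan(0, NonceSize);
        ReadOnlySpan<byte> tag = blob.AsSpan(NonceSize, TagSize);
        ReadOnlySpan<byte> ciphertext = blob.AsSpan(NonceSize + TagSize);
        byte[] plaintext = new byte[ciphertext.Length];
        using var aes = new AesGcm(LoadKey());
        aes.Decrypt(nonce, ciphertext, tag, plaintext); // throws CryptographicException if the tag does not verify
        File.WriteAllBytes(outputPath, plaintext);
    }

    static int Main(string[] args)
    {
        if (args.Length != 3 || (args[0] != "encrypt" && args[0] != "decrypt"))
        { Console.Error.WriteLine("usage: encrypt|decrypt <input> <output>"); return 2; }
        if (args[0] == "encrypt") Encrypt(args[1], args[2]); else Decrypt(args[1], args[2]);
        return 0;
    }
}
```

Generate the key once locally (for example `openssl rand -base64 32`), store it as a repository secret, and commit only the encrypted file; in the workflow, run the decrypt command with the secret exported as FILE_ENCRYPT_KEY and pass the decrypted path to `nuget sign`.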
