Run InspectCode in your GitHub Actions

Jozef Izso — Sat, 25 Apr 2020 18:49:10 +0000

When you build .NET projects and you are using GitHub Actions to build your code, you cna now run code inspections with InspectCode without hassle.

InspectCode is a tool from the free ReSharper Command Line Tools (CTL). It can do solution-wide analysis of .NET code.

To use it in GitHub Actions, just add this code to your workflow file:

steps:
- uses: goit/setup-resharper@v1
  with:
    version: '2020.1'
- run: InspectCode SolutionFile.sln

The goit/setup-resharper action will download the ReSharper CTL and cache it locally (using the actions/tool-cache). ReSharper tools will be added to the %PATH% variable so you can use them anywhere in your build scripts.

As ReSharper CTL tools are supported on Windows, Linux and macOS (versions 2019.3 and newer) you can use the also for non-Windows builds. The setup action supports any ReSharper CTL newer then 2018.2.

Go to GitHub Marketplace to use this action, or checkout the source code at https://github.com/goit/setup-resharper

.gitattributes templates

Jozef Izso — Sat, 26 May 2018 10:01:10 +0000

gitattributes.io is a service for generating .gitattribute files from templates. The service is inspired by gitignore.io where you can quickly bootstrap your .gitignore files.

Choose templates on web interface, or use the very simple API to list template names and generate new .gitattribute file content.

To generate .gitattributes file for you web project, just call:

https://gitattributes.io/api/web

Working on a C++ project in Visual Studio? Separate multiple template names with a comma:

https://gitattributes.io/api/c++,visualstudio

The list of all template names is available at api/list endpoint:

https://gitattributes.io/api/list

This service was made possible by the project from alexkaratarakis who created the original alexkaratarakis/gitattributes repository with .gitattributes templates. You can contribute to gitattributes.io project at github.com/gitattributes

Digital Signatures in Open Source Projects

Jozef Izso — Fri, 25 May 2018 20:47:26 +0000

Originaly posted at Digital signatures for binaries in open source projects

Digital signatures provides proof that the file was authored by a trusted entity. They allow to verify the integrity of applications distributed in binary form. On Windows, software authors use Authenticode to sign the application and its setup package so Windows can verify who made the application and it allows IT adminstrators to create policies for running only trusted applications.

Open source applications (for Windows) usually are not signed because the Authenticode certificates are expensive and the learning curve for signing is quite steap.

I chose Certum to get certificate for my open source applications. The Authenticode certificate from Certum costs only around 28 EUR. If you does not have any compatible smart card which would store the certificate private key, you can buy one from Certum, but this makes the certificate a bit expensive (for hobby purposes) - the smart card costs 80 EUR and shipping is 30 EUR.

Ordering the certificate from Certum was a bit complicated and painful process as their website likes to switch to Polish language out of a sudden. Authenticode certificates must be issued to natural persons (or legal entities) so the process is not automated (as with Let's Encrypt domain validation) and you must provide them your ID card and some utility bills or bank statement to verify you identity.

Out of the box, you can use the certificate to sign applications (EXE, DLL and MSI files) with signtool.exe using the default SHA1 algorithms. You must run the proCertum CardManager application so signtool.exe can communicate with the smart card when signing binaries. Each time you are signing a file, CardManager will ask for a PIN to the certificate.

Sign application

To sign application named VCardSplitter.exe using certificate named Open Source Developer, Jozef Izso, use this command:

signtool.exe sign /n "Open Source Developer, Jozef Izso" VCardSplitter.exe

This will just sign the file. You must also add the timestamp to the signature so the signature will remain valid even after certificate expires.

signtool.exe sign /n "Open Source Developer, Jozef Izso" /fd sha1 /t http://timestamp.verisign.com/scripts/timstamp.dll VCardSplitter.exe

Signing using SHA256 algorithm

Microsoft requires new applications to be signed using SHA256 algorithm. When you configure signtool.exe to use SHA256, you will receive error when signing files. To resolve this issue, open proCertum CardManager, click Options, enable EV Code Signing - replace CSP with minidriver library and click Ok. This will reconfigure the system and the SHA256 algorithms will work correctly. Note: the certificate for open source developers from Certum is not the EV (Extended Validation) certificate. It just hapens the CSP method of signing with smart card is only compatible with the old SHA1 signatures.

With minidriver mode enable, you can sign your binaries like this:

signtool.exe sign /n "Open Source Developer, Jozef Izso" /fd sha256 /tr http://timestamp.comodoca.com VCardSplitter.exe

Signing NuGet packages

NuGet 4.6 enables signing of nuget packages. It requires the signature to be SHA256 so make sure you enabled the minidriver mode.
Signing is similar to the signtool.exe process:

nuget.exe sign library.1.0.0.nupkg -CertificateSubjectName "Open Source Developer, Jozef Izso" -Timestamper http://timestamp.comodoca.com

Switching the CSP and minidrive mode in proCertum CardManager

The proCertum CardManager uses special app called cryptoCardRegister.exe to switch between the CSP and minidriver modes of signing.
This can be change from the proCertum CardManager user interface:

Open proCertum CardManager application
Click Options button
Enable or disable the EV Code Signing - replace CSP with minidriver library checkbox
Click Ok

If you have troubles with using the UI to change the mode, you can execute cryptoCardRegister.exe directly from command prompt.

To enable CSP mode manually, use administrative prompt to run:

"C:\Program Files (x86)\Certum\proCertum CardManager\cryptoCardRegister.exe" csp

To enable minidriver mode manually, use administrative prompt to run:

"C:\Program Files (x86)\Certum\proCertum CardManager\cryptoCardRegister.exe" md

Conclusion

Digital signatures can ensure your Windows binaries can be verified to come from trusted source. As open source developer, you must invest about 100-150 EUR to get the first certificate. The certificate from Certum will be issued to you as a natural person and it will be named Open Source Developer, . After correctly changing the CardManager configuration, you can sign you Windows applications, libraries, installation packages and also nuget packages. Signing cannot be automated as you must enter the PIN each time you sign a file. This prohibits scenarios like automatic signing of build output on continous integrations services like AppVeyor.

I hope code signing certificates will get more available to open source developers and projects and cloud services could be used to automate signing as part of the build process. This would make the ecosystem of open source libraries for Windows more trusted.

Forem: Jozef Izso