Skip to content

Lock AzureSignTool to 7.0.1 #4845

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
andrewnester merged 2 commits into from
Mar 27, 2026
Merged

Lock AzureSignTool to 7.0.1 #4845

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
f8158cb
Lock AzureSignTool to 7.0.1
andrewnester Mar 26, 2026
2e37d1a
added comment
andrewnester Mar 27, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 4 additions & 1 deletion .github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -98,10 +98,13 @@ jobs:
echo "::add-mask::$accessToken"
echo "AZURE_VAULT_TOKEN=$accessToken" >> $env:GITHUB_ENV

# AzureSignTool is installed from nuget.org (https://www.nuget.org/packages/AzureSignTool/7.0.1)
# Security: On Windows, NuGet verifies repository signatures by default. The package is
# version-pinned and pulled over HTTPS from nuget.org's CDN. Source: https://github.com/vcsjones/AzureSignTool
- name: Install AzureSignTool
shell: pwsh
run: |
dotnet tool install --global AzureSignTool
dotnet tool install --global AzureSignTool --version 7.0.1
Copy link
Copy Markdown
Contributor

@pietern pietern Mar 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a checksum we can verify here? If not, could you add a comment stating how this installation works, where it pulls binaries from, etc. Would be good to know this version cannot be hijacked.

Copy link
Copy Markdown
Contributor Author

@andrewnester andrewnester Mar 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not natively, I've added a comment describing how dotnet works

2e37d1a

Copy link
Copy Markdown
Contributor

@pietern pietern Mar 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TY!


- name: Run GoReleaser for Windows
uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
Expand Down
Loading