From 87d67fe79cf9394b7d6095188e75a4318a574736 Mon Sep 17 00:00:00 2001
From: Dirk Lemstra <dirk@lemstra.org>
Date: Thu, 27 Jun 2024 20:42:02 +0200
Subject: [PATCH] Sign the NuGet package again with dotnet sign.

---
 .github/workflows/main.yml             | 64 +++++++++++---------------
 build/windows/install.dependencies.cmd |  3 ++
 2 files changed, 29 insertions(+), 38 deletions(-)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 512fa2fc5b..31ca1c5cf3 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -191,25 +191,6 @@ jobs:
       run: './build.Magick.NET.cmd ${{ matrix.quantumName }} "${{ matrix.platformName }}" Release'
       working-directory: build/windows
 
-    - name: 'Azure CLI login with federated credential'
-      if: github.event_name != 'pull_request'
-      uses: azure/login@v2
-      with:
-        client-id: ${{ secrets.AZURE_CLIENT_ID }}
-        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
-        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-
-    - name: Sign binaries
-      if: github.event_name != 'pull_request'
-      uses: azure/trusted-signing-action@v0.3.20
-      with:
-        endpoint: https://eus.codesigning.azure.net/
-        trusted-signing-account-name: ImageMagick
-        certificate-profile-name: ImageMagick
-        files-folder: 'src/Magick.NET/bin'
-        files-folder-filter: dll
-        files-folder-recurse: true
-
     - name: Set NuGet version
       run: ./set.version.ps1
       working-directory: publish
@@ -218,6 +199,19 @@ jobs:
       run: './publish.cmd ${{ matrix.quantumName }} "${{ matrix.platformName }}"'
       working-directory: publish
 
+    - name: Azure CLI login with federated credential
+      if: github.event_name != 'pull_request'
+      uses: azure/login@v2
+      with:
+        client-id: ${{ secrets.AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+    - name: Sign NuGet package
+      if: ${{ github.event_name != 'pull_request' }}
+      run: sign code trusted-signing --trusted-signing-account ImageMagick --trusted-signing-certificate-profile ImageMagick --trusted-signing-endpoint https://eus.codesigning.azure.net --verbosity information *.nupkg
+      working-directory: publish/output
+
     - name: Upload library
       uses: actions/upload-artifact@v4
       with:
@@ -260,25 +254,6 @@ jobs:
       run: './build.Magick.NET.cmd "Q8" "Any CPU" Release'
       working-directory: build/windows
 
-    - name: 'Azure CLI login with federated credential'
-      if: github.event_name != 'pull_request'
-      uses: azure/login@v2
-      with:
-        client-id: ${{ secrets.AZURE_CLIENT_ID }}
-        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
-        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-
-    - name: Sign binaries
-      if: github.event_name != 'pull_request'
-      uses: azure/trusted-signing-action@v0.3.20
-      with:
-        endpoint: https://eus.codesigning.azure.net/
-        trusted-signing-account-name: ImageMagick
-        certificate-profile-name: ImageMagick
-        files-folder: 'src/Magick.NET.${{ matrix.libraryName }}/bin'
-        files-folder-filter: dll
-        files-folder-recurse: true
-
     - name: Set NuGet version
       run: ./set.version.ps1
       working-directory: publish
@@ -287,6 +262,19 @@ jobs:
       run: './publish.library.cmd "Magick.NET.${{ matrix.libraryName }}"'
       working-directory: publish
 
+    - name: Azure CLI login with federated credential
+      if: github.event_name != 'pull_request'
+      uses: azure/login@v2
+      with:
+        client-id: ${{ secrets.AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+    - name: Sign NuGet package
+      if: ${{ github.event_name != 'pull_request' }}
+      run: sign code trusted-signing --trusted-signing-account ImageMagick --trusted-signing-certificate-profile ImageMagick --trusted-signing-endpoint https://eus.codesigning.azure.net --verbosity information *.nupkg
+      working-directory: publish/output
+
     - name: Upload library
       uses: actions/upload-artifact@v4
       with:
diff --git a/build/windows/install.dependencies.cmd b/build/windows/install.dependencies.cmd
index d22104dbf7..58e882864f 100644
--- a/build/windows/install.dependencies.cmd
+++ b/build/windows/install.dependencies.cmd
@@ -5,3 +5,6 @@ if %errorlevel% neq 0 exit /b %errorlevel%
 
 ..\..\tools\windows\gs1000w32.exe /S
 if %errorlevel% neq 0 exit /b %errorlevel%
+
+dotnet tool install --global sign --version 0.9.1-beta.24325.5
+if %errorlevel% neq 0 exit /b %errorlevel%