Add strong-names to .NET assemblies. (#206)

aws · Sep 4, 2018 · 6d92b60 · 6d92b60
1 parent 2f34962
commit 6d92b60
Show file tree

Hide file tree

Showing 5 changed files with 82 additions and 8 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,5 +1,6 @@
 .vscode
 
+*.snk
 *.js
 *.d.ts
 dist/

diff --git a/buildspec.yaml b/buildspec.yaml
@@ -4,6 +4,9 @@ phases:
   install:
     commands:
       - /bin/bash ./install.sh
+  pre_build:
+    commands:
+      - /bin/bash ./fetch-dotnet-snk.sh
   build:
     commands:
       - /bin/bash ./build.sh

diff --git a/fetch-dotnet-snk.sh b/fetch-dotnet-snk.sh
@@ -0,0 +1,56 @@
+#!/bin/bash
+set -euo pipefail
+
+# This script retrieves the .snk file needed to create strong names for .NET assemblies.
+
+function echo_usage() {
+    echo "USAGE: Set the following environment variables, then run ./fetch-dotnet-snk.sh with no arguments."
+    echo -e "\tDOTNET_STRONG_NAME_ENABLED=true"
+    echo -e "\tDOTNET_STRONG_NAME_ROLE_ARN=<ARN of a role with access to the secret. You must have iam:AssumeRole permissions for this role.>"
+    echo -e "\tDOTNET_STRONG_NAME_SECRET_REGION=<The AWS region (i.e. us-east-2) in which in the secret is stored.>"
+    echo -e "\tDOTNET_STRONG_NAME_SECRET_ID=<The name (i.e. production/my/key) or ARN of the secret containing the .snk file.>"
+}
+
+if [ -z ${DOTNET_STRONG_NAME_ENABLED:-} ]; then
+    echo "Environment variable DOTNET_STRONG_NAME_ENABLED is not set. Skipping strong-name signing."
+    exit 0
+fi
+
+echo "Retrieving SNK..."
+
+apt update -y
+apt install jq -y
+
+if [ -z ${DOTNET_STRONG_NAME_ROLE_ARN:-} ]; then
+    echo "Strong name signing is enabled, but DOTNET_STRONG_NAME_ROLE_ARN is not set."
+    echo_usage()
+    exit 1
+fi
+
+if [ -z ${DOTNET_STRONG_NAME_SECRET_REGION:-}]; then
+    echo "Strong name signing is enabled, but DOTNET_STRONG_NAME_SECRET_REGION is not set."
+    echo_usage()
+    exit 1
+fi
+
+if [ -z ${DOTNET_STRONG_NAME_SECRET_ID:-} ]; then
+    echo "Strong name signing is enabled, but DOTNET_STRONG_NAME_SECRET_ID is not set."
+    echo_usage()
+    exit 1
+fi
+
+ROLE=$(aws sts assume-role --region ${DOTNET_STRONG_NAME_SECRET_REGION:-} --role-arn ${DOTNET_STRONG_NAME_ROLE_ARN:-} --role-session-name "jsii-dotnet-snk")
+export AWS_ACCESS_KEY_ID=$(echo $ROLE | jq -r .Credentials.AccessKeyId)
+export AWS_SECRET_ACCESS_KEY=$(echo $ROLE | jq -r .Credentials.SecretAccessKey)
+export AWS_SESSION_TOKEN=$(echo $ROLE | jq .Credentials.SessionToken)
+
+SNK_SECRET=$(aws secretsmanager get-secret-value --region ${DOTNET_STRONG_NAME_SECRET_REGION:-} --secret-id ${DOTNET_STRONG_NAME_SECRET_ID:-})
+TMP_DIR=$(mktemp -d)
+TMP_KEY="$TMP_DIR/key.snk"
+echo $SNK_SECRET | jq -r .SecretBinary | base64 --decode > $TMP_KEY
+
+cp $TMP_KEY packages/jsii-dotnet-jsonmodel/src/Amazon.JSII.JsonModel/
+cp $TMP_KEY packages/jsii-dotnet-generator/src/Amazon.JSII.Generator/
+cp $TMP_KEY packages/jsii-dotnet-runtime/src/Amazon.JSII.Runtime/
+
+rm -rf $TMP_DIR
diff --git a/packages/jsii-dotnet-generator/NuGet.Metadata.props.t.js b/packages/jsii-dotnet-generator/NuGet.Metadata.props.t.js
@@ -11,7 +11,7 @@ process.stdout.write(`<Project>
     <Authors>${package.author.name}</Authors>
     <Company>${package.author.name}</Company>
     <AssemblyOriginatorKeyFile>key.snk</AssemblyOriginatorKeyFile>
-    <SignAssembly Condition="Exists('$(AssemblyOriginatorKeyFile)')">True</SignAssembly>
+    <SignAssembly Condition=" '$(ENABLE_DOTNET_STRONG_NAME_SIGNING)' != '' ">True</SignAssembly>
   </PropertyGroup>
 </Project>
 `);
diff --git a/packages/jsii-runtime/package-lock.json b/packages/jsii-runtime/package-lock.json
-Original file line number
+Diff line change
@@ -1,5 +1,6 @@
     .vscode
+    *.snk
     *.js
     *.d.ts
     dist/
@@ Expand Down @@