Release 2.5.1 (#1648)

**Changes:**

- Update MSAL and Avalonia to latest versions (#1640).
- Changes to release workflow to publish NuGet signing certificate
(#1594, #1644, #1647).
- Updates to Managed Identity and Service Principal docs.

.github/workflows/release.yml

@@ -177,10 +177,10 @@ jobs:
         subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
     - name: Sign payload files with Azure Code Signing
-      uses: azure/azure-code-signing-action@v0.3.1
+      uses: azure/trusted-signing-action@v0.3.20
       with:
         endpoint: https://wus2.codesigning.azure.net/
-        code-signing-account-name: git-fundamentals-signing
+        trusted-signing-account-name: git-fundamentals-signing
         certificate-profile-name: git-fundamentals-windows-signing
         files-folder: ${{ github.workspace }}\payload
         files-folder-filter: exe,dll
@@ -204,10 +204,10 @@ jobs:
          -Destination $env:GITHUB_WORKSPACE\installers
 
     - name: Sign installers with Azure Code Signing
-      uses: azure/azure-code-signing-action@v0.3.1
+      uses: azure/trusted-signing-action@v0.3.20
       with:
         endpoint: https://wus2.codesigning.azure.net/
-        code-signing-account-name: git-fundamentals-signing
+        trusted-signing-account-name: git-fundamentals-signing
         certificate-profile-name: git-fundamentals-windows-signing
         files-folder: ${{ github.workspace }}\installers
         files-folder-filter: exe
@@ -349,31 +349,16 @@ jobs:
         tenant-id: ${{ secrets.AZURE_TENANT_ID }}
         subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
-    - name: Download/extract Sign CLI tool
-      env:
-        AST: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
-        ASC: ${{ secrets.AZURE_STORAGE_CONTAINER }}
-        SCT: ${{ secrets.SIGN_CLI_TOOL }}
+    - name: Install sign CLI tool
       run: |
-        az storage blob download --file sign-cli.zip --auth-mode login `
-          --account-name $env:AST --container-name $env:ASC --name $env:SCT
-        Expand-Archive -Path sign-cli.zip -DestinationPath .\sign-cli
+        dotnet tool install -g --version 0.9.1-beta.24325.5
 
     - name: Sign payload
-      env:
-        ACST: ${{ secrets.AZURE_TENANT_ID }}
-        ACSI: ${{ secrets.AZURE_CLIENT_ID }}
-        ACSS: ${{ secrets.AZURE_CLIENT_SECRET }}
       run: |
-        ./sign-cli/sign.exe code azcodesign payload/* `
-          -acsu https://wus2.codesigning.azure.net/ `
-          -acsa git-fundamentals-signing `
-          -acscp git-fundamentals-windows-signing `
-          -d "Git Fundamentals Windows Signing Certificate" `
-          -u "https://github.com/git-ecosystem/git-credential-manager" `
-          -acst $env:ACST `
-          -acsi $env:ACSI `
-          -acss $env:ACSS
+        sign.exe code trusted-signing payload/* `
+          -tse https://wus2.codesigning.azure.net/ `
+          -tsa git-fundamentals-signing `
+          -tscp git-fundamentals-windows-signing
 
     - name: Lay out signed payload, images, and symbols
       shell: bash
@@ -440,37 +425,37 @@ jobs:
         tenant-id: ${{ secrets.AZURE_TENANT_ID }}
         subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
-    - name: Download/extract Sign CLI tool
-      env:
-        AST: ${{ secrets.AZURE_STORAGE_ACCOUNT }}
-        ASC: ${{ secrets.AZURE_STORAGE_CONTAINER }}
-        SCT: ${{ secrets.SIGN_CLI_TOOL }}
+    - name: Install sign CLI tool
       run: |
-        az storage blob download --file sign-cli.zip --auth-mode login `
-          --account-name $env:AST --container-name $env:ASC --name $env:SCT
-        Expand-Archive -Path sign-cli.zip -DestinationPath .\sign-cli
+        dotnet tool install -g --version 0.9.1-beta.24325.5
 
     - name: Sign package
-      env:
-        ACST: ${{ secrets.AZURE_TENANT_ID }}
-        ACSI: ${{ secrets.AZURE_CLIENT_ID }}
-        ACSS: ${{ secrets.AZURE_CLIENT_SECRET }}
       run: |
-        ./sign-cli/sign.exe code azcodesign nupkg/* `
-          -acsu https://wus2.codesigning.azure.net/ `
-          -acsa git-fundamentals-signing `
-          -acscp git-fundamentals-windows-signing `
-          -d "Git Fundamentals Windows Signing Certificate" `
-          -u "https://github.com/git-ecosystem/git-credential-manager" `
-          -acst $env:ACST `
-          -acsi $env:ACSI `
-          -acss $env:ACSS
-
-    - name: Publish signed package
+        sign.exe code trusted-signing nupkg/* `
+          -tse https://wus2.codesigning.azure.net/ `
+          -tsa git-fundamentals-signing `
+          -tscp git-fundamentals-windows-signing
+
+        mv nupkg/* .
+
+    # Remove this once NuGet supports the subscriber identity validation EKU:
+    # https://github.com/NuGet/NuGetGallery/issues/10027
+    - name: Extract signing certificate from package
+      shell: pwsh
+      run: |
+        dotnet tool install --global Knapcode.CertificateExtractor
+        $nupkg = gci *.nupkg
+        nuget-cert-extractor --file $nupkg --output certs --code-signing --author --leaf
+        $cert = gci certs\*.cer
+        mv $cert .\nuget-signing.cer
+
+    - name: Publish signed package and certificate
       uses: actions/upload-artifact@v4
       with:
         name: dotnet-tool-sign
-        path: nupkg/*.nupkg
+        path: |
+          *.nupkg
+          *.cer
 
 # ================================
 #           Validate

VERSION

@@ -1 +1 @@
-2.5.0.0
+2.5.1.0

docs/azrepos-misp.md

@@ -49,12 +49,15 @@ Value|Description
 -|-
 `system`|System-Assigned Managed Identity
 `[guid]`|User-Assigned Managed Identity with the specified client ID
-`id://[guid]`|User-Assigned Managed Identity with the specified client ID
-`resource://[guid]`|User-Assigned Managed Identity for the associated resource
+`id://[guid]` **|User-Assigned Managed Identity with the specified client ID
+`resource://[guid]` **|User-Assigned Managed Identity for the associated resource
 
 You can obtain the `[guid]` from the Azure Portal or by using the Azure CLI
 to inspect the Managed Identity or resource.
 
+** Note there is an open issue that prevents successfull authentication when
+using these formats: https://github.com/git-ecosystem/git-credential-manager/issues/1570
+
 ## Service Principals
 
 Azure Service Principals are used to authenticate and authorize applications and

src/shared/Core/Core.csproj

@@ -13,25 +13,25 @@
   <ItemGroup Condition="'$(TargetFramework)' == 'net472'">
     <Reference Include="System.Net.Http" />
     <Reference Include="System.Web" />
-    <PackageReference Include="Microsoft.Identity.Client.Broker" Version="4.60.3" />
-    <PackageReference Include="Avalonia.Win32" Version="11.0.10" />
+    <PackageReference Include="Microsoft.Identity.Client.Broker" Version="4.61.3" />
+    <PackageReference Include="Avalonia.Win32" Version="11.0.11" />
   </ItemGroup>
 
   <ItemGroup Condition="'$(TargetFramework)' != 'net472'">
-    <PackageReference Include="Avalonia.Desktop" Version="11.0.10" />
+    <PackageReference Include="Avalonia.Desktop" Version="11.0.11" />
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.Identity.Client" Version="4.60.3" />
-    <PackageReference Include="Microsoft.Identity.Client.Extensions.Msal" Version="4.60.3" />
+    <PackageReference Include="Microsoft.Identity.Client" Version="4.61.3" />
+    <PackageReference Include="Microsoft.Identity.Client.Extensions.Msal" Version="4.61.3" />
     <PackageReference Include="System.CommandLine" Version="2.0.0-beta4.22272.1" />
-    <PackageReference Include="Avalonia" Version="11.0.10" />
-    <PackageReference Include="Avalonia.Skia" Version="11.0.10" />
-    <PackageReference Include="Avalonia.Themes.Fluent" Version="11.0.10" />
+    <PackageReference Include="Avalonia" Version="11.0.11" />
+    <PackageReference Include="Avalonia.Skia" Version="11.0.11" />
+    <PackageReference Include="Avalonia.Themes.Fluent" Version="11.0.11" />
   </ItemGroup>
 
   <ItemGroup Condition="'$(Configuration)' == 'Debug'">
-    <PackageReference Include="Avalonia.Diagnostics" Version="11.0.10" />
+    <PackageReference Include="Avalonia.Diagnostics" Version="11.0.11" />
   </ItemGroup>
 
 </Project>