Junaed/fssdk 12756 remove authenticode step#417
Open
junaed-optimizely wants to merge 4 commits into
Open
Conversation
There was a problem hiding this comment.
Pull request overview
This PR simplifies the csharp_release.yml release workflow by removing the Authenticode signing job and updating the packaging flow to work directly from the build artifacts (unsigned DLLs).
Changes:
- Removed the
signjob and updatedpackto depend directly on the build jobs. - Updated
packto download and organize unsigned DLL artifacts (framework + netstandard targets) instead of signed artifacts. - Added
nuget/setup-nuget@v2to ensure NuGet is available on the packaging runner.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Removes the Authenticode signing step from the release pipeline.
Manual Authenticode signing of individual DLLs is no longer a standard practice for libraries distributed via NuGet.
The .NET ecosystem has shifted toward NuGet's own package signing (author and repository signatures) as the primary trust and integrity mechanism, making a separate DLL-level Authenticode step unnecessary overhead.
The signing job in our pipeline was also never operational. It contained placeholder paths and an explicit halt, so this removal reflects both an industry shift and the cleanup of dead infrastructure.
Changes
Issues