[CI] Use an in-repo copy of devcerts installation script (#8548)

radical · web-flow · commit 85567dc3af2b · 2025-04-04T09:32:52.000-06:00
diff --git a/eng/pipelines/templates/BuildAndTest.yml b/eng/pipelines/templates/BuildAndTest.yml
@@ -60,12 +60,7 @@ steps:
   - ${{ if and(eq(parameters.runAsPublic, 'true'), eq(parameters.runPipelineTests, 'true')) }}:
     # non-helix tests
     - ${{ if ne(parameters.isWindows, 'true') }}:
-      - script: mkdir ${{ parameters.repoArtifactsPath }}/devcert-scripts &&
-                cd ${{ parameters.repoArtifactsPath }}/devcert-scripts &&
-                wget https://raw.githubusercontent.com/BorisWilhelms/create-dotnet-devcert/main/scripts/ubuntu-create-dotnet-devcert.sh &&
-                wget https://raw.githubusercontent.com/BorisWilhelms/create-dotnet-devcert/main/scripts/common.sh &&
-                chmod +x ubuntu-create-dotnet-devcert.sh &&
-                ./ubuntu-create-dotnet-devcert.sh
+      - script: $(Build.SourcesDirectory)/tests/external-scripts/ubuntu-create-dotnet-devcert.sh
         displayName: Install devcerts
 
     - ${{ if eq(parameters.isWindows, 'true') }}:
diff --git a/tests/external-scripts/README.md b/tests/external-scripts/README.md
@@ -0,0 +1,3 @@
+# external-scripts
+
+This is a copy of scripts from https://github.com/BorisWilhelms/create-dotnet-devcert/ . This is being used for now as `dotnet dev-certs https --trust` doesn't seem to be working on our CI.
diff --git a/tests/external-scripts/common.sh b/tests/external-scripts/common.sh
@@ -0,0 +1,98 @@
+#!/bin/sh
+SAVE=0
+
+usage() {
+    echo "Usage: $0 [-s]"
+    echo "Generates a valid ASP.NET Core self-signed certificate for the local machine."
+    echo "The certificate will be imported into the system's certificate store and into various other places."
+    echo "  -s: Also saves the generated crtfile to the home directory"
+    exit 1
+}
+
+while getopts "sh" opt
+do
+    case "$opt" in
+        s)
+            SAVE=1
+            ;;
+        h)
+            usage
+            exit 1
+            ;;
+        *)
+            ;;
+    esac
+done
+
+TMP_PATH=/var/tmp/localhost-dev-cert
+if [ ! -d $TMP_PATH ]; then
+    mkdir $TMP_PATH
+fi
+
+cleanup() {
+    rm -R $TMP_PATH
+}
+
+KEYFILE=$TMP_PATH/dotnet-devcert.key
+CRTFILE=$TMP_PATH/dotnet-devcert.crt
+PFXFILE=$TMP_PATH/dotnet-devcert.pfx
+
+NSSDB_PATHS="$HOME/.pki/nssdb \
+    $HOME/snap/chromium/current/.pki/nssdb \
+    $HOME/snap/postman/current/.pki/nssdb"
+
+CONF_PATH=$TMP_PATH/localhost.conf
+cat >> $CONF_PATH <<EOF
+[req]
+prompt                  = no
+default_bits            = 2048
+distinguished_name      = subject
+req_extensions          = req_ext
+x509_extensions         = x509_ext
+
+[ subject ]
+commonName              = localhost
+
+[req_ext]
+basicConstraints        = critical, CA:true
+subjectAltName          = @alt_names
+
+[x509_ext]
+basicConstraints        = critical, CA:true
+keyUsage                = critical, keyCertSign, cRLSign, digitalSignature,keyEncipherment
+extendedKeyUsage        = critical, serverAuth
+subjectAltName          = critical, @alt_names
+1.3.6.1.4.1.311.84.1.1  = ASN1:UTF8String:ASP.NET Core HTTPS development certificate # Needed to get it imported by dotnet dev-certs
+
+[alt_names]
+DNS.1                   = localhost
+EOF
+
+configure_nssdb() {
+    echo "Configuring nssdb for $1"
+    certutil -d sql:"$1" -D -n dotnet-devcert
+    certutil -d sql:"$1" -A -t "CP,," -n dotnet-devcert -i $CRTFILE
+}
+
+openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout $KEYFILE -out $CRTFILE -config $CONF_PATH --passout pass:
+openssl pkcs12 -export -out $PFXFILE -inkey $KEYFILE -in $CRTFILE --passout pass:
+
+for NSSDB in $NSSDB_PATHS; do
+    if [ -d "$NSSDB" ]; then
+        configure_nssdb "$NSSDB"
+    fi
+done
+
+if [ "$(id -u)" -ne 0 ]; then
+    # shellcheck disable=SC2034 # SUDO will be used in parent scripts.
+    SUDO='sudo'
+fi
+
+dotnet dev-certs https --clean --import $PFXFILE -p ""
+
+if [ "$SAVE" = 1 ]; then
+   cp $CRTFILE $HOME
+   echo "Saved certificate to $HOME/$(basename $CRTFILE)"
+   cp $PFXFILE $HOME
+   echo "Saved certificate to $HOME/$(basename $PFXFILE)"
+fi
diff --git a/tests/external-scripts/ubuntu-create-dotnet-devcert.sh b/tests/external-scripts/ubuntu-create-dotnet-devcert.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+. "$(dirname "$0")/common.sh"
+
+$SUDO rm /etc/ssl/certs/dotnet-devcert.pem
+$SUDO cp $CRTFILE "/usr/local/share/ca-certificates"
+$SUDO update-ca-certificates
+
+cleanup
diff --git a/tests/helix/send-to-helix-inner.proj b/tests/helix/send-to-helix-inner.proj
@@ -19,14 +19,10 @@
     <_DotNetToolJsonPath>$(RepoRoot).config/dotnet-tools.json</_DotNetToolJsonPath>
     <_DotNetToolJsonContent>$([System.IO.File]::ReadAllText($(_DotNetToolJsonPath)))</_DotNetToolJsonContent>
 
-    <_CreateDotNetDevCertsDirectory>$(ArtifactsObjDir)create-dotnet-devcert</_CreateDotNetDevCertsDirectory>
-
     <_AzureFunctionsCliUrl Condition="'$(OS)' == 'Windows_NT'">https://github.com/Azure/azure-functions-core-tools/releases/download/4.0.6280/Azure.Functions.Cli.min.win-x64_net8.4.0.6280.zip</_AzureFunctionsCliUrl>
     <_AzureFunctionsCliUrl Condition="'$(OS)' != 'Windows_NT'">https://github.com/Azure/azure-functions-core-tools/releases/download/4.0.6280/Azure.Functions.Cli.linux-x64_net8.4.0.6280.zip</_AzureFunctionsCliUrl>
 
     <_DefaultSdkDirNameForTests>dotnet-tests</_DefaultSdkDirNameForTests>
-
-    <PrepareDependenciesDependsOn>_StageCreateDotNetDevCertScripts</PrepareDependenciesDependsOn>
   </PropertyGroup>
 
   <PropertyGroup>
@@ -164,11 +160,6 @@
 
   <Target Name="PrepareDependencies" DependsOnTargets="$(PrepareDependenciesDependsOn)" />
 
-  <Target Name="_StageCreateDotNetDevCertScripts" Condition="'$(NeedsCreateDotNetDevScripts)' == 'true' and '$(OS)' != 'Windows_NT' and !Exists($(_CreateDotNetDevCertsDirectory))">
-    <DownloadFile SourceUrl="https://raw.githubusercontent.com/BorisWilhelms/create-dotnet-devcert/main/scripts/ubuntu-create-dotnet-devcert.sh" DestinationFolder="$(_CreateDotNetDevCertsDirectory)" />
-    <DownloadFile SourceUrl="https://raw.githubusercontent.com/BorisWilhelms/create-dotnet-devcert/main/scripts/common.sh" DestinationFolder="$(_CreateDotNetDevCertsDirectory)" />
-  </Target>
-
   <Target Name="BuildHelixWorkItems" DependsOnTargets="$(BuildHelixWorkItemsDependsOn)" BeforeTargets="Build">
     <MSBuild Projects="$(RepoRoot)\eng\dcppack\Aspire.Hosting.Orchestration.$(NETCoreSdkRuntimeIdentifier).csproj" Targets="GetDCPBinaryLocation">
       <Output TaskParameter="TargetOutputs" PropertyName="DCPBinaryLocation" />
@@ -187,7 +178,7 @@
     </PropertyGroup>
 
     <ItemGroup Label="Common payload">
-      <HelixCorrelationPayload Condition="'$(NeedsCreateDotNetDevScripts)' == 'true'" Include="$(_CreateDotNetDevCertsDirectory)" Destination="create-dotnet-devcert" />
+      <HelixCorrelationPayload Condition="'$(NeedsCreateDotNetDevScripts)' == 'true'" Include="$(RepoRoot)tests\external-scripts" Destination="create-dotnet-devcert" />
       <HelixCorrelationPayload Condition="'$(DockerCliToolDir)' != ''" Include="$(DockerCliToolDir)" Destination="docker-cli" />
     </ItemGroup>
 

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+# external-scripts`
	`2`	`+`
	`3`	+This is a copy of scripts from https://github.com/BorisWilhelms/create-dotnet-devcert/ . This is being used for now as `dotnet dev-certs https --trust` doesn't seem to be working on our CI.