Merged
1 change: 1 addition & 0 deletions tools/releaseBuild/azureDevOps/releaseBuild.yml
Expand Up @@ -16,6 +16,7 @@ resources:
type: github
endpoint: ComplianceGHRepo
name: PowerShell/compliance
ref: master
Member Author

Branch name works and I'm constantly having to add and remove this. I'd like to keep it for easier testing, and returning it back to its default.

Member Author

See commit: cc463a6 (#14060)


variables:
- name: DOTNET_CLI_TELEMETRY_OPTOUT
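Review bot: `ref: master` on the `PowerShell/compliance` resource follows a mutable branch, and the release job on this page pulls its signing template from that repository (`EsrpSign.yml@ComplianceRepo`), so any commit to that branch changes the signing step of a release build without a change in this repository. Consider pinning release runs to a tag, for example `ref: refs/tags/<tag>` with a tag chosen by the maintainers, and add a YAML comment above the line saying it is kept explicit so the branch can be swapped for testing and must be restored before merge.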
Expand Up @@ -8,15 +8,19 @@ jobs:
${{ parameters.parentJobs }}
condition: succeeded()
pool:
name: Package ES Standard Build
vmImage: windows-latest
variables:
BuildConfiguration: release
BuildPlatform: any cpu
- name: DOTNET_SKIP_FIRST_TIME_EXPERIENCE
value: 1
- group: ESRP

steps:
- checkout: self
clean: true

- checkout: ComplianceRepo
clean: true

- template: shouldSign.yml
- template: SetVersionVariables.yml
parameters:
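Review bot: the new `- checkout: ComplianceRepo` next to `- checkout: self` turns this job into a multi-repository checkout, where each repository is placed in its own subfolder of the sources directory instead of `self` sitting at its root. Every later step in the job that uses a repo-relative path should be checked against that layout. In the same hunk, `BuildConfiguration` and `BuildPlatform` are dropped from `variables:` when the block moves to list form; confirm no remaining step or template reads them, or carry them over as `- name:` / `value:` entries.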
Expand All @@ -36,36 +40,15 @@ jobs:
# Diagnostics is not critical it passes every time it runs
continueOnError: true

- powershell: |
$authenticodefiles = @(
"$(System.ArtifactsDirectory)\signed\PowerShell-$(Version)-win-x64.msi"
"$(System.ArtifactsDirectory)\signed\PowerShell-$(Version)-win-x86.msi"
)

$msixFiles = @(
"$(System.ArtifactsDirectory)\signed\PowerShell-$(Version)-win-x86.msix"
"$(System.ArtifactsDirectory)\signed\PowerShell-$(Version)-win-x64.msix"
"$(System.ArtifactsDirectory)\signed\PowerShell-$(Version)-win-arm32.msix"
"$(System.ArtifactsDirectory)\signed\PowerShell-$(Version)-win-arm64.msix"
)

tools/releaseBuild/generatePackgeSigning.ps1 -AuthenticodeFiles $authenticodeFiles -path "$(System.ArtifactsDirectory)\package.xml" -MsixCertType $env:MSIX_TYPE -MsixFiles $msixFiles
displayName: 'Generate Package Signing Xml'

- powershell: |
Get-Content "$(System.ArtifactsDirectory)\package.xml"
displayName: 'Capture signing xml'

- task: PkgESCodeSign@10
displayName: 'CodeSign $(System.ArtifactsDirectory)\package.xml'
env:
SYSTEM_ACCESSTOKEN: $(System.AccessToken)
inputs:
signConfigXml: '$(System.ArtifactsDirectory)\package.xml'
outPathRoot: '$(Build.StagingDirectory)\signedPackages'
binVersion: $(SigingVersion)
binVersionOverride: $(SigningVersionOverride)
condition: and(succeeded(), eq(variables['SHOULD_SIGN'], 'true'))
- template: EsrpSign.yml@ComplianceRepo
parameters:
buildOutputPath: $(System.ArtifactsDirectory)\signed
signOutputPath: $(Build.StagingDirectory)\signedPackages
certificateId: "CP-230012"
pattern: |
**\*.msi
**\*.msix
useMinimatch: true

- powershell: |
new-item -itemtype Directory -path '$(Build.StagingDirectory)\signedPackages'
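Review bot: the `EsrpSign.yml@ComplianceRepo` call has no `condition:`, while the removed `PkgESCodeSign@10` step ran only under `and(succeeded(), eq(variables['SHOULD_SIGN'], 'true'))`. Unless the template itself checks `SHOULD_SIGN`, builds that should not sign will now reach the signing service; please confirm that, or pass the gate through as a parameter. The call also applies the single hard-coded `certificateId: "CP-230012"` to both `**\*.msi` and `**\*.msix`, where the removed script passed a separate `-MsixCertType $env:MSIX_TYPE` for the MSIX files; a short comment explaining why one certificate now covers both would help, and moving the id to a variable would avoid repeating the literal.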
Expand Down Expand Up @@ -110,8 +93,17 @@ jobs:
msi: no
msix: no

- task: securedevelopmentteam.vss-secure-development-tools.build-task-antimalware.AntiMalware@3
displayName: 'Run Defender Scan'
- task: SFP.build-tasks.custom-build-task-2.EsrpMalwareScanning@1
displayName: 'Malware Scanning'
inputs:
ConnectedServiceName: pwshEsrpScanning
FolderPath: '$(Build.StagingDirectory)'
Pattern: |
**\*.msix
**\*.msi
**\*.zip
UseMinimatch: true
SessionTimeout: 30

- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
displayName: 'Component Detection'
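Review bot: the `Pattern` given to `EsrpMalwareScanning@1` restricts scanning to `**\*.msix`, `**\*.msi` and `**\*.zip` under `$(Build.StagingDirectory)`, whereas the removed `AntiMalware@3` step shows no file filter here. Any other file type staged and published by this job would go unscanned, so either widen the pattern or add a comment stating that these three are the only artifact types the job publishes. `SessionTimeout: 30` should carry a comment giving its unit.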