Merged
@@ -1,9 +1,9 @@
steps:
- powershell: |
Import-Module $(Build.SourcesDirectory)/build.psm1 -Force
New-NugetConfigFile -NugetFeedUrl $(AzDevOpsFeed) -UserName $(AzDevOpsFeedUserName) -ClearTextPAT $(AzDevOpsFeedPAT) -FeedName AzDevOpsFeed -Destination $(Build.SourcesDirectory)/src/Modules
Import-Module $env:REPOROOT/build.psm1 -Force
New-NugetConfigFile -NugetFeedUrl $(AzDevOpsFeed) -UserName $(AzDevOpsFeedUserName) -ClearTextPAT $(AzDevOpsFeedPAT) -FeedName AzDevOpsFeed -Destination $env:REPOROOT/src/Modules

if(-not (Test-Path "$(Build.SourcesDirectory)/src/Modules/nuget.config"))
if(-not (Test-Path "$env:REPOROOT/src/Modules/nuget.config"))
{
throw "nuget.config is not created"
}
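Review bot: The rewritten `New-NugetConfigFile` line still passes the feed token as `-ClearTextPAT $(AzDevOpsFeedPAT)`, so the secret is macro-expanded, unquoted, into the inline script text before PowerShell runs it. Mapping it through the step's `env:` block (for example `FEED_PAT: $(AzDevOpsFeedPAT)`) and passing `-ClearTextPAT $env:FEED_PAT` keeps the value out of the generated script and stops characters in the token from being parsed as PowerShell. The new paths also rely on `$env:REPOROOT` being set by a step that is not visible in this hunk; if it is empty, the `Test-Path` check silently looks at `/src/Modules/nuget.config`. A guard such as `if (-not $env:REPOROOT) { throw 'REPOROOT is not set' }` ahead of the `Import-Module` would make that fail loudly. The step continues past the end of this hunk.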
77 changes: 45 additions & 32 deletions tools/releaseBuild/azureDevOps/templates/linux.yml
Expand Up @@ -7,11 +7,16 @@ jobs:
- job: build_${{ parameters.buildName }}
displayName: Build ${{ parameters.buildName }}
condition: succeeded()
pool: Hosted Ubuntu 1604
pool:
vmImage: ubuntu-16.04
dependsOn: ${{ parameters.parentJob }}
variables:
build: ${{ parameters.buildName }}
runCodesignValidationInjection: false
- name: runCodesignValidationInjection
value: false
- name: build
value: ${{ parameters.buildName }}
- group: ESRP

steps:
- checkout: self
clean: true
Expand All @@ -37,13 +42,13 @@ jobs:


- powershell: |
import-module ./build.psm1
import-module "$env:REPOROOT/build.psm1"
Sync-PSTags -AddRemoteIfMissing
displayName: SyncTags
condition: and(succeeded(), ne(variables['SkipBuild'], 'true'))

- powershell: |
tools/releaseBuild/vstsbuild.ps1 -ReleaseTag $(ReleaseTagVar) -Name '$(build)'
& "$env:REPOROOT/tools/releaseBuild/vstsbuild.ps1" -ReleaseTag $(ReleaseTagVar) -Name '$(build)'

displayName: 'Build and package'
condition: and(succeeded(), ne(variables['SkipBuild'], 'true'))
Expand All @@ -52,10 +57,19 @@ jobs:
displayName: ${{ parameters.uploadDisplayName }} ${{ parameters.buildName }}
dependsOn: build_${{ parameters.buildName }}
condition: succeeded()
pool: Package ES Standard Build
pool:
vmImage: windows-latest
variables:
buildName: ${{ parameters.buildName }}
- name: buildName
value: ${{ parameters.buildName }}
- group: ESRP

steps:
- checkout: self
clean: true

- checkout: ComplianceRepo
clean: true

- template: shouldSign.yml

Expand Down Expand Up @@ -86,32 +100,29 @@ jobs:
downloadPath: '$(System.ArtifactsDirectory)\rpm'
condition: and(eq(variables['buildName'], 'RPM'),succeeded())

- task: securedevelopmentteam.vss-secure-development-tools.build-task-antimalware.AntiMalware@3
displayName: 'Run Defender Scan'

- powershell: |
$authenticodefiles = @()
Get-ChildItem -Path '$(System.ArtifactsDirectory)\rpm\*.rpm' -recurse | ForEach-Object { $authenticodefiles += $_.FullName}
tools/releaseBuild/generatePackgeSigning.ps1 -LinuxFiles $authenticodeFiles -path "$(System.ArtifactsDirectory)\package.xml"
displayName: 'Generate RPM Signing Xml'
condition: and(and(succeeded(), eq(variables['SHOULD_SIGN'], 'true')),eq(variables['buildName'], 'RPM'))

- powershell: |
Get-Content "$(System.ArtifactsDirectory)\package.xml"
displayName: 'Capture RPM signing xml'
condition: and(and(succeeded(), eq(variables['SHOULD_SIGN'], 'true')),eq(variables['buildName'], 'RPM'))

- task: PkgESCodeSign@10
displayName: 'CodeSign RPM $(System.ArtifactsDirectory)\package.xml'
env:
SYSTEM_ACCESSTOKEN: $(System.AccessToken)
- task: SFP.build-tasks.custom-build-task-2.EsrpMalwareScanning@1
displayName: 'Malware Scanning'
inputs:
signConfigXml: '$(System.ArtifactsDirectory)\package.xml'
outPathRoot: '$(Build.StagingDirectory)\signedPackages'
binVersion: $(SigingVersion)
binVersionOverride: $(SigningVersionOverride)
condition: and(and(succeeded(), eq(variables['SHOULD_SIGN'], 'true')),eq(variables['buildName'], 'RPM'))

ConnectedServiceName: pwshEsrpScanning
FolderPath: $(System.ArtifactsDirectory)
Pattern: |
**\*.rpm
**\*.deb
**\*.tar.gz
UseMinimatch: true
SessionTimeout: 30

- ${{ if eq(variables['buildName'], 'RPM') }}:
- template: EsrpSign.yml@ComplianceRepo
parameters:
buildOutputPath: $(System.ArtifactsDirectory)\rpm
signOutputPath: $(Build.StagingDirectory)\signedPackages
certificateId: "CP-450779-Pgp"
pattern: |
**\*.rpm
useMinimatch: true

# requires windows
- task: AzureFileCopy@4
displayName: 'Upload to Azure - DEB and tar.gz'
inputs:
Expand All @@ -125,6 +136,7 @@ jobs:
parameters:
artifactPath: $(System.ArtifactsDirectory)\finished\release

# requires windows
- task: AzureFileCopy@4
displayName: 'Upload to Azure - RPM - Unsigned'
inputs:
Expand All @@ -135,6 +147,7 @@ jobs:
ContainerName: '$(AzureVersion)'
condition: and(and(succeeded(), ne(variables['SHOULD_SIGN'], 'true')),eq(variables['buildName'], 'RPM'))

# requires windows
- task: AzureFileCopy@4
displayName: 'Upload to Azure - RPM - Signed'
inputs:
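Review bot: RPM signing is now gated by a compile-time insertion, `- ${{ if eq(variables['buildName'], 'RPM') }}:`, where the removed `PkgESCodeSign@10` step used a runtime `condition:` that also required `SHOULD_SIGN` to be `'true'`. The insertion only takes effect if the job-level `buildName` variable is resolvable at template-expansion time; if it is not, the `EsrpSign.yml@ComplianceRepo` steps are dropped without any error, while 'Upload to Azure - RPM - Signed' stays in the job. Testing the parameter the variable is copied from is unambiguous: `- ${{ if eq(parameters.buildName, 'RPM') }}:`. Whether `EsrpSign.yml` itself honours `SHOULD_SIGN` cannot be seen from this section, so either confirm that in the template or add a comment here such as `# EsrpSign.yml checks SHOULD_SIGN internally`. The `ComplianceRepo` resource is declared outside this file; since it now supplies the signing steps, it is worth confirming that it is pinned to a fixed ref.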