21 changes: 10 additions & 11 deletions tools/releaseBuild/azureDevOps/templates/linux.yml
Expand Up @@ -21,6 +21,9 @@ jobs:
- checkout: self
clean: true

- checkout: ComplianceRepo
clean: true

- template: SetVersionVariables.yml
parameters:
ReleaseTagVar: $(ReleaseTagVar)
Expand Down Expand Up @@ -100,17 +103,13 @@ jobs:
downloadPath: '$(System.ArtifactsDirectory)\rpm'
condition: and(eq(variables['buildName'], 'RPM'),succeeded())

- task: SFP.build-tasks.custom-build-task-2.EsrpMalwareScanning@1
displayName: 'Malware Scanning'
inputs:
ConnectedServiceName: pwshEsrpScanning
FolderPath: $(System.ArtifactsDirectory)
Pattern: |
**\*.rpm
**\*.deb
**\*.tar.gz
UseMinimatch: true
SessionTimeout: 30
- template: EsrpScan.yml@ComplianceRepo
parameters:
scanPath: $(System.ArtifactsDirectory)
pattern: |
**\*.rpm
**\*.deb
**\*.tar.gz

- ${{ if eq(variables['buildName'], 'RPM') }}:
- template: EsrpSign.yml@ComplianceRepo
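Review bot: The new `EsrpScan.yml@ComplianceRepo` call passes only `scanPath` and `pattern`, so the settings the removed task stated explicitly (`ConnectedServiceName: pwshEsrpScanning`, `UseMinimatch: true`, `SessionTimeout: 30`) now come from defaults inside a template held in another repository. The `**\*.rpm`-style patterns are globs, and if the template does not default to minimatch matching the scan could match nothing and still succeed; the template body is not shown on this page, so this needs confirming. Because the scan logic for release artifacts now lives in ComplianceRepo, its `resources` entry (not visible here) should pin a fixed ref, for example `ref: refs/tags/<compliance-release-tag>`, so that a change there cannot alter release scanning without a commit in this repository. The same applies to the `**\*.msix` / `**\*.msi` / `**\*.zip` scan in the last section of this page.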
42 changes: 17 additions & 25 deletions tools/releaseBuild/azureDevOps/templates/mac-file-signing.yml
Expand Up @@ -9,13 +9,15 @@ jobs:
pool:
name: Package ES Standard Build
variables:
BuildConfiguration: release
BuildPlatform: any cpu
- group: ESRP

steps:
- checkout: self
clean: true

- checkout: ComplianceRepo
clean: true

- template: shouldSign.yml

- template: SetVersionVariables.yml
Expand Down Expand Up @@ -63,27 +65,14 @@ jobs:
Write-Host $zipFile
displayName: 'Compress macOS binary files'

- pwsh: |
$pkgFiles = "$(Build.StagingDirectory)\macos\powershell-files-$(Version)-osx-x64.zip", "$(Build.StagingDirectory)\macos\powershell-lts-$(Version)-osx-x64.zip"
tools/releaseBuild/generatePackgeSigning.ps1 -MacDeveloperFiles $pkgFiles -path "$(System.ArtifactsDirectory)\package.xml"
displayName: 'Generate macOS binary Signing Xml'

- pwsh: |
Get-Content "$(System.ArtifactsDirectory)\package.xml"
displayName: 'Capture macOS signing xml'
# Diagnostics is not critical it passes every time it runs
continueOnError: true

- task: PkgESCodeSign@10
displayName: 'CodeSign $(System.ArtifactsDirectory)\package.xml'
env:
SYSTEM_ACCESSTOKEN: $(System.AccessToken)
inputs:
signConfigXml: '$(System.ArtifactsDirectory)\package.xml'
outPathRoot: '$(Build.StagingDirectory)\signedMacOSPackages'
binVersion: $(SigingVersion)
binVersionOverride: $(SigningVersionOverride)
condition: and(succeeded(), eq(variables['SHOULD_SIGN'], 'true'))
- template: EsrpSign.yml@ComplianceRepo
parameters:
buildOutputPath: $(Build.StagingDirectory)\macos
signOutputPath: $(Build.StagingDirectory)\signedMacOSPackages
certificateId: "CP-401337-Apple"
pattern: |
**\*.zip
useMinimatch: true

- pwsh: |
$destination = "$(System.ArtifactsDirectory)\azureMacOs"
Expand All @@ -100,8 +89,11 @@ jobs:
artifactName: signedMacOsBins
condition: and(succeeded(), eq(variables['SHOULD_SIGN'], 'true'))

- task: securedevelopmentteam.vss-secure-development-tools.build-task-antimalware.AntiMalware@3
displayName: 'Run Defender Scan'
- template: EsrpScan.yml@ComplianceRepo
parameters:
scanPath: $(System.ArtifactsDirectory)\azureMacOs
pattern: |
**\*

- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
displayName: 'Component Detection'
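Review bot: The `EsrpSign.yml@ComplianceRepo` call that replaces `PkgESCodeSign@10` carries no equivalent of the removed `condition: and(succeeded(), eq(variables['SHOULD_SIGN'], 'true'))`, while the later artifact upload in this file is still gated on `SHOULD_SIGN`. A template reference cannot take a step-level `condition`, so whether signing is skipped on non-signing builds now depends on logic inside the template, which this page does not show. If the template does not check the variable, a build with `SHOULD_SIGN` set to `false` would still submit `**\*.zip` for signing under `CP-401337-Apple`. I would confirm the template's behaviour and record it above the call, e.g. `# EsrpSign.yml skips signing unless SHOULD_SIGN is 'true'`. The same call in mac-package-signing.yml and nuget.yml drops the same condition.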
38 changes: 12 additions & 26 deletions tools/releaseBuild/azureDevOps/templates/mac-package-signing.yml
Expand Up @@ -9,13 +9,15 @@ jobs:
pool:
name: Package ES Standard Build
variables:
BuildConfiguration: release
BuildPlatform: any cpu
- group: ESRP

steps:
- checkout: self
clean: true

- checkout: ComplianceRepo
clean: true

- template: shouldSign.yml

- template: SetVersionVariables.yml
Expand Down Expand Up @@ -50,27 +52,14 @@ jobs:
}
displayName: 'Compress macOS Package'

- pwsh: |
$pkgFiles = "$(Build.StagingDirectory)\macos\powershell-$(Version)-osx-x64.zip", "$(Build.StagingDirectory)\macos\powershell-lts-$(Version)-osx-x64.zip"
tools/releaseBuild/generatePackgeSigning.ps1 -MacDeveloperFiles $pkgFiles -path "$(System.ArtifactsDirectory)\package.xml"
displayName: 'Generate macOS Package Signing Xml'

- pwsh: |
Get-Content "$(System.ArtifactsDirectory)\package.xml"
displayName: 'Capture macOS signing xml'
# Diagnostics is not critical it passes every time it runs
continueOnError: true

- task: PkgESCodeSign@10
displayName: 'CodeSign $(System.ArtifactsDirectory)\package.xml'
env:
SYSTEM_ACCESSTOKEN: $(System.AccessToken)
inputs:
signConfigXml: '$(System.ArtifactsDirectory)\package.xml'
outPathRoot: '$(Build.StagingDirectory)\signedMacOSPackages'
binVersion: $(SigingVersion)
binVersionOverride: $(SigningVersionOverride)
condition: and(succeeded(), eq(variables['SHOULD_SIGN'], 'true'))
- template: EsrpSign.yml@ComplianceRepo
parameters:
buildOutputPath: $(Build.StagingDirectory)\macos
signOutputPath: $(Build.StagingDirectory)\signedMacOSPackages
certificateId: "CP-401337-Apple"
pattern: |
**\*.zip
useMinimatch: true

- template: upload-final-results.yml
parameters:
Expand Down Expand Up @@ -120,9 +109,6 @@ jobs:
ContainerName: '$(AzureVersion)'
condition: and(succeeded(), eq(variables['SHOULD_SIGN'], 'true'))

- task: securedevelopmentteam.vss-secure-development-tools.build-task-antimalware.AntiMalware@3
displayName: 'Run Defender Scan'

- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
displayName: 'Component Detection'
inputs:
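Review bot: The last hunk removes the `AntiMalware@3` 'Run Defender Scan' step without adding an `EsrpScan.yml@ComplianceRepo` call, unlike mac-file-signing.yml where the same step is replaced by one. Unless these packages are scanned in another job (not visible in this section), the signed macOS packages leave this job with no malware scan. If the omission is deliberate, a comment where the step used to be would make that auditable, e.g. `# macOS packages are scanned in <job-name>`. Otherwise add an `EsrpScan.yml@ComplianceRepo` step mirroring the one in mac-file-signing.yml, with `scanPath` pointing at the signed package output directory.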
70 changes: 36 additions & 34 deletions tools/releaseBuild/azureDevOps/templates/nuget.yml
Expand Up @@ -12,19 +12,35 @@ jobs:
timeoutInMinutes: 90

variables:
runCodesignValidationInjection: false
GenAPIToolPath: '$(System.ArtifactsDirectory)/GenAPI'
PackagePath: '$(System.ArtifactsDirectory)/UnifiedPackagePath'
winFxdPath: '$(System.ArtifactsDirectory)/winFxd'
winFxdWinDesktopPath: '$(System.ArtifactsDirectory)/winFxdWinDesktop'
linuxFxdPath: '$(System.ArtifactsDirectory)/linuxFxd'
- name: runCodesignValidationInjection
value: false
- name: build
value: ${{ parameters.buildName }}
- group: ESRP
- name: GenAPIToolPath
value: '$(System.ArtifactsDirectory)/GenAPI'
- name: PackagePath
value: '$(System.ArtifactsDirectory)/UnifiedPackagePath'
- name: winFxdPath
value: '$(System.ArtifactsDirectory)/winFxd'
- name: winFxdWinDesktopPath
value: '$(System.ArtifactsDirectory)/winFxdWinDesktop'
- name: linuxFxdPath
value: '$(System.ArtifactsDirectory)/linuxFxd'

steps:
- checkout: self
clean: true

- checkout: ComplianceRepo
clean: true

- template: SetVersionVariables.yml
parameters:
ReleaseTagVar: $(ReleaseTagVar)

- powershell: |
$content = Get-Content "$(Build.SourcesDirectory)/global.json" -Raw | ConvertFrom-Json
$content = Get-Content "$env:REPOROOT/global.json" -Raw | ConvertFrom-Json
$vstsCommandString = "vso[task.setvariable variable=SDKVersion]$($content.sdk.version)"
Write-Host "sending " + $vstsCommandString
Write-Host "##$vstsCommandString"
Expand Down Expand Up @@ -90,8 +106,8 @@ jobs:
displayName: 'Install NuGet.exe'

- powershell: |
Import-Module $env:BUILD_SOURCESDIRECTORY\build.psm1
Import-Module $env:BUILD_SOURCESDIRECTORY\tools\packaging
Import-Module $env:REPOROOT\build.psm1
Import-Module $env:REPOROOT\tools\packaging
Find-Dotnet
New-ILNugetPackage -PackagePath "$(PackagePath)" -PackageVersion "$(Version)" -WinFxdBinPath '$(winFxdPath)' -LinuxFxdBinPath '$(linuxFxdPath)' -GenAPIToolPath "$(GenAPIToolPath)"
displayName: 'Create Nuget Package Folders'
Expand All @@ -103,8 +119,8 @@ jobs:
displayName: Capture fxd folders

- powershell: |
Import-Module $env:BUILD_SOURCESDIRECTORY\build.psm1
Import-Module $env:BUILD_SOURCESDIRECTORY\tools\packaging
Import-Module $env:REPOROOT\build.psm1
Import-Module $env:REPOROOT\tools\packaging
Find-Dotnet
# Create unified package first
New-GlobalToolNupkg -UnifiedPackage -LinuxBinPath "$(linuxFxdPath)" -WindowsBinPath "$(winFxdPath)" -WindowsDesktopBinPath "$(winFxdWinDesktopPath)" -PackageVersion "$(Version)" -DestinationPath "$(PackagePath)\globaltool"
Expand All @@ -117,28 +133,14 @@ jobs:
Get-ChildItem "$(PackagePath)" -Recurse
displayName: Capture generated packages

- powershell: |
$packages = Get-ChildItem "$(PackagePath)\*.nupkg", "$(PackagePath)\globaltool\*.nupkg" | Select-Object -ExpandProperty FullName

if($packages.Count -lt 1)
{
throw "No packages created"
}

$(Build.SourcesDirectory)\tools\releaseBuild\generatePackgeSigning.ps1 -Path $(PackagePath)\NugetSigning.xml -NuPkgFiles $packages
displayName: Create signing file

- task: PkgESCodeSign@10
displayName: 'CodeSign Nuget Packages'
env:
SYSTEM_ACCESSTOKEN: $(System.AccessToken)
inputs:
signConfigXml: '$(PackagePath)\NugetSigning.xml'
inPathRoot: '$(PackagePath)'
outPathRoot: '$(System.ArtifactsDirectory)\signed'
binVersion: $(SigingVersion)
binVersionOverride: $(SigningVersionOverride)
condition: and(succeeded(), eq(variables['SHOULD_SIGN'], 'true'))
- template: EsrpSign.yml@ComplianceRepo
parameters:
buildOutputPath: $(PackagePath)
signOutputPath: $(System.ArtifactsDirectory)\signed
certificateId: "CP-401405"
pattern: |
**\*.nupkg
useMinimatch: true

- pwsh: |
if (-not (Test-Path '$(System.ArtifactsDirectory)\signed\')) { $null = New-Item -ItemType Directory -Path '$(System.ArtifactsDirectory)\signed\' }
Expand All @@ -148,7 +150,7 @@ jobs:
condition: eq(variables['SHOULD_SIGN'], 'false')

- powershell: |
Import-Module $(Build.SourcesDirectory)\build.psm1 -Force
Import-Module "${env:REPOROOT}\build.psm1" -Force
Get-ChildItem -Recurse "$(System.ArtifactsDirectory)\signed\*.nupkg" -Verbose | ForEach-Object { Start-NativeExecution -sb { nuget.exe verify -All $_.FullName } }
displayName: Verify all packages are signed
condition: eq(variables['SHOULD_SIGN'], 'true')
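Review bot: The removed 'Create signing file' step failed the build with `throw "No packages created"` when no `.nupkg` was found, and nothing in the new `EsrpSign.yml@ComplianceRepo` call visibly replaces that guard. The 'Verify all packages are signed' step pipes `Get-ChildItem` straight into `ForEach-Object`, so with zero packages under `signed\` it never runs `nuget.exe verify` and still succeeds. Unless the template itself fails on an empty match (its body is not shown here), a build that produces or signs nothing would pass verification. I would restore the guard in the verify step by collecting the files first, `$pkgs = @(Get-ChildItem -Recurse "$(System.ArtifactsDirectory)\signed\*.nupkg")`, then `if ($pkgs.Count -lt 1) { throw "No signed packages found" }` before looping over `$pkgs`.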
Expand Up @@ -93,17 +93,13 @@ jobs:
msi: no
msix: no

- task: SFP.build-tasks.custom-build-task-2.EsrpMalwareScanning@1
displayName: 'Malware Scanning'
inputs:
ConnectedServiceName: pwshEsrpScanning
FolderPath: '$(Build.StagingDirectory)'
Pattern: |
**\*.msix
**\*.msi
**\*.zip
UseMinimatch: true
SessionTimeout: 30
- template: EsrpScan.yml@ComplianceRepo
parameters:
scanPath: $(Build.StagingDirectory)
pattern: |
**\*.msix
**\*.msi
**\*.zip

- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
displayName: 'Component Detection'