Skip to content

Enable signing daily release build with lifetime certificate #15642

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
adityapatwardhan merged 1 commit into from
Jun 24, 2021
Merged

Enable signing daily release build with lifetime certificate #15642

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 1 addition & 2 deletions tools/releaseBuild/azureDevOps/templates/linux.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -83,11 +83,10 @@ jobs:
- checkout: ComplianceRepo
clean: true

- template: shouldSign.yml

- template: SetVersionVariables.yml
parameters:
ReleaseTagVar: $(ReleaseTagVar)
- template: shouldSign.yml

- task: DownloadBuildArtifacts@0
displayName: 'Download Deb Artifacts'
Expand Down
4 changes: 2 additions & 2 deletions tools/releaseBuild/azureDevOps/templates/mac-file-signing.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,12 +22,12 @@ jobs:
- checkout: ComplianceRepo
clean: true

- template: shouldSign.yml

- template: SetVersionVariables.yml
parameters:
ReleaseTagVar: $(ReleaseTagVar)

- template: shouldSign.yml

- task: DownloadBuildArtifacts@0
inputs:
artifactName: 'macosBinResults'
Expand Down
8 changes: 2 additions & 6 deletions tools/releaseBuild/azureDevOps/templates/mac-package-build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,16 +28,12 @@ jobs:
sudo chown $env:USER /PowerShell
displayName: 'Create /PowerShell'

- template: shouldSign.yml

#- task: <task type name>@<version>
# inputs:
# <task specific inputs>
# displayName: '<display name of task>'
- template: SetVersionVariables.yml
parameters:
ReleaseTagVar: $(ReleaseTagVar)

- template: shouldSign.yml

- template: cloneToOfficialPath.yml

- task: DownloadBuildArtifacts@0
Expand Down
4 changes: 2 additions & 2 deletions tools/releaseBuild/azureDevOps/templates/nuget.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -98,12 +98,12 @@ jobs:
packageSources: 'https://nuget.org/api/v2'
installRoot: '$(GenAPIToolPath)'

- template: shouldSign.yml

- template: SetVersionVariables.yml
parameters:
ReleaseTagVar: $(ReleaseTagVar)

- template: shouldSign.yml

- task: NuGetToolInstaller@1
displayName: 'Install NuGet.exe'

Expand Down
16 changes: 14 additions & 2 deletions tools/releaseBuild/azureDevOps/templates/shouldSign.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,9 +1,12 @@
steps:
- powershell: |
$shouldSign = $true
if($env:BUILD_REASON -ne 'Manual')
Copy link
Collaborator

@rjmholt rjmholt Jun 23, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this mean that builds that are not manual and are not daily will now be signed with the standard Authenticode cert?

Copy link
Member Author

@adityapatwardhan adityapatwardhan Jun 23, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe we do not have any builds for this pipeline that are not manual and not daily. The builds we have are:

  1. Daily build - kicked off automatically so not manual. -> signed
  2. Manual kicked off for release - so not daily
  3. Manually kicked off for testing - so not daily

The pipeline also has an option to skip signing using the pipeline schedule time parameter.

Copy link
Collaborator

@rjmholt rjmholt Jun 23, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No automated on-push branch build?

Copy link
Member Author

@adityapatwardhan adityapatwardhan Jun 24, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

on-push is disabled for the pipeline.

$authenticodeCert = 'CP-230012'
$msixCert = 'CP-230012'

if($env:IS_DAILY -eq 'true')
{
$shouldSign = $false
$authenticodeCert = 'CP-460906'
}

if($env:SKIP_SIGNING -eq 'Yes')
Expand All @@ -14,4 +17,13 @@ steps:
$vstsCommandString = "vso[task.setvariable variable=SHOULD_SIGN]$($shouldSign.ToString().ToLowerInvariant())"
Write-Host "sending " + $vstsCommandString
Write-Host "##$vstsCommandString"

$vstsCommandString = "vso[task.setvariable variable=MSIX_CERT]$($msixCert)"
Write-Host "sending " + $vstsCommandString
Write-Host "##$vstsCommandString"

$vstsCommandString = "vso[task.setvariable variable=AUTHENTICODE_CERT]$($authenticodeCert)"
Write-Host "sending " + $vstsCommandString
Write-Host "##$vstsCommandString"

displayName: 'Set SHOULD_SIGN Variable'
17 changes: 14 additions & 3 deletions tools/releaseBuild/azureDevOps/templates/windows-package-signing.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,11 +21,12 @@ jobs:
- checkout: ComplianceRepo
clean: true

- template: shouldSign.yml
- template: SetVersionVariables.yml
parameters:
ReleaseTagVar: $(ReleaseTagVar)

- template: shouldSign.yml

- task: DownloadBuildArtifacts@0
displayName: 'Download artifacts'
inputs:
Expand All @@ -44,13 +45,23 @@ jobs:
parameters:
buildOutputPath: $(System.ArtifactsDirectory)\signed
signOutputPath: $(Build.StagingDirectory)\signedPackages
certificateId: "CP-230012"
certificateId: $(MSIX_CERT)
pattern: |
**\*.msix
useMinimatch: true
shouldSign: $(SHOULD_SIGN)
displayName: Sign msix

- template: EsrpSign.yml@ComplianceRepo
parameters:
buildOutputPath: $(System.ArtifactsDirectory)\signed
signOutputPath: $(Build.StagingDirectory)\signedPackages
certificateId: $(AUTHENTICODE_CERT)
pattern: |
**\*.exe
useMinimatch: true
shouldSign: $(SHOULD_SIGN)
displayName: Sign exe and msix
displayName: Sign exe

- powershell: |
new-item -itemtype Directory -path '$(Build.StagingDirectory)\signedPackages'
Expand Down
9 changes: 5 additions & 4 deletions tools/releaseBuild/azureDevOps/templates/windows-packaging.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,11 +34,12 @@ jobs:
- checkout: ComplianceRepo
clean: true

- template: shouldSign.yml
- template: SetVersionVariables.yml
parameters:
ReleaseTagVar: $(ReleaseTagVar)

- template: shouldSign.yml

- powershell: |
$pkgFilter = if ( '$(Architecture)' -eq 'arm' ) { "arm32" } else { '$(Architecture)' }
if ($env:BuildConfiguration -eq 'minSize') { $pkgFilter += '-gc' }
Expand Down Expand Up @@ -153,7 +154,7 @@ jobs:
parameters:
buildOutputPath: $(System.ArtifactsDirectory)\toBeSigned
signOutputPath: $(System.ArtifactsDirectory)\signed
certificateId: "CP-230012"
certificateId: "$(AUTHENTICODE_CERT)"
pattern: |
**\*.dll
**\*.psd1
Expand Down Expand Up @@ -278,7 +279,7 @@ jobs:
parameters:
buildOutputPath: $(System.ArtifactsDirectory)\pkgSigned
signOutputPath: $(Build.StagingDirectory)\signedPackages
certificateId: "CP-230012"
certificateId: "$(AUTHENTICODE_CERT)"
pattern: |
**\*.msi
useMinimatch: true
Expand Down Expand Up @@ -322,7 +323,7 @@ jobs:
parameters:
buildOutputPath: $(System.ArtifactsDirectory)\unsignedEngine
signOutputPath: $(System.ArtifactsDirectory)\signedEngine
certificateId: "CP-230012"
certificateId: "$(AUTHENTICODE_CERT)"
pattern: |
**\*.exe
useMinimatch: true
Expand Down