Skip to content

[release/v7.3.0] Add authenticode signing for assemblies on linux builds #18449

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
TravisEz13 merged 27 commits into from
Nov 3, 2022
Merged

[release/v7.3.0] Add authenticode signing for assemblies on linux builds #18449

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
27 commits
Select commit Hold shift + click to select a range
5e53b19
Split packaging to separate step
adityapatwardhan Oct 31, 2022
8cbb734
Fix yaml download task
adityapatwardhan Oct 31, 2022
44cd8c5
fixes
adityapatwardhan Oct 31, 2022
ce77e28
Fix publish and download
adityapatwardhan Oct 31, 2022
01566b2
Fixes
adityapatwardhan Oct 31, 2022
a2cbcd5
Separate build and packaging
adityapatwardhan Oct 31, 2022
dd87bc3
Remove duplicate
adityapatwardhan Oct 31, 2022
c8c585a
Remove duplicate 2
adityapatwardhan Oct 31, 2022
9d968b5
Fix meta downloads and job deps
adityapatwardhan Nov 1, 2022
ee330e8
Add alpine packaging
adityapatwardhan Nov 1, 2022
c4db27d
Multiple fixes
adityapatwardhan Nov 1, 2022
ff18e85
Fix yaml condition
adityapatwardhan Nov 1, 2022
7975753
Fix build types
adityapatwardhan Nov 1, 2022
2185872
Fix build downloads
adityapatwardhan Nov 1, 2022
ab8c8ed
Fix alpine and fxdependent packaging
adityapatwardhan Nov 1, 2022
a38db12
Fix typo
adityapatwardhan Nov 1, 2022
4cb9a2d
Fix fxd package name
adityapatwardhan Nov 1, 2022
b779828
Add signing
adityapatwardhan Nov 1, 2022
a09b235
Fix indent
adityapatwardhan Nov 1, 2022
04c9a61
Fix indent 2
adityapatwardhan Nov 1, 2022
d191053
Make signing a template
adityapatwardhan Nov 1, 2022
421eb50
Call the correct template
adityapatwardhan Nov 1, 2022
3514774
Fix template
adityapatwardhan Nov 1, 2022
6298127
Fix variable name
adityapatwardhan Nov 1, 2022
dba429e
Use the correct artifacts to sign
adityapatwardhan Nov 1, 2022
0f20d54
Fix dependencies
adityapatwardhan Nov 2, 2022
23b7f36
Apply suggestions from code review
adityapatwardhan Nov 2, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
25 changes: 24 additions & 1 deletion tools/releaseBuild/azureDevOps/releaseBuild.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -100,7 +100,7 @@ stages:
- template: templates/linux.yml
parameters:
buildName: rpm
uploadDisplayName: Upload and Sign
parentJob: build_deb

- template: templates/linux.yml
parameters:
Expand All @@ -111,6 +111,29 @@ stages:
parameters:
buildName: alpine

- template: templates/linux-authenticode-sign.yml

- template: templates/linux-packaging.yml
parameters:
buildName: deb
parentJob: sign_linux_builds

- template: templates/linux-packaging.yml
parameters:
buildName: rpm
uploadDisplayName: Upload and Sign
parentJob: sign_linux_builds

- template: templates/linux-packaging.yml
parameters:
buildName: alpine
parentJob: sign_linux_builds

- template: templates/linux-packaging.yml
parameters:
buildName: fxdependent
parentJob: sign_linux_builds

- stage: windows
dependsOn: ['prep']
jobs:
Expand Down
127 changes: 127 additions & 0 deletions tools/releaseBuild/azureDevOps/templates/linux-authenticode-sign.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,127 @@
jobs:
- job: sign_linux_builds
displayName: Sign all linux builds
condition: succeeded()
pool:
name: PowerShell1ES
demands:
- ImageOverride -equals PSMMS2019-Secure
dependsOn: ['build_fxdependent', 'build_rpm']
variables:
- name: runCodesignValidationInjection
value: false
- name: NugetSecurityAnalysisWarningLevel
value: none
- group: ESRP

steps:
- checkout: self
clean: true

- task: DownloadPipelineArtifact@2
inputs:
artifact: pwshLinuxBuild
path: $(Build.ArtifactStagingDirectory)/pwshLinuxBuild
displayName: Download deb build

- task: DownloadPipelineArtifact@2
inputs:
artifact: pwshLinuxBuildMinSize
path: $(Build.ArtifactStagingDirectory)/pwshLinuxBuildMinSize
displayName: Download min-size build

- task: DownloadPipelineArtifact@2
inputs:
artifact: pwshLinuxBuildArm32
path: $(Build.ArtifactStagingDirectory)/pwshLinuxBuildArm32
displayName: Download arm32 build

- task: DownloadPipelineArtifact@2
inputs:
artifact: pwshLinuxBuildArm64
path: $(Build.ArtifactStagingDirectory)/pwshLinuxBuildArm64
displayName: Download arm64 build

- task: DownloadPipelineArtifact@2
inputs:
artifact: pwshMarinerBuildAmd64
path: $(Build.ArtifactStagingDirectory)/pwshMarinerBuildAmd64
displayName: Download mariner build

- task: DownloadPipelineArtifact@2
inputs:
artifact: pwshLinuxBuildAlpine
path: $(Build.ArtifactStagingDirectory)/pwshLinuxBuildAlpine
displayName: Download alpine build

- task: DownloadPipelineArtifact@2
inputs:
artifact: pwshLinuxBuildFxdependent
path: $(Build.ArtifactStagingDirectory)/pwshLinuxBuildFxdependent
displayName: Download fxdependent build

- template: SetVersionVariables.yml
parameters:
ReleaseTagVar: $(ReleaseTagVar)

- template: cloneToOfficialPath.yml

- template: insert-nuget-config-azfeed.yml
parameters:
repoRoot: $(PowerShellRoot)

- powershell: |
Set-Location $env:POWERSHELLROOT
import-module "$env:POWERSHELLROOT/build.psm1"
Sync-PSTags -AddRemoteIfMissing
displayName: SyncTags
condition: and(succeeded(), ne(variables['SkipBuild'], 'true'))

- checkout: ComplianceRepo
clean: true

- template: shouldSign.yml

- template: signBuildFiles.yml
parameters:
binLocation: pwshLinuxBuild
buildPrefixName: 'PowerShell Linux'

- template: signBuildFiles.yml
parameters:
binLocation: pwshLinuxBuildMinSize
buildPrefixName: 'PowerShell Linux Minimum Size'

- template: signBuildFiles.yml
parameters:
binLocation: pwshLinuxBuildArm32
buildPrefixName: 'PowerShell Linux Arm32'

- template: signBuildFiles.yml
parameters:
binLocation: pwshLinuxBuildArm64
buildPrefixName: 'PowerShell Linux Arm64'

- template: signBuildFiles.yml
parameters:
binLocation: pwshMarinerBuildAmd64
buildPrefixName: 'PowerShell Linux x64 Framework Dependent'

- template: signBuildFiles.yml
parameters:
binLocation: pwshLinuxBuildAlpine
buildPrefixName: 'PowerShell Linux Alpine x64'

- template: signBuildFiles.yml
parameters:
binLocation: pwshLinuxBuildFxdependent
buildPrefixName: 'PowerShell Linux Framework Dependent'

#- template: Sbom.yml@ComplianceRepo
# parameters:
# BuildDropPath: '$(System.ArtifactsDirectory)/$(BIN_LOCATION)'
# Build_Repository_Uri: $(Github_Build_Repository_Uri)
# displayName: ${{ parameters.buildName }} SBOM
# PackageName: $(PACKAGE_NAME)
# PackageVersion: $(Version)
# sourceScanPath: '$(PowerShellRoot)/tools'
Loading