Skip to content

[release/v7.2.9] Add authenticode signing for assemblies on linux builds #18920

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
TravisEz13 merged 27 commits into from
Jan 10, 2023
Merged

[release/v7.2.9] Add authenticode signing for assemblies on linux builds #18920

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
27 commits
Select commit Hold shift + click to select a range
1c90011
Split packaging to separate step
adityapatwardhan Oct 31, 2022
5834f45
Fix yaml download task
adityapatwardhan Oct 31, 2022
fa1efe1
fixes
adityapatwardhan Oct 31, 2022
6367134
Fix publish and download
adityapatwardhan Oct 31, 2022
ac70d03
Fixes
adityapatwardhan Oct 31, 2022
a060c41
Separate build and packaging
adityapatwardhan Oct 31, 2022
0e31c8e
Remove duplicate
adityapatwardhan Oct 31, 2022
5106387
Remove duplicate 2
adityapatwardhan Oct 31, 2022
986fa4f
Fix meta downloads and job deps
adityapatwardhan Nov 1, 2022
1197a18
Add alpine packaging
adityapatwardhan Nov 1, 2022
2da5e2f
Multiple fixes
adityapatwardhan Nov 1, 2022
ea311c4
Fix yaml condition
adityapatwardhan Nov 1, 2022
f57b7c2
Fix build types
adityapatwardhan Nov 1, 2022
c7413da
Fix build downloads
adityapatwardhan Nov 1, 2022
d6b76b2
Fix alpine and fxdependent packaging
adityapatwardhan Nov 1, 2022
4b4549e
Fix typo
adityapatwardhan Nov 1, 2022
e692c84
Fix fxd package name
adityapatwardhan Nov 1, 2022
988ab97
Add signing
adityapatwardhan Nov 1, 2022
aaa1084
Fix indent
adityapatwardhan Nov 1, 2022
3672749
Fix indent 2
adityapatwardhan Nov 1, 2022
84f95f4
Make signing a template
adityapatwardhan Nov 1, 2022
d05f56d
Call the correct template
adityapatwardhan Nov 1, 2022
c546209
Fix template
adityapatwardhan Nov 1, 2022
f8564a0
Fix variable name
adityapatwardhan Nov 1, 2022
fc9fac1
Use the correct artifacts to sign
adityapatwardhan Nov 1, 2022
dd07c54
Fix dependencies
adityapatwardhan Nov 2, 2022
a0ac103
Apply suggestions from code review
adityapatwardhan Nov 2, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
25 changes: 24 additions & 1 deletion tools/releaseBuild/azureDevOps/releaseBuild.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -100,7 +100,7 @@ stages:
- template: templates/linux.yml
parameters:
buildName: rpm
uploadDisplayName: Upload and Sign
parentJob: build_deb

- template: templates/linux.yml
parameters:
Expand All @@ -111,6 +111,29 @@ stages:
parameters:
buildName: alpine

- template: templates/linux-authenticode-sign.yml

- template: templates/linux-packaging.yml
parameters:
buildName: deb
parentJob: sign_linux_builds

- template: templates/linux-packaging.yml
parameters:
buildName: rpm
uploadDisplayName: Upload and Sign
parentJob: sign_linux_builds

- template: templates/linux-packaging.yml
parameters:
buildName: alpine
parentJob: sign_linux_builds

- template: templates/linux-packaging.yml
parameters:
buildName: fxdependent
parentJob: sign_linux_builds

- stage: windows
dependsOn: ['prep']
jobs:
Expand Down
127 changes: 127 additions & 0 deletions tools/releaseBuild/azureDevOps/templates/linux-authenticode-sign.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,127 @@
jobs:
- job: sign_linux_builds
displayName: Sign all linux builds
condition: succeeded()
pool:
name: PowerShell1ES
demands:
- ImageOverride -equals PSMMS2019-Secure
dependsOn: ['build_fxdependent', 'build_rpm']
variables:
- name: runCodesignValidationInjection
value: false
- name: NugetSecurityAnalysisWarningLevel
value: none
- group: ESRP

steps:
- checkout: self
clean: true

- task: DownloadPipelineArtifact@2
inputs:
artifact: pwshLinuxBuild
path: $(Build.ArtifactStagingDirectory)/pwshLinuxBuild
displayName: Download deb build

- task: DownloadPipelineArtifact@2
inputs:
artifact: pwshLinuxBuildMinSize
path: $(Build.ArtifactStagingDirectory)/pwshLinuxBuildMinSize
displayName: Download min-size build

- task: DownloadPipelineArtifact@2
inputs:
artifact: pwshLinuxBuildArm32
path: $(Build.ArtifactStagingDirectory)/pwshLinuxBuildArm32
displayName: Download arm32 build

- task: DownloadPipelineArtifact@2
inputs:
artifact: pwshLinuxBuildArm64
path: $(Build.ArtifactStagingDirectory)/pwshLinuxBuildArm64
displayName: Download arm64 build

- task: DownloadPipelineArtifact@2
inputs:
artifact: pwshMarinerBuildAmd64
path: $(Build.ArtifactStagingDirectory)/pwshMarinerBuildAmd64
displayName: Download mariner build

- task: DownloadPipelineArtifact@2
inputs:
artifact: pwshLinuxBuildAlpine
path: $(Build.ArtifactStagingDirectory)/pwshLinuxBuildAlpine
displayName: Download alpine build

- task: DownloadPipelineArtifact@2
inputs:
artifact: pwshLinuxBuildFxdependent
path: $(Build.ArtifactStagingDirectory)/pwshLinuxBuildFxdependent
displayName: Download fxdependent build

- template: SetVersionVariables.yml
parameters:
ReleaseTagVar: $(ReleaseTagVar)

- template: cloneToOfficialPath.yml

- template: insert-nuget-config-azfeed.yml
parameters:
repoRoot: $(PowerShellRoot)

- powershell: |
Set-Location $env:POWERSHELLROOT
import-module "$env:POWERSHELLROOT/build.psm1"
Sync-PSTags -AddRemoteIfMissing
displayName: SyncTags
condition: and(succeeded(), ne(variables['SkipBuild'], 'true'))

- checkout: ComplianceRepo
clean: true

- template: shouldSign.yml

- template: signBuildFiles.yml
parameters:
binLocation: pwshLinuxBuild
buildPrefixName: 'PowerShell Linux'

- template: signBuildFiles.yml
parameters:
binLocation: pwshLinuxBuildMinSize
buildPrefixName: 'PowerShell Linux Minimum Size'

- template: signBuildFiles.yml
parameters:
binLocation: pwshLinuxBuildArm32
buildPrefixName: 'PowerShell Linux Arm32'

- template: signBuildFiles.yml
parameters:
binLocation: pwshLinuxBuildArm64
buildPrefixName: 'PowerShell Linux Arm64'

- template: signBuildFiles.yml
parameters:
binLocation: pwshMarinerBuildAmd64
buildPrefixName: 'PowerShell Linux x64 Framework Dependent'

- template: signBuildFiles.yml
parameters:
binLocation: pwshLinuxBuildAlpine
buildPrefixName: 'PowerShell Linux Alpine x64'

- template: signBuildFiles.yml
parameters:
binLocation: pwshLinuxBuildFxdependent
buildPrefixName: 'PowerShell Linux Framework Dependent'

#- template: Sbom.yml@ComplianceRepo
# parameters:
# BuildDropPath: '$(System.ArtifactsDirectory)/$(BIN_LOCATION)'
# Build_Repository_Uri: $(Github_Build_Repository_Uri)
# displayName: ${{ parameters.buildName }} SBOM
# PackageName: $(PACKAGE_NAME)
# PackageVersion: $(Version)
# sourceScanPath: '$(PowerShellRoot)/tools'
Loading