From 27fff2c1a3e94a4257d8a8b61ad69318fbf36a92 Mon Sep 17 00:00:00 2001 From: "Dustin L. Howett" Date: Fri, 10 May 2024 15:54:56 -0500 Subject: [PATCH] build: move ESRP to a parameterized subtask which takes signingId (#17216) This centralized all our ESRP calls in one file, which will make it easier in the future when we are invariable required to change how we call it again. (cherry picked from commit 5ce7fb74036726c33eb5e565be2ae759aacd72a8) Service-Card-Id: 92577954 Service-Version: 1.20
---
 .../templates-v2/job-build-package-wpf.yml | 56 +++++++------- .../templates-v2/job-build-project.yml | 20 ++--- .../job-merge-msix-into-bundle.yml | 74 +++++++++---------- .../templates-v2/job-package-conpty.yml | 56 +++++++------- .../templates-v2/steps-esrp-signing.yml | 22 ++++++ 5 files changed, 117 insertions(+), 111 deletions(-) create mode 100644 build/pipelines/templates-v2/steps-esrp-signing.yml
diff --git a/build/pipelines/templates-v2/job-build-package-wpf.yml b/build/pipelines/templates-v2/job-build-package-wpf.yml
index a9656a65e68..dd547502e71 100644
--- a/build/pipelines/templates-v2/job-build-package-wpf.yml
+++ b/build/pipelines/templates-v2/job-build-package-wpf.yml
@@ -100,36 +100,32 @@ jobs: flattenFolders: true - ${{ if eq(parameters.codeSign, true) }}: - - task: EsrpCodeSigning@5 - displayName: Submit *.nupkg to ESRP for code signing - inputs: - ConnectedServiceName: ${{ parameters.signingIdentity.serviceName }} - AppRegistrationClientId: ${{ parameters.signingIdentity.appId }} - AppRegistrationTenantId: ${{ parameters.signingIdentity.tenantId }} - AuthAKVName: ${{ parameters.signingIdentity.akvName }} - AuthCertName: ${{ parameters.signingIdentity.authCertName }} - AuthSignCertName: ${{ parameters.signingIdentity.signCertName }} - FolderPath: $(Build.ArtifactStagingDirectory)/nupkg - Pattern: '*.nupkg' - UseMinimatch: true - signConfigType: inlineSignParams - inlineOperation: >- - [ - { - "KeyCode": "CP-401405", - "OperationCode": "NuGetSign", - "Parameters": {}, - "ToolName": "sign", - "ToolVersion": "1.0" - }, - { - "KeyCode": "CP-401405", - "OperationCode": "NuGetVerify", - "Parameters": {}, - "ToolName": "sign", - "ToolVersion": "1.0" - } - ] + - template: steps-esrp-signing.yml + parameters: + displayName: Submit *.nupkg to ESRP for code signing + signingIdentity: ${{ parameters.signingIdentity }} + inputs: + FolderPath: $(Build.ArtifactStagingDirectory)/nupkg + Pattern: '*.nupkg' + UseMinimatch: true + signConfigType: inlineSignParams + inlineOperation: >- + [ + { + "KeyCode": "CP-401405", + "OperationCode": "NuGetSign", + "Parameters": {}, + "ToolName": "sign", + "ToolVersion": "1.0" + }, + { + "KeyCode": "CP-401405", + "OperationCode": "NuGetVerify", + "Parameters": {}, + "ToolName": "sign", + "ToolVersion": "1.0" + } + ] - ${{ if eq(parameters.generateSbom, true) }}: - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0 diff --git a/build/pipelines/templates-v2/job-build-project.yml b/build/pipelines/templates-v2/job-build-project.yml index 02ea3aa9b8d..48f2f8ea034 100644 --- a/build/pipelines/templates-v2/job-build-project.yml 
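Review bot: The NuGetSign/NuGetVerify `inlineOperation` JSON handed to the new template here is still duplicated verbatim in job-package-conpty.yml (the `@@ -85,36` hunk), so a change to the NuGet `KeyCode` or to the operation list must still be made in two places. Since the commit's stated goal is a single place to change how ESRP is called, a follow-up could move the shared nupkg sign/verify operation into a second steps template (or behind a preset parameter on steps-esrp-signing.yml) so each caller passes only `FolderPath`. The `KeyCode`/`OperationCode` values are unchanged from the removed lines, so this is purely about where they live. The enclosing `${{ if eq(parameters.codeSign, true) }}` conditional and the job it belongs to start outside this hunk.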
+++ b/build/pipelines/templates-v2/job-build-project.yml @@ -238,18 +238,14 @@ jobs: # Code-sign everything we just put together. # We run the signing in Terminal.BinDir, because all of the signing batches are relative to the final architecture/configuration output folder. - - task: EsrpCodeSigning@5 - displayName: Submit Signing Request - inputs: - ConnectedServiceName: ${{ parameters.signingIdentity.serviceName }} - AppRegistrationClientId: ${{ parameters.signingIdentity.appId }} - AppRegistrationTenantId: ${{ parameters.signingIdentity.tenantId }} - AuthAKVName: ${{ parameters.signingIdentity.akvName }} - AuthCertName: ${{ parameters.signingIdentity.authCertName }} - AuthSignCertName: ${{ parameters.signingIdentity.signCertName }} - FolderPath: '$(Terminal.BinDir)' - signType: batchSigning - batchSignPolicyFile: '$(Build.SourcesDirectory)/ESRPSigningConfig.json' + - template: steps-esrp-signing.yml + parameters: + displayName: Submit Signing Request + signingIdentity: ${{ parameters.signingIdentity }} + inputs: + FolderPath: '$(Terminal.BinDir)' + signType: batchSigning + batchSignPolicyFile: '$(Build.SourcesDirectory)/ESRPSigningConfig.json' # We only need to re-pack the MSIX if we actually signed, so this can stay in the codeSign conditional - ${{ if or(parameters.buildTerminal, parameters.buildEverything) }}: diff --git a/build/pipelines/templates-v2/job-merge-msix-into-bundle.yml b/build/pipelines/templates-v2/job-merge-msix-into-bundle.yml index e3644e35bc7..f400e2cb121 100644 --- a/build/pipelines/templates-v2/job-merge-msix-into-bundle.yml +++ b/build/pipelines/templates-v2/job-merge-msix-into-bundle.yml 
@@ -97,45 +97,41 @@ jobs: displayName: Create msixbundle - ${{ if eq(parameters.codeSign, true) }}: - - task: EsrpCodeSigning@5 - displayName: Submit *.msixbundle to ESRP for code signing - inputs: - ConnectedServiceName: ${{ parameters.signingIdentity.serviceName }} - AppRegistrationClientId: ${{ parameters.signingIdentity.appId }} - AppRegistrationTenantId: ${{ parameters.signingIdentity.tenantId }} - AuthAKVName: ${{ parameters.signingIdentity.akvName }} - AuthCertName: ${{ parameters.signingIdentity.authCertName }} - AuthSignCertName: ${{ parameters.signingIdentity.signCertName }} - FolderPath: $(System.ArtifactsDirectory)\bundle - Pattern: $(BundleStemName)*.msixbundle - UseMinimatch: true - signConfigType: inlineSignParams - inlineOperation: >- - [ - { - "KeyCode": "Dynamic", - "CertTemplateName": "WINMSAPP1ST", - "CertSubjectName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US", - "OperationCode": "SigntoolSign", - "Parameters": { - "OpusName": "Microsoft", - "OpusInfo": "http://www.microsoft.com", - "FileDigest": "/fd \"SHA256\"", - "TimeStamp": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" - }, - "ToolName": "sign", - "ToolVersion": "1.0" - }, - { - "KeyCode": "Dynamic", - "CertTemplateName": "WINMSAPP1ST", - "CertSubjectName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US", - "OperationCode": "SigntoolVerify", - "Parameters": {}, - "ToolName": "sign", - "ToolVersion": "1.0" - } - ] + - template: steps-esrp-signing.yml + parameters: + displayName: Submit *.msixbundle to ESRP for code signing + signingIdentity: ${{ parameters.signingIdentity }} + inputs: + FolderPath: $(System.ArtifactsDirectory)\bundle + Pattern: $(BundleStemName)*.msixbundle + UseMinimatch: true + signConfigType: inlineSignParams + inlineOperation: >- + [ + { + "KeyCode": "Dynamic", + "CertTemplateName": "WINMSAPP1ST", + "CertSubjectName": "CN=Microsoft Corporation, O=Microsoft 
Corporation, L=Redmond, S=Washington, C=US", + "OperationCode": "SigntoolSign", + "Parameters": { + "OpusName": "Microsoft", + "OpusInfo": "http://www.microsoft.com", + "FileDigest": "/fd \"SHA256\"", + "TimeStamp": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" + }, + "ToolName": "sign", + "ToolVersion": "1.0" + }, + { + "KeyCode": "Dynamic", + "CertTemplateName": "WINMSAPP1ST", + "CertSubjectName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US", + "OperationCode": "SigntoolVerify", + "Parameters": {}, + "ToolName": "sign", + "ToolVersion": "1.0" + } + ] - ${{ if eq(parameters.generateSbom, true) }}: - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0 diff --git a/build/pipelines/templates-v2/job-package-conpty.yml b/build/pipelines/templates-v2/job-package-conpty.yml index e09775f8360..303bb998f5a 100644 --- a/build/pipelines/templates-v2/job-package-conpty.yml +++ b/build/pipelines/templates-v2/job-package-conpty.yml 
@@ -85,36 +85,32 @@ jobs: versionEnvVar: XES_PACKAGEVERSIONNUMBER - ${{ if eq(parameters.codeSign, true) }}: - - task: EsrpCodeSigning@5 - displayName: Submit *.nupkg to ESRP for code signing - inputs: - ConnectedServiceName: ${{ parameters.signingIdentity.serviceName }} - AppRegistrationClientId: ${{ parameters.signingIdentity.appId }} - AppRegistrationTenantId: ${{ parameters.signingIdentity.tenantId }} - AuthAKVName: ${{ parameters.signingIdentity.akvName }} - AuthCertName: ${{ parameters.signingIdentity.authCertName }} - AuthSignCertName: ${{ parameters.signingIdentity.signCertName }} - FolderPath: $(Build.ArtifactStagingDirectory)/nupkg - Pattern: '*.nupkg' - UseMinimatch: true - signConfigType: inlineSignParams - inlineOperation: >- - [ - { - "KeyCode": "CP-401405", - "OperationCode": "NuGetSign", - "Parameters": {}, - "ToolName": "sign", - "ToolVersion": "1.0" - }, - { - "KeyCode": "CP-401405", - "OperationCode": "NuGetVerify", - "Parameters": {}, - "ToolName": "sign", - "ToolVersion": "1.0" - } - ] + - template: steps-esrp-signing.yml + parameters: + displayName: Submit *.nupkg to ESRP for code signing + signingIdentity: ${{ parameters.signingIdentity }} + inputs: + FolderPath: $(Build.ArtifactStagingDirectory)/nupkg + Pattern: '*.nupkg' + UseMinimatch: true + signConfigType: inlineSignParams + inlineOperation: >- + [ + { + "KeyCode": "CP-401405", + "OperationCode": "NuGetSign", + "Parameters": {}, + "ToolName": "sign", + "ToolVersion": "1.0" + }, + { + "KeyCode": "CP-401405", + "OperationCode": "NuGetVerify", + "Parameters": {}, + "ToolName": "sign", + "ToolVersion": "1.0" + } + ] - ${{ if eq(parameters.generateSbom, true) }}: - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0 diff --git a/build/pipelines/templates-v2/steps-esrp-signing.yml b/build/pipelines/templates-v2/steps-esrp-signing.yml new file mode 100644 index 00000000000..9a8e6dbd9a7 --- /dev/null 
+++ b/build/pipelines/templates-v2/steps-esrp-signing.yml
@@ -0,0 +1,22 @@
+parameters:
+ - name: displayName
+ type: string
+ default: ESRP Code Signing
+ - name: inputs
+ type: object
+ default: {}
+ - name: signingIdentity
+ type: object
+ default: {}
+
+steps:
+ - task: EsrpCodeSigning@5
+ displayName: ${{ parameters.displayName }}
+ inputs:
+ ConnectedServiceName: ${{ parameters.signingIdentity.serviceName }}
+ AppRegistrationClientId: ${{ parameters.signingIdentity.appId }}
+ AppRegistrationTenantId: ${{ parameters.signingIdentity.tenantId }}
+ AuthAKVName: ${{ parameters.signingIdentity.akvName }}
+ AuthCertName: ${{ parameters.signingIdentity.authCertName }}
+ AuthSignCertName: ${{ parameters.signingIdentity.signCertName }}
+ ${{ insert }}: ${{ parameters.inputs }}
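Review bot: `signingIdentity` and `inputs` both default to `{}`, so a caller that omits either still gets an EsrpCodeSigning@5 step, just one whose `ConnectedServiceName`/`AuthCertName`/`AuthSignCertName` expand to empty strings and which has no `FolderPath`; that fails at run time inside the signing task instead of at template expansion. Dropping the two `default: {}` lines makes both parameters required (Azure Pipelines rejects a template call that omits a parameter without a default), which every caller in this commit already satisfies, and turns a missing identity into a pipeline compile error. Because `${{ insert }}: ${{ parameters.inputs }}` is spliced after the six identity inputs, a caller could presumably also pass its own `ConnectedServiceName` or `AuthSignCertName` through `inputs` and override the centralized identity, so the contract that `inputs` carries only folder/pattern/sign-config keys should be stated. The file has no comment at all; suggest opening it with `# Shared ESRP code-signing step: callers pass signingIdentity (serviceName, appId, tenantId, akvName, authCertName, signCertName) and only the task-specific inputs (FolderPath, Pattern, signConfigType/signType, ...); the identity inputs are set here so they exist in exactly one place.`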