
Commit bb6ebd1

committed
Move Linux to Esrp signing (#14210)
# Conflicts: # tools/releaseBuild/azureDevOps/templates/linux.yml # Conflicts: # tools/releaseBuild/azureDevOps/templates/linux.yml
1 parent bf10566 commit bb6ebd1


2 files changed

+50
-34
lines changed


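--- a/tools/releaseBuild/azureDevOps/templates/insert-nuget-config-azfeed.yml
+++ b/tools/releaseBuild/azureDevOps/templates/insert-nuget-config-azfeed.yml
@@ -1,9 +1,9 @@
 steps:
 - powershell: |
-Import-Module $(Build.SourcesDirectory)/build.psm1 -Force
-New-NugetConfigFile -NugetFeedUrl $(AzDevOpsFeed) -UserName $(AzDevOpsFeedUserName) -ClearTextPAT $(AzDevOpsFeedPAT) -FeedName AzDevOpsFeed -Destination $(Build.SourcesDirectory)/src/Modules
+Import-Module $env:REPOROOT/build.psm1 -Force
+New-NugetConfigFile -NugetFeedUrl $(AzDevOpsFeed) -UserName $(AzDevOpsFeedUserName) -ClearTextPAT $(AzDevOpsFeedPAT) -FeedName AzDevOpsFeed -Destination $env:REPOROOT/src/Modules
 
-if(-not (Test-Path "$(Build.SourcesDirectory)/src/Modules/nuget.config"))
+if(-not (Test-Path "$env:REPOROOT/src/Modules/nuget.config"))
 {
 throw "nuget.config is not created"
 }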
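Review bot: The touched `New-NugetConfigFile` line still expands `$(AzDevOpsFeedPAT)` into the inline script text unquoted, so the token ends up in the generated script on the agent and any PowerShell metacharacters in it would be parsed as code. If this variable is a secret (the name suggests a personal access token), map it through the step's environment and read it from there, e.g. an `env:` entry `AZ_FEED_PAT: $(AzDevOpsFeedPAT)` (name constructed for illustration) with `-ClearTextPAT $env:AZ_FEED_PAT`. The step's remaining keys fall outside this hunk, so an existing `env:` mapping cannot be ruled out. The script also now depends on `$env:REPOROOT` being set by an earlier step; an empty value would make the paths resolve from the filesystem root, so a guard such as `if (-not $env:REPOROOT) { throw 'REPOROOT is not set' }` before the import would fail early.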

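--- a/tools/releaseBuild/azureDevOps/templates/linux.yml
+++ b/tools/releaseBuild/azureDevOps/templates/linux.yml
@@ -7,11 +7,19 @@ jobs:
 - job: build_${{ parameters.buildName }}
 displayName: Build ${{ parameters.buildName }}
 condition: succeeded()
-pool: Hosted Ubuntu 1604
+pool:
+vmImage: ubuntu-16.04
 dependsOn: ${{ parameters.parentJob }}
 variables:
-build: ${{ parameters.buildName }}
+- name: runCodesignValidationInjection
+value: false
+- name: build
+value: ${{ parameters.buildName }}
+- group: ESRP
+
 steps:
+- checkout: self
+clean: true
 
 - template: SetVersionVariables.yml
 parameters:
@@ -34,13 +42,13 @@ jobs:
 
 
 - powershell: |
-import-module ./build.psm1
+import-module "$env:REPOROOT/build.psm1"
 Sync-PSTags -AddRemoteIfMissing
 displayName: SyncTags
 condition: and(succeeded(), ne(variables['SkipBuild'], 'true'))
 
 - powershell: |
-tools/releaseBuild/vstsbuild.ps1 -ReleaseTag $(ReleaseTagVar) -Name '$(build)'
+& "$env:REPOROOT/tools/releaseBuild/vstsbuild.ps1" -ReleaseTag $(ReleaseTagVar) -Name '$(build)'
 
 displayName: 'Build and package'
 condition: and(succeeded(), ne(variables['SkipBuild'], 'true'))
@@ -49,10 +57,19 @@ jobs:
 displayName: ${{ parameters.uploadDisplayName }} ${{ parameters.buildName }}
 dependsOn: build_${{ parameters.buildName }}
 condition: succeeded()
-pool: Package ES Standard Build
+pool:
+vmImage: windows-latest
 variables:
-buildName: ${{ parameters.buildName }}
+- name: buildName
+value: ${{ parameters.buildName }}
+- group: ESRP
+
 steps:
+- checkout: self
+clean: true
+
+- checkout: ComplianceRepo
+clean: true
 
 - template: shouldSign.yml
 
@@ -83,32 +100,29 @@ jobs:
 downloadPath: '$(System.ArtifactsDirectory)\rpm'
 condition: and(eq(variables['buildName'], 'RPM'),succeeded())
 
-- task: securedevelopmentteam.vss-secure-development-tools.build-task-antimalware.AntiMalware@3
-displayName: 'Run Defender Scan'
-
-- powershell: |
-$authenticodefiles = @()
-Get-ChildItem -Path '$(System.ArtifactsDirectory)\rpm\*.rpm' -recurse | ForEach-Object { $authenticodefiles += $_.FullName}
-tools/releaseBuild/generatePackgeSigning.ps1 -LinuxFiles $authenticodeFiles -path "$(System.ArtifactsDirectory)\package.xml"
-displayName: 'Generate RPM Signing Xml'
-condition: and(and(succeeded(), eq(variables['SHOULD_SIGN'], 'true')),eq(variables['buildName'], 'RPM'))
-
-- powershell: |
-Get-Content "$(System.ArtifactsDirectory)\package.xml"
-displayName: 'Capture RPM signing xml'
-condition: and(and(succeeded(), eq(variables['SHOULD_SIGN'], 'true')),eq(variables['buildName'], 'RPM'))
-
-- task: PkgESCodeSign@10
-displayName: 'CodeSign RPM $(System.ArtifactsDirectory)\package.xml'
-env:
-SYSTEM_ACCESSTOKEN: $(System.AccessToken)
+- task: SFP.build-tasks.custom-build-task-2.EsrpMalwareScanning@1
+displayName: 'Malware Scanning'
 inputs:
-signConfigXml: '$(System.ArtifactsDirectory)\package.xml'
-outPathRoot: '$(Build.StagingDirectory)\signedPackages'
-binVersion: $(SigingVersion)
-binVersionOverride: $(SigningVersionOverride)
-condition: and(and(succeeded(), eq(variables['SHOULD_SIGN'], 'true')),eq(variables['buildName'], 'RPM'))
-
+ConnectedServiceName: pwshEsrpScanning
+FolderPath: $(System.ArtifactsDirectory)
+Pattern: |
+**\*.rpm
+**\*.deb
+**\*.tar.gz
+UseMinimatch: true
+SessionTimeout: 30
+
+- ${{ if eq(variables['buildName'], 'RPM') }}:
+- template: EsrpSign.yml@ComplianceRepo
+parameters:
+buildOutputPath: $(System.ArtifactsDirectory)\rpm
+signOutputPath: $(Build.StagingDirectory)\signedPackages
+certificateId: "CP-450779-Pgp"
+pattern: |
+**\*.rpm
+useMinimatch: true
+
+# requires windows
 - task: AzureFileCopy@4
 displayName: 'Upload to Azure - DEB and tar.gz'
 inputs:
@@ -122,6 +136,7 @@ jobs:
 parameters:
 artifactPath: $(System.ArtifactsDirectory)\finished\release
 
+# requires windows
 - task: AzureFileCopy@4
 displayName: 'Upload to Azure - RPM - Unsigned'
 inputs:
@@ -132,6 +147,7 @@ jobs:
 ContainerName: '$(AzureVersion)'
 condition: and(and(succeeded(), ne(variables['SHOULD_SIGN'], 'true')),eq(variables['buildName'], 'RPM'))
 
+# requires windows
 - task: AzureFileCopy@4
 displayName: 'Upload to Azure - RPM - Signed'
 inputs: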
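Review bot: The new signing include at `- ${{ if eq(variables['buildName'], 'RPM') }}:` is gated only at template-expansion time and no longer shows the `eq(variables['SHOULD_SIGN'], 'true')` runtime condition that the removed PkgESCodeSign step carried, while the later 'Upload to Azure - RPM - Signed' and '- Unsigned' steps still branch on SHOULD_SIGN. Unless EsrpSign.yml (in ComplianceRepo, not visible here) checks SHOULD_SIGN itself, signing with `CP-450779-Pgp` may run on builds that are then uploaded as unsigned, so a comment stating where that gate is enforced would document the intent. Gating on the parameter directly, `- ${{ if eq(parameters.buildName, 'RPM') }}:`, avoids depending on how the job-scoped variable resolves at compile time. The `ComplianceRepo` resource is declared outside this diff; since the signing logic now comes from that repository, it is worth confirming its ref is pinned.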
