
Commit bf10566

committed
Migrate 3rd party signing to ESRP (#14010)
Co-authored-by: Robert Holt <[email protected]> # Conflicts: # tools/releaseBuild/azureDevOps/templates/windows-packaging.yml # Conflicts: # tools/releaseBuild/azureDevOps/templates/windows-packaging.yml
1 parent 6ee7971 commit bf10566


1 file changed

+32
-28
lines changed


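--- a/tools/releaseBuild/azureDevOps/templates/windows-packaging.yml
+++ b/tools/releaseBuild/azureDevOps/templates/windows-packaging.yml
@@ -40,19 +40,6 @@ jobs:
 parameters:
 ReleaseTagVar: $(ReleaseTagVar)
 
-- task: PkgESSetupBuild@10
-displayName: 'Initialize build'
-env:
-SYSTEM_ACCESSTOKEN: $(System.AccessToken)
-inputs:
-useDfs: false
-productName: PowerShellCore
-branchVersion: true
-disableWorkspace: true
-disableBuildTools: true
-disableNugetPack: true
-condition: and(succeeded(), eq(variables['SHOULD_SIGN'], 'true'))
-
 - powershell: |
 $pkgFilter = if ( '$(Architecture)' -eq 'arm' ) {
 "arm32"
@@ -114,8 +101,8 @@ jobs:
 $null = New-Item -ItemType Directory -Path $signedFilesDirectory -Force
 
 $itemsToCopyWithRecurse = @(
-"$($fullSymbolsFolder)\*.ps1"
-"$($fullSymbolsFolder)\Microsoft.PowerShell*.dll"
+"$($fullSymbolsFolder)\*.ps1"
+"$($fullSymbolsFolder)\Microsoft.PowerShell*.dll"
 )
 
 $itemsToCopy = @{
@@ -126,6 +113,11 @@ jobs:
 "$($fullSymbolsFolder)\Modules\Microsoft.PowerShell.Diagnostics\Diagnostics.format.ps1xml" = "Modules\Microsoft.PowerShell.Diagnostics"
 "$($fullSymbolsFolder)\Modules\Microsoft.PowerShell.Diagnostics\Event.format.ps1xml" = "Modules\Microsoft.PowerShell.Diagnostics"
 "$($fullSymbolsFolder)\Modules\Microsoft.PowerShell.Diagnostics\GetEvent.types.ps1xml" = "Modules\Microsoft.PowerShell.Diagnostics"
+"$($fullSymbolsFolder)\Modules\Microsoft.PowerShell.Diagnostics\Microsoft.PowerShell.Diagnostics.psd1" = "Modules\Microsoft.PowerShell.Diagnostics"
+"$($fullSymbolsFolder)\Modules\Microsoft.PowerShell.Host\Microsoft.PowerShell.Host.psd1" = "Modules\Microsoft.PowerShell.Host"
+"$($fullSymbolsFolder)\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1" = "Modules\Microsoft.PowerShell.Management"
+"$($fullSymbolsFolder)\Modules\Microsoft.PowerShell.Security\Microsoft.PowerShell.Security.psd1" = "Modules\Microsoft.PowerShell.Security"
+"$($fullSymbolsFolder)\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1" = "Modules\Microsoft.PowerShell.Utility"
 "$($fullSymbolsFolder)\Modules\Microsoft.WSMan.Management\Microsoft.WSMan.Management.psd1" = "Modules\Microsoft.WSMan.Management"
 "$($fullSymbolsFolder)\Modules\Microsoft.WSMan.Management\WSMan.format.ps1xml" = "Modules\Microsoft.WSMan.Management"
 "$($fullSymbolsFolder)\Modules\PSDiagnostics\PSDiagnostics.ps?1" = "Modules\PSDiagnostics"
@@ -160,6 +152,7 @@ jobs:
 **\*.psm1
 **\*.ps1xml
 **\*.ps1
+**\*.exe
 useMinimatch: true
 
 - pwsh: |
@@ -172,29 +165,40 @@ jobs:
 $dlls = Get-ChildItem $BuildPath\*.dll -Recurse
 $signatures = $dlls | Get-AuthenticodeSignature
 $missingSignatures = $signatures | Where-Object { $_.status -eq 'notsigned'}| select-object -ExpandProperty Path
-& "${env:REPOROOT}/tools/releaseBuild/generatePackgeSigning.ps1" -ThirdPartyFiles $missingSignatures -path "$(System.ArtifactsDirectory)\thirtdparty.xml"
-displayName: Create ThirdParty Signing Xml
-condition: and(succeeded(), eq(variables['SHOULD_SIGN'], 'true'))
 
-- task: PkgESCodeSign@10
-displayName: 'CodeSign ThirdParty $(Architecture)'
-env:
-SYSTEM_ACCESSTOKEN: $(System.AccessToken)
-inputs:
-signConfigXml: '$(System.ArtifactsDirectory)\thirtdparty.xml'
-inPathRoot: '$(System.ArtifactsDirectory)\$(SymbolsFolder)'
-outPathRoot: '$(System.ArtifactsDirectory)\signedThirdParty'
+Write-Verbose -verbose "to be signed:`r`n $($missingSignatures | Out-String)"
+
+$filesToSignDirectory = "$(System.ArtifactsDirectory)\thirdPartyToBeSigned"
+$null = New-Item -ItemType Directory -Path $filesToSignDirectory -Force
+
+$signedFilesDirectory = "$(System.ArtifactsDirectory)\thirdPartySigned"
+$null = New-Item -ItemType Directory -Path $signedFilesDirectory -Force
+
+$missingSignatures | ForEach-Object {
+Copy-Item -Path $_ -Destination $filesToSignDirectory
+}
+
+displayName: Create ThirdParty Signing Folder
 condition: and(succeeded(), eq(variables['SHOULD_SIGN'], 'true'))
 
+- template: EsrpSign.yml@ComplianceRepo
+parameters:
+buildOutputPath: $(System.ArtifactsDirectory)\thirdPartyToBeSigned
+signOutputPath: $(System.ArtifactsDirectory)\thirdPartySigned
+certificateId: "CP-231522"
+pattern: |
+**\*.dll
+useMinimatch: true
+
 - powershell: |
-Get-ChildItem '$(System.ArtifactsDirectory)\signedThirdParty\*'
+Get-ChildItem '$(System.ArtifactsDirectory)\thirdPartySigned\*'
 displayName: Captrue ThirdParty Signed files
 condition: and(succeeded(), eq(variables['SHOULD_SIGN'], 'true'))
 
 - powershell: |
 Import-Module $(PowerShellRoot)/build.psm1 -Force
 Import-Module $(PowerShellRoot)/tools/packaging -Force
-$signedFilesPath = '$(System.ArtifactsDirectory)\signedThirdParty\'
+$signedFilesPath = '$(System.ArtifactsDirectory)\thirdPartySigned'
 $BuildPath = '$(System.ArtifactsDirectory)\$(SymbolsFolder)'
 
 Update-PSSignedBuildFolder -BuildPath $BuildPath -SignedFilesPath $SignedFilesPath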
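Review bot: The copy loop at new lines 177–179 flattens every unsigned DLL into `thirdPartyToBeSigned`, although `$dlls` is gathered with `-Recurse`, so two DLLs with the same file name in different subfolders overwrite each other and only one of them reaches the signing step. How `Update-PSSignedBuildFolder` maps signed files back onto `$BuildPath` is not visible here, but if it works from relative paths a flattened file would also land in the wrong place and leave the original unsigned in the package; mirroring the source layout in the staging folder, as sketched below, avoids both. The filter `$_.status -eq 'notsigned'` also passes over DLLs whose signature is present but not valid, and the visible follow-up step only lists the output, so a check that fails the build when any DLL under `$BuildPath` is not `Valid` after the merge would make an unsigned binary a build error instead of a silent ship. The script block this loop belongs to starts above the hunk, so `$BuildPath` is assumed to be defined there.

```yaml
# … unchanged: signature scan and creation of the two staging directories …
$missingSignatures | ForEach-Object {
  # Mirror the layout under $BuildPath so same-named DLLs cannot overwrite each other
  $relativePath = [System.IO.Path]::GetRelativePath($BuildPath, $_)
  $target = Join-Path -Path $filesToSignDirectory -ChildPath $relativePath
  $null = New-Item -ItemType Directory -Path (Split-Path -Path $target -Parent) -Force
  Copy-Item -Path $_ -Destination $target
}
```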
