Migrate 3rd party signing to ESRP (#14010)
Co-authored-by: Robert Holt <rjmholt@gmail.com>
parent
52e2b58d7f
commit
5fd45eaa38
|
@ -14,7 +14,7 @@ jobs:
|
|||
condition: succeeded()
|
||||
dependsOn: ${{ parameters.parentJob }}
|
||||
pool:
|
||||
name: Package ES Standard Build
|
||||
vmImage: windows-latest
|
||||
variables:
|
||||
- name: BuildConfiguration
|
||||
value: ${{ parameters.BuildConfiguration }}
|
||||
|
@ -39,19 +39,6 @@ jobs:
|
|||
parameters:
|
||||
ReleaseTagVar: $(ReleaseTagVar)
|
||||
|
||||
- task: PkgESSetupBuild@10
|
||||
displayName: 'Initialize build'
|
||||
env:
|
||||
SYSTEM_ACCESSTOKEN: $(System.AccessToken)
|
||||
inputs:
|
||||
useDfs: false
|
||||
productName: PowerShellCore
|
||||
branchVersion: true
|
||||
disableWorkspace: true
|
||||
disableBuildTools: true
|
||||
disableNugetPack: true
|
||||
condition: and(succeeded(), eq(variables['SHOULD_SIGN'], 'true'))
|
||||
|
||||
- powershell: |
|
||||
$pkgFilter = if ( '$(Architecture)' -eq 'arm' ) {
|
||||
"arm32"
|
||||
|
@ -113,8 +100,8 @@ jobs:
|
|||
$null = New-Item -ItemType Directory -Path $signedFilesDirectory -Force
|
||||
|
||||
$itemsToCopyWithRecurse = @(
|
||||
"$($fullSymbolsFolder)\*.ps1"
|
||||
"$($fullSymbolsFolder)\Microsoft.PowerShell*.dll"
|
||||
"$($fullSymbolsFolder)\*.ps1"
|
||||
"$($fullSymbolsFolder)\Microsoft.PowerShell*.dll"
|
||||
)
|
||||
|
||||
$itemsToCopy = @{
|
||||
|
@ -125,6 +112,11 @@ jobs:
|
|||
"$($fullSymbolsFolder)\Modules\Microsoft.PowerShell.Diagnostics\Diagnostics.format.ps1xml" = "Modules\Microsoft.PowerShell.Diagnostics"
|
||||
"$($fullSymbolsFolder)\Modules\Microsoft.PowerShell.Diagnostics\Event.format.ps1xml" = "Modules\Microsoft.PowerShell.Diagnostics"
|
||||
"$($fullSymbolsFolder)\Modules\Microsoft.PowerShell.Diagnostics\GetEvent.types.ps1xml" = "Modules\Microsoft.PowerShell.Diagnostics"
|
||||
"$($fullSymbolsFolder)\Modules\Microsoft.PowerShell.Diagnostics\Microsoft.PowerShell.Diagnostics.psd1" = "Modules\Microsoft.PowerShell.Diagnostics"
|
||||
"$($fullSymbolsFolder)\Modules\Microsoft.PowerShell.Host\Microsoft.PowerShell.Host.psd1" = "Modules\Microsoft.PowerShell.Host"
|
||||
"$($fullSymbolsFolder)\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1" = "Modules\Microsoft.PowerShell.Management"
|
||||
"$($fullSymbolsFolder)\Modules\Microsoft.PowerShell.Security\Microsoft.PowerShell.Security.psd1" = "Modules\Microsoft.PowerShell.Security"
|
||||
"$($fullSymbolsFolder)\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1" = "Modules\Microsoft.PowerShell.Utility"
|
||||
"$($fullSymbolsFolder)\Modules\Microsoft.WSMan.Management\Microsoft.WSMan.Management.psd1" = "Modules\Microsoft.WSMan.Management"
|
||||
"$($fullSymbolsFolder)\Modules\Microsoft.WSMan.Management\WSMan.format.ps1xml" = "Modules\Microsoft.WSMan.Management"
|
||||
"$($fullSymbolsFolder)\Modules\PSDiagnostics\PSDiagnostics.ps?1" = "Modules\PSDiagnostics"
|
||||
|
@ -159,6 +151,7 @@ jobs:
|
|||
**\*.psm1
|
||||
**\*.ps1xml
|
||||
**\*.ps1
|
||||
**\*.exe
|
||||
useMinimatch: true
|
||||
|
||||
- pwsh: |
|
||||
|
@ -171,29 +164,40 @@ jobs:
|
|||
$dlls = Get-ChildItem $BuildPath\*.dll -Recurse
|
||||
$signatures = $dlls | Get-AuthenticodeSignature
|
||||
$missingSignatures = $signatures | Where-Object { $_.status -eq 'notsigned'}| select-object -ExpandProperty Path
|
||||
& "${env:REPOROOT}/tools/releaseBuild/generatePackgeSigning.ps1" -ThirdPartyFiles $missingSignatures -path "$(System.ArtifactsDirectory)\thirtdparty.xml"
|
||||
displayName: Create ThirdParty Signing Xml
|
||||
|
||||
Write-Verbose -verbose "to be signed:`r`n $($missingSignatures | Out-String)"
|
||||
|
||||
$filesToSignDirectory = "$(System.ArtifactsDirectory)\thirdPartyToBeSigned"
|
||||
$null = New-Item -ItemType Directory -Path $filesToSignDirectory -Force
|
||||
|
||||
$signedFilesDirectory = "$(System.ArtifactsDirectory)\thirdPartySigned"
|
||||
$null = New-Item -ItemType Directory -Path $signedFilesDirectory -Force
|
||||
|
||||
$missingSignatures | ForEach-Object {
|
||||
Copy-Item -Path $_ -Destination $filesToSignDirectory
|
||||
}
|
||||
|
||||
displayName: Create ThirdParty Signing Folder
|
||||
condition: and(succeeded(), eq(variables['SHOULD_SIGN'], 'true'))
|
||||
|
||||
- task: PkgESCodeSign@10
|
||||
displayName: 'CodeSign ThirdParty $(Architecture)'
|
||||
env:
|
||||
SYSTEM_ACCESSTOKEN: $(System.AccessToken)
|
||||
inputs:
|
||||
signConfigXml: '$(System.ArtifactsDirectory)\thirtdparty.xml'
|
||||
inPathRoot: '$(System.ArtifactsDirectory)\$(SymbolsFolder)'
|
||||
outPathRoot: '$(System.ArtifactsDirectory)\signedThirdParty'
|
||||
condition: and(succeeded(), eq(variables['SHOULD_SIGN'], 'true'))
|
||||
- template: EsrpSign.yml@ComplianceRepo
|
||||
parameters:
|
||||
buildOutputPath: $(System.ArtifactsDirectory)\thirdPartyToBeSigned
|
||||
signOutputPath: $(System.ArtifactsDirectory)\thirdPartySigned
|
||||
certificateId: "CP-231522"
|
||||
pattern: |
|
||||
**\*.dll
|
||||
useMinimatch: true
|
||||
|
||||
- powershell: |
|
||||
Get-ChildItem '$(System.ArtifactsDirectory)\signedThirdParty\*'
|
||||
Get-ChildItem '$(System.ArtifactsDirectory)\thirdPartySigned\*'
|
||||
displayName: Captrue ThirdParty Signed files
|
||||
condition: and(succeeded(), eq(variables['SHOULD_SIGN'], 'true'))
|
||||
|
||||
- powershell: |
|
||||
Import-Module $(PowerShellRoot)/build.psm1 -Force
|
||||
Import-Module $(PowerShellRoot)/tools/packaging -Force
|
||||
$signedFilesPath = '$(System.ArtifactsDirectory)\signedThirdParty\'
|
||||
$signedFilesPath = '$(System.ArtifactsDirectory)\thirdPartySigned'
|
||||
$BuildPath = '$(System.ArtifactsDirectory)\$(SymbolsFolder)'
|
||||
|
||||
Update-PSSignedBuildFolder -BuildPath $BuildPath -SignedFilesPath $SignedFilesPath
|
||||
|
|
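Review bot: The `Create ThirdParty Signing Folder` step picks only files whose Authenticode status is `notsigned` and copies them flat into `thirdPartyToBeSigned`, so a DLL with a present but invalid signature (for example `HashMismatch` or `NotTrusted`) is neither sent for signing nor reported. Because `$dlls` comes from a recursive `Get-ChildItem`, two DLLs with the same file name in different subfolders of `$BuildPath` would also overwrite each other silently in the flat folder. Nothing visible in this section re-checks signatures after `Update-PSSignedBuildFolder`, and whether that function verifies them is not shown here. I would fail the step on any unexpected status before the copy, e.g. `$bad = $signatures | Where-Object { $_.Status -notin 'Valid','NotSigned' }; if ($bad) { throw "Unexpected signature status: $($bad.Path -join ', ')" }`, and add a check for duplicate file names. The +/- markers are lost on this page, so which lines are new is inferred from the hunk counts and the commit title.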