Sign individual files in pkg (#13392)

Co-authored-by: Aditya Patwardhan <adityap@microsoft.com>
2020-08-11 14:01:47 -07:00 · 2020-08-11 14:01:47 -07:00 · a00741e6c7
parent 46efd38ef5
commit a00741e6c7
8 changed files with 423 additions and 166 deletions
--- a/tools/packaging/packaging.psm1
+++ b/tools/packaging/packaging.psm1
@ -676,13 +676,14 @@ function Expand-PSSignedBuild
    # That zip file is used for compliance scan.
    Remove-Item -Path (Join-Path -Path $buildPath -ChildPath '*.zip') -Recurse

-    if ($SkipPwshExeCheck)
-    {
-        $windowsExecutablePath = (Join-Path $buildPath -ChildPath 'pwsh.dll')
-    }
-    else
-    {
-        $windowsExecutablePath = (Join-Path $buildPath -ChildPath 'pwsh.exe')
+    if ($SkipPwshExeCheck) {
+        $executablePath = (Join-Path $buildPath -ChildPath 'pwsh.dll')
+    } else {
+        if ($IsMacOS -or $IsLinux) {
+            $executablePath = (Join-Path $buildPath -ChildPath 'pwsh')
+        } else {
+            $executablePath = (Join-Path $buildPath -ChildPath 'pwsh.exe')
+        }
    }

    Restore-PSModuleToBuild -PublishPath $buildPath
@ -694,12 +695,9 @@ function Expand-PSSignedBuild

    $options.PSModuleRestore = $true

-    if (Test-Path -Path $windowsExecutablePath)
-    {
-        $options.Output = $windowsExecutablePath
-    }
-    else
-    {
+    if (Test-Path -Path $executablePath) {
+        $options.Output = $executablePath
+    } else {
        throw 'Could not find pwsh'
    }

--- a/tools/releaseBuild/azureDevOps/releaseBuild.yml
+++ b/tools/releaseBuild/azureDevOps/releaseBuild.yml
@ -19,147 +19,146 @@ resources:
 - repo: self
  clean: true

-jobs:
- template: templates/checkAzureContainer.yml
+stages:
+  - stage: prep
+    jobs:
+      - template: templates/checkAzureContainer.yml

- template: templates/linux.yml
-  parameters:
-    buildName: deb
-    parentJob: DeleteBlob
+  - stage: macos
+    dependsOn: ['prep']
+    jobs:
+      - template: templates/mac.yml

- template: templates/linux.yml
-  parameters:
-    buildName: rpm
-    uploadDisplayName: Upload and Sign
-    parentJob: DeleteBlob
+      - template: templates/mac-file-signing.yml
+        parameters:
+          parentJob: build_macOS

- template: templates/linux.yml
-  parameters:
-    buildName: fxdependent
-    parentJob: DeleteBlob
+      - template: templates/mac-package-build.yml
+        parameters:
+          parentJob: MacFileSigningJob

- template: templates/linux.yml
-  parameters:
-    buildName: alpine
-    parentJob: DeleteBlob
+      - template: templates/mac-package-signing.yml
+        parameters:
+          parentJob: package_macOS

- template: templates/mac.yml
-  parameters:
-    parentJob: DeleteBlob
+  - stage: linux
+    dependsOn: ['prep']
+    jobs:
+      - template: templates/linux.yml
+        parameters:
+          buildName: deb

- template: templates/windows-hosted-build.yml
-  parameters:
-    Architecture: x64
-    parentJob: DeleteBlob
+      - template: templates/linux.yml
+        parameters:
+          buildName: rpm
+          uploadDisplayName: Upload and Sign

- template: templates/windows-hosted-build.yml
-  parameters:
-    Architecture: x86
-    parentJob: DeleteBlob
+      - template: templates/linux.yml
+        parameters:
+          buildName: fxdependent
+          parentJob: build_deb

- template: templates/windows-hosted-build.yml
-  parameters:
-    Architecture: arm
-    parentJob: DeleteBlob
+      - template: templates/linux.yml
+        parameters:
+          buildName: alpine

- template: templates/windows-hosted-build.yml
-  parameters:
-    Architecture: arm64
-    parentJob: DeleteBlob
+  - stage: windows
+    dependsOn: ['prep']
+    jobs:
+      - template: templates/windows-hosted-build.yml
+        parameters:
+          Architecture: x64

- template: templates/windows-hosted-build.yml
-  parameters:
-    Architecture: fxdependent
-    parentJob: DeleteBlob
+      - template: templates/windows-hosted-build.yml
+        parameters:
+          Architecture: x86

- template: templates/windows-hosted-build.yml
-  parameters:
-    Architecture: fxdependentWinDesktop
-    parentJob: DeleteBlob
+      - template: templates/windows-hosted-build.yml
+        parameters:
+          Architecture: arm

- template: templates/windows-packaging.yml
-  parameters:
-    Architecture: x64
-    parentJob: build_windows_x64
+      - template: templates/windows-hosted-build.yml
+        parameters:
+          Architecture: arm64

- template: templates/windows-packaging.yml
-  parameters:
-    Architecture: x86
-    parentJob: build_windows_x86
+      - template: templates/windows-hosted-build.yml
+        parameters:
+          Architecture: fxdependent

- template: templates/windows-packaging.yml
-  parameters:
-    Architecture: arm
-    parentJob: build_windows_arm
+      - template: templates/windows-hosted-build.yml
+        parameters:
+          Architecture: fxdependentWinDesktop

- template: templates/windows-packaging.yml
-  parameters:
-    Architecture: arm64
-    parentJob: build_windows_arm64
+      - template: templates/windows-packaging.yml
+        parameters:
+          Architecture: x64
+          parentJob: build_windows_x64

- template: templates/windows-packaging.yml
-  parameters:
-    Architecture: fxdependent
-    parentJob: build_windows_fxdependent
+      - template: templates/windows-packaging.yml
+        parameters:
+          Architecture: x86
+          parentJob: build_windows_x86

- template: templates/windows-packaging.yml
-  parameters:
-    Architecture: fxdependentWinDesktop
-    parentJob: build_windows_fxdependentWinDesktop
+      - template: templates/windows-packaging.yml
+        parameters:
+          Architecture: arm
+          parentJob: build_windows_arm

- template: templates/windows-package-signing.yml
-  parameters:
-    parentJobs:
-      - sign_windows_x64
-      - sign_windows_x86
-      - sign_windows_arm
-      - sign_windows_arm64
-      - sign_windows_fxdependent
-      - sign_windows_fxdependentWinDesktop
+      - template: templates/windows-packaging.yml
+        parameters:
+          Architecture: arm64
+          parentJob: build_windows_arm64

- template: templates/mac-package-signing.yml
+      - template: templates/windows-packaging.yml
+        parameters:
+          Architecture: fxdependent
+          parentJob: build_windows_fxdependent

- template: templates/compliance.yml
-  parameters:
-    parentJobs:
-      - build_windows_x64
-      - build_windows_x86
-      - build_windows_fxdependent
-      - build_windows_fxdependentWinDesktop
+      - template: templates/windows-packaging.yml
+        parameters:
+          Architecture: fxdependentWinDesktop
+          parentJob: build_windows_fxdependentWinDesktop

- template: templates/nuget.yml
-  parameters:
-    parentJobs:
-      - WinPackageSigningJob
-      - upload_deb
-      - upload_rpm
-      - upload_alpine
-      - build_macOS
+      - template: templates/windows-package-signing.yml
+        parameters:
+          parentJobs:
+            - sign_windows_x64
+            - sign_windows_x86
+            - sign_windows_arm
+            - sign_windows_arm64
+            - sign_windows_fxdependent
+            - sign_windows_fxdependentWinDesktop

- template: templates/json.yml
-  parameters:
-    parentJobs:
-      - WinPackageSigningJob
-      - upload_deb
-      - upload_rpm
-      - upload_alpine
-      - MacPackageSigningJob
+  - stage: compliance
+    dependsOn: ['windows']
+    jobs:
+      - template: templates/compliance.yml

- template: templates/testartifacts.yml
+  - stage: nuget_and_json
+    dependsOn: ['windows','linux','macOS']
+    jobs:
+      - template: templates/nuget.yml

- job: release_json
-  displayName: Create and Upload release.json
-  pool:
-    vmImage: 'windows-latest'
-  steps:
-  - template: templates/SetVersionVariables.yml
-    parameters:
-      ReleaseTagVar: $(ReleaseTagVar)
+      - template: templates/json.yml

-  - powershell: |
-      $metadata = Get-Content '$(Build.SourcesDirectory)/tools/metadata.json' -Raw | ConvertFrom-Json
-      $LTS = $metadata.LTSRelease
-      @{ ReleaseVersion = "$(Version)"; LTSRelease = $LTS } | ConvertTo-Json | Out-File "$(Build.StagingDirectory)\release.json"
-      Get-Content "$(Build.StagingDirectory)\release.json"
-      Write-Host "##vso[artifact.upload containerfolder=metadata;artifactname=metadata]$(Build.StagingDirectory)\release.json"
-    displayName: Create and upload release.json file to build artifact
+  - stage: test_and_release_artifacts
+    dependsOn: ['prep']
+    jobs:
+      - template: templates/testartifacts.yml
+
+      - job: release_json
+        displayName: Create and Upload release.json
+        pool:
+          vmImage: 'windows-latest'
+        steps:
+        - template: templates/SetVersionVariables.yml
+          parameters:
+            ReleaseTagVar: $(ReleaseTagVar)
+
+        - powershell: |
+            $metadata = Get-Content '$(Build.SourcesDirectory)/tools/metadata.json' -Raw | ConvertFrom-Json
+            $LTS = $metadata.LTSRelease
+            @{ ReleaseVersion = "$(Version)"; LTSRelease = $LTS } | ConvertTo-Json | Out-File "$(Build.StagingDirectory)\release.json"
+            Get-Content "$(Build.StagingDirectory)\release.json"
+            Write-Host "##vso[artifact.upload containerfolder=metadata;artifactname=metadata]$(Build.StagingDirectory)\release.json"
+          displayName: Create and upload release.json file to build artifact
--- a/tools/releaseBuild/azureDevOps/templates/mac-file-signing.yml
+++ b/tools/releaseBuild/azureDevOps/templates/mac-file-signing.yml
@ -0,0 +1,108 @@
+parameters:
+    parentJob: ''
+
+jobs:
+  - job: MacFileSigningJob
+    displayName: macOS File signing
+    dependsOn: ${{ parameters.parentJob }}
+    condition: succeeded()
+    pool:
+      name: Package ES Standard Build
+    variables:
+      BuildConfiguration: release
+      BuildPlatform: any cpu
+
+    steps:
+
+    - template: shouldSign.yml
+
+    - template: SetVersionVariables.yml
+      parameters:
+        ReleaseTagVar: $(ReleaseTagVar)
+
+    - task: DownloadBuildArtifacts@0
+      inputs:
+        artifactName: 'macosBinResults'
+        itemPattern: '**/*.zip'
+        downloadPath: '$(System.ArtifactsDirectory)\Symbols'
+
+    - pwsh: |
+        Get-ChildItem "$(System.ArtifactsDirectory)\*" -Recurse
+      displayName: 'Capture Downloaded Artifacts'
+      # Diagnostics is not critical it passes every time it runs
+      continueOnError: true
+
+    - pwsh: |
+        $zipPath = Get-Item '$(System.ArtifactsDirectory)\Symbols\macosBinResults\*symbol*.zip'
+        Write-Verbose -Verbose "Zip Path: $zipPath"
+
+        $expandedFolder = $zipPath.BaseName
+        Write-Host "sending.. vso[task.setvariable variable=SymbolsFolder]$expandedFolder"
+        Write-Host "##vso[task.setvariable variable=SymbolsFolder]$expandedFolder"
+
+        Expand-Archive -Path $zipPath -Destination "$(System.ArtifactsDirectory)\$expandedFolder" -Force
+      displayName: Expand symbols zip
+
+    - pwsh: |
+        Get-ChildItem "$(System.ArtifactsDirectory)\*" -Recurse
+      displayName: 'Capture artifacts dir Binaries'
+
+    - pwsh: |
+        Get-ChildItem "$(System.ArtifactsDirectory)\$(SymbolsFolder)" -Recurse -Include pwsh, *.dylib
+      displayName: 'Capture Expanded Binaries'
+      # Diagnostics is not critical it passes every time it runs
+      continueOnError: true
+
+    - pwsh: |
+        $null = new-item -type directory -path "$(Build.StagingDirectory)\macos"
+        $zipFile = "$(Build.StagingDirectory)\macos\powershell-files-$(Version)-osx-x64.zip"
+        Get-ChildItem "$(System.ArtifactsDirectory)\$(SymbolsFolder)" -Recurse -Include pwsh, *.dylib |
+          Compress-Archive -Destination $zipFile
+        Write-Host $zipFile
+      displayName: 'Compress macOS binary files'
+
+    - pwsh: |
+        $pkgFiles = "$(Build.StagingDirectory)\macos\powershell-files-$(Version)-osx-x64.zip", "$(Build.StagingDirectory)\macos\powershell-lts-$(Version)-osx-x64.zip"
+        tools/releaseBuild/generatePackgeSigning.ps1 -MacDeveloperFiles $pkgFiles -path "$(System.ArtifactsDirectory)\package.xml"
+      displayName: 'Generate macOS binary Signing Xml'
+
+    - pwsh: |
+        Get-Content "$(System.ArtifactsDirectory)\package.xml"
+      displayName: 'Capture macOS signing xml'
+      # Diagnostics is not critical it passes every time it runs
+      continueOnError: true
+
+    - task: PkgESCodeSign@10
+      displayName: 'CodeSign $(System.ArtifactsDirectory)\package.xml'
+      env:
+        SYSTEM_ACCESSTOKEN: $(System.AccessToken)
+      inputs:
+        signConfigXml: '$(System.ArtifactsDirectory)\package.xml'
+        outPathRoot: '$(Build.StagingDirectory)\signedMacOSPackages'
+        binVersion: $(SigingVersion)
+        binVersionOverride: $(SigningVersionOverride)
+      condition: and(succeeded(), eq(variables['SHOULD_SIGN'], 'true'))
+
+    - pwsh: |
+        $destination = "$(System.ArtifactsDirectory)\azureMacOs"
+        New-Item -Path $destination -Type Directory
+        $zipPath = Get-ChildItem "$(Build.StagingDirectory)\signedMacOSPackages\powershell-*.zip" -Recurse | select-object -expandproperty fullname
+        foreach ($z in $zipPath) { Expand-Archive -Path $z -DestinationPath $destination }
+      displayName: 'Extract and copy macOS artifacts for upload'
+      condition: and(succeeded(), eq(variables['SHOULD_SIGN'], 'true'))
+
+    - template: upload-final-results.yml
+      parameters:
+        artifactPath: $(System.ArtifactsDirectory)\azureMacOs
+        artifactFilter: "*"
+        artifactName: signedMacOsBins
+        condition: and(succeeded(), eq(variables['SHOULD_SIGN'], 'true'))
+
+    - task: securedevelopmentteam.vss-secure-development-tools.build-task-antimalware.AntiMalware@3
+      displayName: 'Run Defender Scan'
+
+    - task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
+      displayName: 'Component Detection'
+      inputs:
+        sourceScanPath: '$(Build.SourcesDirectory)'
+        snapshotForceEnabled: true
--- a/tools/releaseBuild/azureDevOps/templates/mac-package-build.yml
+++ b/tools/releaseBuild/azureDevOps/templates/mac-package-build.yml
@ -0,0 +1,110 @@
+parameters:
+  parentJob: ''
+  jobName: 'package_macOS'
+
+jobs:
+- job: ${{ parameters.jobName }}
+  displayName: Package macOS
+  dependsOn: ${{ parameters.parentJob }}
+  condition: succeeded()
+  pool: Hosted Mac Internal
+  variables:
+    # Turn off Homebrew analytics
+    HOMEBREW_NO_ANALYTICS: 1
+    runCodesignValidationInjection: false
+  steps:
+  - pwsh: |
+      # create folder
+      sudo mkdir /PowerShell
+
+      # make the current user the owner
+      sudo chown $env:USER /PowerShell
+    displayName: 'Create /PowerShell'
+
+  - pwsh: |
+      Write-Host "##vso[task.setvariable variable=PowerShellRoot]/PowerShell"
+      git clone $env:BUILD_REPOSITORY_LOCALPATH /PowerShell
+    displayName: Clone PowerShell Repo to /PowerShell
+
+  - template: shouldSign.yml
+
+  #- task: <task type name>@<version>
+  #  inputs:
+  #    <task specific inputs>
+  #  displayName: '<display name of task>'
+  - template: SetVersionVariables.yml
+    parameters:
+      ReleaseTagVar: $(ReleaseTagVar)
+
+
+  - task: DownloadBuildArtifacts@0
+    inputs:
+      artifactName: 'macosBinResults'
+      itemPattern: '**/*.zip'
+      downloadPath: '$(System.ArtifactsDirectory)/Symbols'
+
+  - task: DownloadBuildArtifacts@0
+    inputs:
+      artifactName: 'signedMacOsBins'
+      itemPattern: '**/*'
+      downloadPath: '$(System.ArtifactsDirectory)/macOsBins'
+
+  - pwsh: |
+      Get-ChildItem "$(System.ArtifactsDirectory)\*" -Recurse
+    displayName: 'Capture Downloaded Artifacts'
+    # Diagnostics is not critical it passes every time it runs
+    continueOnError: true
+
+  - pwsh: |
+      $zipPath = Get-Item '$(System.ArtifactsDirectory)\Symbols\macosBinResults\*symbol*.zip'
+      Write-Verbose -Verbose "Zip Path: $zipPath"
+
+      $expandedFolder = $zipPath.BaseName
+      Write-Host "sending.. vso[task.setvariable variable=SymbolsFolder]$expandedFolder"
+      Write-Host "##vso[task.setvariable variable=SymbolsFolder]$expandedFolder"
+
+      Expand-Archive -Path $zipPath -Destination "$(System.ArtifactsDirectory)\$expandedFolder" -Force
+    displayName: Expand symbols zip
+
+  - pwsh: |
+      Import-Module $(PowerShellRoot)/build.psm1 -Force
+      Import-Module $(PowerShellRoot)/tools/packaging -Force
+      $signedFilesPath = '$(System.ArtifactsDirectory)/macOsBins/signedMacOsBins/'
+      $BuildPath = '$(System.ArtifactsDirectory)\$(SymbolsFolder)'
+
+      Update-PSSignedBuildFolder -BuildPath $BuildPath -SignedFilesPath $SignedFilesPath
+    displayName: Merge signed files with Build
+    condition: and(succeeded(), eq(variables['SHOULD_SIGN'], 'true'))
+
+  - pwsh: |
+      Import-Module $(PowerShellRoot)/build.psm1 -Force
+      Import-Module $(PowerShellRoot)/tools/packaging -Force
+
+      $destFolder = '$(System.ArtifactsDirectory)\signedZip'
+      $BuildPath = '$(System.ArtifactsDirectory)\$(SymbolsFolder)'
+
+      $null = New-Item -ItemType Directory -Path $destFolder -Force
+
+      $BuildPackagePath = New-PSBuildZip -BuildPath $BuildPath -DestinationFolder $destFolder
+
+      Write-Verbose -Verbose "New-PSSignedBuildZip returned `$BuildPackagePath as: $BuildPackagePath"
+      Write-Host "##vso[artifact.upload containerfolder=results;artifactname=results]$BuildPackagePath"
+
+      $vstsCommandString = "vso[task.setvariable variable=BuildPackagePath]$BuildPackagePath"
+      Write-Host ("sending " + $vstsCommandString)
+      Write-Host "##$vstsCommandString"
+    displayName: Compress signed files
+
+  - pwsh: |
+      tools/releaseBuild/macOS/PowerShellPackageVsts.ps1 -location $(PowerShellRoot) -BootStrap
+    displayName: 'Bootstrap VM'
+
+  - pwsh: |
+      $(Build.SourcesDirectory)/tools/releaseBuild/macOS/PowerShellPackageVsts.ps1 -ReleaseTag $(ReleaseTagVar) -Destination $(System.ArtifactsDirectory) -location $(PowerShellRoot) -ArtifactName macosPkgResults -BuildZip $(BuildPackagePath) -ExtraPackage "tar"
+    displayName: 'Package'
+
+  - task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
+    displayName: 'Component Detection'
+    inputs:
+      sourceScanPath: '$(Build.SourcesDirectory)'
+      snapshotForceEnabled: true
--- a/tools/releaseBuild/azureDevOps/templates/mac-package-signing.yml
+++ b/tools/releaseBuild/azureDevOps/templates/mac-package-signing.yml
@ -1,7 +1,10 @@
+parameters:
+  parentJob: ''
+
 jobs:
 - job: MacPackageSigningJob
  displayName: macOS Package signing
-  dependsOn: build_macOS
+  dependsOn: ${{ parameters.parentJob }}
  condition: succeeded()
  pool:
    name: Package ES Standard Build
@ -18,26 +21,24 @@ jobs:
      ReleaseTagVar: $(ReleaseTagVar)

  - task: DownloadBuildArtifacts@0
-    displayName: 'Download artifacts'
    inputs:
-      downloadType: specific
-      itemPattern: |
-        **/*.tar.gz
-        **/*.pkg
+      artifactName: 'macosPkgResults'
+      itemPattern: '**/*'
+      downloadPath: '$(System.ArtifactsDirectory)'

-  - powershell: |
+  - pwsh: |
      dir "$(System.ArtifactsDirectory)\*" -Recurse
    displayName: 'Capture Downloaded Artifacts'
    # Diagnostics is not critical it passes every time it runs
    continueOnError: true

-  - powershell: |
+  - pwsh: |
      $null = new-item -type directory -path "$(Build.StagingDirectory)\macos"
      $zipFile = "$(Build.StagingDirectory)\macos\powershell-$(Version)-osx-x64.zip"
-      Compress-Archive -Path "$(System.ArtifactsDirectory)\results\powershell-$(Version)-osx-x64.pkg" -Destination $zipFile
+      Compress-Archive -Path "$(System.ArtifactsDirectory)\macosPkgResults\powershell-$(Version)-osx-x64.pkg" -Destination $zipFile
      Write-Host $zipFile

-      $ltsPkgPath = "$(System.ArtifactsDirectory)\results\powershell-lts-$(Version)-osx-x64.pkg"
+      $ltsPkgPath = "$(System.ArtifactsDirectory)\macosPkgResults\powershell-lts-$(Version)-osx-x64.pkg"

      if(Test-Path $ltsPkgPath)
      {
@ -47,12 +48,12 @@ jobs:
      }
    displayName: 'Compress macOS Package'

-  - powershell: |
+  - pwsh: |
      $pkgFiles = "$(Build.StagingDirectory)\macos\powershell-$(Version)-osx-x64.zip", "$(Build.StagingDirectory)\macos\powershell-lts-$(Version)-osx-x64.zip"
      tools/releaseBuild/generatePackgeSigning.ps1 -MacDeveloperFiles $pkgFiles -path "$(System.ArtifactsDirectory)\package.xml"
    displayName: 'Generate macOS Package Signing Xml'

-  - powershell: |
+  - pwsh: |
      Get-Content "$(System.ArtifactsDirectory)\package.xml"
    displayName: 'Capture macOS signing xml'
    # Diagnostics is not critical it passes every time it runs
@ -71,10 +72,10 @@ jobs:

  - template: upload-final-results.yml
    parameters:
-      artifactPath: $(System.ArtifactsDirectory)\results
+      artifactPath: $(System.ArtifactsDirectory)\macosPkgResults
      artifactFilter: "*.tar.gz"

-  - powershell: |
+  - pwsh: |
      $destination = "$(System.ArtifactsDirectory)\azureMacOs"
      New-Item -Path $destination -Type Directory
      $zipPath = dir "$(Build.StagingDirectory)\signedMacOSPackages\powershell-*.zip" -Recurse | select-object -expandproperty fullname
@ -90,7 +91,7 @@ jobs:
      artifactFilter: "*.pkg"
      condition: and(succeeded(), eq(variables['SHOULD_SIGN'], 'true'))

-  - powershell: |
+  - pwsh: |
      $null = new-item -type directory -path "$(Build.StagingDirectory)\macos-unsigned"
      Copy-Item -Path "$(System.ArtifactsDirectory)\results\powershell-$(Version)-osx-x64.pkg" -Destination "$(Build.StagingDirectory)\macos-unsigned"
      Copy-Item -Path "$(System.ArtifactsDirectory)\results\powershell-$(Version)-osx-x64.tar.gz" -Destination "$(Build.StagingDirectory)\macos-unsigned"
--- a/tools/releaseBuild/azureDevOps/templates/mac.yml
+++ b/tools/releaseBuild/azureDevOps/templates/mac.yml
@ -1,13 +1,11 @@
 parameters:
  jobName: 'build_macOS'
-  parentJob: ''

 jobs:
 - job: ${{ parameters.jobName }}
  displayName: Build macOS
  condition: succeeded()
  pool: Hosted Mac Internal
-  dependsOn: ${{ parameters.parentJob }}
  variables:
    # Turn off Homebrew analytics
    HOMEBREW_NO_ANALYTICS: 1
@ -21,7 +19,7 @@ jobs:
    parameters:
      ReleaseTagVar: $(ReleaseTagVar)

-  - powershell: |
+  - pwsh: |
      # create folder
      sudo mkdir /PowerShell

@ -29,16 +27,16 @@ jobs:
      sudo chown $env:USER /PowerShell
    displayName: 'Create /PowerShell'

-  - powershell: |
+  - pwsh: |
      Write-Host "##vso[task.setvariable variable=PowerShellRoot]/PowerShell"
      git clone $env:BUILD_REPOSITORY_LOCALPATH /PowerShell
    displayName: Clone PowerShell Repo to /PowerShell

-  - powershell: |
+  - pwsh: |
      tools/releaseBuild/macOS/PowerShellPackageVsts.ps1 -location $(PowerShellRoot) -BootStrap
    displayName: 'Bootstrap VM'

-  - powershell: |
+  - pwsh: |
      Import-Module $(Build.SourcesDirectory)/build.psm1 -Force
      New-NugetConfigFile -NugetFeedUrl $(AzDevOpsFeed) -UserName $(AzDevOpsFeedUserName) -ClearTextPAT $(AzDevOpsFeedPAT) -FeedName AzDevOpsFeed -Destination "$(PowerShellRoot)/src/Modules"

@ -48,11 +46,11 @@ jobs:
      }
    displayName: 'Add nuget.config for AzDevOps feed for PSGallery modules '

-  - powershell: |
+  - pwsh: |
      $env:AZDEVOPSFEEDPAT = '$(AzDevOpsFeedPAT)'
-      $(Build.SourcesDirectory)/tools/releaseBuild/macOS/PowerShellPackageVsts.ps1 -ReleaseTag $(ReleaseTagVar) -Destination $(System.ArtifactsDirectory) -ExtraPackage "tar" -location $(PowerShellRoot) -Build
+      $(Build.SourcesDirectory)/tools/releaseBuild/macOS/PowerShellPackageVsts.ps1 -ReleaseTag $(ReleaseTagVar) -Destination $(System.ArtifactsDirectory) -Symbols -location $(PowerShellRoot) -Build -ArtifactName macosBinResults
      $env:AZDEVOPSFEEDPAT = $null
-    displayName: 'Build and Package'
+    displayName: 'Build'

  - task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
    displayName: 'Component Detection'
--- a/tools/releaseBuild/azureDevOps/templates/upload-final-results.yml
+++ b/tools/releaseBuild/azureDevOps/templates/upload-final-results.yml
@ -2,13 +2,14 @@ parameters:
  artifactPath:
  artifactFilter: '*'
  condition: succeeded()
+  artifactName: finalResults

 steps:
  - powershell: |
        Get-ChildItem -Path '${{ parameters.artifactPath }}' -File -filter '${{ parameters.artifactFilter }}' -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty FullName |
                ForEach-Object {
-                    Write-Host "##vso[artifact.upload containerfolder=finalResults;artifactname=finalResults]$_"
+                    Write-Host "##vso[artifact.upload containerfolder=${{ parameters.artifactName }};artifactname=${{ parameters.artifactName }}]$_"
                }
-    displayName: Upload Final Artifacts ${{ parameters.artifactFilter }} from ${{ parameters.artifactPath }}
+    displayName: Upload ${{ parameters.artifactName }} Artifacts ${{ parameters.artifactFilter }} from ${{ parameters.artifactPath }}
    condition: ${{ parameters.condition }}
--- a/tools/releaseBuild/macOS/PowerShellPackageVsts.ps1
+++ b/tools/releaseBuild/macOS/PowerShellPackageVsts.ps1
@ -10,14 +10,20 @@ param (
    [string] $location = $env:BUILD_REPOSITORY_LOCALPATH,

    # Destination location of the package on docker host
+    [Parameter(Mandatory, ParameterSetName = 'packageSigned')]
+    [Parameter(Mandatory, ParameterSetName = 'IncludeSymbols')]
    [Parameter(Mandatory, ParameterSetName = 'Build')]
    [string] $destination = '/mnt',

+    [Parameter(Mandatory, ParameterSetName = 'packageSigned')]
+    [Parameter(Mandatory, ParameterSetName = 'IncludeSymbols')]
    [Parameter(Mandatory, ParameterSetName = 'Build')]
    [ValidatePattern("^v\d+\.\d+\.\d+(-\w+(\.\d+)?)?$")]
    [ValidateNotNullOrEmpty()]
    [string]$ReleaseTag,

+    [Parameter(ParameterSetName = 'packageSigned')]
+    [Parameter(ParameterSetName = 'IncludeSymbols')]
    [Parameter(ParameterSetName = 'Build')]
    [ValidateSet("zip", "tar")]
    [string[]]$ExtraPackage,
@ -25,13 +31,23 @@ param (
    [Parameter(Mandatory, ParameterSetName = 'Bootstrap')]
    [switch] $BootStrap,

+    [Parameter(Mandatory, ParameterSetName = 'IncludeSymbols')]
    [Parameter(Mandatory, ParameterSetName = 'Build')]
-    [switch] $Build
+    [switch] $Build,
+
+    [Parameter(Mandatory, ParameterSetName = 'IncludeSymbols')]
+    [switch] $Symbols,
+
+    [Parameter(Mandatory, ParameterSetName = 'packageSigned')]
+    [ValidatePattern("-signed.zip$")]
+    [string]$BuildZip,
+
+    [string]$ArtifactName = 'result'
 )

 $repoRoot = $location

-if ($Build.IsPresent) {
+if ($Build.IsPresent -or $PSCmdlet.ParameterSetName -eq 'packageSigned') {
    $releaseTagParam = @{ }
    if ($ReleaseTag) {
        $releaseTagParam = @{ 'ReleaseTag' = $ReleaseTag }
@ -59,8 +75,11 @@ try {
        Start-PSBootstrap -Package
    }

-    if ($Build.IsPresent) {
-        Start-PSBuild -Configuration 'Release' -Crossgen -PSModuleRestore @releaseTagParam
+    if ($PSCmdlet.ParameterSetName -eq 'packageSigned') {
+        Write-Verbose "Expanding signed build $BuildZip ..." -Verbose
+        Expand-PSSignedBuild -BuildZip $BuildZip
+
+        Remove-Item -Path $BuildZip

        Start-PSPackage @releaseTagParam
        switch ($ExtraPackage) {
@ -74,18 +93,41 @@ try {
            }
        }
    }
+
+    if ($Build.IsPresent) {
+        if ($Symbols.IsPresent) {
+            Start-PSBuild -Configuration 'Release' -Crossgen -NoPSModuleRestore @releaseTagParam
+            $pspackageParams = @{}
+            $pspackageParams['Type']='zip'
+            $pspackageParams['IncludeSymbols']=$Symbols.IsPresent
+            Write-Verbose "Starting powershell packaging(zip)..." -Verbose
+            Start-PSPackage @pspackageParams @releaseTagParam
+        } else {
+            Start-PSBuild -Configuration 'Release' -Crossgen -PSModuleRestore @releaseTagParam
+            Start-PSPackage @releaseTagParam
+            switch ($ExtraPackage) {
+                "tar" { Start-PSPackage -Type tar @releaseTagParam }
+            }
+
+            if ($LTS) {
+                Start-PSPackage @releaseTagParam -LTS
+                switch ($ExtraPackage) {
+                    "tar" { Start-PSPackage -Type tar @releaseTagParam -LTS }
+                }
+            }
+        }
+    }
 } finally {
    Pop-Location
 }

-if ($Build.IsPresent) {
-    $macPackages = Get-ChildItem "$repoRoot/powershell*" -Include *.pkg, *.tar.gz
+if ($Build.IsPresent -or $PSCmdlet.ParameterSetName -eq 'packageSigned') {
+    $macPackages = Get-ChildItem "$repoRoot/powershell*" -Include *.pkg, *.tar.gz, *.zip
    foreach ($macPackage in $macPackages) {
        $filePath = $macPackage.FullName
-        $name = Split-Path -Leaf -Path $filePath
        $extension = (Split-Path -Extension -Path $filePath).Replace('.', '')
        Write-Verbose "Copying $filePath to $destination" -Verbose
-        Write-Host "##vso[artifact.upload containerfolder=results;artifactname=results]$filePath"
+        Write-Host "##vso[artifact.upload containerfolder=$ArtifactName;artifactname=$ArtifactName]$filePath"
        Write-Host "##vso[task.setvariable variable=Package-$extension]$filePath"
        Copy-Item -Path $filePath -Destination $destination -Force
    }