Update the build to sign any unsigned files as 3rd party Dlls (#12581)

2020-05-05 12:35:03 -07:00 · 2020-05-05 12:35:03 -07:00 · ab65ac918c
parent cefbf3d6a9
commit ab65ac918c
4 changed files with 85 additions and 13 deletions
--- a/tools/packaging/packaging.psd1
+++ b/tools/packaging/packaging.psd1
@ -6,7 +6,7 @@ Copyright="Copyright (c) Microsoft Corporation."
 ModuleVersion="1.0.0"
 PowerShellVersion="5.0"
 CmdletsToExport=@()
-FunctionsToExport=@('Start-PSPackage','New-PSSignedBuildZip', 'New-MSIPatch', 'Expand-PSSignedBuild', 'Publish-NugetToMyGet', 'New-DotnetSdkContainerFxdPackage', 'New-GlobalToolNupkg', 'New-ILNugetPackage')
+FunctionsToExport=@('Start-PSPackage','New-PSSignedBuildZip', 'New-PSBuildZip', 'New-MSIPatch', 'Expand-PSSignedBuild', 'Publish-NugetToMyGet', 'New-DotnetSdkContainerFxdPackage', 'New-GlobalToolNupkg', 'New-ILNugetPackage', 'Update-PSSignedBuildFolder')
 RootModule="packaging.psm1"
 RequiredModules = @("build")
 }
--- a/tools/packaging/packaging.psm1
+++ b/tools/packaging/packaging.psm1
@ -598,14 +598,7 @@ function New-PSSignedBuildZip
        [string]$VstsVariableName
    )

-    # Replace unsigned binaries with signed
-    $signedFilesFilter = Join-Path -Path $signedFilesPath -ChildPath '*'
-    Get-ChildItem -path $signedFilesFilter -Recurse -File | Select-Object -ExpandProperty FullName | Foreach-Object -Process {
-        $relativePath = $_.ToLowerInvariant().Replace($signedFilesPath.ToLowerInvariant(),'')
-        $destination = Join-Path -Path $buildPath -ChildPath $relativePath
-        Write-Log "replacing $destination with $_"
-        Copy-Item -Path $_ -Destination $destination -force
-    }
+    Update-PSSignedBuildFolder -BuildPath $BuildPath -SignedFilesPath $SignedFilesPath

    # Remove '$signedFilesPath' now that signed binaries are copied
    if (Test-Path $signedFilesPath)
@ -613,6 +606,20 @@ function New-PSSignedBuildZip
        Remove-Item -Recurse -Force -Path $signedFilesPath
    }

+    New-PSBuildZip -BuildPath $BuildPath -DestinationFolder $DestinationFolder -VstsVariableName $VstsVariableName
+}
+
+function New-PSBuildZip
+{
+    param(
+        [Parameter(Mandatory)]
+        [string]$BuildPath,
+        [Parameter(Mandatory)]
+        [string]$DestinationFolder,
+        [parameter(HelpMessage='VSTS variable to set for path to zip')]
+        [string]$VstsVariableName
+    )
+
    $name = split-path -Path $BuildPath -Leaf
    $zipLocationPath = Join-Path -Path $DestinationFolder -ChildPath "$name-signed.zip"
    Compress-Archive -Path $BuildPath\* -DestinationPath $zipLocationPath
@ -628,6 +635,27 @@ function New-PSSignedBuildZip
    }
 }

+
+function Update-PSSignedBuildFolder
+{
+    param(
+        [Parameter(Mandatory)]
+        [string]$BuildPath,
+        [Parameter(Mandatory)]
+        [string]$SignedFilesPath
+    )
+
+    # Replace unsigned binaries with signed
+    $signedFilesFilter = Join-Path -Path $SignedFilesPath -ChildPath '*'
+    Get-ChildItem -path $signedFilesFilter -Recurse -File | Select-Object -ExpandProperty FullName | Foreach-Object -Process {
+        $relativePath = $_.ToLowerInvariant().Replace($SignedFilesPath.ToLowerInvariant(),'')
+        $destination = Join-Path -Path $BuildPath -ChildPath $relativePath
+        Write-Log "replacing $destination with $_"
+        Copy-Item -Path $_ -Destination $destination -force
+    }
+}
+
+
 function Expand-PSSignedBuild
 {
    param(
--- a/tools/releaseBuild/azureDevOps/templates/windows-packaging.yml
+++ b/tools/releaseBuild/azureDevOps/templates/windows-packaging.yml
@ -134,14 +134,52 @@ jobs:
  - powershell: |
      Import-Module $(PowerShellRoot)/build.psm1 -Force
      Import-Module $(PowerShellRoot)/tools/packaging -Force
-
      $signedFilesPath = '$(System.ArtifactsDirectory)\signed\'
+      $BuildPath = '$(System.ArtifactsDirectory)\$(SymbolsFolder)'
+
+      Update-PSSignedBuildFolder -BuildPath $BuildPath -SignedFilesPath $SignedFilesPath
+      $dlls = Get-ChildItem $BuildPath\*.dll -Recurse
+      $signatures = $dlls | Get-AuthenticodeSignature
+      $missingSignatures = $signatures | Where-Object { $_.status -eq 'notsigned'}| select-object -ExpandProperty Path
+      tools/releaseBuild/generatePackgeSigning.ps1 -ThirdPartyFiles $missingSignatures -path "$(System.ArtifactsDirectory)\thirtdparty.xml"
+    displayName: Create ThirdParty Signing Xml
+    condition: and(succeeded(), eq(variables['SHOULD_SIGN'], 'true'))
+
+  - task: PkgESCodeSign@10
+    displayName: 'CodeSign ThirdParty $(Architecture)'
+    env:
+      SYSTEM_ACCESSTOKEN: $(System.AccessToken)
+    inputs:
+      signConfigXml: '$(System.ArtifactsDirectory)\thirtdparty.xml'
+      inPathRoot: '$(System.ArtifactsDirectory)\$(SymbolsFolder)'
+      outPathRoot: '$(System.ArtifactsDirectory)\signedThirdParty'
+    condition: and(succeeded(), eq(variables['SHOULD_SIGN'], 'true'))
+
+  - powershell: |
+      Get-ChildItem '$(System.ArtifactsDirectory)\signedThirdParty\*'
+    displayName: Captrue ThirdParty Signed files
+    condition: and(succeeded(), eq(variables['SHOULD_SIGN'], 'true'))
+
+  - powershell: |
+      Import-Module $(PowerShellRoot)/build.psm1 -Force
+      Import-Module $(PowerShellRoot)/tools/packaging -Force
+      $signedFilesPath = '$(System.ArtifactsDirectory)\signedThirdParty\'
+      $BuildPath = '$(System.ArtifactsDirectory)\$(SymbolsFolder)'
+
+      Update-PSSignedBuildFolder -BuildPath $BuildPath -SignedFilesPath $SignedFilesPath
+    displayName: Merge ThirdParty signed files with Build
+    condition: and(succeeded(), eq(variables['SHOULD_SIGN'], 'true'))
+
+  - powershell: |
+      Import-Module $(PowerShellRoot)/build.psm1 -Force
+      Import-Module $(PowerShellRoot)/tools/packaging -Force
+
      $destFolder = '$(System.ArtifactsDirectory)\signedZip'
      $BuildPath = '$(System.ArtifactsDirectory)\$(SymbolsFolder)'

      New-Item -ItemType Directory -Path $destFolder -Force

-      $BuildPackagePath = New-PSSignedBuildZip -BuildPath $BuildPath -SignedFilesPath $SignedFilesPath -DestinationFolder $destFolder
+      $BuildPackagePath = New-PSBuildZip -BuildPath $BuildPath -DestinationFolder $destFolder

      Write-Verbose -Verbose "New-PSSignedBuildZip returned `$BuildPackagePath as: $BuildPackagePath"
      Write-Host "##vso[artifact.upload containerfolder=results;artifactname=results]$BuildPackagePath"
--- a/tools/releaseBuild/generatePackgeSigning.ps1
+++ b/tools/releaseBuild/generatePackgeSigning.ps1
@ -7,14 +7,16 @@ param(
    [string[]] $AuthenticodeFiles,
    [string[]] $NuPkgFiles,
    [string[]] $MacDeveloperFiles,
-    [string[]] $LinuxFiles
+    [string[]] $LinuxFiles,
+    [string[]] $ThirdPartyFiles
 )

 if ((!$AuthenticodeDualFiles -or $AuthenticodeDualFiles.Count -eq 0) -and
    (!$AuthenticodeFiles -or $AuthenticodeFiles.Count -eq 0) -and
    (!$NuPkgFiles -or $NuPkgFiles.Count -eq 0) -and
    (!$MacDeveloperFiles -or $MacDeveloperFiles.Count -eq 0) -and
-    (!$LinuxFiles -or $LinuxFiles.Count -eq 0))
+    (!$LinuxFiles -or $LinuxFiles.Count -eq 0) -and
+    (!$ThirdPartyFiles -or $ThirdPartyFiles.Count -eq 0))
 {
    throw "At least one file must be specified"
 }
@ -89,6 +91,10 @@ foreach ($file in $LinuxFiles) {
    New-FileElement -File $file -SignType 'LinuxPack' -XmlDoc $signingXml -Job $job
 }

+foreach ($file in $ThirdPartyFiles) {
+    New-FileElement -File $file -SignType 'ThirdParty' -XmlDoc $signingXml -Job $job
+}
+
 $signingXml.Save($path)
 $updateScriptPath = Join-Path -Path $PSScriptRoot -ChildPath 'updateSigning.ps1'
 & $updateScriptPath -SigningXmlPath $path