parameters: buildArchitecture: 'x64' jobs: - job: MacFileSigningJob_${{ parameters.buildArchitecture }} displayName: macOS File signing ${{ parameters.buildArchitecture }} dependsOn: build_macOS_${{ parameters.buildArchitecture }} condition: succeeded() pool: name: Package ES Standard Build variables: - group: ESRP - name: runCodesignValidationInjection value: false - name: NugetSecurityAnalysisWarningLevel value: none steps: - checkout: self clean: true - checkout: ComplianceRepo clean: true - template: SetVersionVariables.yml parameters: ReleaseTagVar: $(ReleaseTagVar) - template: shouldSign.yml - task: DownloadBuildArtifacts@0 inputs: artifactName: 'macosBinResults' itemPattern: '**/*.zip' downloadPath: '$(System.ArtifactsDirectory)\Symbols' - pwsh: | Get-ChildItem "$(System.ArtifactsDirectory)\*" -Recurse displayName: 'Capture Downloaded Artifacts' # Diagnostics is not critical it passes every time it runs continueOnError: true - pwsh: | $zipPath = Get-Item '$(System.ArtifactsDirectory)\Symbols\macosBinResults\*symbol*${{ parameters.buildArchitecture }}*.zip' Write-Verbose -Verbose "Zip Path: $zipPath" $expandedFolder = $zipPath.BaseName Write-Host "sending.. vso[task.setvariable variable=SymbolsFolder]$expandedFolder" Write-Host "##vso[task.setvariable variable=SymbolsFolder]$expandedFolder" Expand-Archive -Path $zipPath -Destination "$(System.ArtifactsDirectory)\$expandedFolder" -Force displayName: Expand symbols zip - pwsh: | Get-ChildItem "$(System.ArtifactsDirectory)\*" -Recurse displayName: 'Capture artifacts dir Binaries' - pwsh: | Get-ChildItem "$(System.ArtifactsDirectory)\$(SymbolsFolder)" -Recurse -Include pwsh, *.dylib displayName: 'Capture Expanded Binaries' # Diagnostics is not critical it passes every time it runs continueOnError: true - pwsh: | $null = new-item -type directory -path "$(Build.StagingDirectory)\macos" $zipFile = "$(Build.StagingDirectory)\macos\powershell-files-$(Version)-osx-${{ parameters.buildArchitecture }}.zip" Get-ChildItem "$(System.ArtifactsDirectory)\$(SymbolsFolder)" -Recurse -Include pwsh, *.dylib | Compress-Archive -Destination $zipFile Write-Host $zipFile displayName: 'Compress macOS binary files' - template: EsrpSign.yml@ComplianceRepo parameters: buildOutputPath: $(Build.StagingDirectory)\macos signOutputPath: $(Build.StagingDirectory)\signedMacOSPackages certificateId: "CP-401337-Apple" pattern: | **\*.zip useMinimatch: true shouldSign: $(SHOULD_SIGN) displayName: Sign macOS Binaries - pwsh: | $destination = "$(System.ArtifactsDirectory)\azureMacOs_${{ parameters.buildArchitecture }}" New-Item -Path $destination -Type Directory $zipPath = Get-ChildItem "$(Build.StagingDirectory)\signedMacOSPackages\powershell-*.zip" -Recurse | select-object -expandproperty fullname foreach ($z in $zipPath) { Expand-Archive -Path $z -DestinationPath $destination } displayName: 'Extract and copy macOS artifacts for upload' condition: and(succeeded(), eq(variables['SHOULD_SIGN'], 'true')) - template: upload-final-results.yml parameters: artifactPath: $(System.ArtifactsDirectory)\azureMacOs_${{ parameters.buildArchitecture }} artifactFilter: "*" artifactName: signedMacOsBins_${{ parameters.buildArchitecture }} condition: and(succeeded(), eq(variables['SHOULD_SIGN'], 'true')) - ${{ if eq(variables['SHOULD_SIGN'], 'true') }}: - template: EsrpScan.yml@ComplianceRepo parameters: scanPath: $(System.ArtifactsDirectory)\azureMacOs_${{ parameters.buildArchitecture }} pattern: | **\* - task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0 displayName: 'Component Detection' inputs: sourceScanPath: '$(Build.SourcesDirectory)' snapshotForceEnabled: true