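# Job template: signs the Windows build output for one architecture and
# builds the signed packages from it. It downloads the unsigned build zip,
# sends first-party and then still-unsigned third-party binaries through
# the EsrpSign.yml template, merges the signed files back into the build
# folder, re-zips it and runs the packaging script.
parameters:
  - name: BuildConfiguration
    default: release
  - name: BuildPlatform
    default: any cpu
  - name: Architecture
    default: x64
  - name: parentJob
    default: ''

jobs:
  - job: sign_windows_${{ parameters.Architecture }}
    displayName: Package Windows - ${{ parameters.Architecture }}
    condition: succeeded()
    dependsOn: ${{ parameters.parentJob }}
    pool:
      vmImage: windows-latest
    variables:
      - name: BuildConfiguration
        value: ${{ parameters.BuildConfiguration }}
      - name: BuildPlatform
        value: ${{ parameters.BuildPlatform }}
      - name: Architecture
        value: ${{ parameters.Architecture }}
      - name: DOTNET_SKIP_FIRST_TIME_EXPERIENCE
        value: 1
      # Contents of this variable group are not visible in this file;
      # presumably it carries the settings used by the signing template.
      - group: ESRP

    steps:
      - checkout: self
        clean: true

      # ComplianceRepo supplies the EsrpSign.yml template used below.
      - checkout: ComplianceRepo
        clean: true

      - template: shouldSign.yml

      - template: SetVersionVariables.yml
        parameters:
          ReleaseTagVar: $(ReleaseTagVar)

      # Maps 'arm' to 'arm32' and publishes the result as PkgFilter, which
      # selects the build zip to download in the next task.
      - powershell: |
          $pkgFilter = if ( '$(Architecture)' -eq 'arm' ) { "arm32" } else { '$(Architecture)' }
          $vstsCommandString = "vso[task.setvariable variable=PkgFilter]$pkgFilter"
          Write-Host ("sending " + $vstsCommandString)
          Write-Host "##$vstsCommandString"
        displayName: Set packageName variable

      - task: DownloadBuildArtifacts@0
        inputs:
          artifactName: 'results'
          itemPattern: '**/*$(PkgFilter).zip'
          downloadPath: '$(System.ArtifactsDirectory)\Symbols'

      - template: cloneToOfficialPath.yml

      # NOTE(review): both archives below (the WiX binaries and the file at
      # $(makeappUrl)) are downloaded and then installed/extracted without
      # any integrity check. These tools run on the agent that prepares and
      # packages the signed binaries, so pin an expected SHA-256 for each
      # download and compare it with Get-FileHash before Install-WixZip /
      # Expand-Archive. The expected digests are not available in this file.
      - powershell: |
          # cleanup previous install
          if((Test-Path "${env:ProgramFiles(x86)}\WiX Toolset xcopy")) {
            Remove-Item "${env:ProgramFiles(x86)}\WiX Toolset xcopy" -Recurse -Force
          }
          $toolsDir = New-Item -ItemType Directory -Path '$(Build.ArtifactStagingDirectory)\tools'
          $wixUri = 'https://github.com/wixtoolset/wix3/releases/download/wix311rtm/wix311-binaries.zip'

          Invoke-RestMethod -Uri $wixUri -OutFile '$(Build.ArtifactStagingDirectory)\tools\wix.zip'
          Import-Module '$(PowerShellRoot)/tools/releaseBuild/Images/microsoft_powershell_windowsservercore/wix.psm1'
          Install-WixZip -zipPath '$(Build.ArtifactStagingDirectory)\tools\wix.zip'

          $msixUrl = '$(makeappUrl)'
          Invoke-RestMethod -Uri $msixUrl -OutFile '\makeappx.zip'
          Expand-Archive '\makeappx.zip' -destination '\' -Force
        displayName: Install packaging tools

      # Expands the downloaded build zip and publishes its base name as the
      # SymbolsFolder variable used by every later step.
      # NOTE(review): the wildcard may match more than one zip, in which
      # case $zipPath.BaseName is not a single name; the value is also
      # written into a logging command as-is - confirm the artifact name is
      # fully controlled by the upstream build job.
      - powershell: |
          $zipPath = Get-Item '$(System.ArtifactsDirectory)\Symbols\results\*$(PkgFilter).zip'
          Write-Verbose -Verbose "Zip Path: $zipPath"

          $expandedFolder = $zipPath.BaseName
          Write-Host "sending.. vso[task.setvariable variable=SymbolsFolder]$expandedFolder"
          Write-Host "##vso[task.setvariable variable=SymbolsFolder]$expandedFolder"

          Expand-Archive -Path $zipPath -Destination "$(System.ArtifactsDirectory)\$expandedFolder" -Force
        displayName: Expand symbols zip

      # Copies the first-party files that must be signed into 'toBeSigned',
      # keeping the relative module folder layout given by the hashtable
      # values. $itemsToExclude is an array literal @( ... ): a hashtable
      # literal containing a bare string without '=' is a PowerShell parse
      # error and would fail the whole step.
      - pwsh: |
          $fullSymbolsFolder = "$(System.ArtifactsDirectory)\$($env:SYMBOLSFOLDER)"

          $filesToSignDirectory = "$(System.ArtifactsDirectory)\toBeSigned"
          $null = New-Item -ItemType Directory -Path $filesToSignDirectory -Force

          $signedFilesDirectory = "$(System.ArtifactsDirectory)\signed"
          $null = New-Item -ItemType Directory -Path $signedFilesDirectory -Force

          $itemsToCopyWithRecurse = @(
            "$($fullSymbolsFolder)\*.ps1"
            "$($fullSymbolsFolder)\Microsoft.PowerShell*.dll"
          )

          $itemsToCopy = @{
            "$($fullSymbolsFolder)\*.ps1" = ""
            "$($fullSymbolsFolder)\Microsoft.Management.Infrastructure.CimCmdlets.dll" = ""
            "$($fullSymbolsFolder)\Microsoft.WSMan.*.dll" = ""
            "$($fullSymbolsFolder)\Modules\CimCmdlets\CimCmdlets.psd1" = "Modules\CimCmdlets"
            "$($fullSymbolsFolder)\Modules\Microsoft.PowerShell.Diagnostics\Diagnostics.format.ps1xml" = "Modules\Microsoft.PowerShell.Diagnostics"
            "$($fullSymbolsFolder)\Modules\Microsoft.PowerShell.Diagnostics\Event.format.ps1xml" = "Modules\Microsoft.PowerShell.Diagnostics"
            "$($fullSymbolsFolder)\Modules\Microsoft.PowerShell.Diagnostics\GetEvent.types.ps1xml" = "Modules\Microsoft.PowerShell.Diagnostics"
            "$($fullSymbolsFolder)\Modules\Microsoft.PowerShell.Diagnostics\Microsoft.PowerShell.Diagnostics.psd1" = "Modules\Microsoft.PowerShell.Diagnostics"
            "$($fullSymbolsFolder)\Modules\Microsoft.PowerShell.Host\Microsoft.PowerShell.Host.psd1" = "Modules\Microsoft.PowerShell.Host"
            "$($fullSymbolsFolder)\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1" = "Modules\Microsoft.PowerShell.Management"
            "$($fullSymbolsFolder)\Modules\Microsoft.PowerShell.Security\Microsoft.PowerShell.Security.psd1" = "Modules\Microsoft.PowerShell.Security"
            "$($fullSymbolsFolder)\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1" = "Modules\Microsoft.PowerShell.Utility"
            "$($fullSymbolsFolder)\Modules\Microsoft.WSMan.Management\Microsoft.WSMan.Management.psd1" = "Modules\Microsoft.WSMan.Management"
            "$($fullSymbolsFolder)\Modules\Microsoft.WSMan.Management\WSMan.format.ps1xml" = "Modules\Microsoft.WSMan.Management"
            "$($fullSymbolsFolder)\Modules\PSDiagnostics\PSDiagnostics.ps?1" = "Modules\PSDiagnostics"
            "$($fullSymbolsFolder)\pwsh.dll" = ""
            "$($fullSymbolsFolder)\System.Management.Automation.dll" = ""
          }

          $itemsToExclude = @(
            # This package is retrieved from https://www.github.com/powershell/MarkdownRender
            "$($fullSymbolsFolder)\Microsoft.PowerShell.MarkdownRender.dll"
          )

          if ("$env:Architecture" -notlike 'fxdependent*') {
            $itemsToCopy += @{"$($fullSymbolsFolder)\pwsh.exe" = ""}
          }

          Write-Verbose -verbose "recusively copying $($itemsToCopyWithRecurse | out-string) to $filesToSignDirectory"
          Copy-Item -Path $itemsToCopyWithRecurse -Destination $filesToSignDirectory -Recurse -verbose -exclude $itemsToExclude

          foreach($pattern in $itemsToCopy.Keys) {
            $destinationFolder = Join-Path $filesToSignDirectory -ChildPath $itemsToCopy.$pattern
            $null = New-Item -ItemType Directory -Path $destinationFolder -Force
            Write-Verbose -verbose "copying $pattern to $destinationFolder"
            Copy-Item -Path $pattern -Destination $destinationFolder -Recurse -verbose
          }
        displayName: 'Prepare files to be signed'

      # First-party signing pass over the 'toBeSigned' folder.
      - template: EsrpSign.yml@ComplianceRepo
        parameters:
          buildOutputPath: $(System.ArtifactsDirectory)\toBeSigned
          signOutputPath: $(System.ArtifactsDirectory)\signed
          certificateId: "CP-230012"
          pattern: |
            **\*.dll
            **\*.psd1
            **\*.psm1
            **\*.ps1xml
            **\*.ps1
            **\*.exe
          useMinimatch: true

      # Merges the first-party signed files into the build folder, then
      # collects every DLL whose Authenticode status is 'NotSigned' for the
      # third-party signing pass.
      # NOTE(review): only 'NotSigned' is selected; DLLs with any other
      # non-valid status (for example HashMismatch) are neither re-signed
      # nor reported by this step. Every unsigned DLL found under the build
      # folder is submitted for signing, so the logged list is the only
      # record of what received a signature - consider checking it against
      # an expected allow-list.
      - pwsh: |
          Import-Module $(PowerShellRoot)/build.psm1 -Force
          Import-Module $(PowerShellRoot)/tools/packaging -Force
          $signedFilesPath = '$(System.ArtifactsDirectory)\signed\'
          $BuildPath = '$(System.ArtifactsDirectory)\$(SymbolsFolder)'

          Update-PSSignedBuildFolder -BuildPath $BuildPath -SignedFilesPath $SignedFilesPath
          $dlls = Get-ChildItem $BuildPath\*.dll -Recurse
          $signatures = $dlls | Get-AuthenticodeSignature
          $missingSignatures = $signatures | Where-Object { $_.status -eq 'notsigned'}| select-object -ExpandProperty Path

          Write-Verbose -verbose "to be signed:`r`n $($missingSignatures | Out-String)"

          $filesToSignDirectory = "$(System.ArtifactsDirectory)\thirdPartyToBeSigned"
          $null = New-Item -ItemType Directory -Path $filesToSignDirectory -Force

          $signedFilesDirectory = "$(System.ArtifactsDirectory)\thirdPartySigned"
          $null = New-Item -ItemType Directory -Path $signedFilesDirectory -Force

          $missingSignatures | ForEach-Object {
            Copy-Item -Path $_ -Destination $filesToSignDirectory
          }
        displayName: Create ThirdParty Signing Folder
        condition: and(succeeded(), eq(variables['SHOULD_SIGN'], 'true'))

      # Third-party signing pass; uses a different certificate id than the
      # first-party pass above.
      - template: EsrpSign.yml@ComplianceRepo
        parameters:
          buildOutputPath: $(System.ArtifactsDirectory)\thirdPartyToBeSigned
          signOutputPath: $(System.ArtifactsDirectory)\thirdPartySigned
          certificateId: "CP-231522"
          pattern: |
            **\*.dll
          useMinimatch: true

      # Lists the third-party signing output in the build log.
      - powershell: |
          Get-ChildItem '$(System.ArtifactsDirectory)\thirdPartySigned\*'
        displayName: Captrue ThirdParty Signed files
        condition: and(succeeded(), eq(variables['SHOULD_SIGN'], 'true'))

      # NOTE(review): after this merge nothing in this file re-checks that
      # the binaries in the build folder carry a valid signature before
      # they are zipped and packaged; a final Get-AuthenticodeSignature
      # pass that fails the job on any status other than 'Valid' would
      # close that gap.
      - powershell: |
          Import-Module $(PowerShellRoot)/build.psm1 -Force
          Import-Module $(PowerShellRoot)/tools/packaging -Force
          $signedFilesPath = '$(System.ArtifactsDirectory)\thirdPartySigned'
          $BuildPath = '$(System.ArtifactsDirectory)\$(SymbolsFolder)'

          Update-PSSignedBuildFolder -BuildPath $BuildPath -SignedFilesPath $SignedFilesPath
        displayName: Merge ThirdParty signed files with Build
        condition: and(succeeded(), eq(variables['SHOULD_SIGN'], 'true'))

      # Zips the build folder, uploads the zip to the 'results' artifact and
      # publishes its path as BuildPackagePath for the packaging step. This
      # step has no SHOULD_SIGN condition, so it also runs when the merge
      # steps above were skipped.
      - powershell: |
          Import-Module $(PowerShellRoot)/build.psm1 -Force
          Import-Module $(PowerShellRoot)/tools/packaging -Force

          $destFolder = '$(System.ArtifactsDirectory)\signedZip'
          $BuildPath = '$(System.ArtifactsDirectory)\$(SymbolsFolder)'

          New-Item -ItemType Directory -Path $destFolder -Force

          $BuildPackagePath = New-PSBuildZip -BuildPath $BuildPath -DestinationFolder $destFolder

          Write-Verbose -Verbose "New-PSSignedBuildZip returned `$BuildPackagePath as: $BuildPackagePath"
          Write-Host "##vso[artifact.upload containerfolder=results;artifactname=results]$BuildPackagePath"

          $vstsCommandString = "vso[task.setvariable variable=BuildPackagePath]$BuildPackagePath"
          Write-Host ("sending " + $vstsCommandString)
          Write-Host "##$vstsCommandString"
        displayName: Compress signed files

      # Translates the Architecture value into the runtime name passed to
      # the packaging script. The switch has no default branch, so an
      # unlisted Architecture leaves $runtime empty.
      - powershell: |
          $runtime = switch ($env:Architecture) {
            "x64" { "win7-x64" }
            "x86" { "win7-x86" }
            "arm" { "win-arm"}
            "arm64" { "win-arm64" }
            "fxdependent" { "fxdependent" }
            "fxdependentWinDesktop" { "fxdependent-win-desktop" }
          }

          $signedPkg = "$(BuildPackagePath)"
          Write-Verbose -Verbose -Message "signedPkg = $signedPkg"

          $(PowerShellRoot)/tools/releaseBuild/Images/microsoft_powershell_windowsservercore/PowerShellPackage.ps1 -BuildZip $signedPkg -location '$(PowerShellRoot)' -destination '$(System.ArtifactsDirectory)\pkgSigned' -Runtime $runtime -ReleaseTag '$(ReleaseTagVar)'
        displayName: 'Build Windows Universal - $(Architecture) Package'

      # Uploads every file produced by the packaging script to the 'signed'
      # artifact.
      - powershell: |
          Get-ChildItem '$(System.ArtifactsDirectory)\pkgSigned' | ForEach-Object {
            $packagePath = $_.FullName
            Write-Host "Uploading $packagePath"
            Write-Host "##vso[artifact.upload containerfolder=signed;artifactname=signed]$packagePath"
          }
        displayName: Upload packages

      - task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
        displayName: 'Component Detection'
        inputs:
          sourceScanPath: '$(Build.SourcesDirectory)'
          snapshotForceEnabled: true

      # Runs even when earlier steps failed (condition: always()) so the
      # clone at \PowerShell and the WiX tools are removed from the agent.
      - powershell: |
          if ((Test-Path "\PowerShell")) {
            Remove-Item -Path "\PowerShell" -Force -Recurse -Verbose
          }
          else {
            Write-Verbose -Verbose -Message "No cleanup required."
          }

          if((Test-Path "${env:ProgramFiles(x86)}\WiX Toolset xcopy")) {
            Write-Verbose -Verbose "Cleaning up Wix tools"
            Remove-Item "${env:ProgramFiles(x86)}\WiX Toolset xcopy" -Recurse -Force
          }
        displayName: Clean up local Clone
        condition: always()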