From 466a7b7daa90b386381d3d88fad797a0acf44a9c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Moreno?= Date: Tue, 13 Oct 2020 15:56:16 +0200 Subject: [PATCH] ESRP Cert (#108366) * update ESRP * update to new ESRP cert * make gulp fail when inno setup fails * fix esrp * debug * update esrp client version * :facepalm: * argh * update esrpclient * argh --- .../win32/ESRPClient/packages.config | 2 +- .../win32/import-esrp-auth-cert.ps1 | 27 ++++++++++--------- .../win32/product-build-win32-arm64.yml | 8 +++--- .../win32/product-build-win32.yml | 8 +++--- build/azure-pipelines/win32/sign.ps1 | 3 ++- build/gulpfile.vscode.win32.js | 8 +++++- 6 files changed, 35 insertions(+), 21 deletions(-) diff --git a/build/azure-pipelines/win32/ESRPClient/packages.config b/build/azure-pipelines/win32/ESRPClient/packages.config index c10bed14121..ef586de9762 100644 --- a/build/azure-pipelines/win32/ESRPClient/packages.config +++ b/build/azure-pipelines/win32/ESRPClient/packages.config @@ -1,4 +1,4 @@ - + diff --git a/build/azure-pipelines/win32/import-esrp-auth-cert.ps1 b/build/azure-pipelines/win32/import-esrp-auth-cert.ps1 index c345c780231..ce5831f908c 100644 --- a/build/azure-pipelines/win32/import-esrp-auth-cert.ps1 +++ b/build/azure-pipelines/win32/import-esrp-auth-cert.ps1 
@@ -1,14 +1,17 @@ -Param( - [string]$AuthCertificateBase64, - [string]$AuthCertificateKey -) +param ($CertBase64) +$ErrorActionPreference = "Stop" -# Import auth certificate -$AuthCertificateFileName = [System.IO.Path]::GetTempFileName() -$AuthCertificateBytes = [Convert]::FromBase64String($AuthCertificateBase64) -[IO.File]::WriteAllBytes($AuthCertificateFileName, $AuthCertificateBytes) -$AuthCertificate = Import-PfxCertificate -FilePath $AuthCertificateFileName -CertStoreLocation Cert:\LocalMachine\My -Password (ConvertTo-SecureString $AuthCertificateKey -AsPlainText -Force) -rm $AuthCertificateFileName -$ESRPAuthCertificateSubjectName = $AuthCertificate.Subject +$CertBytes = [System.Convert]::FromBase64String($CertBase64) +$CertCollection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection +$CertCollection.Import($CertBytes, $null, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable) -Write-Output ("##vso[task.setvariable variable=ESRPAuthCertificateSubjectName;]$ESRPAuthCertificateSubjectName") \ No newline at end of file +$CertStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine") +$CertStore.Open("ReadWrite") +$CertStore.AddRange($CertCollection) +$CertStore.Close() + +echo $CertCollection[0].HasPrivateKey +echo $CertCollection[0].PrivateKey + +$ESRPAuthCertificateSubjectName = $CertCollection[0].Subject +Write-Output ("##vso[task.setvariable variable=ESRPAuthCertificateSubjectName;]$ESRPAuthCertificateSubjectName") diff --git a/build/azure-pipelines/win32/product-build-win32-arm64.yml b/build/azure-pipelines/win32/product-build-win32-arm64.yml index ecb50ad678e..2e53167e613 100644 --- a/build/azure-pipelines/win32/product-build-win32-arm64.yml +++ b/build/azure-pipelines/win32/product-build-win32-arm64.yml 
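Review bot: The two `echo` lines after `$CertStore.Close()` look like leftover debugging, and `echo $CertCollection[0].PrivateKey` writes the private-key object's properties for the ESRP auth certificate into the pipeline log. I would drop both and fail closed instead with `if (-not $CertCollection[0].HasPrivateKey) { throw "ESRP auth certificate was imported without a private key" }`. The import also passes `X509KeyStorageFlags::Exportable` while the certificate goes into `LocalMachine\My`, which leaves the key exportable through the normal certificate APIs for any process with access to that store. Unless the signing client is known to need export, `'MachineKeySet, PersistKeySet'` would keep the key usable in the machine store without that. `$CertCollection[0]` is assumed to be the entry that carries the key, which depends on the order of certificates inside the PFX, so a comment stating that assumption or a selection on `HasPrivateKey` would help.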
@@ -171,9 +171,11 @@ steps: inputs: ESRP: 'ESRP CodeSign' -- powershell: | - $ErrorActionPreference = "Stop" - .\build\azure-pipelines\win32\import-esrp-auth-cert.ps1 -AuthCertificateBase64 $(esrp-auth-certificate) -AuthCertificateKey $(esrp-auth-certificate-key) +- task: PowerShell@2 + inputs: + targetType: filePath + filePath: .\build\azure-pipelines\win32\import-esrp-auth-cert.ps1 + arguments: "$(ESRP-SSL-AADAuth)" displayName: Import ESRP Auth Certificate - powershell: | diff --git a/build/azure-pipelines/win32/product-build-win32.yml b/build/azure-pipelines/win32/product-build-win32.yml index be80731a7ab..43bd2479a4e 100644 --- a/build/azure-pipelines/win32/product-build-win32.yml +++ b/build/azure-pipelines/win32/product-build-win32.yml @@ -233,9 +233,11 @@ steps: inputs: ESRP: 'ESRP CodeSign' -- powershell: | - $ErrorActionPreference = "Stop" - .\build\azure-pipelines\win32\import-esrp-auth-cert.ps1 -AuthCertificateBase64 $(esrp-auth-certificate) -AuthCertificateKey $(esrp-auth-certificate-key) +- task: PowerShell@2 + inputs: + targetType: filePath + filePath: .\build\azure-pipelines\win32\import-esrp-auth-cert.ps1 + arguments: "$(ESRP-SSL-AADAuth)" displayName: Import ESRP Auth Certificate - powershell: | diff --git a/build/azure-pipelines/win32/sign.ps1 b/build/azure-pipelines/win32/sign.ps1 index 840cbe4071f..b73db31207f 100644 --- a/build/azure-pipelines/win32/sign.ps1 +++ b/build/azure-pipelines/win32/sign.ps1 @@ -12,6 +12,7 @@ $Auth = Create-TmpJson @{ SubjectName = $env:ESRPAuthCertificateSubjectName StoreLocation = "LocalMachine" StoreName = "My" + SendX5c = "true" } RequestSigningCert = @{ SubjectName = $env:ESRPCertificateSubjectName 
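Review bot: `arguments: "$(ESRP-SSL-AADAuth)"` expands the base64 certificate bundle onto the script's command line, here and in the identical step in product-build-win32.yml, where it can surface in process listings or command-line auditing on the agent. Mapping the secret into the step's environment keeps it off the command line: add `env:` with `ESRP_AUTH_CERT: $(ESRP-SSL-AADAuth)` (variable name constructed for illustration) to the task and have import-esrp-auth-cert.ps1 read `$env:ESRP_AUTH_CERT` instead of a positional parameter. The script in this commit imports with a `$null` password, so this variable appears to be the only thing protecting the private key.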
@@ -67,4 +68,4 @@ $Input = Create-TmpJson @{ $Output = [System.IO.Path]::GetTempFileName() $ScriptPath = Split-Path -Path $MyInvocation.MyCommand.Definition -Parent -& "$ScriptPath\ESRPClient\packages\Microsoft.ESRPClient.1.2.25\tools\ESRPClient.exe" Sign -a $Auth -p $Policy -i $Input -o $Output +& "$ScriptPath\ESRPClient\packages\Microsoft.ESRPClient.*\tools\ESRPClient.exe" Sign -a $Auth -p $Policy -i $Input -o $Output diff --git a/build/gulpfile.vscode.win32.js b/build/gulpfile.vscode.win32.js index 2abc39976b4..2027dc350cf 100644 --- a/build/gulpfile.vscode.win32.js +++ b/build/gulpfile.vscode.win32.js @@ -54,7 +54,13 @@ function packageInnoSetup(iss, options, cb) { cp.spawn(innoSetupPath, args, { stdio: ['ignore', 'inherit', 'inherit'] }) .on('error', cb) - .on('exit', () => cb(null)); + .on('exit', code => { + if (code === 0) { + cb(null); + } else { + cb(new Error(`InnoSetup returned exit code: ${code}`)); + } + }); } function buildWin32Setup(arch, target) {
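Review bot: Replacing the pinned `Microsoft.ESRPClient.1.2.25` directory with `Microsoft.ESRPClient.*` in the final `&` call means the signing step runs whichever package directory matches. A stale or unexpected second copy under `packages` on a reused agent would make the result ambiguous, and the executed binary is no longer tied to the version in packages.config. Resolving the path first and requiring exactly one match keeps the flexibility while failing closed: `$EsrpClient = @(Resolve-Path "$ScriptPath\ESRPClient\packages\Microsoft.ESRPClient.*\tools\ESRPClient.exe")`, then `if ($EsrpClient.Count -ne 1) { throw "Expected exactly one ESRPClient.exe, found $($EsrpClient.Count)" }`, then invoke `& $EsrpClient[0].Path Sign ...`. The start of the script is outside this hunk, so whether anything earlier cleans the packages directory cannot be seen here.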
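Review bot: The new `exit` handler in `packageInnoSetup` can call `cb` a second time after the `error` handler already has, since Node documents that `exit` may or may not fire after `error`. In addition, `code` is `null` when the process is ended by a signal, which produces the message `InnoSetup returned exit code: null`. Routing both events through one once-only completion and including the signal in the message covers both cases. `packageInnoSetup` begins above the hunk, so the fence shows only the spawn call and the guard around it.

```javascript
// … unchanged: innoSetupPath / args setup above the hunk …
let finished = false;
const finish = err => {
	if (!finished) {
		finished = true;
		cb(err);
	}
};

cp.spawn(innoSetupPath, args, { stdio: ['ignore', 'inherit', 'inherit'] })
	.on('error', finish)
	.on('exit', (code, signal) => {
		finish(code === 0 ? null : new Error(`InnoSetup failed (exit code: ${code}, signal: ${signal})`));
	});
```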