Move to ESRPv5, which supports certificate authentication (#32775)

Co-authored-by: Jaime Bernardo <jaime@janeasystems.com>
Dustin L. Howett 2024-05-08 11:32:25 -05:00 committed by GitHub
parent 9699feea40
commit a46319f19a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 34 additions and 18 deletions


@ -29,6 +29,7 @@ AFFINETRANSFORM
AFX
AGGREGATABLE
AHybrid
AKV
ALarger
ALLAPPS
ALLINPUT


@ -304,6 +304,7 @@
"MessagePack.dll",
"Nerdbank.Streams.dll",
"WinUI3Apps\\SharpCompress.dll",
"WinUI3Apps\\ZstdSharp.dll",
"ColorCode.Core.dll",
"ColorCode.UWP.dll",
"UnitsNet.dll",


@ -11,6 +11,9 @@ parameters:
- name: installerPrefix
type: string
default: "PowerToysSetup"
- name: signingParameters
type: object
default: {}
steps:
- task: VSBuild@1
@ -24,10 +27,10 @@ steps:
clean: true
maximumCpuCount: true
- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3
- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@5
displayName: Sign PowerToysSetupCustomActions DLL
inputs:
ConnectedServiceName: "Terminal/Console/WinAppDriver Team Code Signing Connection"
${{ insert }}: ${{ parameters.signingParameters }}
FolderPath: 'installer/PowerToysSetupCustomActions/$(BuildPlatform)\$(BuildConfiguration)\${{parameters.buildSubDir}}'
signType: batchSigning
batchSignPolicyFile: '$(build.sourcesdirectory)\.pipelines\ESRPSigning_installer.json'
@ -74,10 +77,10 @@ steps:
scriptName: .pipelines/versionAndSignCheck.ps1
arguments: -targetDir '$(build.sourcesdirectory)\extractedMsi\Binary'
- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3
- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@5
displayName: Sign MSI
inputs:
ConnectedServiceName: "Terminal/Console/WinAppDriver Team Code Signing Connection"
${{ insert }}: ${{ parameters.signingParameters }}
FolderPath: 'installer/PowerToysSetup/$(BuildPlatform)\$(BuildConfiguration)\${{parameters.buildSubDir}}'
signType: batchSigning
batchSignPolicyFile: '$(build.sourcesdirectory)\.pipelines\ESRPSigning_installer.json'
@ -101,10 +104,10 @@ steps:
inputs:
script: '"C:\Program Files (x86)\WiX Toolset v3.14\bin\insignia.exe" -ib installer\PowerToysSetup\$(BuildPlatform)\$(BuildConfiguration)\${{parameters.buildSubDir}}\${{parameters.installerPrefix}}-${{ parameters.versionNumber }}-$(BuildPlatform).exe -o installer\engine.exe'
- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3
- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@5
displayName: "ESRP CodeSigning (Engine)"
inputs:
ConnectedServiceName: "Terminal/Console/WinAppDriver Team Code Signing Connection"
${{ insert }}: ${{ parameters.signingParameters }}
FolderPath: "installer"
Pattern: engine.exe
signConfigType: inlineSignParams
@ -137,10 +140,10 @@ steps:
inputs:
script: '"C:\Program Files (x86)\WiX Toolset v3.14\bin\insignia.exe" -ab installer\engine.exe installer\PowerToysSetup\$(BuildPlatform)\$(BuildConfiguration)\${{parameters.buildSubDir}}\${{parameters.installerPrefix}}-${{ parameters.versionNumber }}-$(BuildPlatform).exe -o installer\PowerToysSetup\$(BuildPlatform)\$(BuildConfiguration)\${{parameters.buildSubDir}}\${{parameters.installerPrefix}}-${{ parameters.versionNumber }}-$(BuildPlatform).exe'
- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3
- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@5
displayName: Sign Bootstrapper
inputs:
ConnectedServiceName: "Terminal/Console/WinAppDriver Team Code Signing Connection"
${{ insert }}: ${{ parameters.signingParameters }}
FolderPath: 'installer/PowerToysSetup/$(BuildPlatform)\$(BuildConfiguration)\${{parameters.buildSubDir}}'
signType: batchSigning
batchSignPolicyFile: '$(build.sourcesdirectory)\.pipelines\ESRPSigning_installer.json'
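Review bot: The new `signingParameters` template parameter defaults to `{}`, so a caller that forgets to pass it makes `${{ insert }}: ${{ parameters.signingParameters }}` expand to nothing in all four `EsrpCodeSigning@5` steps. The missing connection and certificate inputs would then presumably surface only when the signing task runs, not when the template is expanded. Consider dropping the `default: {}` line so the parameter is required. Because the object is spliced wholesale into `inputs`, a comment above the parameter naming the expected keys would also help, e.g. `# signingParameters: ConnectedServiceName, AppRegistrationClientId, AppRegistrationTenantId, AuthAKVName, AuthCertName, AuthSignCertName`. This also documents that per-step inputs such as `FolderPath` and `batchSignPolicyFile` are not meant to be supplied through it.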


@ -23,6 +23,15 @@ parameters:
- name: versionNumber
type: string
default: '0.0.1'
- name: signingParameters
type: object
default:
ConnectedServiceName: $(SigningServiceName)
AppRegistrationClientId: $(SigningAppId)
AppRegistrationTenantId: $(SigningTenantId)
AuthAKVName: $(SigningAKVName)
AuthCertName: $(SigningAuthCertName)
AuthSignCertName: $(SigningSignCertName)
extends:
template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates
@ -164,10 +173,10 @@ extends:
maximumCpuCount: true
### BEGIN SECTION - build and sign nuget packages for abstracted UI utils
- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3
- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@5
displayName: Sign Utilities libraries
inputs:
ConnectedServiceName: 'Terminal/Console/WinAppDriver Team Code Signing Connection'
${{ insert }}: ${{ parameters.signingParameters }}
FolderPath: 'src/modules'
signType: batchSigning
batchSignPolicyFile: '$(build.sourcesdirectory)\.pipelines\ESRPSigning_abstracted_utils_dll.json'
@ -207,10 +216,10 @@ extends:
flattenFolders: True
targetFolder: $(Build.ArtifactStagingDirectory)/nupkg
- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3
- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@5
displayName: Submit *.nupkg to ESRP for code signing
inputs:
ConnectedServiceName: 'Terminal/Console/WinAppDriver Team Code Signing Connection'
${{ insert }}: ${{ parameters.signingParameters }}
FolderPath: $(Build.ArtifactStagingDirectory)/nupkg
Pattern: '*.nupkg'
UseMinimatch: true
@ -412,28 +421,28 @@ extends:
# reference https://dev.azure.com/microsoft/Dart/_git/AppDriver?path=/ESRPSigning.json&version=GBarm64-netcore&_a=contents for winappdriver
# https://dev.azure.com/microsoft/Dart/_git/AppDriver?path=/CIPolicy.xml&version=GBarm64-netcore&_a=contents
- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3
- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@5
displayName: Sign Core PT
inputs:
ConnectedServiceName: 'Terminal/Console/WinAppDriver Team Code Signing Connection'
${{ insert }}: ${{ parameters.signingParameters }}
FolderPath: '$(BuildPlatform)/$(BuildConfiguration)' # Video conf uses x86 and x64.
signType: batchSigning
batchSignPolicyFile: '$(build.sourcesdirectory)\.pipelines\ESRPSigning_core.json'
ciPolicyFile: '$(build.sourcesdirectory)\.pipelines\CIPolicy.xml'
- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3
- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@5
displayName: Sign DSC Powershell files
inputs:
ConnectedServiceName: 'Terminal/Console/WinAppDriver Team Code Signing Connection'
${{ insert }}: ${{ parameters.signingParameters }}
FolderPath: 'src/dsc/Microsoft.PowerToys.Configure'
signType: batchSigning
batchSignPolicyFile: '$(build.sourcesdirectory)\.pipelines\ESRPSigning_DSC.json'
ciPolicyFile: '$(build.sourcesdirectory)\.pipelines\CIPolicy.xml'
- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3
- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@5
displayName: Sign x86 directshow VCM
inputs:
ConnectedServiceName: 'Terminal/Console/WinAppDriver Team Code Signing Connection'
${{ insert }}: ${{ parameters.signingParameters }}
FolderPath: 'x86/$(BuildConfiguration)' # Video conf uses x86 and x64.
signType: batchSigning
batchSignPolicyFile: '$(build.sourcesdirectory)\.pipelines\ESRPSigning_vcm.json'
@ -477,6 +486,7 @@ extends:
- template: .pipelines/installer-steps.yml@self
parameters:
signingParameters: ${{ parameters.signingParameters }}
versionNumber: ${{ parameters.versionNumber }}
perUserArg: "false"
buildSubDir: "MachineSetup"
@ -491,6 +501,7 @@ extends:
- template: .pipelines/installer-steps.yml@self
parameters:
signingParameters: ${{ parameters.signingParameters }}
versionNumber: ${{ parameters.versionNumber }}
perUserArg: "true"
buildSubDir: "UserSetup"
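Review bot: `signingParameters` is declared in the `parameters:` block of the file that carries `extends:`. If this is the pipeline root, it is a runtime parameter, and whoever queues a run could substitute a different service connection, key vault name or certificate name for the signing steps. The defaults also depend on `$(SigningServiceName)`, `$(SigningAppId)`, `$(SigningTenantId)`, `$(SigningAKVName)`, `$(SigningAuthCertName)` and `$(SigningSignCertName)`, none of which are defined in the visible hunks. A comment above the parameter would make the trust boundary explicit, e.g. `# Signing identity: values come from pipeline variables that must not be settable at queue time; do not override when queuing a release.` If overriding is never intended, keeping the mapping in a `variables:` or template-level constant rather than a pipeline parameter would remove the queue-time override path.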