Refactoring CI to use ESRP signing (#875)

Azure · Nov 1, 2023 · a6c80c7 · a6c80c7
1 parent af3ab4f
commit a6c80c7
Show file tree

Hide file tree

Showing 2 changed files with 111 additions and 51 deletions.
diff --git a/Build.ps1 b/Build.ps1
@@ -3,9 +3,8 @@
   [string]$buildNumber,
   [string]$packageSuffix = "0",
   [bool]$isLocal = $false,
-  [bool]$signPackages = $false,
   [string]$outputDirectory = (Join-Path -Path $PSScriptRoot -ChildPath "buildoutput"),
-  [bool]$skipAssemblySigning = $false
+  [bool]$pack = $false
 )
 
 if ($null -eq $buildNumber) {
@@ -19,23 +18,25 @@ if ($isLocal){
 
 dotnet --version
 
-dotnet build -v m
-
 if (-not $?) { exit 1 }
 
 foreach ($project in $projects)
-{
-  $cmd = "pack", "src\$project\$project.csproj", "-o", $outputDirectory, "--no-build"
-
-  if ($packageSuffix -ne "0")
+{ 
+  # This assumes we've already built the package
+  if ($pack)
   {
-    $cmd += "--version-suffix", "-$packageSuffix"
-  }
-
-  & { dotnet $cmd }
-}
+    $cmd = "pack", "src\$project\$project.csproj", "-o", $outputDirectory, "--no-build"
 
-if ($signPackages) {
-  & { .\tools\RunSigningJob.ps1 -artifactDirectory $outputDirectory -buildNumber $buildNumber -skipAssemblySigning $skipAssemblySigning }
-  if (-not $?) { exit 1 }
+    if ($packageSuffix -ne "0")
+    {
+      $cmd += "--version-suffix", "-$packageSuffix"
+    }
+  } 
+  else 
+  {
+    $cmd = "build", "src\$project\$project.csproj", "-v", "m"
+  }  
+
+  Write-Host dotnet $cmd
+  & { dotnet $cmd }
 }
diff --git a/build/pipelines/templates/ci.yml b/build/pipelines/templates/ci.yml
@@ -49,42 +49,23 @@ jobs:
   - task: 1ESHostedPoolValidation@1
 
   - pwsh: |
-      $packageSuffix = 0
-      if (-not $$(hasTag)) {
-        $packageSuffix = $(buildNumber)
-        Write-Host "No git tag found. Setting package suffix to '$packageSuffix'"
-      }
-
       if ($$(hasTag)) {
         $config = "Release"
         Write-Host "Git tag found. Setting Configuration to '$config'"
         $env:Configuration = $config
         Write-Host "##vso[task.setvariable variable=Configuration]$config" # let downstream tasks read this variable
-      }
+      }      
 
-      $projectsArray = "$(targetProjects)" -split ";"
-
-      Write-Host "Building projects:"
-      Write-Host $projectsArray -separator "`n"
-
-      .\Build.ps1 -projects $projectsArray -buildNumber "$(buildNumber)" -packageSuffix "$packageSuffix" -outputDirectory "$(buildOutputDirectory)" -signPackages $$(signPackages) -skipAssemblySigning $${{ parameters.skip_assembly_signing }}
-    displayName: "Build source"
-    env:
-      CommitHash: $(Build.SourceVersion)
-      FILES_ACCOUNT_NAME: $(FilesAccountName)
-      FILES_ACCOUNT_KEY: $(FilesAccountKey)
-    ## This task also optionally signs the packages
-
-  - pwsh: |
       $testsArray = "$(targetTests)" -split ";"
 
       Write-Host "Running tests:"
       Write-Host $testsArray -separator "`n"
 
+      # building tests will automatically build the main project as well
       .\run-tests.ps1 -tests $testsArray
-    displayName: "Run tests"
-    ## requires env:Configuration be set to report test results
+    displayName: "Build and test"    
     env:
+      CommitHash: $(Build.SourceVersion)
       AzureWebJobsStorage: $(Storage)
       AzureWebJobsDashboard: $(Storage)
       AzureWebJobsCosmosDBConnectionString: $(CosmosDB)
@@ -100,21 +81,99 @@ jobs:
       testRunTitle: 'XUnit Tests'
     condition: always()
 
-  - pwsh: |
-      if ($$(signPackages))
-      {
-        Write-Host "Package signing enabled for this build. Retrieving signed files."
+  - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@2
+    displayName: 'ESRP CodeSigning - Authenticode'
+    condition: eq(variables.signPackages, true)
+    inputs:
+      ConnectedServiceName: 'ESRP Service'
+      FolderPath: 'src'
+      Pattern: Microsoft.Azure.WebJobs.Extensions*.dll
+      signConfigType: inlineSignParams
+      inlineOperation: |
+        [
+          {
+              "KeyCode" : "CP-233863-SN",
+              "OperationCode" : "StrongNameSign",
+              "Parameters" : {},
+              "ToolName" : "sign",
+              "ToolVersion" : "1.0"
+          },
+          {
+              "KeyCode" : "CP-233863-SN",
+              "OperationCode" : "StrongNameVerify",
+              "Parameters" : {},
+              "ToolName" : "sign",
+              "ToolVersion" : "1.0"
+          },
+          {
+            "KeyCode": "CP-230012",
+            "OperationCode": "SigntoolSign",
+            "Parameters": {
+              "OpusName": "Microsoft",
+              "OpusInfo": "http://www.microsoft.com",
+              "FileDigest": "/fd \"SHA256\"",
+              "PageHash": "/NPH",
+              "TimeStamp": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256"
+            },
+            "ToolName": "sign",
+            "ToolVersion": "1.0"
+          },
+          {
+            "KeyCode": "CP-230012",
+            "OperationCode": "SigntoolVerify",
+            "Parameters": {},
+            "ToolName": "sign",
+            "ToolVersion": "1.0"
+          }
+        ]
 
-        .\tools\PollSigningResults.ps1 -buildNumber "$(buildNumber)" -artifactDirectory "$(buildOutputDirectory)" -skipAssemblySigning $${{ parameters.skip_assembly_signing }}
+  - pwsh: |
+      $packageSuffix = 0
+      if (-not $$(hasTag)) {
+        $packageSuffix = $(buildNumber)
+        Write-Host "No git tag found. Setting package suffix to '$packageSuffix'"
       }
-      else
-      {
-        Write-Host "Package signing conditions not met for this build."
+
+      if ($$(hasTag)) {
+        $config = "Release"
+        Write-Host "Git tag found. Setting Configuration to '$config'"
+        $env:Configuration = $config
+        Write-Host "##vso[task.setvariable variable=Configuration]$config" # let downstream tasks read this variable
       }
-    displayName: "Poll signing results"
-    env: 
-      FILES_ACCOUNT_NAME: $(FilesAccountName)
-      FILES_ACCOUNT_KEY: $(FilesAccountKey)
+
+      $projectsArray = "$(targetProjects)" -split ";"
+
+      Write-Host "Building projects:"
+      Write-Host $projectsArray -separator "`n"
+
+      .\Build.ps1 -projects $projectsArray -buildNumber "$(buildNumber)" -packageSuffix "$packageSuffix" -outputDirectory "$(buildOutputDirectory)" -pack $True
+    displayName: "Pack build"
+
+  - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@2
+    displayName: 'ESRP CodeSigning: Nupkg'
+    condition: eq(variables.signPackages, true)
+    inputs:
+      ConnectedServiceName: 'ESRP Service'
+      FolderPath: 'buildoutput'
+      Pattern: 'Microsoft.Azure.WebJobs.Extensions*.nupkg'
+      signConfigType: inlineSignParams
+      inlineOperation: |
+        [
+            {
+              "KeyCode": "CP-401405",
+              "OperationCode": "NuGetSign",
+              "Parameters": {},
+              "ToolName": "sign",
+              "ToolVersion": "1.0"
+            },
+            {
+              "KeyCode": "CP-401405",
+              "OperationCode": "NuGetVerify",
+              "Parameters": {},
+              "ToolName": "sign",
+              "ToolVersion": "1.0"
+            }
+        ]
 
   - task: ManifestGeneratorTask@0
     displayName: "SBOM Generation"