Migrate from SignClient to sign tool and specify SDK in global.json (…

…#43)

Fixes #42

Switch to the newer dotnet/sign CLI tool. As part of the switch I
refactored the YAML file slightly:

1. Add a minimum SDK version in global.json. This helps prevent "works
on my machine" issues by ensuring that CI is running a reasonable SDK
version. I'm open to suggestions on the rollforward strategy; currently
being as permissive as possible
2. Switch the YAML from using a deployment to a regular job; deployments
aren't used very commonly and behave a bit differently (i.e. don't
clone, automatically download all artifacts, etc.) so using a regular
job to be "less magical"
3. Rather than install the sign tool in the CI pipeline, I add it as a
dotnet tool; this makes it easier to discover / upgrade versions since
that tool is stored with the others

.config/dotnet-tools.json

@@ -6,7 +6,15 @@
       "version": "3.4.194",
       "commands": [
         "nbgv"
-      ]
+      ],
+      "rollForward": false
+    },
+    "sign": {
+      "version": "0.9.1-beta.24325.5",
+      "commands": [
+        "sign"
+      ],
+      "rollForward": false
     }
   }
 }

azure-pipelines.yml

@@ -21,58 +21,61 @@ stages:
     - task: UseDotNet@2
       inputs:
         packageType: sdk
-      displayName: 'Use .NET Core sdk'
+        useGlobalJson: true
+      displayName: 'Use .NET SDK'
 
     - script: dotnet tool restore
-      displayName: Install NBGV and other dotnet tools
+      displayName: Install dotnet tools
 
     - script: dotnet nbgv cloud
       displayName: Set Version
 
     - script: dotnet pack dirs.proj
       displayName: Create package(s)
 
-    - publish: $(Build.ArtifactStagingDirectory)\Packages
+    - publish: $(Build.ArtifactStagingDirectory)/Packages
       displayName: Publish build packages
       artifact: BuildPackages
 
-    - publish: config
-      displayName: Publish signing config
-      artifact: config
-
+# Keep signing variables in a separate stage
 - stage: CodeSign
   condition: and(succeeded('Build'), not(eq(variables['build.reason'], 'PullRequest')))
   jobs:
-  - deployment: CodeSign
+  - job: CodeSign
     displayName: Code Signing
     pool:
-      vmImage: windows-latest    
-    environment: Code Sign - CI
+      vmImage: windows-latest
     variables:
-    - group: SignClient-DNF
-    strategy:
-      runOnce:
-        deploy:
-          steps: 
-          - task: DotNetCoreCLI@2
-            inputs:
-              command: custom
-              custom: tool
-              arguments: install --tool-path . SignClient
-            displayName: Install SignTool tool
+    - group: SignTool-DNF
+
+    steps:
+    - download: current
+      artifact: BuildPackages
+
+    - task: UseDotNet@2
+      inputs:
+        packageType: sdk
+        useGlobalJson: true
+      displayName: 'Use .NET SDK'
+
+    - script: dotnet tool restore
+      displayName: Install dotnet tools
+
+    - pwsh: |
+        dotnet sign code azure-key-vault `
+        "**/*.nupkg" `
+        --base-directory "$(Pipeline.Workspace)/BuildPackages" `
+        --file-list "$(Build.SourcesDirectory)/config/filelist.txt" `
+        --publisher-name "DotNet.ReproducibleBuilds" `
+        --description "DotNet.ReproducibleBuilds" `
+        --description-url "https://github.com/dotnet/reproducible-builds" `
+        --azure-key-vault-tenant-id "$(SignTenantId)" `
+        --azure-key-vault-client-id "$(SignClientId)" `
+        --azure-key-vault-client-secret '$(SignClientSecret)' `
+        --azure-key-vault-certificate "$(SignKeyVaultCertificate)" `
+        --azure-key-vault-url "$(SignKeyVaultUrl)"
+      displayName: Sign packages
 
-          - pwsh: |
-              .\SignClient "Sign" `
-              --baseDirectory "$(Pipeline.Workspace)\BuildPackages" `
-              --input "**/*.nupkg" `
-              --config "$(Pipeline.Workspace)\config\SignClient.json" `
-              --user "$(SignClientUser)" `
-              --secret '$(SignClientSecret)' `
-              --name "DotNet.ReproducibleBuilds" `
-              --description "DotNet.ReproducibleBuilds" `
-              --descriptionUrl "https://github.com/dotnet/reproducible-builds"
-            displayName: Sign packages
-              
-          - publish: $(Pipeline.Workspace)/BuildPackages
-            displayName: Publish Signed Packages
-            artifact: SignedPackages
+    - publish: $(Pipeline.Workspace)/BuildPackages
+      displayName: Publish Signed Packages
+      artifact: SignedPackages

global.json

@@ -1,4 +1,8 @@
 {
+  "sdk": {
+    "version": "8.0.100",
+    "rollForward": "major"
+  },
   "msbuild-sdks": {
     "Microsoft.Build.NoTargets": "3.0.4",
     "Microsoft.Build.Traversal": "3.0.23"