From 6a16543ad6ad93fecd182655c8d47299c4438b91 Mon Sep 17 00:00:00 2001
From: Eric Johnson
Date: Tue, 4 Jun 2024 15:43:15 -0700
Subject: [PATCH] Update ESRP yaml tasks (#3118)

---
 build/azure-pipelines.yml | 235 +++++++++++++-------------
 build/templates/EsrpSigning-Steps.yml | 22 +++
 2 files changed, 138 insertions(+), 119 deletions(-)
 create mode 100644 build/templates/EsrpSigning-Steps.yml

diff --git a/build/azure-pipelines.yml b/build/azure-pipelines.yml
index 7e4a24542c..cc5da7dcdb 100644
--- a/build/azure-pipelines.yml
+++ b/build/azure-pipelines.yml
@@ -241,46 +241,45 @@ extends: $(Build.SourcesDirectory)\**\obj\**\*.r2r.ni.pdb - - task: EsrpCodeSigning@2 - inputs: - ConnectedServiceName: 'Xlang Code Signing' - FolderPath: '$(appxPackageDir)\${{ configuration }}' - Pattern: '*.msix' - signConfigType: 'inlineSignParams' - inlineOperation: | - [ - { - "keycode": "CP-230012", - "operationSetCode": "SigntoolvNextSign", - "parameters": [ - { - "parameterName": "OpusName", - "parameterValue": "Microsoft" - }, - { - "parameterName": "OpusInfo", - "parameterValue": "http://www.microsoft.com" - }, - { - "parameterName": "PageHash", - "parameterValue": "/NPH" - }, - { - "parameterName": "FileDigest", - "parameterValue": "/fd sha256" - }, - { - "parameterName": "TimeStamp", - "parameterValue": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" - } - ], - "toolName": "signtool.exe", - "toolVersion": "6.2.9304.0" - } - ] - SessionTimeout: '60' - MaxConcurrency: '50' - MaxRetryAttempts: '5' + - template: ./build/templates/EsrpSigning-Steps.yml@self + parameters: + displayName: Submit *.msix to ESRP for code signing + inputs: + FolderPath: '$(appxPackageDir)\${{ configuration }}' + Pattern: '*.msix' + UseMinimatch: true + signConfigType: inlineSignParams + inlineOperation: >- + [ + { + "keycode": "CP-230012", + "operationSetCode": "SigntoolvNextSign", + "parameters": [ + { + "parameterName": "OpusName", + "parameterValue": "Microsoft" + }, + { + "parameterName": "OpusInfo", + "parameterValue": "http://www.microsoft.com" + }, + { + "parameterName": "PageHash", + "parameterValue": "/NPH" + }, + { + "parameterName": "FileDigest", + "parameterValue": "/fd sha256" + }, + { + "parameterName": "TimeStamp", + "parameterValue": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" + } + ], + "toolName": "signtool.exe", + "toolVersion": "6.2.9304.0" + } + ] # Commented out until our implementation is fixed # - task: AzureKeyVault@1 
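Review bot: `inlineOperation: >-` on the new `*.msix` signing step folds the JSON block, while the other two call sites in this commit (the Stub `*.msix` step and the `*.msixbundle` step) keep `inlineOperation: |`. Folding is harmless to a JSON parser, but a folded scalar keeps newlines only for more-indented lines, so the value handed to the ESRP task differs in layout from the two sibling steps and from what the removed `EsrpCodeSigning@2` task sent; use `inlineOperation: |` here for consistency. Since all three sites now pass the same inline operation (same keycode, parameters, `toolName` and `toolVersion`), it may be worth hoisting the JSON into the new template as the default of a dedicated parameter so a change to the signing parameters is made once. The enclosing `extends:` block and steps list begin before this hunk.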
@@ -394,47 +393,46 @@ extends: filePath: 'build/scripts/UnbundleStubPackage.ps1' arguments: -InputPath $(appxPackageDir)\Staging -OutputLocation $(appxPackageDir)\${{ configuration }}\AppxMetadata\Stub - - task: EsrpCodeSigning@2 - condition: and(eq(variables['BuildingBranch'], 'release'), eq('${{ configuration }}', 'Release')) - inputs: - ConnectedServiceName: 'Xlang Code Signing' - FolderPath: '$(appxPackageDir)\${{ configuration }}\AppxMetadata\Stub' - Pattern: '*.msix' - signConfigType: 'inlineSignParams' - inlineOperation: | - [ - { - "keycode": "CP-230012", - "operationSetCode": "SigntoolvNextSign", - "parameters": [ - { - "parameterName": "OpusName", - "parameterValue": "Microsoft" - }, - { - "parameterName": "OpusInfo", - "parameterValue": "http://www.microsoft.com" - }, - { - "parameterName": "PageHash", - "parameterValue": "/NPH" - }, - { - "parameterName": "FileDigest", - "parameterValue": "/fd sha256" - }, + - ${{ if and(eq(variables['BuildingBranch'], 'release'), eq('${{ configuration }}', 'Release')) }}: + - template: ./build/templates/EsrpSigning-Steps.yml@self + parameters: + displayName: Submit *.msix to ESRP for code signing + inputs: + FolderPath: '$(appxPackageDir)\${{ configuration }}\AppxMetadata\Stub' + Pattern: '*.msix' + UseMinimatch: true + signConfigType: inlineSignParams + inlineOperation: | + [ { - "parameterName": "TimeStamp", - "parameterValue": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" + "keycode": "CP-230012", + "operationSetCode": "SigntoolvNextSign", + "parameters": [ + { + "parameterName": "OpusName", + "parameterValue": "Microsoft" + }, + { + "parameterName": "OpusInfo", + "parameterValue": "http://www.microsoft.com" + }, + { + "parameterName": "PageHash", + "parameterValue": "/NPH" + }, + { + "parameterName": "FileDigest", + "parameterValue": "/fd sha256" + }, + { + "parameterName": "TimeStamp", + "parameterValue": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" + 
} + ], + "toolName": "signtool.exe", + "toolVersion": "6.2.9304.0" } - ], - "toolName": "signtool.exe", - "toolVersion": "6.2.9304.0" - } - ] - SessionTimeout: '60' - MaxConcurrency: '50' - MaxRetryAttempts: '5' + ] - task: PowerShell@2 displayName: Build MsixBundle 
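Review bot: The Stub signing step's gate moved from a runtime `condition:` to a compile-time `${{ if and(eq(variables['BuildingBranch'], 'release'), ...) }}`, which is only equivalent if `BuildingBranch` is defined in YAML or pipeline variables and therefore available at template expansion; if it is set during the run (for example by `task.setvariable` in an earlier step), the expression sees an empty value and the step is silently omitted from the job instead of being skipped with a visible condition result. Where `BuildingBranch` is defined is outside this hunk, so confirm it before relying on the new form; if it is a runtime variable, the template needs a `condition` parameter and the caller should pass `condition: and(eq(variables['BuildingBranch'], 'release'), eq('${{ configuration }}', 'Release'))` through it rather than wrapping the step in `${{ if }}`. The `'${{ configuration }}'` nested inside the `${{ if }}` expression is also worth simplifying: assuming `configuration` is the surrounding `each` loop variable, a compile-time expression can reference it directly as `eq(configuration, 'Release')` without a nested expansion. The enclosing steps list and `extends:` block begin before this hunk.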
@@ -442,46 +440,45 @@ extends: filePath: 'Build.ps1' arguments: -Configuration "${{ configuration }}" -Version $(MSIXVersion) -BuildStep "msixbundle" -IsAzurePipelineBuild - - task: EsrpCodeSigning@2 - inputs: - ConnectedServiceName: 'Xlang Code Signing' - FolderPath: 'AppxBundles\${{ configuration }}' - Pattern: '*.msixbundle' - signConfigType: 'inlineSignParams' - inlineOperation: | - [ - { - "keycode": "CP-230012", - "operationSetCode": "SigntoolvNextSign", - "parameters": [ - { - "parameterName": "OpusName", - "parameterValue": "Microsoft" - }, - { - "parameterName": "OpusInfo", - "parameterValue": "http://www.microsoft.com" - }, - { - "parameterName": "PageHash", - "parameterValue": "/NPH" - }, - { - "parameterName": "FileDigest", - "parameterValue": "/fd sha256" - }, - { - "parameterName": "TimeStamp", - "parameterValue": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" - } - ], - "toolName": "signtool.exe", - "toolVersion": "6.2.9304.0" - } - ] - SessionTimeout: '60' - MaxConcurrency: '50' - MaxRetryAttempts: '5' + - template: ./build/templates/EsrpSigning-Steps.yml@self + parameters: + displayName: Submit *.msixbundle to ESRP for code signing + inputs: + FolderPath: 'AppxBundles\${{ configuration }}' + Pattern: '*.msixbundle' + UseMinimatch: true + signConfigType: inlineSignParams + inlineOperation: | + [ + { + "keycode": "CP-230012", + "operationSetCode": "SigntoolvNextSign", + "parameters": [ + { + "parameterName": "OpusName", + "parameterValue": "Microsoft" + }, + { + "parameterName": "OpusInfo", + "parameterValue": "http://www.microsoft.com" + }, + { + "parameterName": "PageHash", + "parameterValue": "/NPH" + }, + { + "parameterName": "FileDigest", + "parameterValue": "/fd sha256" + }, + { + "parameterName": "TimeStamp", + "parameterValue": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" + } + ], + "toolName": "signtool.exe", + "toolVersion": "6.2.9304.0" + } + ] templateContext: outputs: 
diff --git a/build/templates/EsrpSigning-Steps.yml b/build/templates/EsrpSigning-Steps.yml
new file mode 100644
index 0000000000..63eb25b47c
--- /dev/null
+++ b/build/templates/EsrpSigning-Steps.yml
@@ -0,0 +1,22 @@
+parameters:
+  - name: displayName
+    type: string
+    default: ESRP Code Signing
+  - name: inputs
+    type: object
+    default: {}
+
+steps:
+  - task: EsrpCodeSigning@5
+    displayName: ${{ parameters.displayName }}
+    inputs:
+      ConnectedServiceName: $(EsrpConnectedServiceName)
+      AppRegistrationClientId: $(EsrpAppRegistrationClientId)
+      AppRegistrationTenantId: $(EsrpAppRegistrationTenantId)
+      AuthAKVName: $(EsrpAuthAKVName)
+      AuthCertName: $(EsrpAuthCertName)
+      AuthSignCertName: $(EsrpAuthSignCertName)
+      SessionTimeout: '60'
+      MaxConcurrency: '50'
+      MaxRetryAttempts: '5'
+      ${{ insert }}: ${{ parameters.inputs }}
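Review bot: `EsrpSigning-Steps.yml` has no header comment, and the six `$(Esrp…)` macro values it hands to `EsrpCodeSigning@5` are runtime variables whose source (a variable group or library secret) is stated nowhere in the file; if one is not provided, the task receives the literal `$(EsrpConnectedServiceName)` text and fails only at run time. Add a comment above `steps:` naming the variable group every pipeline using this template must link, and which of those values are secrets. The `inputs` parameter defaults to `{}`, but the task cannot sign anything without at least `FolderPath` and `Pattern`, so dropping `default: {}` would make the parameter required and turn a missing value into a template-compile error instead of a failed ESRP submission. Because `${{ insert }}: ${{ parameters.inputs }}` is the last entry under `inputs:`, a caller can also pass `ConnectedServiceName` or `AuthCertName` and collide with the fixed keys, and the template does not make clear which value wins; document that `inputs` is limited to file-selection and signing parameters, or place the insert above the fixed keys so the template's identity settings are stated last.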