Switch to new signing tool for Windows releases (#190)

Allows us to reenable Nuget package signatures

Author: zooba

windows-release/azure-pipelines.yml

@@ -165,9 +165,8 @@ stages:
     jobs:
     - template: stage-pack-nuget.yml
       parameters:
-        # Nuget signing is disabled because Azure Trusted Signing does not support it
-        #${{ if and(parameters.SigningCertificate, ne(parameters.SigningCertificate, 'Unsigned')) }}:
-        #  SigningCertificate: ${{ parameters.SigningCertificate }}
+        ${{ if and(parameters.SigningCertificate, ne(parameters.SigningCertificate, 'Unsigned')) }}:
+          SigningCertificate: ${{ parameters.SigningCertificate }}
         DoFreethreaded: ${{ parameters.DoFreethreaded }}
 
   - stage: Test

windows-release/sign-files.yml

@@ -1,40 +1,23 @@
 parameters:
   Include: '*'
   Exclude: ''
+  Filter: ''
   WorkingDir: '$(Build.BinariesDirectory)'
   ExtractDir: ''
   SigningCertificate: ''
   ExportCommand: ''
+  ContinueOnError: false
 
 steps:
 - ${{ if parameters.SigningCertificate }}:
   - powershell: |
-      cd (mkdir -Force _signing)
-      iwr https://aka.ms/nugetclidl -o nuget.exe
-      .\nuget.exe install Microsoft.Windows.SDK.BuildTools -x -o .
-      .\nuget.exe install Microsoft.Trusted.Signing.Client -x -o .
-      $md = @{
-        Endpoint='$(TrustedSigningUri)';
-        CodeSigningAccountName='$(TrustedSigningAccount)';
-        CertificateProfileName='$(TrustedSigningCertificateName)';
-        CorrelationId='$(SigningDescription)';
-        ExcludeEnvironmentCredential=$false;
-        ExcludeManagedIdentityCredential=$true;
-        ExcludeSharedTokenCacheCredential=$true;
-        ExcludeVisualStudioCredential=$true;
-        ExcludeVisualStudioCodeCredential=$true;
-        ExcludeAzureCliCredential=$true;
-        ExcludeAzurePowershellCredential=$true;
-        ExcludeInteractiveBrowserCredential=$true;
-      };
-      # ConvertTo-Json $md | Out-File -Encoding UTF8 .\metadata.json
-      # but without including the BOM...
-      [System.IO.File]::WriteAllText("$(Get-Location)\metadata.json", (ConvertTo-Json $md), [System.Text.UTF8Encoding]::new($false))
+      dotnet tool install --global --prerelease sign
+      $signtool = (gcm sign).Source
+      $signargs = 'code trusted-signing -v Information ' + `
+        '-fd sha256 -t http://timestamp.acs.microsoft.com -td sha256 ' + `
+        '-tse "$(TrustedSigningUri)" -tsa "$(TrustedSigningAccount)" -tscp "$(TrustedSigningCertificateName)" ' + `
+        '-d "$(SigningDescription)" '
 
-      $signtool = dir .\Microsoft.Windows.SDK.BuildTools\*\*\x64\signtool.exe | select -First 1
-      $dlib = dir .\Microsoft.Trusted.Signing.Client\*\x64\Azure.CodeSigning.Dlib.dll | select -First 1
-      $signargs = "sign /v /fd sha256 /tr http://timestamp.acs.microsoft.com /td sha256 " + `
-        "/dlib ""$dlib"" /dmdf ""$(gi metadata.json)"""
       Write-Host "##vso[task.setvariable variable=__TrustedSigningCmd]$signtool"
       Write-Host "##vso[task.setvariable variable=__TrustedSigningArgs]$signargs"
       if ($env:EXPORT_COMMAND) {
@@ -53,16 +36,30 @@ steps:
         } else {
           $files = (dir ${{ parameters.Include }} -File)
         }
-        & $env:TRUSTED_SIGNING_CMD @(-split $env:TRUSTED_SIGNING_ARGS) $files
+        if ($env:FILTER) {
+          ($env:FILTER -split ';') -join "`n" | Out-File __filelist.txt -Encoding utf8
+        } else {
+          "*" | Out-File __filelist.txt -Encoding utf8
+        }
+        foreach ($f in $files) {
+          & $env:TRUSTED_SIGNING_CMD @(-split $env:TRUSTED_SIGNING_ARGS) -fl __filelist.txt $f
+          if (-not $?) { exit $LASTEXITCODE }
+        }
+        del __filelist.txt
       displayName: 'Sign binaries'
-      retryCountOnTaskFailure: 3
+      ${{ if eq(parameters.ContinueOnError, 'false') }}:
+        retryCountOnTaskFailure: 3
+      ${{ else }}:
+        continueOnError: true
       workingDirectory: ${{ parameters.WorkingDir }}
       env:
         TRUSTED_SIGNING_CMD: $(__TrustedSigningCmd)
         TRUSTED_SIGNING_ARGS: $(__TrustedSigningArgs)
         AZURE_TENANT_ID: $(TrustedSigningTenantId)
         AZURE_CLIENT_ID: $(TrustedSigningClientId)
         AZURE_CLIENT_SECRET: $(TrustedSigningSecret)
+        ${{ if parameters.Filter }}:
+          FILTER: ${{ parameters.Filter }}
 
 
 - ${{ if parameters.ExtractDir }}:

windows-release/stage-layout-msix.yml

@@ -69,6 +69,7 @@ jobs:
     env:
       TCL_LIBRARY: $(TclLibrary)
 
+  # The dotnet sign tool shouldn't need this, but we do because of the sccd file
   - powershell: |
       $info = (gc "$(Pipeline.Workspace)\cert\certinfo.json" | ConvertFrom-JSON)
       Write-Host "Side-loadable APPX must be signed with '$($info.Subject)'"

windows-release/stage-pack-msix.yml

@@ -131,6 +131,8 @@ jobs:
     - template: sign-files.yml
       parameters:
         Include: '*.msix'
+        # Additional filter to avoid recursively signing package contents
+        Filter: '*.msix'
         WorkingDir: $(Build.BinariesDirectory)\unsigned_msix
         SigningCertificate: ${{ parameters.SigningCertificate }}
 

windows-release/stage-pack-nuget.yml

@@ -69,8 +69,13 @@ jobs:
   - template: sign-files.yml
     parameters:
       Include: '*.nupkg'
+      # Additional filter to avoid recursively signing package contents
+      Filter: '*.nupkg'
       WorkingDir: $(Build.ArtifactStagingDirectory)
       SigningCertificate: ${{ parameters.SigningCertificate }}
+      # Nuget signing is not supported by our test certificate, so ignore errors
+      ${{ if eq(parameters.SigningCertificate, 'TestSign') }}:
+        ContinueOnError: true
 
   - task: PublishBuildArtifacts@1
     displayName: 'Publish Artifact: nuget'