diff --git a/windows-release/azure-pipelines.yml b/windows-release/azure-pipelines.yml
index d716d3df..99871c8a 100644
--- a/windows-release/azure-pipelines.yml
+++ b/windows-release/azure-pipelines.yml
@@ -165,9 +165,8 @@ stages:
 jobs:
 - template: stage-pack-nuget.yml
 parameters:
- # Nuget signing is disabled because Azure Trusted Signing does not support it
- #${{ if and(parameters.SigningCertificate, ne(parameters.SigningCertificate, 'Unsigned')) }}:
- # SigningCertificate: ${{ parameters.SigningCertificate }}
+ ${{ if and(parameters.SigningCertificate, ne(parameters.SigningCertificate, 'Unsigned')) }}:
+ SigningCertificate: ${{ parameters.SigningCertificate }}
 DoFreethreaded: ${{ parameters.DoFreethreaded }}
 
 - stage: Test
diff --git a/windows-release/sign-files.yml b/windows-release/sign-files.yml
index 06885c74..67bf2c66 100644
--- a/windows-release/sign-files.yml
+++ b/windows-release/sign-files.yml
@@ -1,40 +1,23 @@ parameters: Include: '*' Exclude: '' + Filter: '' WorkingDir: '$(Build.BinariesDirectory)' ExtractDir: '' SigningCertificate: '' ExportCommand: '' + ContinueOnError: false steps: - ${{ if parameters.SigningCertificate }}: - powershell: | - cd (mkdir -Force _signing) - iwr https://aka.ms/nugetclidl -o nuget.exe - .\nuget.exe install Microsoft.Windows.SDK.BuildTools -x -o . - .\nuget.exe install Microsoft.Trusted.Signing.Client -x -o . - $md = @{ - Endpoint='$(TrustedSigningUri)'; - CodeSigningAccountName='$(TrustedSigningAccount)'; - CertificateProfileName='$(TrustedSigningCertificateName)'; - CorrelationId='$(SigningDescription)'; - ExcludeEnvironmentCredential=$false; - ExcludeManagedIdentityCredential=$true; - ExcludeSharedTokenCacheCredential=$true; - ExcludeVisualStudioCredential=$true; - ExcludeVisualStudioCodeCredential=$true; - ExcludeAzureCliCredential=$true; - ExcludeAzurePowershellCredential=$true; - ExcludeInteractiveBrowserCredential=$true; - }; - # ConvertTo-Json $md | Out-File -Encoding UTF8 .\metadata.json - # but without including the BOM... 
- [System.IO.File]::WriteAllText("$(Get-Location)\metadata.json", (ConvertTo-Json $md), [System.Text.UTF8Encoding]::new($false)) + dotnet tool install --global --prerelease sign + $signtool = (gcm sign).Source + $signargs = 'code trusted-signing -v Information ' + ` + '-fd sha256 -t http://timestamp.acs.microsoft.com -td sha256 ' + ` + '-tse "$(TrustedSigningUri)" -tsa "$(TrustedSigningAccount)" -tscp "$(TrustedSigningCertificateName)" ' + ` + '-d "$(SigningDescription)" ' - $signtool = dir .\Microsoft.Windows.SDK.BuildTools\*\*\x64\signtool.exe | select -First 1 - $dlib = dir .\Microsoft.Trusted.Signing.Client\*\x64\Azure.CodeSigning.Dlib.dll | select -First 1 - $signargs = "sign /v /fd sha256 /tr http://timestamp.acs.microsoft.com /td sha256 " + ` - "/dlib ""$dlib"" /dmdf ""$(gi metadata.json)""" Write-Host "##vso[task.setvariable variable=__TrustedSigningCmd]$signtool" Write-Host "##vso[task.setvariable variable=__TrustedSigningArgs]$signargs" if ($env:EXPORT_COMMAND) { @@ -53,9 +36,21 @@ steps: } else { $files = (dir ${{ parameters.Include }} -File) } - & $env:TRUSTED_SIGNING_CMD @(-split $env:TRUSTED_SIGNING_ARGS) $files + if ($env:FILTER) { + ($env:FILTER -split ';') -join "`n" | Out-File __filelist.txt -Encoding utf8 + } else { + "*" | Out-File __filelist.txt -Encoding utf8 + } + foreach ($f in $files) { + & $env:TRUSTED_SIGNING_CMD @(-split $env:TRUSTED_SIGNING_ARGS) -fl __filelist.txt $f + if (-not $?) { exit $LASTEXITCODE } + } + del __filelist.txt displayName: 'Sign binaries' - retryCountOnTaskFailure: 3 + ${{ if eq(parameters.ContinueOnError, 'false') }}: + retryCountOnTaskFailure: 3 + ${{ else }}: + continueOnError: true workingDirectory: ${{ parameters.WorkingDir }} env: TRUSTED_SIGNING_CMD: $(__TrustedSigningCmd) 
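Review bot: `dotnet tool install --global --prerelease sign` installs whatever the newest prerelease of the `sign` tool is on the configured NuGet feed at build time, so the toolchain of the release-signing step is unpinned and can change between runs without a code review; this script later runs with the Trusted Signing client secret in its environment (the `AZURE_CLIENT_SECRET` entry in the step's `env` block further down the file), so a changed or compromised tool version runs with signing credentials. Pin the tool to a specific, tested version and drop `--prerelease` once a stable release exists, e.g. `dotnet tool install --global sign --version <tested-version>`, or check a dotnet tool manifest into the repo and use `dotnet tool restore` so upgrades go through review. The removed code had the same shape of problem with `iwr https://aka.ms/nugetclidl` and unversioned `nuget.exe install`, so this is not a regression, but the rewrite is the right moment to fix it. The powershell step continues past the end of the hunk (the `if ($env:EXPORT_COMMAND) {` branch), so this applies to the whole script block.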
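Review bot: `del __filelist.txt` at the end of the new loop is skipped whenever a signing call fails, because `exit $LASTEXITCODE` leaves the script first, so the generated file list is left behind in `WorkingDir`. With the template's default `Include: '*'`, a retry (`retryCountOnTaskFailure: 3`) computes `$files` with `dir * -File` before the list is rewritten and therefore hands `__filelist.txt` itself to the sign tool; in the `ContinueOnError` path used for NuGet test signing the leftover sits in `$(Build.ArtifactStagingDirectory)`, which the following publish step presumably picks up. Record the failure, clean up, then exit, so the cleanup runs on every path; whether the sign tool rejects or ignores a stray `.txt` is not visible here.

```powershell
# … unchanged: $files selection and __filelist.txt generation …
$failed = 0
foreach ($f in $files) {
  & $env:TRUSTED_SIGNING_CMD @(-split $env:TRUSTED_SIGNING_ARGS) -fl __filelist.txt $f
  if (-not $?) { $failed = $LASTEXITCODE; break }
}
del __filelist.txt
if ($failed) { exit $failed }
```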
@@ -63,6 +58,8 @@ steps: AZURE_TENANT_ID: $(TrustedSigningTenantId) AZURE_CLIENT_ID: $(TrustedSigningClientId) AZURE_CLIENT_SECRET: $(TrustedSigningSecret) + ${{ if parameters.Filter }}: + FILTER: ${{ parameters.Filter }} - ${{ if parameters.ExtractDir }}: diff --git a/windows-release/stage-layout-msix.yml b/windows-release/stage-layout-msix.yml index 1afc1f5a..e45053fa 100644 --- a/windows-release/stage-layout-msix.yml +++ b/windows-release/stage-layout-msix.yml @@ -69,6 +69,7 @@ jobs: env: TCL_LIBRARY: $(TclLibrary) + # The dotnet sign tool shouldn't need this, but we do because of the sccd file - powershell: | $info = (gc "$(Pipeline.Workspace)\cert\certinfo.json" | ConvertFrom-JSON) Write-Host "Side-loadable APPX must be signed with '$($info.Subject)'" diff --git a/windows-release/stage-pack-msix.yml b/windows-release/stage-pack-msix.yml index edb47c11..13679098 100644 --- a/windows-release/stage-pack-msix.yml +++ b/windows-release/stage-pack-msix.yml @@ -131,6 +131,8 @@ jobs: - template: sign-files.yml parameters: Include: '*.msix' + # Additional filter to avoid recursively signing package contents + Filter: '*.msix' WorkingDir: $(Build.BinariesDirectory)\unsigned_msix SigningCertificate: ${{ parameters.SigningCertificate }} diff --git a/windows-release/stage-pack-nuget.yml b/windows-release/stage-pack-nuget.yml index dee1eece..6f521a36 100644 --- a/windows-release/stage-pack-nuget.yml +++ b/windows-release/stage-pack-nuget.yml @@ -69,8 +69,13 @@ jobs: - template: sign-files.yml parameters: Include: '*.nupkg' + # Additional filter to avoid recursively signing package contents + Filter: '*.nupkg' WorkingDir: $(Build.ArtifactStagingDirectory) SigningCertificate: ${{ parameters.SigningCertificate }} + # Nuget signing is not supported by our test certificate, so ignore errors + ${{ if eq(parameters.SigningCertificate, 'TestSign') }}: + ContinueOnError: true - task: PublishBuildArtifacts@1 displayName: 'Publish Artifact: nuget'
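Review bot: In stage-pack-nuget.yml, `ContinueOnError: true` for the `TestSign` certificate makes a failed signing call only a warning, and sign-files.yml then drops `retryCountOnTaskFailure` for that case, so the `PublishBuildArtifacts@1` step that follows publishes an unsigned `.nupkg` from `$(Build.ArtifactStagingDirectory)` with no hard signal in the job result. That is acceptable for a test-signed build, but the comment should say what the consumer gets, e.g. `# A failed test-sign leaves the .nupkg unsigned in the published artifact; release certificates still fail the job`. The `eq(parameters.SigningCertificate, 'TestSign')` literal must match exactly the value the top-level pipeline passes for test signing, which is not visible in this diff.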