From 45be25ea94eb57bed6c6e4310b7220d3ea54288e Mon Sep 17 00:00:00 2001 From: Steve Dower Date: Thu, 7 Nov 2024 21:23:40 +0000 Subject: [PATCH 1/7] Switch to new sign tool --- windows-release/sign-files.yml | 42 ++++++++++----------------- windows-release/stage-layout-msix.yml | 15 +++++----- windows-release/stage-pack-msix.yml | 2 ++ windows-release/stage-pack-nuget.yml | 2 ++ 4 files changed, 28 insertions(+), 33 deletions(-) diff --git a/windows-release/sign-files.yml b/windows-release/sign-files.yml index 06885c74..ff0c3ab9 100644 --- a/windows-release/sign-files.yml +++ b/windows-release/sign-files.yml @@ -1,6 +1,7 @@ parameters: Include: '*' Exclude: '' + Filter: '' WorkingDir: '$(Build.BinariesDirectory)' ExtractDir: '' SigningCertificate: '' 
@@ -9,32 +10,13 @@ parameters: steps: - ${{ if parameters.SigningCertificate }}: - powershell: | - cd (mkdir -Force _signing) - iwr https://aka.ms/nugetclidl -o nuget.exe - .\nuget.exe install Microsoft.Windows.SDK.BuildTools -x -o . - .\nuget.exe install Microsoft.Trusted.Signing.Client -x -o . - $md = @{ - Endpoint='$(TrustedSigningUri)'; - CodeSigningAccountName='$(TrustedSigningAccount)'; - CertificateProfileName='$(TrustedSigningCertificateName)'; - CorrelationId='$(SigningDescription)'; - ExcludeEnvironmentCredential=$false; - ExcludeManagedIdentityCredential=$true; - ExcludeSharedTokenCacheCredential=$true; - ExcludeVisualStudioCredential=$true; - ExcludeVisualStudioCodeCredential=$true; - ExcludeAzureCliCredential=$true; - ExcludeAzurePowershellCredential=$true; - ExcludeInteractiveBrowserCredential=$true; - }; - # ConvertTo-Json $md | Out-File -Encoding UTF8 .\metadata.json - # but without including the BOM... - [System.IO.File]::WriteAllText("$(Get-Location)\metadata.json", (ConvertTo-Json $md), [System.Text.UTF8Encoding]::new($false)) + dotnet tool install --global --prerelease sign + $signtool = (gcm sign).Source + $signargs = 'code trusted-signing -v Information ' + ` + '-fd sha256 -t http://timestamp.acs.microsoft.com -td sha256 ' + ` + '-tse "$(TrustedSigningUri)" -tsa "$(TrustedSigningAccount)" -tscp "$(TrustedSigningCertificateName)" ' + ` + '-d "$(SigningDescription)" ' - $signtool = dir .\Microsoft.Windows.SDK.BuildTools\*\*\x64\signtool.exe | select -First 1 - $dlib = dir .\Microsoft.Trusted.Signing.Client\*\x64\Azure.CodeSigning.Dlib.dll | select -First 1 - $signargs = "sign /v /fd sha256 /tr http://timestamp.acs.microsoft.com /td sha256 " + ` - "/dlib ""$dlib"" /dmdf ""$(gi metadata.json)""" Write-Host "##vso[task.setvariable variable=__TrustedSigningCmd]$signtool" Write-Host "##vso[task.setvariable variable=__TrustedSigningArgs]$signargs" if ($env:EXPORT_COMMAND) { 
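Review bot: `dotnet tool install --global --prerelease sign` resolves to whatever prerelease of the `sign` package is newest on the configured NuGet feed at the moment a release runs, so the binary that produces every release signature is unpinned and can change between builds with no change in this repository. The `nuget.exe install` lines being removed were unpinned as well, but this rewrite is the place to fix it: add `--version <pinned-version>` (or check in a `dotnet-tools.json` manifest carrying the version and use `dotnet tool restore`), and prefer `dotnet tool update --global sign --version <pinned-version>` over `install` so a copy left on a reused agent neither fails the step nor leaves `(gcm sign).Source` pointing at an older build. The `-t http://timestamp.acs.microsoft.com` endpoint is carried over unchanged; an RFC 3161 timestamp token is itself signed, so plain HTTP there is the usual arrangement rather than a finding.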
@@ -53,7 +35,13 @@ steps: } else { $files = (dir ${{ parameters.Include }} -File) } - & $env:TRUSTED_SIGNING_CMD @(-split $env:TRUSTED_SIGNING_ARGS) $files + if ($env:FILTER) { + ($env:FILTER -split ';') -join "`n" | Out-File __filelist.txt -Encoding utf8 + & $env:TRUSTED_SIGNING_CMD @(-split $env:TRUSTED_SIGNING_ARGS) -fl __filelist.txt $files + del __filelist.txt + } else { + & $env:TRUSTED_SIGNING_CMD @(-split $env:TRUSTED_SIGNING_ARGS) $files + } displayName: 'Sign binaries' retryCountOnTaskFailure: 3 workingDirectory: ${{ parameters.WorkingDir }} @@ -63,6 +51,8 @@ steps: AZURE_TENANT_ID: $(TrustedSigningTenantId) AZURE_CLIENT_ID: $(TrustedSigningClientId) AZURE_CLIENT_SECRET: $(TrustedSigningSecret) + ${{ if parameters.Filter }}: + FILTER: ${{ parameters.Filter }} - ${{ if parameters.ExtractDir }}: diff --git a/windows-release/stage-layout-msix.yml b/windows-release/stage-layout-msix.yml index 1afc1f5a..8dfe3d2a 100644 --- a/windows-release/stage-layout-msix.yml +++ b/windows-release/stage-layout-msix.yml 
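Review bot: `Out-File __filelist.txt -Encoding utf8` under Windows PowerShell (which the `powershell:` step shortcut runs) writes a UTF-8 BOM, so the first pattern the signing tool reads from the list is `\uFEFF*.msix` rather than `*.msix`; the metadata.json code this commit removes went out of its way to avoid exactly that. Whether `sign -fl` strips a BOM is not visible here, but if it does not, a single-pattern Filter such as the `'*.msix'` / `'*.nupkg'` values added in the pack templates may match nothing at all. Write the list the way the old code did, `[System.IO.File]::WriteAllText((Join-Path $PWD '__filelist.txt'), (($env:FILTER -split ';') -join "`n"), [System.Text.UTF8Encoding]::new($false))`, and confirm on a signed package that only the intended entries carry signatures.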
@@ -69,13 +69,14 @@ jobs: env: TCL_LIBRARY: $(TclLibrary) - - powershell: | - $info = (gc "$(Pipeline.Workspace)\cert\certinfo.json" | ConvertFrom-JSON) - Write-Host "Side-loadable APPX must be signed with '$($info.Subject)'" - Write-Host "##vso[task.setvariable variable=APPX_DATA_PUBLISHER]$($info.Subject)" - Write-Host "##vso[task.setvariable variable=APPX_DATA_SHA256]$($info.SHA256)" - displayName: 'Override signing parameters' - condition: and(succeeded(), variables['SigningCertificate']) + # HACK: Disabled to test because new signing tool shouldn't need this + #- powershell: | + # $info = (gc "$(Pipeline.Workspace)\cert\certinfo.json" | ConvertFrom-JSON) + # Write-Host "Side-loadable APPX must be signed with '$($info.Subject)'" + # Write-Host "##vso[task.setvariable variable=APPX_DATA_PUBLISHER]$($info.Subject)" + # Write-Host "##vso[task.setvariable variable=APPX_DATA_SHA256]$($info.SHA256)" + # displayName: 'Override signing parameters' + # condition: and(succeeded(), variables['SigningCertificate']) - powershell: | Remove-Item "$(Build.ArtifactStagingDirectory)\appx" -Recurse -Force -EA 0 diff --git a/windows-release/stage-pack-msix.yml b/windows-release/stage-pack-msix.yml index edb47c11..13679098 100644 --- a/windows-release/stage-pack-msix.yml +++ b/windows-release/stage-pack-msix.yml @@ -131,6 +131,8 @@ jobs: - template: sign-files.yml parameters: Include: '*.msix' + # Additional filter to avoid recursively signing package contents + Filter: '*.msix' WorkingDir: $(Build.BinariesDirectory)\unsigned_msix SigningCertificate: ${{ parameters.SigningCertificate }} diff --git a/windows-release/stage-pack-nuget.yml b/windows-release/stage-pack-nuget.yml index dee1eece..55ef229a 100644 --- a/windows-release/stage-pack-nuget.yml +++ b/windows-release/stage-pack-nuget.yml 
@@ -69,6 +69,8 @@ jobs: - template: sign-files.yml parameters: Include: '*.nupkg' + # Additional filter to avoid recursively signing package contents + Filter: '*.nupkg' WorkingDir: $(Build.ArtifactStagingDirectory) SigningCertificate: ${{ parameters.SigningCertificate }} From 4cef4d826d32e2947e7c0887856619d7d21669be Mon Sep 17 00:00:00 2001 From: Steve Dower Date: Thu, 7 Nov 2024 21:52:18 +0000 Subject: [PATCH 2/7] Sign files one at a time --- windows-release/sign-files.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows-release/sign-files.yml b/windows-release/sign-files.yml index ff0c3ab9..6a94f669 100644 --- a/windows-release/sign-files.yml +++ b/windows-release/sign-files.yml @@ -37,10 +37,10 @@ steps: } if ($env:FILTER) { ($env:FILTER -split ';') -join "`n" | Out-File __filelist.txt -Encoding utf8 - & $env:TRUSTED_SIGNING_CMD @(-split $env:TRUSTED_SIGNING_ARGS) -fl __filelist.txt $files + $files | %{ & $env:TRUSTED_SIGNING_CMD @(-split $env:TRUSTED_SIGNING_ARGS) -fl __filelist.txt $_ } del __filelist.txt } else { - & $env:TRUSTED_SIGNING_CMD @(-split $env:TRUSTED_SIGNING_ARGS) $files + $files | %{ & $env:TRUSTED_SIGNING_CMD @(-split $env:TRUSTED_SIGNING_ARGS) $_ } } displayName: 'Sign binaries' retryCountOnTaskFailure: 3 From 01cfb1aa8b9d32e4331927bb0f3f0712cf05007c Mon Sep 17 00:00:00 2001 From: Steve Dower Date: Thu, 7 Nov 2024 22:26:47 +0000 Subject: [PATCH 3/7] Enable Nuget signing and restore side-loaded appx transform --- windows-release/azure-pipelines.yml | 5 ++--- windows-release/stage-layout-msix.yml | 16 ++++++++-------- 2 files changed, 10 insertions(+), 11 deletions(-) diff --git a/windows-release/azure-pipelines.yml b/windows-release/azure-pipelines.yml index d716d3df..99871c8a 100644 --- a/windows-release/azure-pipelines.yml +++ b/windows-release/azure-pipelines.yml 
@@ -165,9 +165,8 @@ stages: jobs: - template: stage-pack-nuget.yml parameters: - # Nuget signing is disabled because Azure Trusted Signing does not support it - #${{ if and(parameters.SigningCertificate, ne(parameters.SigningCertificate, 'Unsigned')) }}: - # SigningCertificate: ${{ parameters.SigningCertificate }} + ${{ if and(parameters.SigningCertificate, ne(parameters.SigningCertificate, 'Unsigned')) }}: + SigningCertificate: ${{ parameters.SigningCertificate }} DoFreethreaded: ${{ parameters.DoFreethreaded }} - stage: Test diff --git a/windows-release/stage-layout-msix.yml b/windows-release/stage-layout-msix.yml index 8dfe3d2a..e45053fa 100644 --- a/windows-release/stage-layout-msix.yml +++ b/windows-release/stage-layout-msix.yml @@ -69,14 +69,14 @@ jobs: env: TCL_LIBRARY: $(TclLibrary) - # HACK: Disabled to test because new signing tool shouldn't need this - #- powershell: | - # $info = (gc "$(Pipeline.Workspace)\cert\certinfo.json" | ConvertFrom-JSON) - # Write-Host "Side-loadable APPX must be signed with '$($info.Subject)'" - # Write-Host "##vso[task.setvariable variable=APPX_DATA_PUBLISHER]$($info.Subject)" - # Write-Host "##vso[task.setvariable variable=APPX_DATA_SHA256]$($info.SHA256)" - # displayName: 'Override signing parameters' - # condition: and(succeeded(), variables['SigningCertificate']) + # The dotnet sign tool shouldn't need this, but we do because of the sccd file + - powershell: | + $info = (gc "$(Pipeline.Workspace)\cert\certinfo.json" | ConvertFrom-JSON) + Write-Host "Side-loadable APPX must be signed with '$($info.Subject)'" + Write-Host "##vso[task.setvariable variable=APPX_DATA_PUBLISHER]$($info.Subject)" + Write-Host "##vso[task.setvariable variable=APPX_DATA_SHA256]$($info.SHA256)" + displayName: 'Override signing parameters' + condition: and(succeeded(), variables['SigningCertificate']) - powershell: | Remove-Item "$(Build.ArtifactStagingDirectory)\appx" -Recurse -Force -EA 0 
From f8dfce6026cb247b10a6644f66d1cdf56dc2b29c Mon Sep 17 00:00:00 2001 From: Steve Dower Date: Thu, 7 Nov 2024 22:55:37 +0000 Subject: [PATCH 4/7] Fail properly --- windows-release/sign-files.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows-release/sign-files.yml b/windows-release/sign-files.yml index 6a94f669..e9e0d868 100644 --- a/windows-release/sign-files.yml +++ b/windows-release/sign-files.yml @@ -37,11 +37,13 @@ steps: } if ($env:FILTER) { ($env:FILTER -split ';') -join "`n" | Out-File __filelist.txt -Encoding utf8 - $files | %{ & $env:TRUSTED_SIGNING_CMD @(-split $env:TRUSTED_SIGNING_ARGS) -fl __filelist.txt $_ } + $ec = $files | %{ & $env:TRUSTED_SIGNING_CMD @(-split $env:TRUSTED_SIGNING_ARGS) -fl __filelist.txt $_; $LASTEXITCODE } del __filelist.txt } else { - $files | %{ & $env:TRUSTED_SIGNING_CMD @(-split $env:TRUSTED_SIGNING_ARGS) $_ } + $ec = $files | %{ & $env:TRUSTED_SIGNING_CMD @(-split $env:TRUSTED_SIGNING_ARGS) $_; $LASTEXITCODE } } + # Ensure we correctly fail the task if any signature failed + $ec | ?{ $_ -ne 0 } | %{ exit $_ } displayName: 'Sign binaries' retryCountOnTaskFailure: 3 workingDirectory: ${{ parameters.WorkingDir }} From 8de1c876801b059fa6ea42d92afda18b837ef05e Mon Sep 17 00:00:00 2001 From: Steve Dower Date: Thu, 7 Nov 2024 23:39:05 +0000 Subject: [PATCH 5/7] Fix loss of output --- windows-release/sign-files.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/windows-release/sign-files.yml b/windows-release/sign-files.yml index e9e0d868..64ddc046 100644 --- a/windows-release/sign-files.yml +++ b/windows-release/sign-files.yml 
@@ -37,13 +37,14 @@ steps: } if ($env:FILTER) { ($env:FILTER -split ';') -join "`n" | Out-File __filelist.txt -Encoding utf8 - $ec = $files | %{ & $env:TRUSTED_SIGNING_CMD @(-split $env:TRUSTED_SIGNING_ARGS) -fl __filelist.txt $_; $LASTEXITCODE } - del __filelist.txt } else { - $ec = $files | %{ & $env:TRUSTED_SIGNING_CMD @(-split $env:TRUSTED_SIGNING_ARGS) $_; $LASTEXITCODE } + "*" | Out-File __filelist.txt -Encoding utf8 } - # Ensure we correctly fail the task if any signature failed - $ec | ?{ $_ -ne 0 } | %{ exit $_ } + foreach ($f in $files) { + & $env:TRUSTED_SIGNING_CMD @(-split $env:TRUSTED_SIGNING_ARGS) -fl __filelist.txt $_ + if (-not $?) { exit $LASTEXITCODE } + } + del __filelist.txt displayName: 'Sign binaries' retryCountOnTaskFailure: 3 workingDirectory: ${{ parameters.WorkingDir }} From d1d59036d755abe2615b76e783274b240aa8c8ca Mon Sep 17 00:00:00 2001 From: Steve Dower Date: Fri, 8 Nov 2024 10:14:13 +0000 Subject: [PATCH 6/7] Wrong filename variable --- windows-release/sign-files.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows-release/sign-files.yml b/windows-release/sign-files.yml index 64ddc046..229f451e 100644 --- a/windows-release/sign-files.yml +++ b/windows-release/sign-files.yml @@ -41,7 +41,7 @@ steps: "*" | Out-File __filelist.txt -Encoding utf8 } foreach ($f in $files) { - & $env:TRUSTED_SIGNING_CMD @(-split $env:TRUSTED_SIGNING_ARGS) -fl __filelist.txt $_ + & $env:TRUSTED_SIGNING_CMD @(-split $env:TRUSTED_SIGNING_ARGS) -fl __filelist.txt $f if (-not $?) { exit $LASTEXITCODE } } del __filelist.txt From ec96205759db7062a57e5820751b4fb38dcc4345 Mon Sep 17 00:00:00 2001 From: Steve Dower Date: Fri, 8 Nov 2024 15:50:17 +0000 Subject: [PATCH 7/7] Skip errors for Nuget test signing --- windows-release/sign-files.yml | 6 +++++- windows-release/stage-pack-nuget.yml | 3 +++ 2 files changed, 8 insertions(+), 1 deletion(-) 
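Review bot: The `exit $LASTEXITCODE` inside the loop skips the `del __filelist.txt` that follows it, so any failed signing attempt leaves `__filelist.txt` behind in the directory being signed. That matters because the step carries `retryCountOnTaskFailure: 3` and, in the branch visible in the earlier hunk of this file, `$files` is recomputed from `dir ${{ parameters.Include }} -File` with a default Include of `*`, so the retry picks up the stale list file and hands it to the signing tool as an input. Record the failure, leave the loop, delete the list unconditionally and only then exit; alternatively write the list to `$(Agent.TempDirectory)` instead of `${{ parameters.WorkingDir }}`. The surrounding `- powershell:` block starts and ends outside this hunk.

```yaml
      $ec = 0
      foreach ($f in $files) {
        & $env:TRUSTED_SIGNING_CMD @(-split $env:TRUSTED_SIGNING_ARGS) -fl __filelist.txt $f
        if (-not $?) { $ec = $LASTEXITCODE; break }
      }
      # Always remove the list so a retried step does not find it in $files
      del __filelist.txt
      if ($ec -ne 0) { exit $ec }
    displayName: 'Sign binaries'
```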
diff --git a/windows-release/sign-files.yml b/windows-release/sign-files.yml index 229f451e..67bf2c66 100644 --- a/windows-release/sign-files.yml +++ b/windows-release/sign-files.yml @@ -6,6 +6,7 @@ parameters: ExtractDir: '' SigningCertificate: '' ExportCommand: '' + ContinueOnError: false steps: - ${{ if parameters.SigningCertificate }}: @@ -46,7 +47,10 @@ steps: } del __filelist.txt displayName: 'Sign binaries' - retryCountOnTaskFailure: 3 + ${{ if eq(parameters.ContinueOnError, 'false') }}: + retryCountOnTaskFailure: 3 + ${{ else }}: + continueOnError: true workingDirectory: ${{ parameters.WorkingDir }} env: TRUSTED_SIGNING_CMD: $(__TrustedSigningCmd) diff --git a/windows-release/stage-pack-nuget.yml b/windows-release/stage-pack-nuget.yml index 55ef229a..6f521a36 100644 --- a/windows-release/stage-pack-nuget.yml +++ b/windows-release/stage-pack-nuget.yml @@ -73,6 +73,9 @@ jobs: Filter: '*.nupkg' WorkingDir: $(Build.ArtifactStagingDirectory) SigningCertificate: ${{ parameters.SigningCertificate }} + # Nuget signing is not supported by our test certificate, so ignore errors + ${{ if eq(parameters.SigningCertificate, 'TestSign') }}: + ContinueOnError: true - task: PublishBuildArtifacts@1 displayName: 'Publish Artifact: nuget'
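Review bot: `eq(parameters.ContinueOnError, 'false')` compares a boolean-typed parameter (its default is the YAML boolean `false`, and the caller in stage-pack-nuget.yml passes `true`) against the string `'false'`. Azure Pipelines' `eq` coerces the right operand to the type of the left, and its documented string-to-boolean rule maps every non-empty string to `true`; if that rule applies here the condition is false for the default, so every consumer of this template silently gets `continueOnError: true` instead of `retryCountOnTaskFailure: 3`, and a signing failure would no longer fail a release job. Compare as a boolean instead, `${{ if not(parameters.ContinueOnError) }}:` with the existing `${{ else }}:`, or declare the parameter with an explicit `type: boolean`. This is worth confirming on a real run before merging, because the effect is invisible as long as signing succeeds.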
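Review bot: With `ContinueOnError: true` the TestSign path still runs the NuGet signing step, downgrades its failure to "succeeded with issues", and then `PublishBuildArtifacts@1` publishes the unsigned `.nupkg` under the same `nuget` artifact name a signed build would use. Since the comment states the test certificate cannot sign NuGet packages at all, the step is known to fail, so it is cleaner to not attempt it than to run it and discard the result; that also keeps the ignore-errors flag from masking an unrelated failure of the same step. Gate the certificate instead: `${{ if ne(parameters.SigningCertificate, 'TestSign') }}:` / `SigningCertificate: ${{ parameters.SigningCertificate }}`, which leaves sign-files.yml's existing `${{ if parameters.SigningCertificate }}` to skip the step.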