5 changes: 2 additions & 3 deletions windows-release/azure-pipelines.yml
Expand Up @@ -165,9 +165,8 @@ stages:
jobs:
- template: stage-pack-nuget.yml
parameters:
# Nuget signing is disabled because Azure Trusted Signing does not support it
#${{ if and(parameters.SigningCertificate, ne(parameters.SigningCertificate, 'Unsigned')) }}:
# SigningCertificate: ${{ parameters.SigningCertificate }}
${{ if and(parameters.SigningCertificate, ne(parameters.SigningCertificate, 'Unsigned')) }}:
SigningCertificate: ${{ parameters.SigningCertificate }}
DoFreethreaded: ${{ parameters.DoFreethreaded }}

- stage: Test
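Review bot: The un-commented `${{ if and(parameters.SigningCertificate, ne(parameters.SigningCertificate, 'Unsigned')) }}:` block re-enables NuGet signing but deletes the only comment explaining the previous state without replacing it, so the next reader has no hint why this now works. A one-line comment above the condition such as `# NuGet packages are signed via sign-files.yml; see that template for the Trusted Signing client used` would keep that context in the file. The enclosing `stages:` list starts and ends outside the hunk.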
51 changes: 24 additions & 27 deletions windows-release/sign-files.yml
@@ -1,40 +1,23 @@
parameters:
Include: '*'
Exclude: ''
Filter: ''
WorkingDir: '$(Build.BinariesDirectory)'
ExtractDir: ''
SigningCertificate: ''
ExportCommand: ''
ContinueOnError: false

steps:
- ${{ if parameters.SigningCertificate }}:
- powershell: |
cd (mkdir -Force _signing)
iwr https://aka.ms/nugetclidl -o nuget.exe
.\nuget.exe install Microsoft.Windows.SDK.BuildTools -x -o .
.\nuget.exe install Microsoft.Trusted.Signing.Client -x -o .
$md = @{
Endpoint='$(TrustedSigningUri)';
CodeSigningAccountName='$(TrustedSigningAccount)';
CertificateProfileName='$(TrustedSigningCertificateName)';
CorrelationId='$(SigningDescription)';
ExcludeEnvironmentCredential=$false;
ExcludeManagedIdentityCredential=$true;
ExcludeSharedTokenCacheCredential=$true;
ExcludeVisualStudioCredential=$true;
ExcludeVisualStudioCodeCredential=$true;
ExcludeAzureCliCredential=$true;
ExcludeAzurePowershellCredential=$true;
ExcludeInteractiveBrowserCredential=$true;
};
# ConvertTo-Json $md | Out-File -Encoding UTF8 .\metadata.json
# but without including the BOM...
[System.IO.File]::WriteAllText("$(Get-Location)\metadata.json", (ConvertTo-Json $md), [System.Text.UTF8Encoding]::new($false))
dotnet tool install --global --prerelease sign
$signtool = (gcm sign).Source
$signargs = 'code trusted-signing -v Information ' + `
'-fd sha256 -t http://timestamp.acs.microsoft.com -td sha256 ' + `
'-tse "$(TrustedSigningUri)" -tsa "$(TrustedSigningAccount)" -tscp "$(TrustedSigningCertificateName)" ' + `
'-d "$(SigningDescription)" '

$signtool = dir .\Microsoft.Windows.SDK.BuildTools\*\*\x64\signtool.exe | select -First 1
$dlib = dir .\Microsoft.Trusted.Signing.Client\*\x64\Azure.CodeSigning.Dlib.dll | select -First 1
$signargs = "sign /v /fd sha256 /tr http://timestamp.acs.microsoft.com /td sha256 " + `
"/dlib ""$dlib"" /dmdf ""$(gi metadata.json)"""
Write-Host "##vso[task.setvariable variable=__TrustedSigningCmd]$signtool"
Write-Host "##vso[task.setvariable variable=__TrustedSigningArgs]$signargs"
if ($env:EXPORT_COMMAND) {
Expand All @@ -53,16 +36,30 @@ steps:
} else {
$files = (dir ${{ parameters.Include }} -File)
}
& $env:TRUSTED_SIGNING_CMD @(-split $env:TRUSTED_SIGNING_ARGS) $files
if ($env:FILTER) {
($env:FILTER -split ';') -join "`n" | Out-File __filelist.txt -Encoding utf8
} else {
"*" | Out-File __filelist.txt -Encoding utf8
}
foreach ($f in $files) {
& $env:TRUSTED_SIGNING_CMD @(-split $env:TRUSTED_SIGNING_ARGS) -fl __filelist.txt $f
if (-not $?) { exit $LASTEXITCODE }
}
del __filelist.txt
displayName: 'Sign binaries'
retryCountOnTaskFailure: 3
${{ if eq(parameters.ContinueOnError, 'false') }}:
retryCountOnTaskFailure: 3
${{ else }}:
continueOnError: true
workingDirectory: ${{ parameters.WorkingDir }}
env:
TRUSTED_SIGNING_CMD: $(__TrustedSigningCmd)
TRUSTED_SIGNING_ARGS: $(__TrustedSigningArgs)
AZURE_TENANT_ID: $(TrustedSigningTenantId)
AZURE_CLIENT_ID: $(TrustedSigningClientId)
AZURE_CLIENT_SECRET: $(TrustedSigningSecret)
${{ if parameters.Filter }}:
FILTER: ${{ parameters.Filter }}


- ${{ if parameters.ExtractDir }}:
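Review bot: In the second hunk the `del __filelist.txt` after the signing loop is skipped whenever `if (-not $?) { exit $LASTEXITCODE }` fires, so a failed run leaves the filter file behind in WorkingDir; in the NuGet stage, where WorkingDir is $(Build.ArtifactStagingDirectory) and this commit sets ContinueOnError for TestSign, it seems likely the following publish step would then pick it up. Capturing the exit code, breaking out of the loop, deleting the file and exiting afterwards keeps the cleanup unconditional. In the first hunk, `dotnet tool install --global --prerelease sign` resolves to whatever prerelease is current at build time while the step runs with AZURE_CLIENT_SECRET in its environment, so pinning it with `--version` would make the signing toolchain reproducible and auditable. It is also worth confirming that the sign tool's `-fl` reader tolerates the UTF-8 BOM that Windows PowerShell's `Out-File -Encoding utf8` writes, given that the removed code deliberately avoided a BOM in metadata.json. The powershell step's body begins in the first hunk and the collapsed region between the two hunks.

```yaml
      # … unchanged: $files selection and __filelist.txt creation …
      $rc = 0
      foreach ($f in $files) {
        & $env:TRUSTED_SIGNING_CMD @(-split $env:TRUSTED_SIGNING_ARGS) -fl __filelist.txt $f
        if (-not $?) { $rc = $LASTEXITCODE; break }
      }
      # Remove the filter file on every path so a failed run does not leave it in WorkingDir
      del __filelist.txt
      if ($rc -ne 0) { exit $rc }
```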
1 change: 1 addition & 0 deletions windows-release/stage-layout-msix.yml
Expand Up @@ -69,6 +69,7 @@ jobs:
env:
TCL_LIBRARY: $(TclLibrary)
# The dotnet sign tool shouldn't need this, but we do because of the sccd file
- powershell: |
$info = (gc "$(Pipeline.Workspace)\cert\certinfo.json" | ConvertFrom-JSON)
Write-Host "Side-loadable APPX must be signed with '$($info.Subject)'"
2 changes: 2 additions & 0 deletions windows-release/stage-pack-msix.yml
Expand Up @@ -131,6 +131,8 @@ jobs:
- template: sign-files.yml
parameters:
Include: '*.msix'
# Additional filter to avoid recursively signing package contents
Filter: '*.msix'
WorkingDir: $(Build.BinariesDirectory)\unsigned_msix
SigningCertificate: ${{ parameters.SigningCertificate }}

5 changes: 5 additions & 0 deletions windows-release/stage-pack-nuget.yml
Expand Up @@ -69,8 +69,13 @@ jobs:
- template: sign-files.yml
parameters:
Include: '*.nupkg'
# Additional filter to avoid recursively signing package contents
Filter: '*.nupkg'
WorkingDir: $(Build.ArtifactStagingDirectory)
SigningCertificate: ${{ parameters.SigningCertificate }}
# Nuget signing is not supported by our test certificate, so ignore errors
${{ if eq(parameters.SigningCertificate, 'TestSign') }}:
ContinueOnError: true

- task: PublishBuildArtifacts@1
displayName: 'Publish Artifact: nuget'
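Review bot: Passing `ContinueOnError: true` under `${{ if eq(parameters.SigningCertificate, 'TestSign') }}:` has a side effect the comment above it does not mention: in sign-files.yml as changed in this commit, the else branch replaces `retryCountOnTaskFailure: 3` with `continueOnError: true`, so a transient Trusted Signing failure under TestSign yields unsigned nupkgs with only a warning rather than a retry. If that is intended, extend the comment to `# Nuget signing is not supported by our test certificate, so ignore errors (this also disables the sign step's retries)`; otherwise sign-files.yml could keep the retry count unconditionally and add continueOnError only in the else branch. The enclosing `jobs:` step list starts and ends outside the hunk.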