From e376aae7459793db0378161af41ae9e48f396a16 Mon Sep 17 00:00:00 2001 From: Steve Dower Date: Thu, 16 Oct 2025 16:53:33 +0100 Subject: [PATCH 1/2] Normalise signing variables in Windows release build --- windows-release/azure-pipelines.yml | 29 ++++++++---- windows-release/stage-layout-embed.yml | 1 + windows-release/stage-layout-full.yml | 9 ++-- windows-release/stage-layout-msix.yml | 54 +++++++++++----------- windows-release/stage-layout-nuget.yml | 9 ++-- windows-release/stage-layout-pymanager.yml | 11 +++-- windows-release/stage-layout-symbols.yml | 1 + windows-release/stage-pack-msix.yml | 21 ++++----- windows-release/stage-pack-pymanager.yml | 1 + windows-release/stage-test-embed.yml | 1 - windows-release/stage-test-nuget.yml | 1 - 11 files changed, 75 insertions(+), 63 deletions(-) diff --git a/windows-release/azure-pipelines.yml b/windows-release/azure-pipelines.yml index 485a9e48..a9373408 100644 --- a/windows-release/azure-pipelines.yml +++ b/windows-release/azure-pipelines.yml @@ -132,6 +132,7 @@ variables: SourceTag: ${{ parameters.SourceTag }} ${{ if ne(parameters.SourceCommit, 'empty') }}: SourceCommit: ${{ parameters.SourceCommit }} + SigningCertificate: ${{ iif(eq(parameters.SigningCertificate, 'Unsigned'), '', parameters.SigningCertificate) }} ${{ if eq(parameters.SigningCertificate, 'PythonSoftwareFoundation') }}: IsRealSigned: true ${{ else }}: @@ -140,8 +141,14 @@ variables: SigningDescription: ${{ parameters.SigningDescription }} PublishARM64: ${{ parameters.DoARM64 }} # QUEUE TIME VARIABLES -# PyDotOrgUsername: '' -# PyDotOrgServer: '' +# OverrideNugetVersion: '' +# PyManagerIndexFilename: '' +# SkipNugetPublish: '' +# SkipPipTests: '' +# SkipPythonOrgPublish: '' +# SkipSBOM: '' +# SkipTests: '' +# SkipTkTests: '' trigger: none pr: none 
@@ -193,29 +200,35 @@ stages: parameters: BuildToPackage: ${{ parameters.BuildToPackage }} DoFreethreaded: ${{ parameters.DoFreethreaded }} + SigningCertificate: ${{ iif(eq(parameters.SigningCertificate, 'Unsigned'), '', parameters.SigningCertificate) }} - template: stage-layout-symbols.yml parameters: BuildToPackage: ${{ parameters.BuildToPackage }} DoFreethreaded: ${{ parameters.DoFreethreaded }} + SigningCertificate: ${{ iif(eq(parameters.SigningCertificate, 'Unsigned'), '', parameters.SigningCertificate) }} - ${{ if eq(parameters.DoEmbed, 'true') }}: - template: stage-layout-embed.yml parameters: BuildToPackage: ${{ parameters.BuildToPackage }} + SigningCertificate: ${{ iif(eq(parameters.SigningCertificate, 'Unsigned'), '', parameters.SigningCertificate) }} - ${{ if eq(parameters.DoNuget, 'true') }}: - template: stage-layout-nuget.yml parameters: BuildToPackage: ${{ parameters.BuildToPackage }} DoFreethreaded: ${{ parameters.DoFreethreaded }} + SigningCertificate: ${{ iif(eq(parameters.SigningCertificate, 'Unsigned'), '', parameters.SigningCertificate) }} - ${{ if eq(parameters.DoMSIX, 'true') }}: - template: stage-layout-msix.yml parameters: BuildToPackage: ${{ parameters.BuildToPackage }} + SigningCertificate: ${{ iif(eq(parameters.SigningCertificate, 'Unsigned'), '', parameters.SigningCertificate) }} - ${{ if eq(parameters.DoPyManager, 'true') }}: - template: stage-layout-pymanager.yml parameters: BuildToPackage: ${{ parameters.BuildToPackage }} DoFreethreaded: ${{ parameters.DoFreethreaded }} DoEmbed: ${{ parameters.DoEmbed }} + SigningCertificate: ${{ iif(eq(parameters.SigningCertificate, 'Unsigned'), '', parameters.SigningCertificate) }} - stage: Pack dependsOn: Layout 
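Review bot: The expression `iif(eq(parameters.SigningCertificate, 'Unsigned'), '', parameters.SigningCertificate)` is pasted at all six template calls in this Layout hunk and again at each call in the Pack hunk that follows, with nothing saying why the sentinel has to become an empty string. The reason is only visible in the stage templates, which gate their signing steps on `${{ if parameters.SigningCertificate }}`, so a call site that forgets the mapping would pass 'Unsigned' through as a truthy value and run those steps on an unsigned build. I would add one comment above the first use, `# 'Unsigned' must reach the templates as '' because they gate signing steps on the parameter being non-empty`. stage-layout-embed.yml and stage-layout-symbols.yml now receive the argument, but their hunks only declare the parameter; if nothing in those files reads it, the argument could be dropped there.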
@@ -223,31 +236,31 @@ stages: jobs: #- ${{ if eq(parameters.DoEmbed, 'true') }}: # - template: stage-pack-embed.yml + # parameters: + # SigningCertificate: ${{ iif(eq(parameters.SigningCertificate, 'Unsigned'), '', parameters.SigningCertificate) }} - ${{ if eq(parameters.DoMSI, 'true') }}: - template: stage-msi.yml parameters: BuildToPackage: ${{ parameters.BuildToPackage }} DoARM64: ${{ parameters.DoARM64}} DoFreethreaded: ${{ parameters.DoFreethreaded }} - ${{ if and(parameters.SigningCertificate, ne(parameters.SigningCertificate, 'Unsigned')) }}: - SigningCertificate: ${{ parameters.SigningCertificate }} + SigningCertificate: ${{ iif(eq(parameters.SigningCertificate, 'Unsigned'), '', parameters.SigningCertificate) }} - ${{ if eq(parameters.DoMSIX, 'true') }}: - template: stage-pack-msix.yml parameters: - ${{ if and(parameters.SigningCertificate, ne(parameters.SigningCertificate, 'Unsigned')) }}: - SigningCertificate: ${{ parameters.SigningCertificate }} + SigningCertificate: ${{ iif(eq(parameters.SigningCertificate, 'Unsigned'), '', parameters.SigningCertificate) }} - ${{ if eq(parameters.DoNuget, 'true') }}: - template: stage-pack-nuget.yml parameters: ${{ if eq(parameters.SignNuget, 'true') }}: - ${{ if and(parameters.SigningCertificate, ne(parameters.SigningCertificate, 'Unsigned')) }}: - SigningCertificate: ${{ parameters.SigningCertificate }} + SigningCertificate: ${{ iif(eq(parameters.SigningCertificate, 'Unsigned'), '', parameters.SigningCertificate) }} DoFreethreaded: ${{ parameters.DoFreethreaded }} - ${{ if eq(parameters.DoPyManager, 'true') }}: - template: stage-pack-pymanager.yml parameters: DoFreethreaded: ${{ parameters.DoFreethreaded }} DoEmbed: ${{ parameters.DoEmbed }} + SigningCertificate: ${{ iif(eq(parameters.SigningCertificate, 'Unsigned'), '', parameters.SigningCertificate) }} - stage: Test dependsOn: Pack diff --git a/windows-release/stage-layout-embed.yml b/windows-release/stage-layout-embed.yml index 8910b533..4f077f86 100644 
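Review bot: stage-msi.yml and stage-pack-nuget.yml are handed the normalised parameter in this Pack hunk, but neither file is in this series' diffstat, so any step in them still gated on the runtime `variables['SigningCertificate']` is left as it was. Patch 2/2 removes the pipeline variable of that name again, and a runtime condition on an undefined variable evaluates to false and skips the step without failing the job. Before merging I would search the unchanged templates for `variables['SigningCertificate']` and convert what remains to `${{ if parameters.SigningCertificate }}`, as the layout templates now do. The old call sites omitted the argument when unsigned and the new ones pass '' explicitly, which is equivalent only if those templates' own defaults are empty (not visible here).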
--- a/windows-release/stage-layout-embed.yml +++ b/windows-release/stage-layout-embed.yml @@ -1,5 +1,6 @@ parameters: BuildToPackage: current + SigningCertificate: '' jobs: - job: Make_Embed_Layout diff --git a/windows-release/stage-layout-full.yml b/windows-release/stage-layout-full.yml index 81a5da49..75917add 100644 --- a/windows-release/stage-layout-full.yml +++ b/windows-release/stage-layout-full.yml @@ -1,6 +1,7 @@ parameters: BuildToPackage: current DoFreethreaded: false + SigningCertificate: '' jobs: - job: Make_Layouts @@ -131,10 +132,10 @@ jobs: displayName: 'Update TCL_LIBRARY' condition: and(succeeded(), variables['TclLibrary']) - - powershell: | - copy "$(Pipeline.Workspace)\bin_$(Name)\Activate.ps1" Lib\venv\scripts\common\Activate.ps1 -Force - displayName: 'Copy signed files into sources' - condition: and(succeeded(), variables['SigningCertificate']) + - ${{ if parameters.SigningCertificate }}: + - powershell: | + copy "$(Pipeline.Workspace)\bin_$(Name)\Activate.ps1" Lib\venv\scripts\common\Activate.ps1 -Force + displayName: 'Copy signed files into sources' - template: ./layout-command.yml parameters: diff --git a/windows-release/stage-layout-msix.yml b/windows-release/stage-layout-msix.yml index 38321f4c..54dcf3d6 100644 --- a/windows-release/stage-layout-msix.yml +++ b/windows-release/stage-layout-msix.yml @@ -1,5 +1,6 @@ parameters: BuildToPackage: current + SigningCertificate: '' jobs: - job: Make_MSIX_Layout 
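Review bot: The 'Copy signed files into sources' step in the stage-layout-full.yml hunk overwrites Lib\venv\scripts\common\Activate.ps1 from the bin artifact without checking that the file actually carries a signature. The gate is now this run's `SigningCertificate` parameter, while the artifact may come from a different run when `BuildToPackage` is not 'current' (as the cert download in stage-layout-msix.yml shows), so the two can disagree and an unsigned script would be laid out under a signed release. A guard before the copy makes that fail loudly, for example `if ((Get-AuthenticodeSignature "$(Pipeline.Workspace)\bin_$(Name)\Activate.ps1").Status -eq 'NotSigned') { throw 'Activate.ps1 is not signed' }`. The same step appears in the stage-layout-msix.yml, stage-layout-nuget.yml and stage-layout-pymanager.yml hunks. The job's step list starts and ends outside the hunk.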
@@ -69,25 +70,24 @@ jobs: displayName: 'Update TCL_LIBRARY' condition: and(succeeded(), variables['TclLibrary']) - - task: DownloadPipelineArtifact@2 - displayName: 'Download artifact: cert' - condition: and(succeeded(), variables['SigningCertificate']) - inputs: - ${{ if eq(parameters.BuildToPackage, 'current') }}: - buildType: current - ${{ else }}: - buildType: specific - buildVersionToDownload: specific - project: $(resources.pipeline.build_to_package.projectId) - pipeline: $(resources.pipeline.build_to_package.pipelineId) - runId: $(resources.pipeline.build_to_package.runID) - artifact: cert - targetPath: $(Pipeline.Workspace)\cert - - - powershell: | - copy "$(Pipeline.Workspace)\bin_$(Name)\Activate.ps1" Lib\venv\scripts\common\Activate.ps1 -Force - displayName: 'Copy signed files into sources' - condition: and(succeeded(), variables['SigningCertificate']) + - ${{ if parameters.SigningCertificate }}: + - task: DownloadPipelineArtifact@2 + displayName: 'Download artifact: cert' + inputs: + ${{ if eq(parameters.BuildToPackage, 'current') }}: + buildType: current + ${{ else }}: + buildType: specific + buildVersionToDownload: specific + project: $(resources.pipeline.build_to_package.projectId) + pipeline: $(resources.pipeline.build_to_package.pipelineId) + runId: $(resources.pipeline.build_to_package.runID) + artifact: cert + targetPath: $(Pipeline.Workspace)\cert + + - powershell: | + copy "$(Pipeline.Workspace)\bin_$(Name)\Activate.ps1" Lib\venv\scripts\common\Activate.ps1 -Force + displayName: 'Copy signed files into sources' - template: ./layout-command.yml parameters: 
@@ -100,14 +100,14 @@ jobs: env: TCL_LIBRARY: $(TclLibrary) - # The dotnet sign tool shouldn't need this, but we do because of the sccd file - - powershell: | - $info = (gc "$(Pipeline.Workspace)\cert\certinfo.json" | ConvertFrom-JSON) - Write-Host "Side-loadable APPX must be signed with '$($info.Subject)'" - Write-Host "##vso[task.setvariable variable=APPX_DATA_PUBLISHER]$($info.Subject)" - Write-Host "##vso[task.setvariable variable=APPX_DATA_SHA256]$($info.SHA256)" - displayName: 'Override signing parameters' - condition: and(succeeded(), variables['SigningCertificate']) + - ${{ if parameters.SigningCertificate }}: + # The dotnet sign tool shouldn't need this, but we do because of the sccd file + - powershell: | + $info = (gc "$(Pipeline.Workspace)\cert\certinfo.json" | ConvertFrom-JSON) + Write-Host "Side-loadable APPX must be signed with '$($info.Subject)'" + Write-Host "##vso[task.setvariable variable=APPX_DATA_PUBLISHER]$($info.Subject)" + Write-Host "##vso[task.setvariable variable=APPX_DATA_SHA256]$($info.SHA256)" + displayName: 'Override signing parameters' - powershell: | Remove-Item "$(Build.ArtifactStagingDirectory)\appx" -Recurse -Force -EA 0 diff --git a/windows-release/stage-layout-nuget.yml b/windows-release/stage-layout-nuget.yml index 67a88a1a..0cabcb9b 100644 --- a/windows-release/stage-layout-nuget.yml +++ b/windows-release/stage-layout-nuget.yml @@ -1,6 +1,7 @@ parameters: BuildToPackage: current DoFreethreaded: false + SigningCertificate: '' jobs: - job: Make_Nuget_Layout 
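Review bot: The 'Override signing parameters' step in the stage-layout-msix.yml hunk writes `$info.Subject` and `$info.SHA256` from certinfo.json straight into `##vso[task.setvariable ...]` logging commands with no check on either value. A file that parses but lacks a field sets the corresponding variable to an empty string, and a Subject containing a line break is cut at the break with the remainder printed as a separate log line. I would validate both before emitting them, assuming the digest is plain hex: `if ($info.SHA256 -notmatch '^[0-9A-Fa-f]{64}$' -or -not $info.Subject -or $info.Subject -match '[\r\n]') { throw 'certinfo.json has unexpected content' }`. The cert artifact this step reads is downloaded in the previous hunk.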
@@ -64,10 +65,10 @@ jobs: artifact: bin_$(Name) targetPath: $(Pipeline.Workspace)\bin_$(Name) - - powershell: | - copy $(Pipeline.Workspace)\bin_$(Name)\Activate.ps1 Lib\venv\scripts\common\Activate.ps1 -Force - displayName: 'Copy signed files into sources' - condition: and(succeeded(), variables['SigningCertificate']) + - ${{ if parameters.SigningCertificate }}: + - powershell: | + copy $(Pipeline.Workspace)\bin_$(Name)\Activate.ps1 Lib\venv\scripts\common\Activate.ps1 -Force + displayName: 'Copy signed files into sources' - template: ./layout-command.yml parameters: diff --git a/windows-release/stage-layout-pymanager.yml b/windows-release/stage-layout-pymanager.yml index 018e0271..0c039dfd 100644 --- a/windows-release/stage-layout-pymanager.yml +++ b/windows-release/stage-layout-pymanager.yml @@ -3,6 +3,7 @@ parameters: DoFreethreaded: false DoEmbed: false LayoutScriptBranch: main + SigningCertificate: '' jobs: - job: Make_PyManager_Layouts @@ -175,11 +176,11 @@ jobs: displayName: 'Update TCL_LIBRARY' condition: and(succeeded(), variables['TclLibrary']) - - powershell: | - copy "$(Pipeline.Workspace)\bin_$(Name)\Activate.ps1" Lib\venv\scripts\common\Activate.ps1 -Force - displayName: 'Copy signed files into sources' - workingDirectory: $(Build.SourcesDirectory)\cpython - condition: and(succeeded(), variables['SigningCertificate']) + - ${{ if parameters.SigningCertificate }}: + - powershell: | + copy "$(Pipeline.Workspace)\bin_$(Name)\Activate.ps1" Lib\venv\scripts\common\Activate.ps1 -Force + displayName: 'Copy signed files into sources' + workingDirectory: $(Build.SourcesDirectory)\cpython - template: ./layout-command.yml parameters: diff --git a/windows-release/stage-layout-symbols.yml b/windows-release/stage-layout-symbols.yml index 1079b60c..a890b51d 100644 --- a/windows-release/stage-layout-symbols.yml +++ b/windows-release/stage-layout-symbols.yml @@ -15,6 +15,7 @@ parameters: - win32_td - amd64_td - arm64_td + SigningCertificate: '' jobs: 
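Review bot: The copy in the stage-layout-nuget.yml hunk leaves its source path unquoted, `copy $(Pipeline.Workspace)\bin_$(Name)\Activate.ps1 ...`, whereas the same step in the full, msix and pymanager layouts quotes it. Since the lines are being re-indented anyway, quoting it here keeps the four steps identical and stops PowerShell from splitting the argument if the workspace path ever contains a space: `copy "$(Pipeline.Workspace)\bin_$(Name)\Activate.ps1" Lib\venv\scripts\common\Activate.ps1 -Force`.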
diff --git a/windows-release/stage-pack-msix.yml b/windows-release/stage-pack-msix.yml index bcbd4747..53bfa800 100644 --- a/windows-release/stage-pack-msix.yml +++ b/windows-release/stage-pack-msix.yml @@ -25,7 +25,7 @@ jobs: Name: amd64 Artifact: appxstore Suffix: -store - Upload: true + CreateMsixUpload: true arm64: Name: arm64 Artifact: appx @@ -35,7 +35,7 @@ jobs: Name: arm64 Artifact: appxstore Suffix: -store - Upload: true + CreateMsixUpload: true steps: - template: ./checkout.yml @@ -70,26 +70,21 @@ jobs: - powershell: | 7z a -tzip "$(Build.ArtifactStagingDirectory)\msixupload\$(Filename).msixupload" * displayName: 'Build msixupload' - condition: and(succeeded(), eq(variables['Upload'], 'true')) + condition: and(succeeded(), eq(variables['CreateMsixUpload'], 'true')) workingDirectory: $(Build.ArtifactStagingDirectory)\msix - task: PublishBuildArtifacts@1 displayName: 'Publish Artifact: MSIX' - condition: and(succeeded(), or(ne(variables['ShouldSign'], 'true'), not(variables['SigningCertificate']))) inputs: PathtoPublish: '$(Build.ArtifactStagingDirectory)\msix' - ArtifactName: msix - - - task: PublishBuildArtifacts@1 - displayName: 'Publish Artifact: MSIX' - condition: and(succeeded(), eq(variables['ShouldSign'], 'true'), variables['SigningCertificate']) - inputs: - PathtoPublish: '$(Build.ArtifactStagingDirectory)\msix' - ArtifactName: unsigned_msix + ${{ if parameters.SigningCertificate }}: + ArtifactName: unsigned_msix + ${{ else }}: + ArtifactName: msix - task: PublishBuildArtifacts@1 displayName: 'Publish Artifact: MSIXUpload' - condition: and(succeeded(), eq(variables['Upload'], 'true')) + condition: and(succeeded(), eq(variables['CreateMsixUpload'], 'true')) inputs: PathtoPublish: '$(Build.ArtifactStagingDirectory)\msixupload' ArtifactName: msixupload diff --git a/windows-release/stage-pack-pymanager.yml b/windows-release/stage-pack-pymanager.yml index 5d0d18ef..30966514 100644 --- a/windows-release/stage-pack-pymanager.yml 
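Review bot: The merged 'Publish Artifact: MSIX' task in the third stage-pack-msix.yml hunk picks the artifact name from `parameters.SigningCertificate` alone, so the per-matrix `ShouldSign` test from the two removed conditions is gone. Previously a matrix entry without `ShouldSign` set to 'true' published to `msix` even when a certificate was configured; now every entry goes to `unsigned_msix`, and whether the downstream signing job republishes those entries is not visible here. If the store variants are meant to bypass signing, keep the runtime check inside the compile-time branch, as sketched below. `ShouldSign` is defined in the matrix outside these hunks, so this reading is inferred from the removed lines.

```yaml
  - ${{ if parameters.SigningCertificate }}:
    - task: PublishBuildArtifacts@1
      displayName: 'Publish Artifact: MSIX'
      condition: and(succeeded(), eq(variables['ShouldSign'], 'true'))
      inputs:
        PathtoPublish: '$(Build.ArtifactStagingDirectory)\msix'
        ArtifactName: unsigned_msix
    - task: PublishBuildArtifacts@1
      displayName: 'Publish Artifact: MSIX'
      condition: and(succeeded(), ne(variables['ShouldSign'], 'true'))
      inputs:
        PathtoPublish: '$(Build.ArtifactStagingDirectory)\msix'
        ArtifactName: msix
  - ${{ else }}:
    - task: PublishBuildArtifacts@1
      displayName: 'Publish Artifact: MSIX'
      inputs:
        PathtoPublish: '$(Build.ArtifactStagingDirectory)\msix'
        ArtifactName: msix
  # … unchanged: 'Publish Artifact: MSIXUpload' task …
```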
+++ b/windows-release/stage-pack-pymanager.yml @@ -1,6 +1,7 @@ parameters: DoFreethreaded: false DoEmbed: false + SigningCertificate: '' Artifacts: - name: win32 diff --git a/windows-release/stage-test-embed.yml b/windows-release/stage-test-embed.yml index 712f3518..293c5336 100644 --- a/windows-release/stage-test-embed.yml +++ b/windows-release/stage-test-embed.yml @@ -1,7 +1,6 @@ jobs: - job: Test_Embed displayName: Test Embed - condition: and(succeeded(), eq(variables['DoEmbed'], 'true')) pool: vmImage: windows-2022 diff --git a/windows-release/stage-test-nuget.yml b/windows-release/stage-test-nuget.yml index da09392c..670a2e32 100644 --- a/windows-release/stage-test-nuget.yml +++ b/windows-release/stage-test-nuget.yml @@ -1,7 +1,6 @@ jobs: - job: Test_Nuget displayName: Test Nuget - condition: and(succeeded(), eq(variables['DoNuget'], 'true')) pool: vmImage: windows-2022 From b536a4e3ca9651b32cf8408a685a5d6956b54b0d Mon Sep 17 00:00:00 2001 From: Steve Dower Date: Thu, 16 Oct 2025 16:55:01 +0100 Subject: [PATCH 2/2] Remove variable --- windows-release/azure-pipelines.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/windows-release/azure-pipelines.yml b/windows-release/azure-pipelines.yml index a9373408..853f1d63 100644 --- a/windows-release/azure-pipelines.yml +++ b/windows-release/azure-pipelines.yml @@ -132,7 +132,6 @@ variables: SourceTag: ${{ parameters.SourceTag }} ${{ if ne(parameters.SourceCommit, 'empty') }}: SourceCommit: ${{ parameters.SourceCommit }} - SigningCertificate: ${{ iif(eq(parameters.SigningCertificate, 'Unsigned'), '', parameters.SigningCertificate) }} ${{ if eq(parameters.SigningCertificate, 'PythonSoftwareFoundation') }}: IsRealSigned: true ${{ else }}: