Moved codesign tasks to Azure Pipelines, enabled linux codesign (#216)

pipelines/ESRPClient/NuGet.config

@@ -1,6 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<configuration>
-    <packageSources>
-        <add key="ESRP" value="https://microsoft.pkgs.visualstudio.com/_packaging/ESRP/nuget/v3/index.json" />
-    </packageSources>
-</configuration>

pipelines/ESRPClient/packages.config

@@ -1,4 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<packages>
-  <package id="Microsoft.EsrpClient" version="1.2.25" />
-</packages>

pipelines/build-linux.yml

@@ -0,0 +1,2 @@
+steps:
+- script: 'npm run package:linux'

pipelines/build-windows.yml

@@ -8,11 +8,39 @@ steps:
 - script: 'npm run pack:win'
   displayName: 'Pre-package for electron'
 
-- template: '.\sign-prep-template.yml'
-- powershell: |
-        $ErrorActionPreference = "Stop"
-        $(Build.SourcesDirectory)/pipelines/sign-exe.ps1 -ESRPClientId $(ESRPClientId) -ClientPath "$(Build.SourcesDirectory)\pipelines\ESRPClient\packages\Microsoft.EsrpClient.1.2.25\tools\" -Path "$(Build.SourcesDirectory)/dist/win-unpacked/"
-  displayName: Request code sign of exe
+- task: EsrpCodeSigning@1
+  inputs:
+    ConnectedServiceName: 'Azure IoT Explorer CodeSign'
+    FolderPath: '$(Build.SourcesDirectory)/dist/win-unpacked'
+    Pattern: '*.exe'
+    signConfigType: 'inlineSignParams'
+    inlineOperation: |
+      [
+        {
+          "KeyCode": "CP-230012",
+          "OperationCode": "SigntoolSign",
+          "Parameters": {
+              "OpusName": "Microsoft",
+              "OpusInfo": "http://www.microsoft.com",
+              "FileDigest": "/fd \"SHA256\"",
+              "PageHash": "/NPH",
+              "TimeStamp": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256"
+          },
+          "ToolName": "sign",
+          "ToolVersion": "1.0"
+        },
+        {
+          "KeyCode": "CP-230012",
+          "OperationCode": "SigntoolVerify",
+          "Parameters": {},
+          "ToolName": "sign",
+          "ToolVersion": "1.0"
+        }
+      ]
+    SessionTimeout: '60'
+    MaxConcurrency: '50'
+    MaxRetryAttempts: '5'
+    VerboseLogin: true
 
 - script: 'npm run dist:win'
   displayName: 'Build MSI'

pipelines/import-esrp-auth-cert.ps1

@@ -1,19 +0,0 @@
-Param(
-  [string]$AuthCertFilePath,
-  [string]$AuthCertKey,
-  [string]$CertFilePath,
-  [string]$CertKey
-)
-
-# Import auth certificate
-$AuthCertificate = Import-PfxCertificate -FilePath $AuthCertFilePath -CertStoreLocation Cert:\LocalMachine\My -Password (ConvertTo-SecureString $AuthCertKey -AsPlainText -Force)
-$ESRPAuthCertificateSubjectName = $AuthCertificate.Subject
-
-Write-Output ("##vso[task.setvariable variable=ESRPAuthCertificateSubjectName;]$ESRPAuthCertificateSubjectName")
-
-# Import signing certificate
-$Certificate = Import-PfxCertificate -FilePath $CertFilePath -CertStoreLocation Cert:\LocalMachine\My -Password (ConvertTo-SecureString $CertKey -AsPlainText -Force)
-$ESRPCertificateSubjectName = $Certificate.Subject
-
-Write-Output ("##vso[task.setvariable variable=ESRPCertificateSubjectName;]$ESRPCertificateSubjectName")
-

pipelines/release-pipeline.yml

@@ -1,10 +1,6 @@
 trigger: none
 
-variables:
-- group: ESRP
-
 jobs:
-
   - job: build_and_test
     pool:
       vmImage: 'ubuntu-16.04'
@@ -57,26 +53,124 @@ jobs:
     - publish: $(Build.SourcesDirectory)/dist/
       displayName: 'Staging artifact for signing'
 
+  - job: packageLinux
+    dependsOn: 'build_and_test'
+
+    pool:
+        vmImage: 'ubuntu-16.04'
+
+    steps:
+      - task: NodeTool@0
+        inputs:
+          versionSpec: '12.x'
+          
+      - template: '.\build-linux.yml'
+
+      - task: CopyFiles@2
+        displayName: 'ArtifactIgnore'
+        inputs:
+          SourceFolder: '$(Build.SourcesDirectory)/'
+          Contents: '.artifactignore'
+          TargetFolder: '$(Build.SourcesDirectory)/dist/'
+
+      - publish: $(Build.SourcesDirectory)/dist/
+        displayName: 'Staging artifact for signing'
+
   - job: sign
     dependsOn:
     - packageWindows
     - packageMac
+    - packageLinux
     pool:
-      vmImage: 'vs2017-win2016'
+      vmImage: 'ubuntu-16.04'
     steps:
-    - template: .\sign-prep-template.yml
-
     - task: DownloadPipelineArtifact@2
       displayName: 'Stage artifacts for signing'
       inputs:
         buildType: 'current'
         targetPath: '$(Pipeline.Workspace)/staging'
 
-    - powershell: |
-        $ErrorActionPreference = "Stop"
-        $(Build.SourcesDirectory)/pipelines/sign.ps1 -ESRPClientId $(ESRPClientId) -ClientPath "$(Build.SourcesDirectory)\pipelines\ESRPClient\packages\Microsoft.EsrpClient.1.2.25\tools\" -Path "$(Pipeline.Workspace)/staging"
-      displayName: Request code sign
-    
+    - task: EsrpCodeSigning@1
+      displayName: 'signWindows'
+      inputs:
+        ConnectedServiceName: 'Azure IoT Explorer CodeSign'
+        FolderPath: '$(Pipeline.Workspace)/staging'
+        Pattern: '*.msi'
+        signConfigType: 'inlineSignParams'
+        inlineOperation: |
+          [
+            {
+              "KeyCode": "CP-230012",
+              "OperationCode": "SigntoolSign",
+              "Parameters": {
+                "OpusName": "Microsoft",
+                "OpusInfo": "http://www.microsoft.com",
+                "FileDigest": "/fd \"SHA256\"",
+                "PageHash": "/NPH",
+                "TimeStamp": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256"
+              },
+              "ToolName": "sign",
+              "ToolVersion": "1.0"
+            },
+            {
+              "KeyCode": "CP-230012",
+              "OperationCode": "SigntoolVerify",
+              "Parameters": {
+                "VerifyAll": "/all"
+              },
+              "ToolName": "sign",
+              "ToolVersion": "1.0"
+            }
+          ]
+        SessionTimeout: '60'
+        MaxConcurrency: '50'
+        MaxRetryAttempts: '5'
+        VerboseLogin: true
+
+    - task: EsrpCodeSigning@1
+      displayName: 'signMac'
+      inputs:
+        ConnectedServiceName: 'Azure IoT Explorer CodeSign'
+        FolderPath: '$(Pipeline.Workspace)/staging'
+        Pattern: '*.dmg'
+        signConfigType: 'inlineSignParams'
+        inlineOperation: |
+         [
+            {
+              "KeyCode" : "CP-401337-Apple",
+              "OperationCode" : "MacAppDeveloperSign",
+              "Parameters" : {},
+              "ToolName" : "sign",
+              "ToolVersion" : "1.0"
+            }
+          ]
+        SessionTimeout: '60'
+        MaxConcurrency: '50'
+        MaxRetryAttempts: '5'
+        VerboseLogin: true
+
+    - task: EsrpCodeSigning@1
+      displayName: 'signLinux'
+      inputs:
+        ConnectedServiceName: 'Azure IoT Explorer CodeSign'
+        FolderPath: '$(Pipeline.Workspace)/staging'
+        Pattern: '*.deb'
+        signConfigType: 'inlineSignParams'
+        inlineOperation: |
+          [
+            {
+              "KeyCode" : "CP-450778-Pgp",
+              "OperationCode" : "LinuxSign",
+              "Parameters" : {},
+              "ToolName" : "sign",
+              "ToolVersion" : "1.0"
+            }
+          ]
+        SessionTimeout: '60'
+        MaxConcurrency: '50'
+        MaxRetryAttempts: '5'
+        VerboseLogin: true
+
     - task: CopyFiles@2
       displayName: 'Flatten signed artifact files for publish'
       inputs:
@@ -89,16 +183,16 @@ jobs:
       displayName: 'Publish signed artifacts'
       inputs:
         targetPath: '$(Pipeline.Workspace)/release/'
-    
-    - task: GitHubRelease@0
+
+    - task: GitHubRelease@1
       inputs:
-        gitHubConnection: 'Github'
+        gitHubConnection: 'Azure IoT Explorer Github Service Connection'
         repositoryName: '$(Build.Repository.Name)'
         action: 'create'
         target: '$(Build.SourceVersion)'
-        tagSource: 'auto'
-        assets: '$(Pipeline.Workspace)/release/*'
-        assetUploadMode: 'replace'
-        addChangeLog: true
-        compareWith: 'lastRelease'
+        tagSource: 'gitTag'
         isDraft: true
+        addChangeLog: true
+        assetUploadMode: 'replace'
+        changeLogCompareToRelease: 'lastFullRelease'
+        changeLogType: 'commitBased'

pipelines/sign-exe.ps1

@@ -1,81 +0,0 @@
-Param(
-  [string]$Path,
-  [string]$Ext,
-  [string]$ClientPath,
-  [string]$ESRPClientId
-)
-
-function Create-TmpJson($Obj) {
-	$FileName = [System.IO.Path]::GetTempFileName()
-	ConvertTo-Json -Depth 100 $Obj | Out-File -Encoding UTF8 $FileName
-	return $FileName
-}
-# List files in directory
-Get-ChildItem $Path
-
-$windows = Get-ChildItem $Path | where {$_.extension -eq '.exe'} | Select-Object -first 1 | % {$_.FullName}
-Write-Host "Windows: $windows"
-
-$Auth = Create-TmpJson @{
-	Version = "1.0.0"
-	AuthenticationType = "AAD_CERT"
-	ClientId = $ESRPClientId
-	AuthCert = @{
-		SubjectName = $env:ESRPAuthCertificateSubjectName
-		StoreLocation = "LocalMachine"
-		StoreName = "My"
-	}
-	RequestSigningCert = @{
-		SubjectName = $env:ESRPCertificateSubjectName
-		StoreLocation = "LocalMachine"
-		StoreName = "My"
-	}
-}
-
-$Policy = Create-TmpJson @{
-	Version = "1.0.0"
-}
-
-$signingInput = Create-TmpJson @{
-	Version = "1.0.0"
-	SignBatches = @(
-		@{
-			SourceLocationType = "UNC"
-			SignRequestFiles = @(
-				@{
-					CustomerCorrelationId = $env:ESRPClientId
-					SourceLocation = "$windows"
-				}
-			)
-			SigningInfo = @{
-				Operations = @(
-					@{
-						KeyCode = "CP-230012"
-						OperationCode = "SigntoolSign"
-						Parameters = @{
-							OpusName = "Microsoft"
-							OpusInfo =  "http://www.microsoft.com"
-							FileDigest = "/fd `"SHA256`""
-							PageHash = "/NPH"
-							TimeStamp = "/tr `"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer`" /td sha256"
-						}
-						ToolName = "sign"
-						ToolVersion = "1.0"
-					},
-					@{
-						KeyCode = "CP-230012"
-						OperationCode = "SigntoolVerify"
-						Parameters = @{
-							VerifyAll = "/all"
-						}
-						ToolName = "sign"
-						ToolVersion = "1.0"
-					}
-				)
-			}
-		}
-	)
-}
-$Output = [System.IO.Path]::GetTempFileName()
-& "$ClientPath\ESRPClient.exe" Sign -a $Auth -p $Policy -i $signingInput -o $Output
-

pipelines/sign-prep-template.yml

@@ -1,24 +0,0 @@
-steps:
-- task: NuGetCommand@2
-  displayName: Install ESRPClient
-  inputs:
-    restoreSolution: '$(Build.SourcesDirectory)/pipelines/ESRPClient/packages.config'
-    feedsToUse: config
-    nugetConfigPath: '$(Build.SourcesDirectory)/pipelines/ESRPClient/NuGet.config'
-    externalFeedCredentials: 'Nuget'
-    restoreDirectory: packages
-
-- task: DownloadSecureFile@1
-  name: AuthCert
-  inputs:
-    secureFile: 'AuthCert.pfx'
-
-- task: DownloadSecureFile@1
-  name: ESRPCert
-  inputs:
-    secureFile: 'ESRPCert.pfx'
-
-- powershell: |
-    $ErrorActionPreference = "Stop"
-    $(Build.SourcesDirectory)/pipelines/import-esrp-auth-cert.ps1 -AuthCertFilePath $(AuthCert.secureFilePath) -AuthCertKey '$(ESRPAuthKey)' -CertFilePath $(ESRPCert.secureFilePath) -CertKey '$(ESRPKey)'
-  displayName: Import Certificates

pipelines/sign.ps1

@@ -1,104 +0,0 @@
-Param(
-  [string]$Path,
-  [string]$Ext,
-  [string]$ClientPath,
-  [string]$ESRPClientId
-)
-
-function Create-TmpJson($Obj) {
-	$FileName = [System.IO.Path]::GetTempFileName()
-	ConvertTo-Json -Depth 100 $Obj | Out-File -Encoding UTF8 $FileName
-	return $FileName
-}
-# List files in directory
-Get-ChildItem $Path -Recurse -Depth 2
-
-$windows = Get-ChildItem $Path -Recurse -Depth 2 | where {$_.extension -eq '.msi'} | Select-Object -first 1 | % {$_.FullName}
-$mac = Get-ChildItem $Path -Recurse -Depth 2 | where {$_.extension -eq '.dmg'} | Select-Object -first 1 | % {$_.FullName}
-
-Write-Host "Windows: $windows"
-Write-Host "Mac: $mac"
-
-$Auth = Create-TmpJson @{
-	Version = "1.0.0"
-	AuthenticationType = "AAD_CERT"
-	ClientId = $ESRPClientId
-	AuthCert = @{
-		SubjectName = $env:ESRPAuthCertificateSubjectName
-		StoreLocation = "LocalMachine"
-		StoreName = "My"
-	}
-	RequestSigningCert = @{
-		SubjectName = $env:ESRPCertificateSubjectName
-		StoreLocation = "LocalMachine"
-		StoreName = "My"
-	}
-}
-
-$Policy = Create-TmpJson @{
-	Version = "1.0.0"
-}
-
-$signingInput = Create-TmpJson @{
-	Version = "1.0.0"
-	SignBatches = @(
-		@{
-			SourceLocationType = "UNC"
-			SignRequestFiles = @(
-				@{
-					CustomerCorrelationId = $env:ESRPClientId
-					SourceLocation = "$windows"
-				}
-			)
-			SigningInfo = @{
-				Operations = @(
-					@{
-						KeyCode = "CP-230012"
-						OperationCode = "SigntoolSign"
-						Parameters = @{
-							OpusName = "Microsoft"
-							OpusInfo =  "http://www.microsoft.com"
-							FileDigest = "/fd `"SHA256`""
-							PageHash = "/NPH"
-							TimeStamp = "/tr `"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer`" /td sha256"
-						}
-						ToolName = "sign"
-						ToolVersion = "1.0"
-					},
-					@{
-						KeyCode = "CP-230012"
-						OperationCode = "SigntoolVerify"
-						Parameters = @{
-							VerifyAll = "/all"
-						}
-						ToolName = "sign"
-						ToolVersion = "1.0"
-					}
-				)
-			}
-		},
-		@{
-			SourceLocationType = "UNC"
-			SignRequestFiles = @(
-				@{
-					CustomerCorrelationId = $env:ESRPClientId
-					SourceLocation = "$mac"
-				}
-			)
-			SigningInfo = @{
-				Operations = @(
-					@{
-						KeyCode = "CP-401337-Apple"
-						OperationCode = "MacAppDeveloperSign"
-						Parameters = @{}
-						ToolName = "sign"
-						ToolVersion = "1.0"
-					}
-				)
-			}
-		}
-	)
-}
-$Output = [System.IO.Path]::GetTempFileName()
-& "$ClientPath\ESRPClient.exe" Sign -a $Auth -p $Policy -i $signingInput -o $Output
-