From fd5366f1b0557498ea02d5651288e10c53ef2d5d Mon Sep 17 00:00:00 2001
From: Eric Erhardt <eric.erhardt@microsoft.com>
Date: Thu, 30 May 2019 11:51:05 -0500
Subject: [PATCH] Use arcade's signing tool to sign all artifacts. (#124)

* Use arcade's signing tool to sign all artifacts.

Fix #119

* Change Package Worker to be inside of MSBuild, so we can get the Version property correctly.

* Collapse packaging the worker into the same build step as signing.
---
 azure-pipelines.yml       | 61 +++++++++------------------------------
 eng/PackageWorker.proj    | 19 ++++++++++++
 eng/Publishing.props      | 13 +++++++++
 eng/Sign.proj             | 46 -----------------------------
 eng/Signing.props         | 15 ++++++++++
 eng/Tools.proj            | 12 --------
 script/package-worker.ps1 |  4 +--
 7 files changed, 62 insertions(+), 108 deletions(-)
 create mode 100644 eng/PackageWorker.proj
 create mode 100644 eng/Publishing.props
 delete mode 100644 eng/Sign.proj
 create mode 100644 eng/Signing.props
 delete mode 100644 eng/Tools.proj

diff --git a/azure-pipelines.yml b/azure-pipelines.yml
index 13919671..9f7f2503 100644
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
@@ -147,6 +147,10 @@ jobs:
       name: NetCoreInternal-Int-Pool
       queue: buildpool.windows.10.amd64.vs2017
 
+    variables:
+      ${{ if and(ne(variables['System.TeamProject'], 'public'), notin(variables['Build.Reason'], 'PullRequest')) }}:
+        _OfficialBuildIdArgs: /p:OfficialBuildId=$(BUILD.BUILDNUMBER)
+
     steps:
     - task: DownloadBuildArtifacts@0
       displayName: Download Build Artifacts
@@ -164,57 +168,20 @@ jobs:
         TeamName: $(_TeamName)
       condition: and(succeeded(), in(variables['_SignType'], 'real', 'test'), eq(variables['Agent.Os'], 'Windows_NT'))
     
-    - task: MSBuild@1
-      displayName: 'Restore Sign Tools'
-      inputs:
-        solution: eng/Tools.proj
-        msbuildArguments: /t:Restore
-        msbuildVersion: 15.0
-  
-    - task: MSBuild@1
-      displayName: 'Sign worker binaries'
-      inputs:
-        solution: eng/Sign.proj
-        msbuildArguments: /t:SignBinaries
-                          /p:SignWorkerBinaries=true
-                          /p:SignAssetsDir=$(Build.ArtifactStagingDirectory)\Microsoft.Spark.Binaries\Microsoft.Spark.Worker\
-                          /p:SignType=$(_SignType)
-        msbuildVersion: 15.0
-
-    - task: MSBuild@1
-      displayName: 'Sign nuget/snupkg packages'
-      inputs:
-        solution: eng/Sign.proj
-        msbuildArguments: /t:SignBinaries 
-                          /p:SignAssetsDir=$(Build.ArtifactStagingDirectory)\Microsoft.Spark.Binaries\
-                          /p:SignNugetPackages=true
-                          /p:SignType=$(_SignType)
-        msbuildVersion: 15.0
-    
-    - task: CopyFiles@2
-      displayName: Copy nupkg to publish
-      inputs:
-        sourceFolder: $(Build.ArtifactStagingDirectory)\Microsoft.Spark.Binaries
-        contents: |
-          **/*.nupkg
-          **/*.snupkg
-        targetFolder: $(Build.ArtifactStagingDirectory)/Packages
-        flattenFolders: true
-
     - task: PowerShell@2
-      displayName: Package Microsoft.Spark.Worker
+      displayName: Sign artifacts and Package Microsoft.Spark.Worker
       inputs:
-        targetType: filePath
-        filePath: script\package-worker.ps1
-        arguments: $(Build.ArtifactStagingDirectory)\Packages $(Build.ArtifactStagingDirectory)\Microsoft.Spark.Binaries\Microsoft.Spark.Worker $(Build.ArtifactStagingDirectory)\Microsoft.Spark.Binaries
-        workingDirectory: $(Build.ArtifactStagingDirectory)
+        filePath: eng\common\build.ps1
+        arguments: -restore -sign -publish
+                   -c $(buildConfiguration)
+                   -ci
+                   $(_OfficialBuildIdArgs)
+                   /p:DotNetSignType=$(_SignType)
+                   /p:SparkPackagesDir=$(Build.ArtifactStagingDirectory)\Microsoft.Spark.Binaries\BuildArtifacts\artifacts\packages
+                   /p:SparkWorkerPublishDir=$(Build.ArtifactStagingDirectory)\Microsoft.Spark.Binaries\Microsoft.Spark.Worker
+                   /p:SparkWorkerPackageOutputDir=$(Build.ArtifactStagingDirectory)\Microsoft.Spark.Binaries
 
     - task: PublishBuildArtifacts@1
       inputs:
         pathtoPublish: '$(Build.ArtifactStagingDirectory)/Microsoft.Spark.Binaries'
         artifactName:  Microsoft.Spark.Binaries
-
-    - task: PublishBuildArtifacts@1
-      inputs:
-        pathtoPublish: '$(Build.ArtifactStagingDirectory)/Packages'
-        artifactName:  Microsoft.Spark.Binaries
diff --git a/eng/PackageWorker.proj b/eng/PackageWorker.proj
new file mode 100644
index 00000000..711f1bec
--- /dev/null
+++ b/eng/PackageWorker.proj
@@ -0,0 +1,19 @@
+<Project DefaultTargets="PackageWorker">
+  <Import Project="..\src\csharp\Directory.Build.props" />
+
+  <Target Name="PackageWorker">
+
+    <Error Condition="'$(SparkWorkerPublishDir)' == ''"
+           Text="SparkWorkerPublishDir variable is not set." />
+    <Error Condition="'$(SparkWorkerPackageOutputDir)' == ''"
+           Text="SparkWorkerPackageOutputDir variable is not set." />
+
+    <Exec Command="powershell -NoProfile -NoLogo -ExecutionPolicy ByPass ^
+                   $(RepoRoot)\script\package-worker.ps1 ^
+                   $(Version) ^
+                   $(SparkWorkerPublishDir) ^
+                   $(SparkWorkerPackageOutputDir)" />
+  </Target>
+
+  <Import Project="..\src\csharp\Directory.Build.targets" />
+</Project>
diff --git a/eng/Publishing.props b/eng/Publishing.props
new file mode 100644
index 00000000..88015bb2
--- /dev/null
+++ b/eng/Publishing.props
@@ -0,0 +1,13 @@
+<Project>
+  <PropertyGroup>
+    <PublishDependsOnTargets>PackageWorker;$(PublishDependsOnTargets)</PublishDependsOnTargets>
+  </PropertyGroup>
+
+  <Target Name="PackageWorker">
+    <MSBuild Projects="$(MSBuildThisFileDirectory)\PackageWorker.proj"
+             Properties="Configuration=$(Configuration);
+                         OfficialBuildId=$(OfficialBuildId);
+                         SparkWorkerPublishDir=$(SparkWorkerPublishDir);
+                         SparkWorkerPackageOutputDir=$(SparkWorkerPackageOutputDir)" />
+  </Target>
+</Project>
diff --git a/eng/Sign.proj b/eng/Sign.proj
deleted file mode 100644
index 98e5b055..00000000
--- a/eng/Sign.proj
+++ /dev/null
@@ -1,46 +0,0 @@
-<Project Sdk="Microsoft.NET.Sdk">
-  <!-- This will be overridden if we're building with MicroBuild. -->
-  <Target Name="SignFiles">
-    <Message Importance="High" Text="Attempting to sign %(FilesToSign.Identity) with authenticode='%(FilesToSign.Authenticode)'" />
-  </Target>
-
-  <Import Project="$(MSBuildThisFileDirectory)\obj\Tools.proj.nuget.g.props" Condition="Exists('$(MSBuildThisFileDirectory)\obj\Tools.proj.nuget.g.props')" />
-  <Import Project="$(MSBuildThisFileDirectory)\obj\Tools.proj.nuget.g.targets" Condition="Exists('$(MSBuildThisFileDirectory)\obj\Tools.proj.nuget.g.targets')" />
-
-  <Target Name="SetSigningProperties">
-    <PropertyGroup>
-      <!-- The OutDir and IntermediateOutputPath properties are required by MicroBuild. MicroBuild only
-           signs files that are under these paths. -->
-      <OutDir>$(SignAssetsDir)</OutDir>
-      <IntermediateOutputPath>$(SignAssetsDir)obj/</IntermediateOutputPath>
-
-    </PropertyGroup>
-
-    <Error Condition="!Exists('$(OutDir)')" Text="'OutDir' folder '$(OutDir)' does not exist."/>
-  </Target>
-
-  <Target Name="SignBinaries" Condition="'$(SignType)' == 'real'" DependsOnTargets="SetSigningProperties;GetFilesToSign">
-    <CallTarget Targets="SignFiles" />
-  </Target>
-
-  <Target Name="GetFilesToSign">
-
-    <ItemGroup Condition="'$(SignWorkerBinaries)' == 'true'">
-      <_filesToSign Include="$(OutDir)**/Microsoft.Spark.dll" />
-      <_filesToSign Include="$(OutDir)**/Microsoft.Spark.Worker.exe" />
-      <_filesToSign Include="$(OutDir)**/Microsoft.Spark.Worker.dll" />
-
-      <FilesToSign Include="@(_filesToSign)">
-        <Authenticode>Microsoft</Authenticode>
-      </FilesToSign>
-    </ItemGroup>
-
-    <ItemGroup Condition="'$(SignNugetPackages)' == 'true'">
-      <FilesToSign Include="$(OutDir)**/*.nupkg;$(OutDir)**/*.snupkg">
-        <Authenticode>NuGet</Authenticode>
-      </FilesToSign>
-    </ItemGroup>
-
-    <Error Condition="'@(FilesToSign)' == ''" Text="There are no files to sign. FilesToSign group is empty."/>
-  </Target>
-</Project>
diff --git a/eng/Signing.props b/eng/Signing.props
new file mode 100644
index 00000000..4650e800
--- /dev/null
+++ b/eng/Signing.props
@@ -0,0 +1,15 @@
+<Project>
+  <ItemGroup>
+    <ItemsToSign Include="$(SparkPackagesDir)/**/*.nupkg" />
+    <ItemsToSign Include="$(SparkPackagesDir)/**/*.snupkg" />
+    
+    <ItemsToSign Include="$(SparkWorkerPublishDir)/**/Microsoft.Spark.dll" />
+    <ItemsToSign Include="$(SparkWorkerPublishDir)/**/Microsoft.Spark.Worker.exe" />
+    <ItemsToSign Include="$(SparkWorkerPublishDir)/**/Microsoft.Spark.Worker.dll" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <!-- extend arcade's FileExtensionSignInfo with snupkg information -->
+    <FileExtensionSignInfo Include=".snupkg" CertificateName="NuGet" />
+  </ItemGroup>
+</Project>
diff --git a/eng/Tools.proj b/eng/Tools.proj
deleted file mode 100644
index ccd8286c..00000000
--- a/eng/Tools.proj
+++ /dev/null
@@ -1,12 +0,0 @@
-<Project Sdk="Microsoft.NET.Sdk">
-  <PropertyGroup>
-    <TargetFramework>net461</TargetFramework>
-    <RestoreSources>
-       https://dotnet.myget.org/F/dotnet-core/api/v3/index.json;
-       $(RestoreSources)
-    </RestoreSources>
-  </PropertyGroup>
-  <ItemGroup>
-    <PackageReference Include="MicroBuild.Core" Version="0.2.0" />
-  </ItemGroup>
-</Project>
\ No newline at end of file
diff --git a/script/package-worker.ps1 b/script/package-worker.ps1
index f70f9a46..addb5e1b 100644
--- a/script/package-worker.ps1
+++ b/script/package-worker.ps1
@@ -1,9 +1,7 @@
-$nuget_dir = $args[0]
+$version = $args[0]
 $worker_dir = $args[1]
 $output_dir = $args[2]
 
-$file = Get-ChildItem $nuget_dir -Filter Microsoft.Spark.*.nupkg | Select-Object -First 1
-$version = $file.Basename.Split(".", 3)[2]
 $worker_version_dir = "Microsoft.Spark.Worker-$version"
 
 $frameworks = Get-ChildItem -Directory $worker_dir