Build pipeline improvement: add Microbuild "Verify Signed Binaries" tasks (#27)

* exclude .git in Sources artifact

* Verify Signing tasks

* fix sign verification

* add whitelist for authenticode cert verification

* fix SignVerifyWhitelist

* use absolute path for WhiteListPathForCerts

* minor fix

* rename the exclusion file

.pipelines/templates/build.yml

@@ -36,7 +36,9 @@ jobs:
       displayName: 'Copy Sources'
       inputs:
         SourceFolder: '$(Build.SourcesDirectory)'
-        Contents: '**'
+        Contents: |
+         **
+         !.git\**\*
         TargetFolder: '$(Build.ArtifactStagingDirectory)\Sources'
 
   - task: ms-vseng.MicroBuildTasks.30666190-6959-11e5-9f96-f56098202fef.MicroBuildSigningPlugin@1
@@ -130,6 +132,20 @@ jobs:
         Contents: '**\*.msi'
         TargetFolder: '$(Build.ArtifactStagingDirectory)\Installers\x64'
 
+  - ${{ if eq(parameters.signType, 'real') }}:
+    - task: ms-vseng.MicroBuildShipTasks.7c429315-71ba-4cb3-94bb-f829c95f7915.MicroBuildCodesignVerify@2
+      displayName: 'Verify Signed Binaries'
+      inputs:
+        TargetFolders: '$(Build.ArtifactStagingDirectory)\Binaries'
+        WhiteListPathForCerts: '$(Build.SourcesDirectory)\.pipelines\templates\no_authenticode.txt'
+
+  - ${{ if and(eq(parameters.signType, 'real'), eq(parameters.publishArtifactInstallers, 'true')) }}:
+    - task: ms-vseng.MicroBuildShipTasks.7c429315-71ba-4cb3-94bb-f829c95f7915.MicroBuildCodesignVerify@2
+      displayName: 'Verify Signed Installers'
+      inputs:
+        TargetFolders: '$(Build.ArtifactStagingDirectory)\Installers'
+        WhiteListPathForCerts: '$(Build.SourcesDirectory)\.pipelines\templates\no_authenticode.txt'
+
   - ${{ if eq(parameters.indexSourcesAndPublishSymbols, 'true') }}:
     - task: PublishSymbols@2
       displayName: 'Enable Source Server'

.pipelines/templates/no_authenticode.txt

@@ -0,0 +1,2 @@
+**\*.cab.cab
+**\*wixuiwixca.dll