Support CBL signing (#3719)

2023-06-22 10:38:34 -07:00 · 2023-06-22 10:38:34 -07:00 · b484c06f08
--- a/.azure/OneBranch.Publish.yml
+++ b/.azure/OneBranch.Publish.yml
@ -15,6 +15,12 @@ variables:
  DisableDockerDetector: true

 parameters:
+- name: opensslrpmcblrepos
+  type: object
+  default:
+  - cbl-mariner-1.0-prod-Microsoft-x86_64-rpms-yum
+  - cbl-mariner-2.0-prod-Microsoft-x86_64-yum
+  - cbl-mariner-2.0-prod-Microsoft-aarch64-yum
 - name: opensslrpmrepos
  type: object
  default:
@ -29,9 +35,6 @@ parameters:
  - microsoft-rhel7.3-prod-yum
  - microsoft-rhel8.0-prod-yum
  - microsoft-rhel8.1-prod-yum
-  - cbl-mariner-1.0-prod-Microsoft-x86_64-rpms-yum
-  - cbl-mariner-2.0-prod-Microsoft-x86_64-yum
-  - cbl-mariner-2.0-prod-Microsoft-aarch64-yum
 - name: openssldebrepos
  type: object
  default:
@ -90,7 +93,7 @@ stages:
        inputs:
          secureFile: 'auth.pem'
      - ${{ each repo in parameters.openssldebrepos }}:
-        - script: bash scripts/upload-linux-packages.sh -i $(PMCv4ClientId) -c $(pmcv4cert.secureFilePath) -f $(Build.SourcesDirectory)/artifacts/signed/openssl -r ${{ repo }} -n "*.deb"
+        - script: bash scripts/upload-linux-packages.sh -i $(PMCv4ClientId) -c $(pmcv4cert.secureFilePath) -f $(Build.SourcesDirectory)/artifacts/signed/openssl/gen -r ${{ repo }} -n "*.deb"
          condition: eq(${{ parameters.debug }}, false)
          displayName: ${{ repo }}
          continueOnError: true
@ -120,7 +123,37 @@ stages:
        inputs:
          secureFile: 'auth.pem'
      - ${{ each repo in parameters.opensslrpmrepos }}:
-        - script: bash scripts/upload-linux-packages.sh -i $(PMCv4ClientId) -c $(pmcv4cert.secureFilePath) -f $(Build.SourcesDirectory)/artifacts/signed/openssl -r ${{ repo }} -n "*.rpm"
+        - script: bash scripts/upload-linux-packages.sh -i $(PMCv4ClientId) -c $(pmcv4cert.secureFilePath) -f $(Build.SourcesDirectory)/artifacts/signed/openssl/gen -r ${{ repo }} -n "*.rpm"
+          condition: eq(${{ parameters.debug }}, false)
+          displayName: ${{ repo }}
+          continueOnError: true
+  - job: UploadPackage_openssl_rpms_cbl
+    displayName: Upload openSSL based RPM packages to CBL repos
+    timeoutInMinutes: 120
+    workspace:
+      clean: all
+    pool:
+      vmImage: 'ubuntu-latest'
+    variables:
+    - group: MsQuicAADApp
+    steps:
+      - task: DownloadPipelineArtifact@2
+        inputs:
+          source: specific
+          project: $(resources.pipeline.onebranch.projectID)
+          pipeline: $(resources.pipeline.onebranch.pipelineID)
+          preferTriggeringPipeline: true
+          runVersion: specific
+          runId: $(resources.pipeline.onebranch.runID)
+          artifact: drop_package_linux_distribution_openssl
+          path: $(Build.SourcesDirectory)/artifacts/signed/openssl
+      - task: DownloadSecureFile@1
+        name:  pmcv4cert
+        displayName: 'Download cert for PMC v4'
+        inputs:
+          secureFile: 'auth.pem'
+      - ${{ each repo in parameters.opensslrpmcblrepos }}:
+        - script: bash scripts/upload-linux-packages.sh -i $(PMCv4ClientId) -c $(pmcv4cert.secureFilePath) -f $(Build.SourcesDirectory)/artifacts/signed/openssl/cbl -r ${{ repo }} -n "*.rpm"
          condition: eq(${{ parameters.debug }}, false)
          displayName: ${{ repo }}
          continueOnError: true
@ -150,7 +183,7 @@ stages:
        inputs:
          secureFile: 'auth.pem'
      - ${{ each repo in parameters.openssl3debrepos }}:
-        - script: bash scripts/upload-linux-packages.sh -i $(PMCv4ClientId) -c $(pmcv4cert.secureFilePath) -f $(Build.SourcesDirectory)/artifacts/signed/openssl3 -r ${{ repo }} -n "*.deb"
+        - script: bash scripts/upload-linux-packages.sh -i $(PMCv4ClientId) -c $(pmcv4cert.secureFilePath) -f $(Build.SourcesDirectory)/artifacts/signed/openssl3/gen -r ${{ repo }} -n "*.deb"
          condition: eq(${{ parameters.debug }}, false)
          displayName: ${{ repo }}
          continueOnError: true
@ -180,7 +213,7 @@ stages:
        inputs:
          secureFile: 'auth.pem'
      - ${{ each repo in parameters.openssl3rpmrepos }}:
-        - script: bash scripts/upload-linux-packages.sh -i $(PMCv4ClientId) -c $(pmcv4cert.secureFilePath) -f $(Build.SourcesDirectory)/artifacts/signed/openssl3 -r ${{ repo }} -n "*.rpm"
+        - script: bash scripts/upload-linux-packages.sh -i $(PMCv4ClientId) -c $(pmcv4cert.secureFilePath) -f $(Build.SourcesDirectory)/artifacts/signed/openssl3/gen -r ${{ repo }} -n "*.rpm"
          condition: eq(${{ parameters.debug }}, false)
          displayName: ${{ repo }}
          continueOnError: true
--- a/.azure/obtemplates/build-linux-packages.yml
+++ b/.azure/obtemplates/build-linux-packages.yml
@ -43,11 +43,23 @@ jobs:
    inputs:
      pwsh: false
      filePath: scripts/package-distribution.ps1
+  - script: | # prepare 2 sets of packages for signing with different keys (gen = general purpose, cbl = cbl-mariner)
+      mkdir $(Build.SourcesDirectory)/artifacts/dist/gen
+      find $(Build.SourcesDirectory)/artifacts/dist -type f -exec mv -t $(Build.SourcesDirectory)/artifacts/dist/gen/ {} +
+      cp -r $(Build.SourcesDirectory)/artifacts/dist/gen/ $(Build.SourcesDirectory)/artifacts/dist/cbl/
  - ${{ if not(eq(parameters.sign, false)) }}:
    - task: onebranch.pipeline.signing@1
-      displayName: Sign
+      displayName: Sign General Purpose Packages
      inputs:
        command: 'sign'
        signing_profile: 'CP-450779-pgpdetached'
        files_to_sign: '**/*.rpm;**/*.deb'
-        search_root: '$(ob_outputDirectory)'
+        search_root: $(Build.SourcesDirectory)/artifacts/dist/gen
+  - ${{ if not(eq(parameters.sign, false)) }}:
+    - task: onebranch.pipeline.signing@1
+      displayName: Sign CBL Packages
+      inputs:
+        command: 'sign'
+        signing_profile: 'CP-459159-pgpdetached'
+        files_to_sign: '**/*.rpm;**/*.deb'
+        search_root: $(Build.SourcesDirectory)/artifacts/dist/cbl