Update to sign files (#3573)

* attempt to sign files * sign files * fix signing * add signing install * fix pool * because of webpack, only one file to sign * sign files before packaging and sign vsix
2024-02-07 12:25:24 -05:00 · 2024-02-07 12:25:24 -05:00 · fe85f78637
--- a/jobs/prerelease.yml
+++ b/jobs/prerelease.yml
@ -28,19 +28,17 @@ variables:
  value: unset
 - name: TeamName
  value: C++ Cross Platform and Cloud
+- name: SignType
+  value: real

 extends:
  template: azure-pipelines/MicroBuild.1ES.Official.yml@MicroBuildTemplate
  parameters:
    pool:
-      name: AzurePipelines-EO
-      image: AzurePipelinesWindows2022compliantGPT
-      os: windows
+      name: VSEngSS-MicroBuild2022-1ES
    sdl:
-      sourceAnalysisPool: 
-        name: AzurePipelines-EO
-        image: AzurePipelinesWindows2022compliantGPT
-        os: windows
+      sourceAnalysisPool:
+        name: VSEngSS-MicroBuild2022-1ES
    customBuildTags:
    - ES365AIMigrationTooling
    stages:
--- a/jobs/release.yml
+++ b/jobs/release.yml
@ -2,6 +2,16 @@
 # Pipeline for release
 # ==================================================================================

+parameters:
+- name: SignTypeOverride
+  displayName: Signing Type Override
+  type: string
+  default: default
+  values:
+    - default
+    - test
+    - real
+
 trigger: none

 resources:
@ -17,24 +27,25 @@ resources:
 name: $(Date:yyyyMMdd).$(Rev:r)

 variables:
- name: IsPreRelease
-  value: 0
-# ReleaseVersion is set in the versions tab so it can be edited.
- name: TeamName
-  value: C++ Cross Platform and Cloud
+  IsPreRelease: 0
+  # ReleaseVersion is set in the versions tab so it can be edited.
+  TeamName: C++ Cross Platform and Cloud
+  # If the user didn't override the signing type, then only real-sign on main.
+  ${{ if ne(parameters.SignTypeOverride, 'default') }}:
+    SignType: ${{ parameters.SignTypeOverride }}
+  ${{ if and(eq(parameters.SignTypeOverride, 'default'), eq(variables['Build.SourceBranchName'], 'main')) }}:
+    SignType: real
+  ${{ if and(eq(parameters.SignTypeOverride, 'default'), not(eq(variables['Build.SourceBranchName'], 'main'))) }}:
+    SignType: test

 extends:
  template: azure-pipelines/MicroBuild.1ES.Official.yml@MicroBuildTemplate
  parameters:
    pool:
-      name: AzurePipelines-EO
-      image: AzurePipelinesWindows2022compliantGPT
-      os: windows
+      name: VSEngSS-MicroBuild2022-1ES
    sdl:
-      sourceAnalysisPool: 
-        name: AzurePipelines-EO
-        image: AzurePipelinesWindows2022compliantGPT
-        os: windows
+      sourceAnalysisPool:
+        name: VSEngSS-MicroBuild2022-1ES
    customBuildTags:
    - ES365AIMigrationTooling
    stages:
--- a/jobs/shared/build.yml
+++ b/jobs/shared/build.yml
@ -7,6 +7,11 @@ parameters:
  default: $(ReleaseVersion)

 steps:
+- task: MicroBuildSigningPlugin@3
+  displayName: Install MicroBuild Signing
+  inputs:
+    signType: $(SignType)
+    zipSources: false
 - task: NodeTool@0
  displayName: Use Node 16.x
  inputs:
@ -83,12 +88,30 @@ steps:
  inputs:
    script: |
      if "${{parameters.IsPreRelease}}"=="1" (type nul > "insiders.flag") else (type nul > "release.flag")
+- template: /jobs/shared/install-nuget.yml@self
+- script: nuget restore $(Build.SourcesDirectory)\jobs\signing\SignFiles.proj -PackagesDirectory $(Build.SourcesDirectory)\jobs\signing\packages
+  displayName: Restore MicroBuild Core
+- task: CmdLine@2
+  displayName: Build files
+  inputs:
+    script: |
+      npm run vscode:prepublish
+- task: MSBuild@1
+  displayName: Sign files
+  inputs:
+    solution: $(Build.SourcesDirectory)\jobs\signing\SignFiles.proj
+    msbuildArguments: /p:SignType=$(SignType)
 - task: CmdLine@2
  displayName: vsce package
  inputs:
    script: |
      mkdir $(Build.ArtifactStagingDirectory)\vsix
      if "${{parameters.IsPreRelease}}"=="1" (vsce package --yarn -o $(Build.ArtifactStagingDirectory)\vsix\cmake-tools.vsix --pre-release) else (vsce package --yarn -o $(Build.ArtifactStagingDirectory)\vsix\cmake-tools.vsix)
+- task: MSBuild@1
+  displayName: Sign VSIX
+  inputs:
+    solution: $(Build.SourcesDirectory)\jobs\signing\SignVsix.proj
+    msbuildArguments: /p:SignType=$(SignType)
 - task: CmdLine@2
  displayName: Write the version to version.txt
  inputs:
--- a/jobs/shared/install-nuget.yml
+++ b/jobs/shared/install-nuget.yml
@ -0,0 +1,9 @@
+# Copyright (c) Microsoft Corporation.
+
+# This Yaml Document has been converted by ESAI Yaml Pipeline Conversion Tool.
+# Please make sure to check all the converted content, it is your team's responsibility to make sure that the pipeline is still valid and functions as expected.
+steps:
+  - task: NuGetToolInstaller@1
+    displayName: Install NuGet
+  - task: NuGetAuthenticate@1
+    displayName: Authenticate NuGet
--- a/jobs/signing/SignFiles.proj
+++ b/jobs/signing/SignFiles.proj
@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="SignFiles" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <Import Project="packages\Microsoft.VisualStudioEng.MicroBuild.Core.0.4.1\build\Microsoft.VisualStudioEng.MicroBuild.Core.props" />
+
+  <PropertyGroup>
+    <BaseOutputDirectory>$(MSBuildThisFileDirectory)../..</BaseOutputDirectory>
+    <!-- These properties are required by MicroBuild, which only signs files that are under these paths -->
+    <IntermediateOutputPath>$(BaseOutputDirectory)</IntermediateOutputPath>
+    <OutDir>$(BaseOutputDirectory)</OutDir>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <!-- Because of Webpack bundling, this is the only shipping Javascript file.
+         There are no third-party files to sign because they've all been bundled. -->
+    <FilesToSign Include="$(OutDir)\dist\main.js">
+      <Authenticode>Microsoft400</Authenticode>
+    </FilesToSign>
+  </ItemGroup>
+
+  <Import Project="packages\Microsoft.VisualStudioEng.MicroBuild.Core.0.4.1\build\Microsoft.VisualStudioEng.MicroBuild.Core.targets" />
+</Project>
--- a/jobs/signing/SignVsix.proj
+++ b/jobs/signing/SignVsix.proj
@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="SignFiles" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <Import Project="packages\Microsoft.VisualStudioEng.MicroBuild.Core.0.4.1\build\Microsoft.VisualStudioEng.MicroBuild.Core.props" />
+
+  <PropertyGroup>
+    <BaseOutputDirectory>$(BUILD_STAGINGDIRECTORY)</BaseOutputDirectory>
+    <!-- These properties are required by MicroBuild, which only signs files that are under these paths -->
+    <IntermediateOutputPath>$(BaseOutputDirectory)</IntermediateOutputPath>
+    <OutDir>$(BaseOutputDirectory)</OutDir>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <FilesToSign Include="$(OutDir)\**\*.vsix">
+      <Authenticode>VsixSHA2</Authenticode>
+    </FilesToSign>
+  </ItemGroup>
+
+  <Import Project="packages\Microsoft.VisualStudioEng.MicroBuild.Core.0.4.1\build\Microsoft.VisualStudioEng.MicroBuild.Core.targets" />
+</Project>
--- a/jobs/signing/packages.config
+++ b/jobs/signing/packages.config
@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?>
+<packages>
+  <package id="Microsoft.VisualStudioEng.MicroBuild.Core" version="0.4.1" developmentDependency="true" />
+</packages>