From a46319f19a63ae7fde203f4e6047b60a1548f765 Mon Sep 17 00:00:00 2001 From: "Dustin L. Howett" Date: Wed, 8 May 2024 11:32:25 -0500 Subject: [PATCH] Move to ESRPv5, which supports certificate authentication (#32775) Co-authored-by: Jaime Bernardo --- .github/actions/spell-check/expect.txt | 1 + .pipelines/ESRPSigning_core.json | 1 + .pipelines/installer-steps.yml | 19 +++++++++------- .pipelines/release.yml | 31 +++++++++++++++++--------- 4 files changed, 34 insertions(+), 18 deletions(-) diff --git a/.github/actions/spell-check/expect.txt b/.github/actions/spell-check/expect.txt index bec6e04569..482d219ddb 100644 --- a/.github/actions/spell-check/expect.txt +++ b/.github/actions/spell-check/expect.txt @@ -29,6 +29,7 @@ AFFINETRANSFORM AFX AGGREGATABLE AHybrid +AKV ALarger ALLAPPS ALLINPUT diff --git a/.pipelines/ESRPSigning_core.json b/.pipelines/ESRPSigning_core.json index c20e38e029..8feaeb6c61 100644 --- a/.pipelines/ESRPSigning_core.json +++ b/.pipelines/ESRPSigning_core.json @@ -304,6 +304,7 @@ "MessagePack.dll", "Nerdbank.Streams.dll", "WinUI3Apps\\SharpCompress.dll", + "WinUI3Apps\\ZstdSharp.dll", "ColorCode.Core.dll", "ColorCode.UWP.dll", "UnitsNet.dll", diff --git a/.pipelines/installer-steps.yml b/.pipelines/installer-steps.yml index 0e82e0b323..e3f2fa76f7 100644 --- a/.pipelines/installer-steps.yml +++ b/.pipelines/installer-steps.yml @@ -11,6 +11,9 @@ parameters: - name: installerPrefix type: string default: "PowerToysSetup" + - name: signingParameters + type: object + default: {} steps: - task: VSBuild@1 
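Review bot: The `default: {}` on the new `signingParameters` parameter in installer-steps.yml lets a caller omit it, in which case the four `EsrpCodeSigning@5` steps in this file expand with no `ConnectedServiceName` and no certificate inputs. How the task behaves without them is not visible here; presumably it fails at sign time, well into the build. Removing the `default: {}` line and keeping `- name: signingParameters` and `type: object` should make the parameter required, so an omitted value is rejected when the template is expanded. Both template calls in release.yml already pass the value, so nothing in this patch relies on the default.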
@@ -24,10 +27,10 @@ steps: clean: true maximumCpuCount: true - - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3 + - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@5 displayName: Sign PowerToysSetupCustomActions DLL inputs: - ConnectedServiceName: "Terminal/Console/WinAppDriver Team Code Signing Connection" + ${{ insert }}: ${{ parameters.signingParameters }} FolderPath: 'installer/PowerToysSetupCustomActions/$(BuildPlatform)\$(BuildConfiguration)\${{parameters.buildSubDir}}' signType: batchSigning batchSignPolicyFile: '$(build.sourcesdirectory)\.pipelines\ESRPSigning_installer.json' @@ -74,10 +77,10 @@ steps: scriptName: .pipelines/versionAndSignCheck.ps1 arguments: -targetDir '$(build.sourcesdirectory)\extractedMsi\Binary' - - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3 + - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@5 displayName: Sign MSI inputs: - ConnectedServiceName: "Terminal/Console/WinAppDriver Team Code Signing Connection" + ${{ insert }}: ${{ parameters.signingParameters }} FolderPath: 'installer/PowerToysSetup/$(BuildPlatform)\$(BuildConfiguration)\${{parameters.buildSubDir}}' signType: batchSigning batchSignPolicyFile: '$(build.sourcesdirectory)\.pipelines\ESRPSigning_installer.json' @@ -101,10 +104,10 @@ steps: inputs: script: '"C:\Program Files (x86)\WiX Toolset v3.14\bin\insignia.exe" -ib installer\PowerToysSetup\$(BuildPlatform)\$(BuildConfiguration)\${{parameters.buildSubDir}}\${{parameters.installerPrefix}}-${{ parameters.versionNumber }}-$(BuildPlatform).exe -o installer\engine.exe' - - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3 + - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@5 displayName: "ESRP CodeSigning (Engine)" inputs: - ConnectedServiceName: "Terminal/Console/WinAppDriver Team Code Signing Connection" + ${{ insert }}: ${{ parameters.signingParameters }} FolderPath: "installer" Pattern: engine.exe signConfigType: inlineSignParams 
@@ -137,10 +140,10 @@ steps: inputs: script: '"C:\Program Files (x86)\WiX Toolset v3.14\bin\insignia.exe" -ab installer\engine.exe installer\PowerToysSetup\$(BuildPlatform)\$(BuildConfiguration)\${{parameters.buildSubDir}}\${{parameters.installerPrefix}}-${{ parameters.versionNumber }}-$(BuildPlatform).exe -o installer\PowerToysSetup\$(BuildPlatform)\$(BuildConfiguration)\${{parameters.buildSubDir}}\${{parameters.installerPrefix}}-${{ parameters.versionNumber }}-$(BuildPlatform).exe' - - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3 + - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@5 displayName: Sign Bootstrapper inputs: - ConnectedServiceName: "Terminal/Console/WinAppDriver Team Code Signing Connection" + ${{ insert }}: ${{ parameters.signingParameters }} FolderPath: 'installer/PowerToysSetup/$(BuildPlatform)\$(BuildConfiguration)\${{parameters.buildSubDir}}' signType: batchSigning batchSignPolicyFile: '$(build.sourcesdirectory)\.pipelines\ESRPSigning_installer.json' diff --git a/.pipelines/release.yml b/.pipelines/release.yml index 97150bb945..8b48f2660d 100644 --- a/.pipelines/release.yml +++ b/.pipelines/release.yml @@ -23,6 +23,15 @@ parameters: - name: versionNumber type: string default: '0.0.1' + - name: signingParameters + type: object + default: + ConnectedServiceName: $(SigningServiceName) + AppRegistrationClientId: $(SigningAppId) + AppRegistrationTenantId: $(SigningTenantId) + AuthAKVName: $(SigningAKVName) + AuthCertName: $(SigningAuthCertName) + AuthSignCertName: $(SigningSignCertName) extends: template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates 
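Review bot: `signingParameters` is declared in the root `parameters:` block of release.yml, so the connection, app registration, Key Vault and certificate names that sign the release can presumably be replaced by whoever queues a run. The `${{ insert }}` in each signing step then copies every key of that object into the task inputs. What still bounds such an override (service-connection authorization, Key Vault access policy) is outside this patch. If queue-time override is not intended, the mapping could live in a template rather than a root parameter; if it is intended, say so above the parameter, for example `# Overridable at queue time: selects the identity and certificates used to sign release binaries.` The `$(Signing*)` variables that the defaults read are not defined in the visible hunks, so where they are set and who can edit them deserves the same comment.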
@@ -164,10 +173,10 @@ extends: maximumCpuCount: true ### BEGIN SECTION - build and sign nuget packages for abstracted UI utils - - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3 + - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@5 displayName: Sign Utilities libraries inputs: - ConnectedServiceName: 'Terminal/Console/WinAppDriver Team Code Signing Connection' + ${{ insert }}: ${{ parameters.signingParameters }} FolderPath: 'src/modules' signType: batchSigning batchSignPolicyFile: '$(build.sourcesdirectory)\.pipelines\ESRPSigning_abstracted_utils_dll.json' @@ -207,10 +216,10 @@ extends: flattenFolders: True targetFolder: $(Build.ArtifactStagingDirectory)/nupkg - - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3 + - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@5 displayName: Submit *.nupkg to ESRP for code signing inputs: - ConnectedServiceName: 'Terminal/Console/WinAppDriver Team Code Signing Connection' + ${{ insert }}: ${{ parameters.signingParameters }} FolderPath: $(Build.ArtifactStagingDirectory)/nupkg Pattern: '*.nupkg' UseMinimatch: true 
@@ -412,28 +421,28 @@ extends: # reference https://dev.azure.com/microsoft/Dart/_git/AppDriver?path=/ESRPSigning.json&version=GBarm64-netcore&_a=contents for winappdriver # https://dev.azure.com/microsoft/Dart/_git/AppDriver?path=/CIPolicy.xml&version=GBarm64-netcore&_a=contents - - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3 + - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@5 displayName: Sign Core PT inputs: - ConnectedServiceName: 'Terminal/Console/WinAppDriver Team Code Signing Connection' + ${{ insert }}: ${{ parameters.signingParameters }} FolderPath: '$(BuildPlatform)/$(BuildConfiguration)' # Video conf uses x86 and x64. signType: batchSigning batchSignPolicyFile: '$(build.sourcesdirectory)\.pipelines\ESRPSigning_core.json' ciPolicyFile: '$(build.sourcesdirectory)\.pipelines\CIPolicy.xml' - - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3 + - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@5 displayName: Sign DSC Powershell files inputs: - ConnectedServiceName: 'Terminal/Console/WinAppDriver Team Code Signing Connection' + ${{ insert }}: ${{ parameters.signingParameters }} FolderPath: 'src/dsc/Microsoft.PowerToys.Configure' signType: batchSigning batchSignPolicyFile: '$(build.sourcesdirectory)\.pipelines\ESRPSigning_DSC.json' ciPolicyFile: '$(build.sourcesdirectory)\.pipelines\CIPolicy.xml' - - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3 + - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@5 displayName: Sign x86 directshow VCM inputs: - ConnectedServiceName: 'Terminal/Console/WinAppDriver Team Code Signing Connection' + ${{ insert }}: ${{ parameters.signingParameters }} FolderPath: 'x86/$(BuildConfiguration)' # Video conf uses x86 and x64. signType: batchSigning batchSignPolicyFile: '$(build.sourcesdirectory)\.pipelines\ESRPSigning_vcm.json' 
@@ -477,6 +486,7 @@ extends: - template: .pipelines/installer-steps.yml@self parameters: + signingParameters: ${{ parameters.signingParameters }} versionNumber: ${{ parameters.versionNumber }} perUserArg: "false" buildSubDir: "MachineSetup" @@ -491,6 +501,7 @@ extends: - template: .pipelines/installer-steps.yml@self parameters: + signingParameters: ${{ parameters.signingParameters }} versionNumber: ${{ parameters.versionNumber }} perUserArg: "true" buildSubDir: "UserSetup"