Move to ESRPv5, which supports certificate authentication (#32775)

Co-authored-by: Jaime Bernardo <jaime@janeasystems.com>
2025-12-15 11:17:53 +01:00 · 2024-05-08 11:32:25 -05:00
parent 9699feea40
commit a46319f19a
4 changed files with 34 additions and 18 deletions
--- a/.pipelines/release.yml
+++ b/.pipelines/release.yml
@@ -23,6 +23,15 @@ parameters:
  - name: versionNumber
    type: string
    default: '0.0.1'
+  - name: signingParameters
+    type: object
+    default:
+      ConnectedServiceName: $(SigningServiceName)
+      AppRegistrationClientId: $(SigningAppId)
+      AppRegistrationTenantId: $(SigningTenantId)
+      AuthAKVName: $(SigningAKVName)
+      AuthCertName: $(SigningAuthCertName)
+      AuthSignCertName: $(SigningSignCertName)

 extends:
  template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates
@@ -164,10 +173,10 @@ extends:
            maximumCpuCount: true

        ### BEGIN SECTION - build and sign nuget packages for abstracted UI utils
-        - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3
+        - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@5
          displayName: Sign Utilities libraries
          inputs:
-            ConnectedServiceName: 'Terminal/Console/WinAppDriver Team Code Signing Connection'
+            ${{ insert }}: ${{ parameters.signingParameters }}
            FolderPath: 'src/modules'
            signType: batchSigning
            batchSignPolicyFile: '$(build.sourcesdirectory)\.pipelines\ESRPSigning_abstracted_utils_dll.json'
@@ -207,10 +216,10 @@ extends:
            flattenFolders: True
            targetFolder: $(Build.ArtifactStagingDirectory)/nupkg

-        - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3
+        - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@5
          displayName: Submit *.nupkg to ESRP for code signing
          inputs:
-            ConnectedServiceName: 'Terminal/Console/WinAppDriver Team Code Signing Connection'
+            ${{ insert }}: ${{ parameters.signingParameters }}
            FolderPath: $(Build.ArtifactStagingDirectory)/nupkg
            Pattern: '*.nupkg'
            UseMinimatch: true
@@ -412,28 +421,28 @@ extends:
      # reference https://dev.azure.com/microsoft/Dart/_git/AppDriver?path=/ESRPSigning.json&version=GBarm64-netcore&_a=contents for winappdriver
      # https://dev.azure.com/microsoft/Dart/_git/AppDriver?path=/CIPolicy.xml&version=GBarm64-netcore&_a=contents

-        - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3
+        - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@5
          displayName: Sign Core PT
          inputs:
-            ConnectedServiceName: 'Terminal/Console/WinAppDriver Team Code Signing Connection'
+            ${{ insert }}: ${{ parameters.signingParameters }}
            FolderPath: '$(BuildPlatform)/$(BuildConfiguration)' # Video conf uses x86 and x64.
            signType: batchSigning
            batchSignPolicyFile: '$(build.sourcesdirectory)\.pipelines\ESRPSigning_core.json'
            ciPolicyFile: '$(build.sourcesdirectory)\.pipelines\CIPolicy.xml'

-        - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3
+        - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@5
          displayName: Sign DSC Powershell files
          inputs:
-            ConnectedServiceName: 'Terminal/Console/WinAppDriver Team Code Signing Connection'
+            ${{ insert }}: ${{ parameters.signingParameters }}
            FolderPath: 'src/dsc/Microsoft.PowerToys.Configure'
            signType: batchSigning
            batchSignPolicyFile: '$(build.sourcesdirectory)\.pipelines\ESRPSigning_DSC.json'
            ciPolicyFile: '$(build.sourcesdirectory)\.pipelines\CIPolicy.xml'

-        - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3
+        - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@5
          displayName: Sign x86 directshow VCM
          inputs:
-            ConnectedServiceName: 'Terminal/Console/WinAppDriver Team Code Signing Connection'
+            ${{ insert }}: ${{ parameters.signingParameters }}
            FolderPath: 'x86/$(BuildConfiguration)' # Video conf uses x86 and x64.
            signType: batchSigning
            batchSignPolicyFile: '$(build.sourcesdirectory)\.pipelines\ESRPSigning_vcm.json'
@@ -477,6 +486,7 @@ extends:
            
        - template: .pipelines/installer-steps.yml@self
          parameters:
+            signingParameters: ${{ parameters.signingParameters }}
            versionNumber: ${{ parameters.versionNumber }}
            perUserArg: "false"
            buildSubDir: "MachineSetup"
@@ -491,6 +501,7 @@ extends:

        - template: .pipelines/installer-steps.yml@self
          parameters:
+            signingParameters: ${{ parameters.signingParameters }}
            versionNumber: ${{ parameters.versionNumber }}
            perUserArg: "true"
            buildSubDir: "UserSetup"