diff --git a/eng/pipelines/akv-official-pipeline.yml b/eng/pipelines/akv-official-pipeline.yml
index 97714a1677..00d39db556 100644
--- a/eng/pipelines/akv-official-pipeline.yml
+++ b/eng/pipelines/akv-official-pipeline.yml
@@ -133,12 +133,12 @@ extends:
     nugetPackageVersion: '${{ variables.nugetPackageVersion }}'
     mdsPackageVersion: '${{ variables.mdsPackageVersion }}'
     publishSymbols: '${{ parameters.publishSymbols }}'
-    signingAppRegistrationClientId: '$(SigningAppRegistrationClientId)'
-    signingAppRegistrationTenantId: '$(SigningAppRegistrationTenantId)'
-    signingAkvName: '$(SigningAkvName)'
-    signingAuthCertName: '$(SigningAuthCertName)'
-    signingConnectedServiceName: '$(SigningConnectedServiceName)'
-    signingSignCertName: '$(SigningSignCertName)'
+    ESRPConnectedServiceName: '$(ESRPConnectedServiceName)'
+    AppRegistrationClientId: '$(AppRegistrationClientId)'
+    AppRegistrationTenantId: '$(AppRegistrationTenantId)'
+    EsrpClientId: '$(EsrpClientId)'
+    AuthAkvName: '$(AuthAkvName)'
+    AuthSignCertName: '$(AuthSignCertName)'
     symbolsAzureSubscription: '$(SymbolsAzureSubscription)'
     symbolsPublishProjectName: '$(SymbolsPublishProjectName)'
     symbolsPublishServer: '$(SymbolsPublishServer)'
diff --git a/eng/pipelines/common/templates/steps/esrp-code-signing-step.yml b/eng/pipelines/common/templates/steps/esrp-code-signing-step.yml
index a2851ed463..e9d62ad074 100644
--- a/eng/pipelines/common/templates/steps/esrp-code-signing-step.yml
+++ b/eng/pipelines/common/templates/steps/esrp-code-signing-step.yml
@@ -17,6 +17,10 @@ parameters:
     type: string
     default: $(artifactDirectory)
 
+  - name: ESRPConnectedServiceName
+    type: string
+    default: $(ESRPConnectedServiceName)
+
   - name: appRegistrationClientId
     type: string
     default: $(appRegistrationClientId)
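Review bot: The six new keys mix three naming styles — `ESRPConnectedServiceName`, `EsrpClientId` and `AppRegistrationClientId` — inside a block whose other keys (`nugetPackageVersion`, `symbolsAzureSubscription`) are camelCase, and the `signing` prefix that grouped the old values is gone. These names are matched against the declarations in `build-akv-official-job.yml` (also changed in this commit), so whichever convention is chosen has to be applied in both files; a consistent prefixed camelCase set (`esrpConnectedServiceName`, `esrpClientId`, `esrpAuthAkvName`, …) would read with the rest of the file. If the names are kept as they are, a comment above `ESRPConnectedServiceName` such as `# ESRP signing inputs; values come from the 'ESRP Federated Creds (AME)' variable group` would tell a reader where the `$()` macros are resolved from.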
@@ -25,16 +29,28 @@ parameters:
     type: string
     default: $(appRegistrationTenantId)
 
+  - name: AuthAKVName
+    type: string
+    default: $(AuthAKVName)
+
+  - name: AuthSignCertName
+    type: string
+    default: $(AuthSignCertName)
+
+  - name: EsrpClientId
+    type: string
+    default: $(EsrpClientId)
+
 steps:
   - ${{ if eq(parameters.artifactType, 'dll') }}:
     - task: EsrpMalwareScanning@5
       displayName: 'ESRP MalwareScanning'
       inputs:
-        ConnectedServiceName: 'ESRP Workload Identity federation service-ADO.Net'
+        ConnectedServiceName: '${{parameters.ESRPConnectedServiceName }}'
         AppRegistrationClientId: '${{parameters.appRegistrationClientId }}'
         AppRegistrationTenantId: '${{parameters.appRegistrationTenantId }}'
-        AuthAKVName: SqlClientDrivers
-        AuthCertName: 'ESRP-Release-Auth'
+        EsrpClientId: '${{parameters.EsrpClientId }}'
+        UseMSIAuthentication: true
         FolderPath: '${{parameters.sourceRoot }}'
         Pattern: '*.dll'
         CleanupTempStorage: 1
@@ -42,12 +58,13 @@ steps:
     - task: EsrpCodeSigning@5
       displayName: 'ESRP CodeSigning'
       inputs:
-        ConnectedServiceName: 'ESRP Workload Identity federation service-ADO.Net'
+        ConnectedServiceName: '${{parameters.ESRPConnectedServiceName }}'
         AppRegistrationClientId: '${{parameters.appRegistrationClientId }}'
         AppRegistrationTenantId: '${{parameters.appRegistrationTenantId }}'
-        AuthAKVName: SqlClientDrivers
-        AuthCertName: 'ESRP-Release-Auth'
-        AuthSignCertName: 'ESRP-Release-Sign2'
+        EsrpClientId: '${{parameters.EsrpClientId }}'
+        UseMSIAuthentication: true
+        AuthAKVName: '${{parameters.AuthAKVName }}'
+        AuthSignCertName: '${{parameters.AuthSignCertName }}'
         FolderPath: '${{parameters.sourceRoot }}'
         Pattern: '*.dll'
         signConfigType: inlineSignParams
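Review bot: `ConnectedServiceName` is now read from a parameter whose default is the runtime macro `$(ESRPConnectedServiceName)`, and Azure Pipelines authorises service-connection inputs before the job starts, so as far as I can tell this only works when that variable is a pipeline or variable-group variable known at queue time (the `ESRP Federated Creds (AME)` group added to `common-variables.yml` in this commit appears to be that source), never one set by a script during the run. A comment on the `ESRPConnectedServiceName` parameter recording that constraint, e.g. `# Must resolve at queue time (pipeline/variable-group variable); service connections cannot be chosen by a script-set variable`, would prevent a confusing authorisation failure later; the same applies to the `EsrpCodeSigning` hunk below and to both NuGet hunks. Also, with `UseMSIAuthentication: true` the malware-scanning steps drop `AuthAKVName`/`AuthCertName`, so the new `AuthAKVName` parameter is consumed only by the signing tasks — a one-line comment on that parameter (`# Used by EsrpCodeSigning only; malware scanning authenticates via MSI`) would make the asymmetry look intentional rather than accidental.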
@@ -94,11 +111,11 @@ steps:
     - task: EsrpMalwareScanning@5
       displayName: 'ESRP MalwareScanning Nuget Package'
       inputs:
-        ConnectedServiceName: 'ESRP Workload Identity federation service-ADO.Net'
+        ConnectedServiceName: '${{parameters.ESRPConnectedServiceName }}'
         AppRegistrationClientId: '${{parameters.appRegistrationClientId }}'
         AppRegistrationTenantId: '${{parameters.appRegistrationTenantId }}'
-        AuthAKVName: SqlClientDrivers
-        AuthCertName: 'ESRP-Release-Auth'
+        EsrpClientId: '${{parameters.EsrpClientId }}'
+        UseMSIAuthentication: true
         FolderPath: '${{parameters.artifactDirectory }}'
         Pattern: '*.*nupkg'
         CleanupTempStorage: 1
@@ -107,12 +124,13 @@ steps:
       displayName: 'ESRP CodeSigning Nuget Package'
       inputs:
       inputs:
-        ConnectedServiceName: 'ESRP Workload Identity federation service-ADO.Net'
+        ConnectedServiceName: '${{parameters.ESRPConnectedServiceName }}'
         AppRegistrationClientId: '${{parameters.appRegistrationClientId }}'
         AppRegistrationTenantId: '${{parameters.appRegistrationTenantId }}'
-        AuthAKVName: SqlClientDrivers
-        AuthCertName: 'ESRP-Release-Auth'
-        AuthSignCertName: 'ESRP-Release-Sign2'
+        EsrpClientId: '${{parameters.EsrpClientId }}'
+        UseMSIAuthentication: true
+        AuthAKVName: '${{parameters.AuthAKVName }}'
+        AuthSignCertName: '${{parameters.AuthSignCertName }}'
         FolderPath: '${{parameters.artifactDirectory }}'
         Pattern: '*.*nupkg'
         signConfigType: inlineSignParams
diff --git a/eng/pipelines/jobs/build-akv-official-job.yml b/eng/pipelines/jobs/build-akv-official-job.yml
index eae16cd1a5..43a9667c69 100644
--- a/eng/pipelines/jobs/build-akv-official-job.yml
+++ b/eng/pipelines/jobs/build-akv-official-job.yml
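Review bot: The context at the top of the `ESRP CodeSigning Nuget Package` hunk shows `inputs:` on two consecutive lines, and the hunk's line count (12 old lines from `displayName:`) indicates the duplicate is really in the file rather than a rendering artefact; a repeated mapping key is either rejected by the parser or silently resolved to the last occurrence, so the task's inputs depend on which `inputs:` the loader keeps. Since this commit rewrites the inputs block anyway, the stray second `inputs:` line should be deleted here. The owning `- task: EsrpCodeSigning@5` line lies just above the hunk.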
@@ -26,22 +26,22 @@ parameters:
   - name: publishSymbols
     type: boolean
 
-  - name: signingAppRegistrationClientId
+  - name: ESRPConnectedServiceName
     type: string
 
-  - name: signingAppRegistrationTenantId
+  - name: AppRegistrationClientId
     type: string
 
-  - name: signingAkvName
+  - name: AppRegistrationTenantId
     type: string
 
-  - name: signingAuthCertName
+  - name: EsrpClientId
     type: string
 
-  - name: signingConnectedServiceName
+  - name: AuthAkvName
     type: string
 
-  - name: signingSignCertName
+  - name: AuthSignCertName
     type: string
 
   - name: symbolsAzureSubscription
@@ -108,13 +108,13 @@ jobs:
 
     - template: ../steps/compound-esrp-code-signing-step.yml@self
       parameters:
-        akvName: '${{ parameters.signingAkvName }}'
-        appRegistrationClientId: '${{ parameters.signingAppRegistrationClientId }}'
-        appRegistrationTenantId: '${{ parameters.signingAppRegistrationTenantId }}'
+        ESRPConnectedServiceName: '${{ parameters.ESRPConnectedServiceName }}'
+        appRegistrationClientId: '${{ parameters.AppRegistrationClientId }}'
+        appRegistrationTenantId: '${{ parameters.AppRegistrationTenantId }}'
+        EsrpClientId: '${{ parameters.EsrpClientId }}'
+        AuthAkvName: '${{ parameters.AuthAkvName }}'
+        AuthSignCertName: '${{ parameters.AuthSignCertName }}'
         artifactType: 'dll'
-        authCertName: '${{ parameters.signingAuthCertName }}'
-        connectedServiceName: '${{ parameters.signingConnectedServiceName }}'
-        signingCertName: '${{ parameters.signingSignCertName }}'
 
    - template: ../steps/compound-nuget-pack-step.yml@self
      parameters:
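Review bot: The six replacement parameters are declared with no description at all, although they are the identity-related inputs of this job template and their values are injected from a variable group defined elsewhere; someone reading this file alone cannot tell what `EsrpClientId` is for or which vault `AuthAkvName` should name. Suggest a comment above `- name: ESRPConnectedServiceName`, e.g. `# ESRP signing inputs; the official pipeline supplies them from the 'ESRP Federated Creds (AME)' variable group`, and on `AuthAkvName` the clarification the compound template used to carry, `# Key Vault holding the ESRP signing certificate - unrelated to the AKV provider package`. Note that `AuthAkvName` and `AuthSignCertName` are forwarded under the same names to `compound-esrp-code-signing-step.yml` in the second hunk, so any renaming must be mirrored there.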
@@ -127,13 +127,13 @@ jobs:
 
    - template: ../steps/compound-esrp-code-signing-step.yml@self
      parameters:
-        akvName: '${{ parameters.signingAkvName }}'
-        appRegistrationClientId: '${{ parameters.signingAppRegistrationClientId }}'
-        appRegistrationTenantId: '${{ parameters.signingAppRegistrationTenantId }}'
+        ESRPConnectedServiceName: '${{ parameters.ESRPConnectedServiceName }}'
+        appRegistrationClientId: '${{ parameters.AppRegistrationClientId }}'
+        appRegistrationTenantId: '${{ parameters.AppRegistrationTenantId }}'
+        EsrpClientId: '${{ parameters.EsrpClientId }}'
+        AuthAkvName: '${{ parameters.AuthAkvName }}'
+        AuthSignCertName: '${{ parameters.AuthSignCertName }}'
         artifactType: 'pkg'
-        authCertName: '${{ parameters.signingAuthCertName }}'
-        connectedServiceName: '${{ parameters.signingConnectedServiceName }}'
-        signingCertName: '${{ parameters.signingSignCertName }}'
 
    - ${{ if parameters.publishSymbols }}:
      - template: ../steps/compound-publish-symbols-step.yml@self
diff --git a/eng/pipelines/libraries/common-variables.yml b/eng/pipelines/libraries/common-variables.yml
index 7b2bc00cb1..718633691b 100644
--- a/eng/pipelines/libraries/common-variables.yml
+++ b/eng/pipelines/libraries/common-variables.yml
@@ -5,6 +5,14 @@
 #################################################################################
 
 variables:
+  - group: ESRP Federated Creds (AME)
+    # ESRPConnectedServiceName
+    # ESRPClientId
+    # AppRegistrationClientId
+    # AppRegistrationTenantId
+    # AuthAKVName
+    # AuthSignCertName
+
   - name: Configuration
     value: Release
   - name: CommitHead
@@ -17,7 +25,3 @@ variables:
     value: $(REPOROOT)/symbols
   - name: artifactDirectory
     value: '$(REPOROOT)/packages'
-  - name: appRegistrationClientId
-    value: 'a0d18a38-fde1-4ba7-92e1-15be16cb6a8e'
-  - name: appRegistrationTenantId
-    value: '72f988bf-86f1-41af-91ab-2d7cd011db47'
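Review bot: Adding the `ESRP Federated Creds (AME)` group to `common-variables.yml` means every pipeline that includes this shared variables file requests access to the ESRP signing identity, while only the official signing pipeline needs it; if this file is also consumed by CI or PR pipelines, the group belongs in the official-build variables file (`akv-official-variables.yml`, already touched in this commit) so the least-privilege boundary stays at the pipeline that actually signs. Separately, the comment lists `ESRPClientId` and `AuthAKVName`, whereas the consumers read `$(EsrpClientId)` and `$(AuthAkvName)`; variable lookup is case-insensitive so this works, but the comment should use the spellings the templates use so they can be grepped: `# EsrpClientId` and `# AuthAkvName`. A short note on why the group is here, e.g. `# Federated (workload identity) credentials for ESRP signing; no secrets are stored in this repo`, would also explain the removal of the hard-coded client/tenant IDs in the last hunk.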
diff --git a/eng/pipelines/steps/compound-esrp-code-signing-step.yml b/eng/pipelines/steps/compound-esrp-code-signing-step.yml
index 33dc941b25..a8221a710e 100644
--- a/eng/pipelines/steps/compound-esrp-code-signing-step.yml
+++ b/eng/pipelines/steps/compound-esrp-code-signing-step.yml
@@ -5,9 +5,7 @@
 #################################################################################
 
 parameters:
-  - # Name of the Azure Key Vault to retrieve certificates from.
-    # note: This has nothing to do with the AKV provider package.
-    name: akvName
+  - name: ESRPConnectedServiceName
     type: string
 
   - name: appRegistrationClientId
@@ -16,32 +14,33 @@ parameters:
   - name: appRegistrationTenantId
     type: string
 
-  - name: artifactType
+  - name: EsrpClientId
     type: string
-    values:
-      - dll
-      - pkg
 
-  - name: authCertName
+  - # Name of the Azure Key Vault to retrieve ESRP Code Signing certificate from.
+    name: AuthAkvName
     type: string
 
-  - name: connectedServiceName
+  - name: authSignCertName
     type: string
 
-  - name: signingCertName
+  - name: artifactType
     type: string
+    values:
+      - dll
+      - pkg
 
 steps:
   - ${{ if eq(parameters.artifactType, 'dll') }}:
     - task: EsrpMalwareScanning@5
       displayName: 'ESRP Malware Scanning Code'
       inputs:
+        ConnectedServiceName: '${{ parameters.ESRPConnectedServiceName }}'
         AppRegistrationClientId: '${{ parameters.appRegistrationClientId }}'
         AppRegistrationTenantId: '${{ parameters.appRegistrationTenantId }}'
+        EsrpClientId: '${{ parameters.EsrpClientId }}'
+        UseMSIAuthentication: true
         CleanupTempStorage: 1
-        ConnectedServiceName: '${{ parameters.connectedServiceName }}'
-        AuthAKVName: '${{ parameters.akvName }}'
-        AuthCertName: '${{ parameters.authCertName }}'
         FolderPath: '$(BUILD_OUTPUT)'
         Pattern: '*.dll'
         VerboseLogin: 1
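Review bot: In the second hunk the parameter is declared as `authSignCertName` (lower-case `a`), while `build-akv-official-job.yml` passes it as `AuthSignCertName:` and the signing steps later in this file read `${{ parameters.AuthSignCertName }}`; if template parameter matching is case-sensitive this template will not compile, and even if it is tolerant the declaration should read `- name: AuthSignCertName` to agree with `AuthAkvName`, `EsrpClientId` and its own uses. The descriptive comment was moved onto the sequence dash (`- # Name of the Azure Key Vault …` with `name: AuthAkvName` on the following line), which is valid YAML but unlike the rest of the file; putting it on its own line above `- name: AuthAkvName` is clearer, and the dropped sentence `# note: This has nothing to do with the AKV provider package.` is worth restoring since both the pipeline file name and the old comment refer to an AKV provider package that a reader could easily confuse with this vault.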
@@ -49,12 +48,13 @@ steps:
     - task: EsrpCodeSigning@5
       displayName: 'ESRP Signing Code'
       inputs:
+        ConnectedServiceName: '${{ parameters.ESRPConnectedServiceName }}'
         AppRegistrationClientId: '${{ parameters.appRegistrationClientId }}'
         AppRegistrationTenantId: '${{ parameters.appRegistrationTenantId }}'
+        EsrpClientId: '${{ parameters.EsrpClientId }}'
+        UseMSIAuthentication: true
         AuthAKVName: '${{ parameters.akvName }}'
-        AuthCertName: '${{ parameters.authCertName }}'
-        AuthSignCertName: '${{ parameters.signingCertName }}'
-        ConnectedServiceName: '${{ parameters.connectedServiceName }}'
+        AuthSignCertName: '${{ parameters.AuthSignCertName }}'
         FolderPath: '$(BUILD_OUTPUT)'
         Pattern: '*.dll'
         signConfigType: 'inlineSignParams'
@@ -102,12 +102,12 @@ steps:
     - task: EsrpMalwareScanning@5
       displayName: 'ESRP Malware Scanning NuGet Package'
       inputs:
+        ConnectedServiceName: '${{ parameters.ESRPConnectedServiceName }}'
         AppRegistrationClientId: '${{ parameters.appRegistrationClientId }}'
         AppRegistrationTenantId: '${{ parameters.appRegistrationTenantId }}'
+        EsrpClientId: '${{ parameters.EsrpClientId }}'
+        UseMSIAuthentication: true
         CleanupTempStorage: 1
-        ConnectedServiceName: '${{ parameters.connectedServiceName }}'
-        AuthAKVName: '${{ parameters.akvName }}'
-        AuthCertName: '${{ parameters.authCertName }}'
         FolderPath: '$(ARTIFACT_PATH)'
         Pattern: '*.*nupkg'
         VerboseLogin: 1
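Review bot: The unchanged line `AuthAKVName: '${{ parameters.akvName }}'` still references `akvName`, but this commit removes that parameter from the template's `parameters:` block (it is replaced by `AuthAkvName` in the earlier hunk), so the template expression can no longer resolve and the template should fail at compile time; the identical stale reference remains in the `ESRP Signing NuGet Package` hunk further down. Both lines should become `AuthAKVName: '${{ parameters.AuthAkvName }}'`. The `- task: EsrpCodeSigning@5` step begins inside the hunk, but the `${{ if }}` conditional that presumably encloses it starts above.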
@@ -115,12 +115,13 @@ steps:
     - task: EsrpCodeSigning@5
       displayName: 'ESRP Signing NuGet Package'
      inputs:
+        ConnectedServiceName: '${{ parameters.ESRPConnectedServiceName }}'
         AppRegistrationClientId: '${{ parameters.appRegistrationClientId }}'
         AppRegistrationTenantId: '${{ parameters.appRegistrationTenantId }}'
+        EsrpClientId: '${{ parameters.EsrpClientId }}'
+        UseMSIAuthentication: true
         AuthAKVName: '${{ parameters.akvName }}'
-        AuthCertName: '${{ parameters.authCertName }}'
-        AuthSignCertName: '${{ parameters.signingCertName }}'
-        ConnectedServiceName: '${{ parameters.connectedServiceName }}'
+        AuthSignCertName: '${{ parameters.AuthSignCertName }}'
         FolderPath: '$(ARTIFACT_PATH)'
         Pattern: '*.*nupkg'
         signConfigType: 'inlineSignParams'
diff --git a/eng/pipelines/variables/akv-official-variables.yml b/eng/pipelines/variables/akv-official-variables.yml
index cea3e3f0b8..465270124f 100644
--- a/eng/pipelines/variables/akv-official-variables.yml
+++ b/eng/pipelines/variables/akv-official-variables.yml
@@ -7,13 +7,8 @@
 # @TODO: These seem to only really apply to official builds. Name should probably be adjusted to match.
 
 variables:
+  # @TODO: Rename to something more appropriate for symbols
   - group: 'akv-variables-v2'
-    # SigningAppRegistrationClientId
-    # SigningAppRegistrationTenantId
-    # SigningAkvName
-    # SigningAuthCertName
-    # SigningConnectedServiceName
-    # SigningSignCertName
     # SymbolsAzureSubscription
     # SymbolsPublishProjectName
     # SymbolsPublishServer