12 changes: 6 additions & 6 deletions eng/pipelines/akv-official-pipeline.yml
@@ -133,12 +133,12 @@ extends:
nugetPackageVersion: '${{ variables.nugetPackageVersion }}'
mdsPackageVersion: '${{ variables.mdsPackageVersion }}'
publishSymbols: '${{ parameters.publishSymbols }}'
signingAppRegistrationClientId: '$(SigningAppRegistrationClientId)'
signingAppRegistrationTenantId: '$(SigningAppRegistrationTenantId)'
signingAkvName: '$(SigningAkvName)'
signingAuthCertName: '$(SigningAuthCertName)'
signingConnectedServiceName: '$(SigningConnectedServiceName)'
signingSignCertName: '$(SigningSignCertName)'
ESRPConnectedServiceName: '$(ESRPConnectedServiceName)'
AppRegistrationClientId: '$(AppRegistrationClientId)'
AppRegistrationTenantId: '$(AppRegistrationTenantId)'
EsrpClientId: '$(EsrpClientId)'
AuthAkvName: '$(AuthAkvName)'
AuthSignCertName: '$(AuthSignCertName)'
symbolsAzureSubscription: '$(SymbolsAzureSubscription)'
symbolsPublishProjectName: '$(SymbolsPublishProjectName)'
symbolsPublishServer: '$(SymbolsPublishServer)'
46 changes: 32 additions & 14 deletions eng/pipelines/common/templates/steps/esrp-code-signing-step.yml
@@ -17,6 +17,10 @@ parameters:
type: string
default: $(artifactDirectory)

- name: ESRPConnectedServiceName
type: string
default: $(ESRPConnectedServiceName)

- name: appRegistrationClientId
type: string
default: $(appRegistrationClientId)
@@ -25,29 +29,42 @@ parameters:
type: string
default: $(appRegistrationTenantId)

- name: AuthAKVName
type: string
default: $(AuthAKVName)

- name: AuthSignCertName
type: string
default: $(AuthSignCertName)

- name: EsrpClientId
type: string
default: $(EsrpClientId)

steps:
- ${{ if eq(parameters.artifactType, 'dll') }}:
- task: EsrpMalwareScanning@5
displayName: 'ESRP MalwareScanning'
inputs:
ConnectedServiceName: 'ESRP Workload Identity federation service-ADO.Net'
ConnectedServiceName: '${{parameters.ESRPConnectedServiceName }}'
AppRegistrationClientId: '${{parameters.appRegistrationClientId }}'
AppRegistrationTenantId: '${{parameters.appRegistrationTenantId }}'
AuthAKVName: SqlClientDrivers
AuthCertName: 'ESRP-Release-Auth'
EsrpClientId: '${{parameters.EsrpClientId }}'
UseMSIAuthentication: true
FolderPath: '${{parameters.sourceRoot }}'
Pattern: '*.dll'
CleanupTempStorage: 1
VerboseLogin: 1
- task: EsrpCodeSigning@5
displayName: 'ESRP CodeSigning'
inputs:
ConnectedServiceName: 'ESRP Workload Identity federation service-ADO.Net'
ConnectedServiceName: '${{parameters.ESRPConnectedServiceName }}'
AppRegistrationClientId: '${{parameters.appRegistrationClientId }}'
AppRegistrationTenantId: '${{parameters.appRegistrationTenantId }}'
AuthAKVName: SqlClientDrivers
AuthCertName: 'ESRP-Release-Auth'
AuthSignCertName: 'ESRP-Release-Sign2'
EsrpClientId: '${{parameters.EsrpClientId }}'
UseMSIAuthentication: true
AuthAKVName: '${{parameters.AuthAKVName }}'
AuthSignCertName: '${{parameters.AuthSignCertName }}'
FolderPath: '${{parameters.sourceRoot }}'
Pattern: '*.dll'
signConfigType: inlineSignParams
@@ -94,11 +111,11 @@ steps:
- task: EsrpMalwareScanning@5
displayName: 'ESRP MalwareScanning Nuget Package'
inputs:
ConnectedServiceName: 'ESRP Workload Identity federation service-ADO.Net'
ConnectedServiceName: '${{parameters.ESRPConnectedServiceName }}'
AppRegistrationClientId: '${{parameters.appRegistrationClientId }}'
AppRegistrationTenantId: '${{parameters.appRegistrationTenantId }}'
AuthAKVName: SqlClientDrivers
AuthCertName: 'ESRP-Release-Auth'
EsrpClientId: '${{parameters.EsrpClientId }}'
UseMSIAuthentication: true
FolderPath: '${{parameters.artifactDirectory }}'
Pattern: '*.*nupkg'
CleanupTempStorage: 1
@@ -107,12 +124,13 @@ steps:
displayName: 'ESRP CodeSigning Nuget Package'
inputs:
inputs:
ConnectedServiceName: 'ESRP Workload Identity federation service-ADO.Net'
ConnectedServiceName: '${{parameters.ESRPConnectedServiceName }}'
AppRegistrationClientId: '${{parameters.appRegistrationClientId }}'
AppRegistrationTenantId: '${{parameters.appRegistrationTenantId }}'
AuthAKVName: SqlClientDrivers
AuthCertName: 'ESRP-Release-Auth'
AuthSignCertName: 'ESRP-Release-Sign2'
EsrpClientId: '${{parameters.EsrpClientId }}'
UseMSIAuthentication: true
AuthAKVName: '${{parameters.AuthAKVName }}'
AuthSignCertName: '${{parameters.AuthSignCertName }}'
FolderPath: '${{parameters.artifactDirectory }}'
Pattern: '*.*nupkg'
signConfigType: inlineSignParams
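Review bot: The new parameters `ESRPConnectedServiceName`, `AuthAKVName`, `AuthSignCertName` and `EsrpClientId` each carry a default of the same-named macro, for example `default: $(AuthSignCertName)`, so a caller that omits one still expands the template. If the variable group is not linked to that pipeline, the task is then handed the unexpanded macro text at run time. For inputs that select the signing identity and certificate it is safer to declare them as `type: string` with no `default:` line, as eng/pipelines/steps/compound-esrp-code-signing-step.yml does in this same change, so a missing value fails at template expansion. The same applies to all four task blocks in this file, whose surrounding steps continue outside the visible hunks.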
36 changes: 18 additions & 18 deletions eng/pipelines/jobs/build-akv-official-job.yml
@@ -26,22 +26,22 @@ parameters:
- name: publishSymbols
type: boolean

- name: signingAppRegistrationClientId
- name: ESRPConnectedServiceName
type: string

- name: signingAppRegistrationTenantId
- name: AppRegistrationClientId
type: string

- name: signingAkvName
- name: AppRegistrationTenantId
type: string

- name: signingAuthCertName
- name: EsrpClientId
type: string

- name: signingConnectedServiceName
- name: AuthAkvName
type: string

- name: signingSignCertName
- name: AuthSignCertName
type: string

- name: symbolsAzureSubscription
@@ -108,13 +108,13 @@ jobs:

- template: ../steps/compound-esrp-code-signing-step.yml@self
parameters:
akvName: '${{ parameters.signingAkvName }}'
appRegistrationClientId: '${{ parameters.signingAppRegistrationClientId }}'
appRegistrationTenantId: '${{ parameters.signingAppRegistrationTenantId }}'
ESRPConnectedServiceName: '${{ parameters.ESRPConnectedServiceName }}'
appRegistrationClientId: '${{ parameters.AppRegistrationClientId }}'
appRegistrationTenantId: '${{ parameters.AppRegistrationTenantId }}'
EsrpClientId: '${{ parameters.EsrpClientId }}'
AuthAkvName: '${{ parameters.AuthAkvName }}'
AuthSignCertName: '${{ parameters.AuthSignCertName }}'
artifactType: 'dll'
authCertName: '${{ parameters.signingAuthCertName }}'
connectedServiceName: '${{ parameters.signingConnectedServiceName }}'
signingCertName: '${{ parameters.signingSignCertName }}'

- template: ../steps/compound-nuget-pack-step.yml@self
parameters:
@@ -127,13 +127,13 @@ jobs:

- template: ../steps/compound-esrp-code-signing-step.yml@self
parameters:
akvName: '${{ parameters.signingAkvName }}'
appRegistrationClientId: '${{ parameters.signingAppRegistrationClientId }}'
appRegistrationTenantId: '${{ parameters.signingAppRegistrationTenantId }}'
ESRPConnectedServiceName: '${{ parameters.ESRPConnectedServiceName }}'
appRegistrationClientId: '${{ parameters.AppRegistrationClientId }}'
appRegistrationTenantId: '${{ parameters.AppRegistrationTenantId }}'
EsrpClientId: '${{ parameters.EsrpClientId }}'
AuthAkvName: '${{ parameters.AuthAkvName }}'
AuthSignCertName: '${{ parameters.AuthSignCertName }}'
artifactType: 'pkg'
authCertName: '${{ parameters.signingAuthCertName }}'
connectedServiceName: '${{ parameters.signingConnectedServiceName }}'
signingCertName: '${{ parameters.signingSignCertName }}'

- ${{ if parameters.publishSymbols }}:
- template: ../steps/compound-publish-symbols-step.yml@self
12 changes: 8 additions & 4 deletions eng/pipelines/libraries/common-variables.yml
@@ -5,6 +5,14 @@
#################################################################################

variables:
- group: ESRP Federated Creds (AME)
# ESRPConnectedServiceName
# ESRPClientId
# AppRegistrationClientId
# AppRegistrationTenantId
# AuthAKVName
# AuthSignCertName

- name: Configuration
value: Release
- name: CommitHead
@@ -17,7 +25,3 @@ variables:
value: $(REPOROOT)/symbols
- name: artifactDirectory
value: '$(REPOROOT)/packages'
- name: appRegistrationClientId
value: 'a0d18a38-fde1-4ba7-92e1-15be16cb6a8e'
- name: appRegistrationTenantId
value: '72f988bf-86f1-41af-91ab-2d7cd011db47'
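Review bot: Linking `- group: ESRP Federated Creds (AME)` in common-variables.yml exposes the signing service connection name, Key Vault name and signing certificate name to every pipeline that includes this file, not only to the official build that signs. Whether CI or PR validation pipelines also include this file is not visible here; if they do, the group would be better linked from the official-only variables file so that only signing pipelines need authorization to it. If it has to stay here, a comment above the entry such as `# Signing identity for official builds only; do not reference from PR validation pipelines.` would record the intent.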
45 changes: 23 additions & 22 deletions eng/pipelines/steps/compound-esrp-code-signing-step.yml
@@ -5,9 +5,7 @@
#################################################################################

parameters:
- # Name of the Azure Key Vault to retrieve certificates from.
# note: This has nothing to do with the AKV provider package.
name: akvName
- name: ESRPConnectedServiceName
type: string

- name: appRegistrationClientId
@@ -16,45 +14,47 @@ parameters:
- name: appRegistrationTenantId
type: string

- name: artifactType
- name: EsrpClientId
type: string
values:
- dll
- pkg

- name: authCertName
- # Name of the Azure Key Vault to retrieve ESRP Code Signing certificate from.
name: AuthAkvName
type: string

- name: connectedServiceName
- name: authSignCertName
type: string

- name: signingCertName
- name: artifactType
type: string
values:
- dll
- pkg

steps:
- ${{ if eq(parameters.artifactType, 'dll') }}:
- task: EsrpMalwareScanning@5
displayName: 'ESRP Malware Scanning Code'
inputs:
ConnectedServiceName: '${{ parameters.ESRPConnectedServiceName }}'
AppRegistrationClientId: '${{ parameters.appRegistrationClientId }}'
AppRegistrationTenantId: '${{ parameters.appRegistrationTenantId }}'
EsrpClientId: '${{ parameters.EsrpClientId }}'
UseMSIAuthentication: true
CleanupTempStorage: 1
ConnectedServiceName: '${{ parameters.connectedServiceName }}'
AuthAKVName: '${{ parameters.akvName }}'
AuthCertName: '${{ parameters.authCertName }}'
FolderPath: '$(BUILD_OUTPUT)'
Pattern: '*.dll'
VerboseLogin: 1

- task: EsrpCodeSigning@5
displayName: 'ESRP Signing Code'
inputs:
ConnectedServiceName: '${{ parameters.ESRPConnectedServiceName }}'
AppRegistrationClientId: '${{ parameters.appRegistrationClientId }}'
AppRegistrationTenantId: '${{ parameters.appRegistrationTenantId }}'
EsrpClientId: '${{ parameters.EsrpClientId }}'
UseMSIAuthentication: true
AuthAKVName: '${{ parameters.akvName }}'
AuthCertName: '${{ parameters.authCertName }}'
AuthSignCertName: '${{ parameters.signingCertName }}'
ConnectedServiceName: '${{ parameters.connectedServiceName }}'
AuthSignCertName: '${{ parameters.AuthSignCertName }}'
FolderPath: '$(BUILD_OUTPUT)'
Pattern: '*.dll'
signConfigType: 'inlineSignParams'
@@ -102,25 +102,26 @@ steps:
- task: EsrpMalwareScanning@5
displayName: 'ESRP Malware Scanning NuGet Package'
inputs:
ConnectedServiceName: '${{ parameters.ESRPConnectedServiceName }}'
AppRegistrationClientId: '${{ parameters.appRegistrationClientId }}'
AppRegistrationTenantId: '${{ parameters.appRegistrationTenantId }}'
EsrpClientId: '${{ parameters.EsrpClientId }}'
UseMSIAuthentication: true
CleanupTempStorage: 1
ConnectedServiceName: '${{ parameters.connectedServiceName }}'
AuthAKVName: '${{ parameters.akvName }}'
AuthCertName: '${{ parameters.authCertName }}'
FolderPath: '$(ARTIFACT_PATH)'
Pattern: '*.*nupkg'
VerboseLogin: 1

- task: EsrpCodeSigning@5
displayName: 'ESRP Signing NuGet Package'
inputs:
ConnectedServiceName: '${{ parameters.ESRPConnectedServiceName }}'
AppRegistrationClientId: '${{ parameters.appRegistrationClientId }}'
AppRegistrationTenantId: '${{ parameters.appRegistrationTenantId }}'
EsrpClientId: '${{ parameters.EsrpClientId }}'
UseMSIAuthentication: true
AuthAKVName: '${{ parameters.akvName }}'
AuthCertName: '${{ parameters.authCertName }}'
AuthSignCertName: '${{ parameters.signingCertName }}'
ConnectedServiceName: '${{ parameters.connectedServiceName }}'
AuthSignCertName: '${{ parameters.AuthSignCertName }}'
FolderPath: '$(ARTIFACT_PATH)'
Pattern: '*.*nupkg'
signConfigType: 'inlineSignParams'
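Review bot: Both `EsrpCodeSigning@5` tasks still read `AuthAKVName: '${{ parameters.akvName }}'`, but this change removes the `akvName` parameter and declares `AuthAkvName` in its place; going by the section's addition and deletion counts, those two lines are unchanged context. A reference to the undeclared parameter would likely expand to an empty value, so the signing tasks would receive no Key Vault name while the declared `AuthAkvName` is never read. The line should be `AuthAKVName: '${{ parameters.AuthAkvName }}'` in both tasks. Separately, the parameter is declared as `authSignCertName` but passed and read as `AuthSignCertName`; the lookup is probably case-insensitive, but a single spelling would make the certificate flow easier to audit.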
7 changes: 1 addition & 6 deletions eng/pipelines/variables/akv-official-variables.yml
@@ -7,13 +7,8 @@
# @TODO: These seem to only really apply to official builds. Name should probably be adjusted to match.

variables:
# @TODO: Rename to something more appropriate for symbols
- group: 'akv-variables-v2'
# SigningAppRegistrationClientId
# SigningAppRegistrationTenantId
# SigningAkvName
# SigningAuthCertName
# SigningConnectedServiceName
# SigningSignCertName
# SymbolsAzureSubscription
# SymbolsPublishProjectName
# SymbolsPublishServer