From 0f945f1f82f0dc29d48179343dc11df866a43790 Mon Sep 17 00:00:00 2001
From: Karl Burtram
Date: Fri, 19 Jul 2024 18:16:41 -0700
Subject: [PATCH] Revert "Removing signing references from PR pipeline (#2363)"
This reverts commit 056dddb534d668fecc95bd5aab0b90dda82ba054.
---
 azure-pipelines/build-and-release.yml | 28 ++++-
 azure-pipelines/build.yml | 161 ++++++++++++++++++++++++++
 2 files changed, 188 insertions(+), 1 deletion(-)
diff --git a/azure-pipelines/build-and-release.yml b/azure-pipelines/build-and-release.yml
index 4df31288e8..1afc2763d4 100644
--- a/azure-pipelines/build-and-release.yml
+++ b/azure-pipelines/build-and-release.yml
@@ -32,4 +32,30 @@ stages:
 - ImageOverride -equals ADS-Windows_Image
 steps:
 - template: build.yml
- timeoutInMinutes: 90
\ No newline at end of file
+ timeoutInMinutes: 150 # temporary while investigating timeout occurring in STS Product Build pipeline; should return to 90 after
+
+ # In order to run on arm64 macOS the executables must be at least self-signed, but dotnet publish step only does it when publishing on macOS.
+ # More information: https://github.com/dotnet/runtime/issues/49091
+ - job: CodeSign_osx_arm64_executables
+ pool:
+ vmImage: 'macos-latest'
+ dependsOn:
+ - Build
+ steps:
+ - template: osx-arm64-signing.yml
+
+- stage: Release
+ variables:
+ - name: skipComponentGovernanceDetection
+ value: true
+ dependsOn:
+ - Build
+ condition: and(succeeded(), eq(variables['RELEASE'], 'true'))
+ pool:
+ name: 'ads-build-1es-hosted-pool'
+ demands:
+ - ImageOverride -equals ADS-Linux_Image
+ jobs:
+ - job: Release
+ steps:
+ - template: release.yml
diff --git a/azure-pipelines/build.yml b/azure-pipelines/build.yml
index 702b200443..bc896bb48e 100644
--- a/azure-pipelines/build.yml
+++ b/azure-pipelines/build.yml
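Review bot: In build-and-release.yml the new `CodeSign_osx_arm64_executables` job runs on `vmImage: 'macos-latest'`, a floating image label, so the toolchain that signs the arm64 executables can change without any change in this repository. Pinning a versioned image, for example `vmImage: 'macos-14'`, would keep the signing environment reproducible and make image upgrades an explicit, reviewable change. The restored `timeoutInMinutes: 150` is described by its own comment as temporary, so it is worth confirming that the revert is meant to bring it back rather than keep 90. The Release stage is gated only on `eq(variables['RELEASE'], 'true')`; where that variable is defined is not visible in this hunk, and if it can be set at queue time a source-branch check next to it would narrow who can start a release.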
@@ -161,6 +161,139 @@ steps:
 verbose: false
 customCommand: 'install -g gulp-cli'

+- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
+ displayName: 'ESRP CodeSigning - SNK only'
+ inputs:
+ ConnectedServiceName: 'Code Signing'
+ FolderPath: '$(Build.SourcesDirectory)/artifacts/publish/Microsoft.SqlTools.ServiceLayer/default/net472/'
+ Pattern: 'Microsoft.SqlTools.ManagedBatchParser.dll'
+ signConfigType: inlineSignParams
+ inlineOperation: |
+ [
+ {
+ "KeyCode" : "CP-235847-SN",
+ "operationSetCode" : "StrongNameSign",
+ "Parameters" : [],
+ "ToolName" : "sign",
+ "ToolVersion" : "1.0"
+ },
+ {
+ "KeyCode" : "CP-235847-SN",
+ "operationSetCode" : "StrongNameVerify",
+ "Parameters" : [],
+ "ToolName" : "sign",
+ "ToolVersion" : "1.0"
+ }
+ ]
+ SessionTimeout: 600
+ MaxConcurrency: 5
+
+- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
+ displayName: 'ESRP CodeSigning - sha256 only'
+ inputs:
+ ConnectedServiceName: 'Code Signing'
+ FolderPath: '$(Build.SourcesDirectory)/artifacts/publish'
+ Pattern: 'Microsoft.SqlTools.ManagedBatchParser.dll,MicrosoftSqlToolsCredentials.exe,MicrosoftSqlToolsServiceLayer.exe,SqlSerializationService.exe,SqlToolsResourceProviderService.exe,Microsoft.SqlTools.Hosting.dll,Microsoft.SqlTools.ResourceProvider.Core.dll,Microsoft.SqlTools.ResourceProvider.DefaultImpl.dll,MicrosoftSqlToolsCredentials.dll,MicrosoftSqlToolsServiceLayer.dll,Newtonsoft.Json.dll,SqlSerializationService.dll,SqlToolsResourceProviderService.dll,System.Data.SqlClient.dll,System.Net.Sockets.dll,MicrosoftSqlToolsMigration.exe,MicrosoftSqlToolsMigration.dll,Microsoft.SqlTools.SqlCore.dll,Microsoft.SqlTools.Authentication.dll,MicrosoftKustoServiceLayer.dll,MicrosoftKustoServiceLayer.exe,MicrosoftKustoServiceLayer.resources.dll,MicrosoftSqlTools*.resources.dll,Microsoft.SqlTools*.resources.dll'
+ signConfigType: inlineSignParams
+ inlineOperation: |
+ [
+ {
+ "keyCode": "CP-230012",
+ "operationSetCode": "SigntoolSign",
+ "parameters": [
+ {
+ "parameterName": "OpusName",
+ "parameterValue": "SQL Tools Service"
+ },
+ {
+ "parameterName": "OpusInfo",
+ "parameterValue": "https://github.com/microsoft/sqltoolsservice"
+ },
+ {
+ "parameterName": "PageHash",
+ "parameterValue": "/NPH"
+ },
+ {
+ "parameterName": "FileDigest",
+ "parameterValue": "/fd sha256"
+ },
+ {
+ "parameterName": "TimeStamp",
+ "parameterValue": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256"
+ }
+ ],
+ "toolName": "signtool.exe",
+ "toolVersion": "6.2.9304.0"
+ },
+ {
+ "keyCode": "CP-230012",
+ "operationSetCode": "SigntoolVerify",
+ "parameters": [
+ {
+ "parameterName": "VerifyAll",
+ "parameterValue": "/all"
+ }
+ ],
+ "toolName": "signtool.exe",
+ "toolVersion": "6.2.9304.0"
+ }
+ ]
+ SessionTimeout: 600
+ MaxConcurrency: 5
+
+- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
+ displayName: 'ESRP SqlCore CodeSigning - sha256 only'
+ inputs:
+ ConnectedServiceName: 'Code Signing'
+ FolderPath: '$(Build.SourcesDirectory)/src/Microsoft.SqlTools.SqlCore/bin/$(buildConfiguration)'
+ Pattern: 'Microsoft.SqlTools.*.dll'
+ signConfigType: inlineSignParams
+ inlineOperation: |
+ [
+ {
+ "keyCode": "CP-230012",
+ "operationSetCode": "SigntoolSign",
+ "parameters": [
+ {
+ "parameterName": "OpusName",
+ "parameterValue": "SQL Tools Service"
+ },
+ {
+ "parameterName": "OpusInfo",
+ "parameterValue": "https://github.com/microsoft/sqltoolsservice"
+ },
+ {
+ "parameterName": "PageHash",
+ "parameterValue": "/NPH"
+ },
+ {
+ "parameterName": "FileDigest",
+ "parameterValue": "/fd sha256"
+ },
+ {
+ "parameterName": "TimeStamp",
+ "parameterValue": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256"
+ }
+ ],
+ "toolName": "signtool.exe",
+ "toolVersion": "6.2.9304.0"
+ },
+ {
+ "keyCode": "CP-230012",
+ "operationSetCode": "SigntoolVerify",
+ "parameters": [
+ {
+ "parameterName": "VerifyAll",
+ "parameterValue": "/all"
+ }
+ ],
+ "toolName": "signtool.exe",
+ "toolVersion": "6.2.9304.0"
+ }
+ ]
+ SessionTimeout: 600
+ MaxConcurrency: 5
+
 - task: DotNetCoreCLI@2
 displayName: 'dotnet pack sqlcore'
 inputs:
@@ -182,6 +315,34 @@ steps:
 filename: build.cmd
 arguments: "-target=dotnetpackservicetools -mono"

+- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
+ displayName: 'ESRP Code Signing - Nuget Package'
+ inputs:
+ ConnectedServiceName: 'Code Signing'
+ FolderPath: '$(Build.SourcesDirectory)/artifacts/nugetPackages'
+ Pattern: '*.nupkg'
+ signConfigType: 'inlineSignParams'
+ inlineOperation: |
+ [
+ {
+ "keyCode": "CP-401405",
+ "operationSetCode": "NuGetSign",
+ "parameters": [ ],
+ "toolName": "sign",
+ "toolVersion": "1.0"
+ },
+ {
+ "keyCode": "CP-401405",
+ "operationSetCode": "NuGetVerify",
+ "parameters": [ ],
+ "toolName": "sign",
+ "toolVersion": "1.0"
+ }
+ ]
+ SessionTimeout: '60'
+ MaxConcurrency: '50'
+ MaxRetryAttempts: '5'
+
 - ${{ each project in parameters.projects }}:
 - ${{ each platform in parameters.platforms }}:
 - task: ArchiveFiles@1
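Review bot: The three `EsrpCodeSigning@1` tasks restored in the first build.yml hunk have no `condition:`, so every pipeline that includes this template sends its build output to the 'Code Signing' service connection. The title of the reverted commit suggests the template is also used for pull-request validation; if so, a guard such as `condition: and(succeeded(), ne(variables['Build.Reason'], 'PullRequest'))` on each signing task keeps unreviewed PR content from being signed under the production key codes. The NuGet signing task in the following hunk needs the same guard. Separately, the second task's `Pattern` includes `Newtonsoft.Json.dll`, `System.Data.SqlClient.dll` and `System.Net.Sockets.dll`, which look like third-party or framework assemblies, and the third task's `Microsoft.SqlTools.*.dll` wildcard signs whatever matches in the bin folder; it is worth confirming both are intended under the first-party key code.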
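Review bot: The NuGet signing task in the second build.yml hunk quotes its scalar inputs (`signConfigType: 'inlineSignParams'`, `SessionTimeout: '60'`, `MaxConcurrency: '50'`) while the three signing tasks in the previous hunk use bare values (`signConfigType: inlineSignParams`, `SessionTimeout: 600`, `MaxConcurrency: 5`); using one form throughout the file makes the tasks easier to compare. It is also the only signing task that sets `MaxRetryAttempts`, and nothing says whether the others rely on a default deliberately. If the placement after the pack step is intentional, a comment above the task such as `# Sign packages after packing so each .nupkg wraps assemblies that were already signed above` would keep a later reorder from silently shipping a signed package around unsigned binaries.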