ci: update ESRP code signing config (#499)

* ci: update ESRP code signing config * ci: use latest MacOS images macOS-11 is deprecated. see https://learn.microsoft.com/en-us/azure/devops/pipelines/agents/hosted?view=azure-devops&tabs=yaml#software
microsoftgraph · Aug 21, 2024 · cfde9d0 · cfde9d0
1 parent 168689c
commit cfde9d0
Showing 1 changed file with 23 additions and 8 deletions.
diff --git a/.azure-pipelines/release-cli.yaml b/.azure-pipelines/release-cli.yaml
@@ -181,14 +181,14 @@ parameters:
  # MacOS images aren't available in 1ES templates
  # https://eng.ms/docs/cloud-ai-platform/devdiv/one-engineering-system-1es/1es-docs/1es-pipeline-templates/onboarding/macos-support
  - name: Azure Pipelines
- image: macOS-11
+ image: macOS-latest
  os: macOS
  rid: osx-x64
  label: macOSx64
  jobName: MacOS-x64
 
  - name: Azure Pipelines
- image: macOS-12
+ image: macOS-latest
  os: macOS
  rid: osx-arm64
  label: macOSArm64
@@ -581,11 +581,16 @@ extends:
  inputs:
  version: 6.x
 
- - task: EsrpCodeSigning@2
+ - task: EsrpCodeSigning@5
  displayName: 'ESRP CodeSigning (Sign Build output)'
  inputs:
  # Pipeline validation can't expand service name from matrix variables
- ConnectedServiceName: "microsoftgraph ESRP CodeSign DLL and NuGet (AKV)"
+ ConnectedServiceName: 'Federated DevX ESRP Managed Identity Connection'
+ AppRegistrationClientId: '65035b7f-7357-4f29-bf25-c5ee5c3949f8'
+ AppRegistrationTenantId: 'cdc5aeea-15c5-4db6-b079-fcadd2505dc2'
+ AuthAKVName: 'akv-prod-eastus'
+ AuthCertName: 'ReferenceLibraryPrivateCert'
+ AuthSignCertName: 'ReferencePackagePublisherCertificate'
  FolderPath: $(SIGN_PATH)
  signConfigType: inlineSignParams
  UseMinimatch: true
@@ -595,11 +600,16 @@ extends:
  condition: and(succeeded(), eq(variables['SHOULD_SIGN'], 'True'))
 
  - ${{ if and(eq(variables.notarize, 'true'), startsWith(pool.rid, 'osx')) }}:
- - task: EsrpCodeSigning@2
+ - task: EsrpCodeSigning@5
  displayName: 'ESRP CodeSigning (Notarize)'
  inputs:
  # Pipeline validation can't expand service name from matrix variables
- ConnectedServiceName: "microsoftgraph ESRP CodeSign DLL and NuGet (AKV)"
+ ConnectedServiceName: 'Federated DevX ESRP Managed Identity Connection'
+ AppRegistrationClientId: '65035b7f-7357-4f29-bf25-c5ee5c3949f8'
+ AppRegistrationTenantId: 'cdc5aeea-15c5-4db6-b079-fcadd2505dc2'
+ AuthAKVName: 'akv-prod-eastus'
+ AuthCertName: 'ReferenceLibraryPrivateCert'
+ AuthSignCertName: 'ReferencePackagePublisherCertificate'
  FolderPath: $(SIGN_PATH)
  signConfigType: inlineSignParams
  UseMinimatch: true
@@ -615,11 +625,16 @@ extends:
  displayName: DotNet pack (nuget)
  condition: and(succeeded(), eq(variables['SHOULD_SIGN'], 'True'))
 
- - task: EsrpCodeSigning@2
+ - task: EsrpCodeSigning@5
  displayName: 'ESRP CodeSigning (Sign Nuget)'
  inputs:
  # Pipeline validation can't expand service name from matrix variables
- ConnectedServiceName: "microsoftgraph ESRP CodeSign DLL and NuGet (AKV)"
+ ConnectedServiceName: 'Federated DevX ESRP Managed Identity Connection'
+ AppRegistrationClientId: '65035b7f-7357-4f29-bf25-c5ee5c3949f8'
+ AppRegistrationTenantId: 'cdc5aeea-15c5-4db6-b079-fcadd2505dc2'
+ AuthAKVName: 'akv-prod-eastus'
+ AuthCertName: 'ReferenceLibraryPrivateCert'
+ AuthSignCertName: 'ReferencePackagePublisherCertificate'
  FolderPath: $(SIGN_PATH)
  signConfigType: inlineSignParams
  UseMinimatch: true