Move Linux to Esrp signing (#14210)

2024-11-27 11:56:14 +08:00 · 2020-11-23 14:50:00 -08:00 · 2020-11-23 14:50:00 -08:00 · e02fce2d12
commit e02fce2d12
parent 4f3d0a650f
2 changed files with 47 additions and 34 deletions
--- a/tools/releaseBuild/azureDevOps/templates/insert-nuget-config-azfeed.yml
+++ b/tools/releaseBuild/azureDevOps/templates/insert-nuget-config-azfeed.yml
@ -1,9 +1,9 @@
 steps:
 - powershell: |
-      Import-Module $(Build.SourcesDirectory)/build.psm1 -Force
-      New-NugetConfigFile -NugetFeedUrl $(AzDevOpsFeed) -UserName $(AzDevOpsFeedUserName) -ClearTextPAT $(AzDevOpsFeedPAT) -FeedName AzDevOpsFeed -Destination $(Build.SourcesDirectory)/src/Modules
+      Import-Module $env:REPOROOT/build.psm1 -Force
+      New-NugetConfigFile -NugetFeedUrl $(AzDevOpsFeed) -UserName $(AzDevOpsFeedUserName) -ClearTextPAT $(AzDevOpsFeedPAT) -FeedName AzDevOpsFeed -Destination $env:REPOROOT/src/Modules

-      if(-not (Test-Path "$(Build.SourcesDirectory)/src/Modules/nuget.config"))
+      if(-not (Test-Path "$env:REPOROOT/src/Modules/nuget.config"))
      {
          throw "nuget.config is not created"
      }
--- a/tools/releaseBuild/azureDevOps/templates/linux.yml
+++ b/tools/releaseBuild/azureDevOps/templates/linux.yml
@ -7,11 +7,16 @@ jobs:
 - job: build_${{ parameters.buildName }}
  displayName: Build ${{ parameters.buildName }}
  condition: succeeded()
-  pool: Hosted Ubuntu 1604
+  pool:
+    vmImage: ubuntu-16.04
  dependsOn: ${{ parameters.parentJob }}
  variables:
-    build: ${{ parameters.buildName }}
-    runCodesignValidationInjection: false
+    - name: runCodesignValidationInjection
+      value: false
+    - name: build
+      value: ${{ parameters.buildName }}
+    - group: ESRP
+
  steps:
  - checkout: self
    clean: true
@ -37,13 +42,13 @@ jobs:


  - powershell: |
-      import-module ./build.psm1
+      import-module "$env:REPOROOT/build.psm1"
      Sync-PSTags -AddRemoteIfMissing
    displayName: SyncTags
    condition: and(succeeded(), ne(variables['SkipBuild'], 'true'))

  - powershell: |
-      tools/releaseBuild/vstsbuild.ps1 -ReleaseTag $(ReleaseTagVar) -Name '$(build)'
+      & "$env:REPOROOT/tools/releaseBuild/vstsbuild.ps1" -ReleaseTag $(ReleaseTagVar) -Name '$(build)'

    displayName: 'Build and package'
    condition: and(succeeded(), ne(variables['SkipBuild'], 'true'))
@ -52,10 +57,19 @@ jobs:
  displayName: ${{ parameters.uploadDisplayName }} ${{ parameters.buildName }}
  dependsOn: build_${{ parameters.buildName }}
  condition: succeeded()
-  pool: Package ES Standard Build
+  pool:
+    vmImage: windows-latest
  variables:
-    buildName: ${{ parameters.buildName }}
+    - name: buildName
+      value: ${{ parameters.buildName }}
+    - group: ESRP
+
  steps:
+  - checkout: self
+    clean: true
+
+  - checkout: ComplianceRepo
+    clean: true

  - template: shouldSign.yml

@ -86,32 +100,29 @@ jobs:
      downloadPath: '$(System.ArtifactsDirectory)\rpm'
    condition: and(eq(variables['buildName'], 'RPM'),succeeded())

-  - task: securedevelopmentteam.vss-secure-development-tools.build-task-antimalware.AntiMalware@3
-    displayName: 'Run Defender Scan'
-
-  - powershell: |
-      $authenticodefiles = @()
-      Get-ChildItem -Path '$(System.ArtifactsDirectory)\rpm\*.rpm' -recurse | ForEach-Object { $authenticodefiles += $_.FullName}
-      tools/releaseBuild/generatePackgeSigning.ps1 -LinuxFiles $authenticodeFiles -path "$(System.ArtifactsDirectory)\package.xml"
-    displayName: 'Generate RPM Signing Xml'
-    condition: and(and(succeeded(), eq(variables['SHOULD_SIGN'], 'true')),eq(variables['buildName'], 'RPM'))
-
-  - powershell: |
-      Get-Content "$(System.ArtifactsDirectory)\package.xml"
-    displayName: 'Capture RPM signing xml'
-    condition: and(and(succeeded(), eq(variables['SHOULD_SIGN'], 'true')),eq(variables['buildName'], 'RPM'))
-
-  - task: PkgESCodeSign@10
-    displayName: 'CodeSign RPM $(System.ArtifactsDirectory)\package.xml'
-    env:
-      SYSTEM_ACCESSTOKEN: $(System.AccessToken)
+  - task: SFP.build-tasks.custom-build-task-2.EsrpMalwareScanning@1
+    displayName: 'Malware Scanning'
    inputs:
-      signConfigXml: '$(System.ArtifactsDirectory)\package.xml'
-      outPathRoot: '$(Build.StagingDirectory)\signedPackages'
-      binVersion: $(SigingVersion)
-      binVersionOverride: $(SigningVersionOverride)
-    condition: and(and(succeeded(), eq(variables['SHOULD_SIGN'], 'true')),eq(variables['buildName'], 'RPM'))
+      ConnectedServiceName: pwshEsrpScanning
+      FolderPath: $(System.ArtifactsDirectory)
+      Pattern: |
+        **\*.rpm
+        **\*.deb
+        **\*.tar.gz
+      UseMinimatch: true
+      SessionTimeout: 30

+  - ${{ if eq(variables['buildName'], 'RPM') }}:
+    - template: EsrpSign.yml@ComplianceRepo
+      parameters:
+          buildOutputPath: $(System.ArtifactsDirectory)\rpm
+          signOutputPath: $(Build.StagingDirectory)\signedPackages
+          certificateId: "CP-450779-Pgp"
+          pattern: |
+            **\*.rpm
+          useMinimatch: true
+
+  # requires windows
  - task: AzureFileCopy@4
    displayName: 'Upload to Azure - DEB and tar.gz'
    inputs:
@ -125,6 +136,7 @@ jobs:
    parameters:
      artifactPath: $(System.ArtifactsDirectory)\finished\release

+  # requires windows
  - task: AzureFileCopy@4
    displayName: 'Upload to Azure - RPM - Unsigned'
    inputs:
@ -135,6 +147,7 @@ jobs:
      ContainerName: '$(AzureVersion)'
    condition: and(and(succeeded(), ne(variables['SHOULD_SIGN'], 'true')),eq(variables['buildName'], 'RPM'))

+  # requires windows
  - task: AzureFileCopy@4
    displayName: 'Upload to Azure - RPM - Signed'
    inputs: