From 681302aa86e159396b316d6d160e89eaf2ed9f4f Mon Sep 17 00:00:00 2001 From: Dan Fiedler Date: Wed, 30 Oct 2024 16:11:17 -0400 Subject: [PATCH 1/2] add release stage with new signing --- Pipelines/recursive-extractor-release.yml | 312 +++++++++++----------- 1 file changed, 156 insertions(+), 156 deletions(-) diff --git a/Pipelines/recursive-extractor-release.yml b/Pipelines/recursive-extractor-release.yml index aa542b5..a7852f1 100644 --- a/Pipelines/recursive-extractor-release.yml +++ b/Pipelines/recursive-extractor-release.yml 
@@ -1,170 +1,170 @@ -# Azure Pipelines -# https://aka.ms/yaml - name: RecursiveExtractor_Release_$(SourceBranchName)_$(Date:yyyyMMdd)$(Rev:.r) -trigger: - batch: true - branches: - include: - - main - paths: - include: - - RecursiveExtractor - - RecursiveExtractor.Cli +trigger: none pr: none resources: repositories: - repository: templates type: git - name: SecurityEngineering/OSS-Tools-Pipeline-Templates - ref: refs/tags/v1.1.1 + name: Data/OSS-Tools-Pipeline-Templates + ref: refs/tags/v2.0.0 + - repository: 1esPipelines + type: git + name: 1ESPipelineTemplates/1ESPipelineTemplates + ref: refs/tags/release variables: BuildConfiguration: 'Release' DotnetVersion: '8.0.x' -stages: -- stage: Test - dependsOn: [] - jobs: - - template: dotnet-test-job.yml@templates - parameters: - jobName: 'lib_dotnet_test_windows' - dotnetVersions: ['6.0.x','7.0.x','8.0.x'] - vmImage: 'win2022-image-base' - projectPath: 'RecursiveExtractor.Tests/RecursiveExtractor.Tests.csproj' - - template: dotnet-test-job.yml@templates - parameters: - jobName: 'cli_dotnet_test_windows' - dotnetVersions: ['6.0.x','7.0.x','8.0.x'] - vmImage: 'win2022-image-base' - projectPath: 'RecursiveExtractor.Cli.Tests/RecursiveExtractor.Cli.Tests.csproj' - -- stage: SDL - dependsOn: [] - jobs: - - template: sdl-job.yml@templates - parameters: - preScan: - - template: policheck-exclusion-steps.yml@templates +extends: + template: v1/1ES.Official.PipelineTemplate.yml@1esPipelines + parameters: + pool: + name: MSSecurity-1ES-Build-Agents-Pool + image: MSSecurity-1ES-Windows-2022 + os: windows + sdl: + armory: + enabled: false + sourceRepositoriesToScan: + exclude: + - repository: 1esPipelines + - repository: templates + stages: + - stage: Test + dependsOn: [] + jobs: + - template: dotnet-test-job.yml@templates parameters: - ExcludeFolderPathStart: 'RecursiveExtractor.Tests' - policheckExclusionFile: $(Build.SourcesDirectory)/PolicheckExclusions.xml - -- stage: Build - dependsOn: - - Test - jobs: - - template: 
nuget-build-job.yml@templates - parameters: - jobName: 'pack_lib' - buildConfiguration: ${{ variables.BuildConfiguration }} - dotnetVersion: ${{ variables.DotnetVersion }} - projectPath: 'RecursiveExtractor/RecursiveExtractor.csproj' - projectName: 'RecursiveExtractor' - customPackFlags: '/p:ContinuousIntegrationBuild=true' - preBuild: - - template: nbgv-set-version-steps.yml@templates - - template: nuget-build-job.yml@templates - parameters: - jobName: 'pack_cli' - buildConfiguration: ${{ variables.BuildConfiguration }} - dotnetVersion: ${{ variables.DotnetVersion }} - projectPath: 'RecursiveExtractor.Cli/RecursiveExtractor.Cli.csproj' - projectName: 'RecursiveExtractor_CLI' - customPackFlags: '/p:ContinuousIntegrationBuild=true' - preBuild: - - template: nbgv-set-version-steps.yml@templates + jobName: 'lib_dotnet_test_windows' + dotnetVersions: ['6.0.x','7.0.x','8.0.x'] + projectPath: 'RecursiveExtractor.Tests/RecursiveExtractor.Tests.csproj' + poolName: MSSecurity-1ES-Build-Agents-Pool + poolImage: MSSecurity-1ES-Windows-2022 + poolOs: windows + - template: dotnet-test-job.yml@templates + parameters: + jobName: 'cli_dotnet_test_windows' + dotnetVersions: ['6.0.x','7.0.x','8.0.x'] + projectPath: 'RecursiveExtractor.Cli.Tests/RecursiveExtractor.Cli.Tests.csproj' + poolName: MSSecurity-1ES-Build-Agents-Pool + poolImage: MSSecurity-1ES-Windows-2022 + poolOs: windows -- stage: Release - dependsOn: - - SDL - - Build - condition: succeeded() - jobs: - - job: sign_hash_release - displayName: Code Sign, Generate Hashes, Publish Public Releases - pool: - name: 'CSPA' - demands: ImageOverride -equals win2022-image-base - steps: - - task: UseDotNet@2 # For ESRP. Do not use variable. 
- inputs: - packageType: 'sdk' - version: '6.0.x' - - template: nbgv-set-version-steps.yml@templates - - task: DownloadBuildArtifacts@0 - displayName: Download Unsigned Archives - inputs: - buildType: 'current' - downloadType: 'specific' - itemPattern: 'Unsigned_Binaries/*.zip' - downloadPath: '$(Build.BinariesDirectory)' - - task: ExtractFiles@1 - displayName: Extract Artifacts for Signing - inputs: - archiveFilePatterns: '$(Build.BinariesDirectory)\Unsigned_Binaries\*.zip' - destinationFolder: '$(Build.BinariesDirectory)' - cleanDestinationFolder: false - overwriteExistingFiles: true - - task: AntiMalware@4 - displayName: Anti-Malware Scan - inputs: - InputType: 'Basic' - ScanType: 'CustomScan' - FileDirPath: '$(Build.BinariesDirectory)' - EnableServices: true - SupportLogOnError: true - TreatSignatureUpdateFailureAs: 'Warning' - SignatureFreshness: 'UpToDate' - TreatStaleSignatureAs: 'Warning' - - task: EsrpCodeSigning@3 - displayName: Code Sign Nuget Packages - inputs: - ConnectedServiceName: 'RecursiveExtractor_CodeSign' - FolderPath: '$(Build.BinariesDirectory)' - Pattern: '*.nupkg, *.snupkg' - signConfigType: 'inlineSignParams' - inlineOperation: | - [ - { - "KeyCode" : "CP-401405", - "OperationCode" : "NuGetSign", - "Parameters" : {}, - "ToolName" : "sign", - "ToolVersion" : "1.0" - }, - { - "KeyCode" : "CP-401405", - "OperationCode" : "NuGetVerify", - "Parameters" : {}, - "ToolName" : "sign", - "ToolVersion" : "1.0" - } - ] - SessionTimeout: '60' - MaxConcurrency: '50' - MaxRetryAttempts: '5' - - powershell: 'Get-ChildItem -Path ''$(Build.BinariesDirectory)'' -Recurse CodeSign* | foreach { Remove-Item -Path $_.FullName }' - displayName: 'Delete Code Sign Summaries' - - task: PowerShell@2 - displayName: Move NuGet Packages - inputs: - targetType: 'inline' - script: | - mv $env:BUILD_BINARIESDIRECTORY/*.nupkg $env:BUILD_STAGINGDIRECTORY/ - mv $env:BUILD_BINARIESDIRECTORY/*.snupkg $env:BUILD_STAGINGDIRECTORY/ - - task: PublishPipelineArtifact@1 - displayName: 
Pipeline Publish Signed Artifacts - inputs: - targetPath: '$(Build.StagingDirectory)' - artifact: 'Signed_Binaries' - - task: NuGetCommand@2 - displayName: Publish NuGet Packages - inputs: - command: 'push' - packagesToPush: '$(Build.StagingDirectory)/*.nupkg' - nuGetFeedType: 'external' - publishFeedCredentials: 'CST-E Nuget CI' - verbosityPush: 'Normal' + - stage: Build + dependsOn: + - Test + jobs: + - template: nuget-build-job.yml@templates + parameters: + jobName: 'pack_lib' + buildConfiguration: ${{ variables.BuildConfiguration }} + dotnetVersion: ${{ variables.DotnetVersion }} + projectPath: 'RecursiveExtractor/RecursiveExtractor.csproj' + projectName: 'RecursiveExtractor' + customPackFlags: '/p:ContinuousIntegrationBuild=true' + artifactName: 'lib-archive' + preBuild: + - template: nbgv-set-version-steps.yml@templates + - template: nuget-build-job.yml@templates + parameters: + jobName: 'pack_cli' + buildConfiguration: ${{ variables.BuildConfiguration }} + dotnetVersion: ${{ variables.DotnetVersion }} + projectPath: 'RecursiveExtractor.Cli/RecursiveExtractor.Cli.csproj' + projectName: 'RecursiveExtractor_CLI' + customPackFlags: '/p:ContinuousIntegrationBuild=true' + artifactName: 'cli-archive' + preBuild: + - template: nbgv-set-version-steps.yml@templates + + - stage: Release + dependsOn: + - Build + condition: succeeded() + jobs: + - job: sign_hash_release + displayName: Code Sign, Generate Hashes, Publish Public Releases + templateContext: + outputs: + - output: pipelineArtifact + path: '$(Build.StagingDirectory)' + artifact: 'Signed_Binaries_$(System.JobId)_$(System.JobAttempt)' + steps: + - task: UseDotNet@2 + inputs: + packageType: 'sdk' + version: '6.0.x' # ESRP requires a specific version. 
+ - template: nbgv-set-version-steps.yml@templates + - task: DownloadPipelineArtifact@2 + inputs: + displayName: 'Download lib-archive' + buildType: 'current' + artifactName: 'lib-archive' + targetPath: $(Build.BinariesDirectory)\Unsigned_Binaries\ + - task: DownloadPipelineArtifact@2 + inputs: + displayName: 'Download cli-archive' + buildType: 'current' + artifactName: 'cli-archive' + targetPath: $(Build.BinariesDirectory)\Unsigned_Binaries\ + - task: ExtractFiles@1 + displayName: Extract Artifacts for Signing + inputs: + archiveFilePatterns: '$(Build.BinariesDirectory)\Unsigned_Binaries\*.zip' + destinationFolder: '$(Build.BinariesDirectory)' + cleanDestinationFolder: false + overwriteExistingFiles: true + - task: AntiMalware@4 + displayName: Anti-Malware Scan + inputs: + InputType: 'Basic' + ScanType: 'CustomScan' + FileDirPath: '$(Build.BinariesDirectory)' + EnableServices: true + SupportLogOnError: true + TreatSignatureUpdateFailureAs: 'Warning' + SignatureFreshness: 'UpToDate' + TreatStaleSignatureAs: 'Warning' + - task: EsrpCodeSigning@5 + displayName: Code Sign Nuget Packages + inputs: + ConnectedServiceName: 'oss-esrp-signing-recext-v5-connection' + AppRegistrationClientId: 'caf746ee-b288-4155-8cc0-0bedca65f230' + AppRegistrationTenantId: '33e01921-4d64-4f8c-a055-5bdaffd5e33d' + AuthAKVName: 'oss-signing-vault' + AuthCertName: 'oss-recursive-auth-cert' + AuthSignCertName: 'oss-recursive-signing-cert' + FolderPath: '$(Build.BinariesDirectory)' + Pattern: '*.nupkg, *.snupkg' + signConfigType: 'inlineSignParams' + inlineOperation: | + [ + { + "KeyCode" : "CP-401405", + "OperationCode" : "NuGetSign", + "Parameters" : {}, + "ToolName" : "sign", + "ToolVersion" : "1.0" + }, + { + "KeyCode" : "CP-401405", + "OperationCode" : "NuGetVerify", + "Parameters" : {}, + "ToolName" : "sign", + "ToolVersion" : "1.0" + } + ] + SessionTimeout: '60' + MaxConcurrency: '50' + MaxRetryAttempts: '5' + - powershell: 'Get-ChildItem -Path ''$(Build.BinariesDirectory)'' -Recurse 
CodeSign* | foreach { Remove-Item -Path $_.FullName }' + displayName: 'Delete Code Sign Summaries' + - task: PowerShell@2 + displayName: Move NuGet Packages + inputs: + targetType: 'inline' + script: | + mv $env:BUILD_BINARIESDIRECTORY/*.nupkg $env:BUILD_STAGINGDIRECTORY/ + mv $env:BUILD_BINARIESDIRECTORY/*.snupkg $env:BUILD_STAGINGDIRECTORY/ From 9977920c0fd9d2211b1c67dcd94f7caa74e47bb4 Mon Sep 17 00:00:00 2001 From: Dan Fiedler Date: Wed, 30 Oct 2024 16:11:17 -0400 Subject: [PATCH 2/2] add release stage with new signing --- Pipelines/recursive-extractor-release.yml | 111 +++++++++++++++++++--- 1 file changed, 96 insertions(+), 15 deletions(-) diff --git a/Pipelines/recursive-extractor-release.yml b/Pipelines/recursive-extractor-release.yml index ae29f5d..a7852f1 100644 --- a/Pipelines/recursive-extractor-release.yml +++ b/Pipelines/recursive-extractor-release.yml @@ -1,17 +1,4 @@ -# Azure Pipelines -# https://aka.ms/yaml - name: RecursiveExtractor_Release_$(SourceBranchName)_$(Date:yyyyMMdd)$(Rev:.r) -# trigger: -# batch: true -# branches: -# include: -# - main -# paths: -# include: -# - RecursiveExtractor -# - RecursiveExtractor.Cli -# pr: none trigger: none pr: none @@ -19,13 +6,13 @@ resources: repositories: - repository: templates type: git - name: SecurityEngineering/OSS-Tools-Pipeline-Templates + name: Data/OSS-Tools-Pipeline-Templates ref: refs/tags/v2.0.0 - repository: 1esPipelines type: git name: 1ESPipelineTemplates/1ESPipelineTemplates ref: refs/tags/release - + variables: BuildConfiguration: 'Release' DotnetVersion: '8.0.x' @@ -40,6 +27,10 @@ extends: sdl: armory: enabled: false + sourceRepositoriesToScan: + exclude: + - repository: 1esPipelines + - repository: templates stages: - stage: Test dependsOn: [] 
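Review bot: In the two new `DownloadPipelineArtifact@2` steps, `displayName` is nested under `inputs:` instead of at the task level, so it is not a recognised task input (the agent will likely log it as unexpected) and both steps will appear under the generic task name in the run log; lift it one level: `- task: DownloadPipelineArtifact@2` / `displayName: 'Download lib-archive'` / `inputs:` (and the same for cli-archive). The job is still titled `Code Sign, Generate Hashes, Publish Public Releases` although this hunk drops the `NuGetCommand@2` push and no remaining step produces hashes, so the display name should describe what the job now does (sign the packages and publish the `Signed_Binaries_*` pipeline artifact), otherwise a reader of the run will assume a public release happened. The `# ESRP requires a specific version.` comment on `UseDotNet@2` sits beside a floating `6.0.x`, so either pin the exact SDK build or reword it to say that ESRP needs the 6.0 SDK rather than the pipeline's `DotnetVersion` variable. The identical Release stage appears in the `@@ -87,3 +78,93 @@` hunk of PATCH 2/2, where the same three points apply.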
@@ -87,3 +78,93 @@ extends: artifactName: 'cli-archive' preBuild: - template: nbgv-set-version-steps.yml@templates + + - stage: Release + dependsOn: + - Build + condition: succeeded() + jobs: + - job: sign_hash_release + displayName: Code Sign, Generate Hashes, Publish Public Releases + templateContext: + outputs: + - output: pipelineArtifact + path: '$(Build.StagingDirectory)' + artifact: 'Signed_Binaries_$(System.JobId)_$(System.JobAttempt)' + steps: + - task: UseDotNet@2 + inputs: + packageType: 'sdk' + version: '6.0.x' # ESRP requires a specific version. + - template: nbgv-set-version-steps.yml@templates + - task: DownloadPipelineArtifact@2 + inputs: + displayName: 'Download lib-archive' + buildType: 'current' + artifactName: 'lib-archive' + targetPath: $(Build.BinariesDirectory)\Unsigned_Binaries\ + - task: DownloadPipelineArtifact@2 + inputs: + displayName: 'Download cli-archive' + buildType: 'current' + artifactName: 'cli-archive' + targetPath: $(Build.BinariesDirectory)\Unsigned_Binaries\ + - task: ExtractFiles@1 + displayName: Extract Artifacts for Signing + inputs: + archiveFilePatterns: '$(Build.BinariesDirectory)\Unsigned_Binaries\*.zip' + destinationFolder: '$(Build.BinariesDirectory)' + cleanDestinationFolder: false + overwriteExistingFiles: true + - task: AntiMalware@4 + displayName: Anti-Malware Scan + inputs: + InputType: 'Basic' + ScanType: 'CustomScan' + FileDirPath: '$(Build.BinariesDirectory)' + EnableServices: true + SupportLogOnError: true + TreatSignatureUpdateFailureAs: 'Warning' + SignatureFreshness: 'UpToDate' + TreatStaleSignatureAs: 'Warning' + - task: EsrpCodeSigning@5 + displayName: Code Sign Nuget Packages + inputs: + ConnectedServiceName: 'oss-esrp-signing-recext-v5-connection' + AppRegistrationClientId: 'caf746ee-b288-4155-8cc0-0bedca65f230' + AppRegistrationTenantId: '33e01921-4d64-4f8c-a055-5bdaffd5e33d' + AuthAKVName: 'oss-signing-vault' + AuthCertName: 'oss-recursive-auth-cert' + AuthSignCertName: 'oss-recursive-signing-cert' + 
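Review bot: The new `sourceRepositoriesToScan.exclude` entries in the `@@ -40,6 +27,10 @@` hunk remove both the `templates` and `1esPipelines` repositories from the 1ES SDL source scan without recording why, and a later reader will see that as an unexplained gap in coverage rather than a deliberate choice. The reason is not visible in the hunk, but if it is that those repositories are scanned by their own pipelines, a comment above `exclude:` such as `# Template repositories are scanned by their own pipelines; limit SDL source scanning to this repo.` makes the decision auditable. The enclosing `extends:` block starts outside the hunk.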
FolderPath: '$(Build.BinariesDirectory)' + Pattern: '*.nupkg, *.snupkg' + signConfigType: 'inlineSignParams' + inlineOperation: | + [ + { + "KeyCode" : "CP-401405", + "OperationCode" : "NuGetSign", + "Parameters" : {}, + "ToolName" : "sign", + "ToolVersion" : "1.0" + }, + { + "KeyCode" : "CP-401405", + "OperationCode" : "NuGetVerify", + "Parameters" : {}, + "ToolName" : "sign", + "ToolVersion" : "1.0" + } + ] + SessionTimeout: '60' + MaxConcurrency: '50' + MaxRetryAttempts: '5' + - powershell: 'Get-ChildItem -Path ''$(Build.BinariesDirectory)'' -Recurse CodeSign* | foreach { Remove-Item -Path $_.FullName }' + displayName: 'Delete Code Sign Summaries' + - task: PowerShell@2 + displayName: Move NuGet Packages + inputs: + targetType: 'inline' + script: | + mv $env:BUILD_BINARIESDIRECTORY/*.nupkg $env:BUILD_STAGINGDIRECTORY/ + mv $env:BUILD_BINARIESDIRECTORY/*.snupkg $env:BUILD_STAGINGDIRECTORY/