ESRP codesign master branch

CodeSign.targets

@@ -0,0 +1,99 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+
+	<UsingTask TaskName="ESRPSignTask" AssemblyFile="$(CISignRepoPath)\tools\sdkbuildtools\tasks\MS.Az.Sdk.OnPremise.Build.Tasks.dll" />
+
+	<PropertyGroup>
+		<!-- CISignRepo is an environment variable that points to ci-signing repo clone -->
+		<CISignRepoPath>$(CISignRepo)</CISignRepoPath>
+	</PropertyGroup>
+
+	<Target Name="CodeSignBinaries" DependsOnTargets="RestoreNugetPackages;BuildMsBuildTask">
+
+		<Message Text="====> Executing CodeSignBinaries Target..." Importance="high"/>
+
+		<PropertyGroup>
+			<!--public token associated with MSSharedLibKey.snk-->
+			<StrongNameToken Condition=" '$(StrongNameToken)' == '' ">31bf3856ad364e35</StrongNameToken>
+		</PropertyGroup>
+
+		<Message Text="----> Dlls signing section" Importance="high"/>
+
+		 <!-- Azure -->
+		<ItemGroup Condition="'$(Scope)' == 'All' or '$(Scope)' == 'Latest' or '$(Scope)' == 'Netcore'">
+			<DelaySignedAssembliesToSign Include="$(PackageDirectory)\$(Configuration)\**\Microsoft*Azure*PowerShell*Cmdlets*.dll" />
+			<DelaySignedAssembliesToSign Include="$(PackageDirectory)\$(Configuration)\**\Microsoft.Azure.Management.Sql.Legacy.dll" />
+		</ItemGroup>
+
+		<Message Importance="high" Text="$(PackageDirectory)\$(Configuration) does not contains any files to sign. Code sign will skip."
+			Condition="'@(DelaySignedAssembliesToSign)' == ''" />
+
+		<ESRPSignTask
+			CopyBackSignedFilesToOriginalLocation="true"
+			UnsignedFileList="@(DelaySignedAssembliesToSign)"
+			SignLogDirPath="$(LibraryRoot)dlls-signing.log" 
+			Condition="!$(DelaySign) and '@(DelaySignedAssembliesToSign)' != ''"/>
+
+		<Exec Command="$(PowerShellCommandPrefix) &quot;. $(LibraryToolsFolder)\UpdateModules.ps1 -BuildConfig $(Configuration) -Scope $(Scope) &quot;" />
+
+		<!-- Copying shortcut to be signed -->
+		<Copy SourceFiles="$(LibraryRoot)tools\Az\Az.psm1" DestinationFolder="$(PackageDirectory)\$(Configuration)" Condition="'$(Scope)' == 'Netcore'" />
+
+		<Message Text="----> Scripts signing section" Importance="high"/>
+
+		 <!-- Azure -->
+		<ItemGroup Condition="'$(Scope)' == 'All' or '$(Scope)' == 'Latest' or '$(Scope)' == 'Netcore'">
+			<ScriptsToSign Include="$(PackageDirectory)\$(Configuration)\**\*.ps1" />
+			<ScriptsToSign Include="$(PackageDirectory)\$(Configuration)\**\*.psm1" />
+			<ScriptsToSign Include="$(PackageDirectory)\$(Configuration)\**\*.ps1xml" />
+			<ScriptsToSign Include="$(PackageDirectory)\$(Configuration)\**\*.js" />
+		</ItemGroup>
+
+		<ESRPSignTask
+			CopyBackSignedFilesToOriginalLocation="true"
+			UnsignedFileList="@(ScriptsToSign)"
+			SignLogDirPath="$(LibraryRoot)scripts-signing.log" 
+			Condition="!$(DelaySign) and '@(ScriptsToSign)' != ''"/>			
+
+		<!-- RemoveCodeSignArtifacts.ps1 -->
+		<Message Text="----> Remove artifacts section" Importance="high"/>		
+		<Exec Command="$(PowerShellCommandPrefix) &quot;. $(LibraryToolsFolder)\RemoveCodeSignArtifacts.ps1 -Path $(PackageDirectory)\$(Configuration) &quot;"
+			Condition="'$(Scope)' != 'Stack'"
+			ContinueOnError="ErrorAndContinue" />
+
+		<!-- CheckSignature.ps1 -->	
+		<Message Text="----> CheckSignature section" Importance="high"/>		
+		<Exec Command="$(PowerShellCommandPrefix) &quot;. $(LibraryToolsFolder)\CheckSignature.ps1 -CustomPath $(PackageDirectory)\$(Configuration) &quot;" Condition="'$(Scope)' != 'Stack'" ContinueOnError="ErrorAndContinue" />
+
+		<!-- Copy files back after signing -->
+		<Copy SourceFiles="$(PackageDirectory)\$(Configuration)\Az.psm1" DestinationFolder="$(LibraryRoot)tools\Az" Condition="'$(Scope)' == 'Netcore'" />
+	</Target>
+
+	<Target Name="CodeSignInstaller">
+		<Message Text="----> CodeSignInstaller section" Importance="high"/>
+		<PropertyGroup>
+			<!--public token associated with MSSharedLibKey.snk-->
+			<StrongNameToken Condition=" '$(StrongNameToken)' == '' ">31bf3856ad364e35</StrongNameToken>
+		</PropertyGroup>
+		<GetFrameworkSdkPath>
+			<Output TaskParameter="Path" PropertyName="WindowsSdkPath"/>
+		</GetFrameworkSdkPath>
+
+		<ItemGroup>
+			<InstallersToSign Include="$(LibraryRoot)\setup\*.msi" />
+		</ItemGroup>
+
+		<Message Importance="high" Text="$(LibraryRoot)\setup does not contain any installers to sign. Code sign will skip."
+			Condition="'@(InstallersToSign)' == ''" />
+
+		<ESRPSignTask
+			SignedFilesRootDirPath="$(SignedOutputRootDir)"
+			UnsignedFileList="@(InstallersToSign)"
+			SignLogDirPath="$(LibraryRoot)\msi-signing.log" 
+			Condition="!$(DelaySign) and '@(InstallersToSign)' != ''"/>
+
+		<!--If we are testing locally then we copy the binaries and do not submit to the code sign server-->
+		<Copy SourceFiles="@(InstallersToSign)" DestinationFolder="signed" Condition="$(DelaySign)" />
+		<SetEnvVar EnvName="SignedMsiDir" EnvValue="$(SignedOutputRootDir)" />
+	</Target>
+</Project>

build.proj

@@ -51,7 +51,7 @@
     <LocalFeedFolder>$(LibraryToolsFolder)\LocalFeed</LocalFeedFolder>
     <PublishDirectory>$(LibrarySourceFolder)\Publish</PublishDirectory>
     <Configuration Condition=" '$(Configuration)' != 'Release'">Debug</Configuration>
-    <CodeSign Condition=" '$(CodeSign)' == '' ">false</CodeSign>
+    <CodeSign>false</CodeSign>
     <!--Set this true only if you want to test the code sign workflow locally-->
     <DelaySign Condition =" '$(DelaySign)' == '' ">false</DelaySign>
     <SignedOutputRootDir>$(LibraryRoot)signed</SignedOutputRootDir>
@@ -121,9 +121,9 @@
     <OnPremiseBuild Condition=" ! Exists($(OnPremiseBuildTasks)) ">false</OnPremiseBuild>
   </PropertyGroup>
 
-  <UsingTask Condition=" $(OnPremiseBuild) " TaskName="CodeSigningTask" AssemblyFile="$(CIToolsPath)\Microsoft.WindowsAzure.Tools.Build.Tasks.OnPremise.dll" />
   <UsingTask Condition=" $(OnPremiseBuild) " TaskName="CorporateValidation" AssemblyFile="$(CIToolsPath)\Microsoft.WindowsAzure.Tools.Build.Tasks.OnPremise.dll" />
   <Import Condition=" $(OnPremiseBuild) " Project="$(CIToolsPath)\Microsoft.WindowsAzure.Build.OnPremise.msbuild" />
+  <Import Project="CodeSign.targets"/>
 
   <UsingTask AssemblyFile="$(MSBuildProjectDirectory)\packages\xunit.runner.msbuild.2.1.0\build\portable-net45+win8+wp8+wpa81\xunit.runner.msbuild.dll" TaskName="Xunit.Runner.MSBuild.xunit" />
 
@@ -291,7 +291,7 @@
     <CallTarget Targets="RunPoliCheck" Condition="'$(OnPremiseBuild)'" />
 
     <CallTarget Targets="CodeSignBinaries" Condition="'$(CodeSign)' == 'true'" />
-
+	
     <Exec ContinueOnError="false" Command="$(PowerShellCoreCommandPrefix) &quot;. $(LibraryToolsFolder)\NewOutputTypeIndex.ps1 -OutputFile $(PackageDirectory)\outputtypes.json -BuildConfig $(Configuration)&quot;" Condition="('$(Scope)' == 'All' or '$(Scope)' == 'Latest') and $(CodeSign) == 'true'" />
 
     <Message Importance="high" Text="Running Static Analyser" />
@@ -310,118 +310,13 @@
     <MSBuild Projects="@(LocalBuildTasks)" Targets="Build" Properties="Configuration=$(Configuration);Platform=Any CPU" />
   </Target>
 
-  <Target Name="CodeSignBinaries" DependsOnTargets="RestoreNugetPackages;BuildMsBuildTask">
-    <PropertyGroup>
-      <!--public token associated with MSSharedLibKey.snk-->
-      <StrongNameToken Condition=" '$(StrongNameToken)' == '' ">31bf3856ad364e35</StrongNameToken>
-    </PropertyGroup>
-    <GetFrameworkSdkPath>
-      <Output TaskParameter="Path" PropertyName="WindowsSdkPath" />
-    </GetFrameworkSdkPath>
-
-    <!-- Azure -->
-    <ItemGroup Condition="'$(Scope)' == 'All' or '$(Scope)' == 'Latest' or '$(Scope)' == 'Netcore'">
-      <DelaySignedAssembliesToSign Include="$(PackageDirectory)\$(Configuration)\**\Microsoft*Azure*PowerShell*Cmdlets*.dll" />
-      <DelaySignedAssembliesToSign Include="$(PackageDirectory)\$(Configuration)\**\Microsoft.Azure.Management.Sql.Legacy.dll" />
-    </ItemGroup>
-
-    <Message Importance="high" Text="$(PackageDirectory)\$(Configuration) does not contains any files to sign. Code sign will skip." Condition="'@(DelaySignedAssembliesToSign)' == ''" />
-
-    <ValidateStrongNameSignatureTask
-      WindowsSdkPath="$(WindowsSdkPath)"
-      Assembly="%(DelaySignedAssembliesToSign.Identity)"
-      ExpectedTokenSignature="$(StrongNameToken)"
-      ExpectedDelaySigned="true"
-      ContinueOnError="false"
-      Condition="'@(DelaySignedAssembliesToSign)' != ''" />
-
-    <CodeSigningTask
-      Description="Microsoft Azure PowerShell"
-      Keywords="Microsoft Azure PowerShell"
-      UnsignedFiles="@(DelaySignedAssembliesToSign)"
-      DestinationPath="$(LibrarySourceFolder)"
-      BasePath="$(LibrarySourceFolder)"
-      Certificates="72, 400"
-      SigningLogPath="$(LibraryRoot)\signing.log"
-      ToolsPath="$(CIToolsPath)"
-      Condition="!$(DelaySign) and '@(DelaySignedAssembliesToSign)' != ''" />
-
-    <ValidateStrongNameSignatureTask
-        WindowsSdkPath="$(WindowsSdkPath)"
-        Assembly="%(DelaySignedAssembliesToSign.Identity)"
-        ExpectedTokenSignature="$(StrongNameToken)"
-        ExpectedDelaySigned="false"
-        ContinueOnError="false"
-        Condition="!$(DelaySign) and '@(DelaySignedAssembliesToSign)' != ''" />
-
-    <Exec Command="$(PowerShellCommandPrefix) &quot;. $(LibraryToolsFolder)\UpdateModules.ps1 -BuildConfig $(Configuration) -Scope $(Scope) &quot;" />
-
-    <!-- Copying shortcut to be signed -->
-    <Copy SourceFiles="$(LibraryRoot)tools\Az\Az.psm1" DestinationFolder="$(PackageDirectory)\$(Configuration)" Condition="'$(Scope)' == 'Netcore'" />
-
-    <!-- Azure -->
-    <ItemGroup Condition="'$(Scope)' == 'All' or '$(Scope)' == 'Latest' or '$(Scope)' == 'Netcore'">
-      <ScriptsToSign Include="$(PackageDirectory)\$(Configuration)\**\*.ps1" />
-      <ScriptsToSign Include="$(PackageDirectory)\$(Configuration)\**\*.psm1" />
-      <ScriptsToSign Include="$(PackageDirectory)\$(Configuration)\**\*.ps1xml" />
-      <ScriptsToSign Include="$(PackageDirectory)\$(Configuration)\**\*.js" />
-    </ItemGroup>
-
-    <CodeSigningTask
-      Description="Microsoft Azure PowerShell"
-      Keywords="Microsoft Azure PowerShell"
-      UnsignedFiles="@(ScriptsToSign)"
-      DestinationPath="$(LibrarySourceFolder)"
-      BasePath="$(LibrarySourceFolder)"
-      Certificates="400"
-      SigningLogPath="$(LibraryRoot)\signing-scripts.log"
-      ToolsPath="$(CIToolsPath)"
-      Condition="!$(DelaySign) and '@(ScriptsToSign)' != ''" />
-
-    <Exec Command="$(PowerShellCommandPrefix) &quot;. $(LibraryToolsFolder)\CheckSignature.ps1 -CustomPath $(PackageDirectory)\$(Configuration) &quot;" Condition="'$(Scope)' != 'Stack'" ContinueOnError="ErrorAndContinue" />
-
-    <!-- Copy files back after signing -->
-    <Copy SourceFiles="$(PackageDirectory)\$(Configuration)\Az.psm1" DestinationFolder="$(LibraryRoot)tools\Az" Condition="'$(Scope)' == 'Netcore'" />
-  </Target>
-
-  <Target Name="BuildInstaller" Condition="'$(Scope)' == 'All' or '$(Scope)' == 'Latest' or '$(Scope)' == 'Netcore'">
+  <Target Name="BuildInstaller" Condition="'$(Scope)' == 'All' or '$(Scope)' == 'Latest'">
     <Exec Command="$(PowerShellCommandPrefix) &quot;. Register-PSRepository -Name MSIcreationrepository -SourceLocation $(PackageDirectory) -InstallationPolicy Trusted &quot; " />
     <Exec Command="$(PowerShellCommandPrefix) &quot;. $(LibraryRoot)\setup\generate.ps1 -repository MSIcreationrepository &quot; " />
     <Exec Command="$(PowerShellCommandPrefix) &quot;. Unregister-PSRepository -Name MSIcreationrepository &quot; " />
     <CallTarget Targets="CodeSignInstaller" Condition=" '$(CodeSign)' == 'true'" />
   </Target>
 
-  <Target Name="CodeSignInstaller">
-    <PropertyGroup>
-      <!--public token associated with MSSharedLibKey.snk-->
-      <StrongNameToken Condition=" '$(StrongNameToken)' == '' ">31bf3856ad364e35</StrongNameToken>
-    </PropertyGroup>
-    <GetFrameworkSdkPath>
-      <Output TaskParameter="Path" PropertyName="WindowsSdkPath" />
-    </GetFrameworkSdkPath>
-
-    <ItemGroup>
-      <InstallersToSign Include="$(LibraryRoot)\setup\*.msi" />
-    </ItemGroup>
-
-    <Message Importance="high" Text="$(LibraryRoot)\setup does not contain any installers to sign. Code sign will skip."
-             Condition="'@(InstallersToSign)' == ''" />
-
-    <CodeSigningTask
-      Description="Microsoft Azure PowerShell"
-      Keywords="Microsoft Azure PowerShell"
-      UnsignedFiles="@(InstallersToSign)"
-      DestinationPath="$(SignedOutputRootDir)"
-      SigningLogPath="$(LibraryRoot)\msi-signing.log"
-      Certificates="402"
-      ToolsPath="$(CIToolsPath)"
-      Condition="!$(DelaySign) and '@(InstallersToSign)' != ''" />
-
-    <!--If we are testing locally then we copy the binaries and do not submit to the code sign server-->
-    <Copy SourceFiles="@(InstallersToSign)" DestinationFolder="signed" Condition="$(DelaySign)" />
-    <SetEnvVar EnvName="SignedMsiDir" EnvValue="$(SignedOutputRootDir)" />
-  </Target>
-
   <!-- Run Validation -->
   <Target Name="DependencyAnalysis" Condition="'$(SkipDependencyAnalysis)' == 'false'">
     <Message Importance="high" Text="Running dependency analysis..." />

tools/RemoveCodeSignArtifacts.ps1

@@ -0,0 +1,32 @@
+param(
+    [Parameter(Position=0)]
+    [string]$Path
+)
+
+if ($Path -eq $null) {
+    $Path=$PSScriptRoot
+} else {
+    $Path = Resolve-Path $Path
+}
+
+Write-Output "Under the'$Path' folder"
+
+"Signed","Unsigned" | ForEach-Object {
+    Write-Output "'$_' artifacts deletion..."
+    $foldersToDelete = Get-ChildItem  -Path $Path -filter $_ -Directory -Recurse
+    $itemsQnty = $foldersToDelete.Count
+    Write-Output "Number of folders found: $itemsQnty"
+    if ($itemsQnty -gt 0) {
+        Write-Output "Folders list:"
+        $foldersToDelete | ForEach-Object {
+            $_.FullName
+        }
+        $foldersToDelete | ForEach-Object { 
+            Remove-Item (Join-Path $_.FullName *.*) -Force
+        }
+        $foldersToDelete | ForEach-Object {
+            Remove-Item $_.FullName -Force
+        }
+        Write-Output "Deleted"
+    }
+}