From ee3f14be504fb73b718ed8c40bf01b86ca1234c4 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Wed, 18 Nov 2020 09:45:56 -0800 Subject: [PATCH 1/8] Add pgp signing --- EsrpSign.yml | 8 +++++ template-compliance/authenticode-sign.yml | 2 +- template-compliance/nuget-sign.yml | 2 +- template-compliance/pgp-sign.yml | 38 +++++++++++++++++++++++ 4 files changed, 48 insertions(+), 2 deletions(-) create mode 100644 template-compliance/pgp-sign.yml diff --git a/EsrpSign.yml b/EsrpSign.yml index 5561958..9eaa6c9 100644 --- a/EsrpSign.yml +++ b/EsrpSign.yml @@ -47,6 +47,14 @@ steps: pattern: ${{ parameters.pattern }} certificateId: ${{ parameters.certificateId }} +- ${{ if eq(parameters.certificateId, 'CP-450778-Pgp') }}: + - template: template-compliance/pgp-sign.yml + parameters: + buildOutputPath: ${{ parameters.buildOutputPath }} + signOutputPath: ${{ parameters.signOutputPath }} + pattern: ${{ parameters.pattern }} + certificateId: ${{ parameters.certificateId }} + - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 displayName: Sign files inputs: diff --git a/template-compliance/authenticode-sign.yml b/template-compliance/authenticode-sign.yml index 56f1a44..16f7920 100644 --- a/template-compliance/authenticode-sign.yml +++ b/template-compliance/authenticode-sign.yml @@ -56,5 +56,5 @@ steps: $vstsCommandString = "vso[task.setvariable variable=GDN_CODESIGN_TARGETDIRECTORY]${{ parameters.signOutputPath }}" Write-Verbose -Message ("sending " + $vstsCommandString) -Verbose Write-Host "##$vstsCommandString" - displayName: Generate signing JSON + displayName: Generate Authenticode signing JSON condition: and(and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True')), ne(variables['SigningServer'], '')) diff --git a/template-compliance/nuget-sign.yml b/template-compliance/nuget-sign.yml index bb37438..0227d0b 100644 --- a/template-compliance/nuget-sign.yml +++ b/template-compliance/nuget-sign.yml 
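Review bot: The new `- ${{ if eq(parameters.certificateId, 'CP-450778-Pgp') }}:` branch selects the PGP template by matching one literal key code, so a caller passing any other PGP key code gets no JSON-generation step from this branch and, as far as I can tell, the sign task further down then runs with `EsrpJson` unset (the other `${{ if }}` includes above this hunk are outside it, so I cannot see whether one of them acts as a fallback). Patch 4 of this series already has to widen the match to a second code with `or(...)`, which is the same problem recurring. A comment above the branch naming what routes here, e.g. `# PGP key codes are signed with the ESRP LinuxSign operation via pgp-sign.yml`, or a dedicated selector parameter instead of matching key-code literals, would make the routing explicit and easier to extend.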
@@ -31,5 +31,5 @@ steps: $vstsCommandString = "vso[task.setvariable variable=GDN_CODESIGN_TARGETDIRECTORY]${{ parameters.signOutputPath }}" Write-Verbose -Message ("sending " + $vstsCommandString) -Verbose Write-Host "##$vstsCommandString" - displayName: Generate signing JSON + displayName: Generate NuGet signing JSON condition: and(and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True')), ne(variables['SigningServer'], '')) diff --git a/template-compliance/pgp-sign.yml b/template-compliance/pgp-sign.yml new file mode 100644 index 0000000..1846ad6 --- /dev/null +++ b/template-compliance/pgp-sign.yml 
@@ -0,0 +1,38 @@
+parameters:
+ - name: "buildOutputPath"
+ default: "$(Build.ArtifactStagingDirectory)\\build"
+ - name: "signOutputPath"
+ default: "$(Build.ArtifactStagingDirectory)\\signed"
+ - name: "pattern"
+ default: "*.rpm,*.deb"
+ - name: "certificateId"
+ default: "CP-450778-Pgp"
+
+steps:
+
+- pwsh: |
+ [string] $CertificateId = "${{ parameters.certificateId }}"
+ Write-Verbose "CertificateId - $CertificateId" -Verbose
+
+ [string] $VariableName = "EsrpJson"
+
+ [string] $SigningServer = '$(SigningServer)'
+ Write-Verbose "SigningServer - $SigningServer" -Verbose
+
+ $esrp = @(@{
+ keyCode = $CertificateId
+ operationSetCode = "LinuxSign"
+ parameters = @{}
+ toolName = "sign"
+ toolVersion = "1.0"
+ })
+
+ $vstsCommandString = "vso[task.setvariable variable=$VariableName][$($esrp | ConvertTo-Json -Compress)]"
+ Write-Verbose -Message ("sending " + $vstsCommandString) -Verbose
+ Write-Host "##$vstsCommandString"
+
+ $vstsCommandString = "vso[task.setvariable variable=GDN_CODESIGN_TARGETDIRECTORY]${{ parameters.signOutputPath }}"
+ Write-Verbose -Message ("sending " + $vstsCommandString) -Verbose
+ Write-Host "##$vstsCommandString"
+ displayName: Generate PGP signing JSON
+ condition: and(and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True')), ne(variables['SigningServer'], ''))
From 0ea78b7b0722cd0bfc69403cf2ed90410c6d19f0 Mon Sep 17 00:00:00 2001
From: Travis Plunk
Date: Wed, 18 Nov 2020 09:46:21 -0800
Subject: [PATCH 2/8] make condition a parameter
---
EsrpSign.yml | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/EsrpSign.yml b/EsrpSign.yml
index 9eaa6c9..126ec6a 100644
--- a/EsrpSign.yml
+++ b/EsrpSign.yml
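Review bot: `[string] $SigningServer = '$(SigningServer)'` expands a pipeline variable by macro substitution straight into the inline script and then only logs it; the value is not used in the `$esrp` operation at all, so the two lines can go, or if the log line is wanted it should read `$env:SIGNINGSERVER` (mapped automatically unless the variable is a secret, in which case it needs an `env:` entry on the step) so a quote or `$` in the value cannot alter the script — the same escaping problem patch 5 of this series later fixes for `EsrpJson`. The template also has no header comment; a two-line comment above `parameters:` stating that it builds the ESRP `LinuxSign` operation for the given key code and publishes it as the `EsrpJson` variable, plus `GDN_CODESIGN_TARGETDIRECTORY`, for the sign task in EsrpSign.yml would tell a reader why the step only emits logging commands. Note too that the `condition:` on the step is a copy of the literal in authenticode-sign.yml and nuget-sign.yml rather than something the including pipeline can influence.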
@@ -9,6 +9,8 @@ parameters: default: "*.dll,*.exe" - name: "useMinimatch" default: "false" + - name: "condition" + default: and(and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True')), ne(variables['SigningServer'], '')) steps: - task: UseDotNet@2 @@ -64,7 +66,7 @@ steps: inlineOperation: $(EsrpJson) Pattern: ${{ parameters.pattern }} UseMinimatch: ${{ parameters.useMinimatch }} - condition: and(and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True')), ne(variables['SigningServer'], '')) + condition: ${{ parameters.condition }} timeoutInMinutes: 30 - pwsh: | @@ -81,5 +83,5 @@ steps: Write-Host "##vso[artifact.upload containerfolder=signingReport;artifactname=signingReport]$(Agent.TempDirectory)\$fileName" Copy-Item -Path ${{ parameters.buildOutputPath }}\* -Dest ${{ parameters.signOutputPath }}\ -Recurse -Force -Verbose displayName: Copy signed files to signed output directory - condition: and(and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True')), ne(variables['SigningServer'], '')) + condition: ${{ parameters.condition }} timeoutInMinutes: 10 From a0c1f12b71ef901f90be4e69c3b727215a1f1995 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Wed, 18 Nov 2020 14:58:25 -0800 Subject: [PATCH 3/8] log esrp json --- EsrpSign.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/EsrpSign.yml b/EsrpSign.yml index 126ec6a..ba2c8e8 100644 --- a/EsrpSign.yml +++ b/EsrpSign.yml @@ -57,6 +57,10 @@ steps: pattern: ${{ parameters.pattern }} certificateId: ${{ parameters.certificateId }} +- pwsh: | + Write-Verbose -Verbose "EsrpJson = '$(EsrpJson)'" + displayName: Log Json + - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 displayName: Sign files inputs: From adfbb65afbdf01943647567d470585738558e7bb Mon Sep 17 00:00:00 2001 
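Review bot: Making `condition` a parameter in EsrpSign.yml (the `@@ -9,6 +9,8 @@`, `@@ -64,7 +66,7 @@` and `@@ -81,5 +83,5 @@` hunks) leaves the three sub-templates out of step: authenticode-sign.yml, nuget-sign.yml and pgp-sign.yml each still gate their "Generate … signing JSON" step on the hard-coded `and(and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), …)` expression visible in the earlier hunks of this series, so a caller that overrides `condition` to sign on a non-manual build gets a sign task whose `inlineOperation: $(EsrpJson)` was never populated. Pass `condition: ${{ parameters.condition }}` into each `- template:` include and have each sub-template declare the same parameter and use it on its step. The new `- name: "condition"` default is a long plain scalar; quoting it like the neighbouring defaults keeps it from being reparsed if it ever gains a `: ` or ` #`, and a one-line comment above it, e.g. `# Gate for the sign and copy steps; default: manual builds only, SkipSigning not 'True', SigningServer set`, documents what a caller is overriding.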
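Review bot: The new `Log Json` step has no `condition:` while the steps around it are gated by `${{ parameters.condition }}`, so it runs on every build, including ones where signing is skipped, and there prints the unexpanded `$(EsrpJson)` text. Give it `condition: ${{ parameters.condition }}` like the sign task below it. A comment such as `# Diagnostic only: echo the ESRP operation JSON handed to the sign task` would also make clear the step has no functional role and can be dropped once signing is stable.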
From: Travis Plunk Date: Wed, 18 Nov 2020 14:58:42 -0800 Subject: [PATCH 4/8] both pgp certs --- EsrpSign.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/EsrpSign.yml b/EsrpSign.yml index ba2c8e8..5c5531c 100644 --- a/EsrpSign.yml +++ b/EsrpSign.yml @@ -49,7 +49,7 @@ steps: pattern: ${{ parameters.pattern }} certificateId: ${{ parameters.certificateId }} -- ${{ if eq(parameters.certificateId, 'CP-450778-Pgp') }}: +- ${{ if or(eq(parameters.certificateId, 'CP-450779-Pgp'),eq(parameters.certificateId, 'CP-450778-Pgp')) }}: - template: template-compliance/pgp-sign.yml parameters: buildOutputPath: ${{ parameters.buildOutputPath }} From bf44fd0c5a59c2fa632de101519db7db5e37b080 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Wed, 18 Nov 2020 15:14:35 -0800 Subject: [PATCH 5/8] use env to avoid escaping problems --- EsrpSign.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/EsrpSign.yml b/EsrpSign.yml index 5c5531c..939f1af 100644 --- a/EsrpSign.yml +++ b/EsrpSign.yml @@ -58,7 +58,7 @@ steps: certificateId: ${{ parameters.certificateId }} - pwsh: | - Write-Verbose -Verbose "EsrpJson = '$(EsrpJson)'" + Write-Verbose -Verbose "EsrpJson = '${env:EsrpJson}'" displayName: Log Json - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 From 233000b10ab48882c691ddb978ab5c5b03f7ce22 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Thu, 19 Nov 2020 10:49:09 -0800 Subject: [PATCH 6/8] try removing parameters --- template-compliance/pgp-sign.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/template-compliance/pgp-sign.yml b/template-compliance/pgp-sign.yml index 1846ad6..36526e1 100644 --- a/template-compliance/pgp-sign.yml +++ b/template-compliance/pgp-sign.yml @@ -22,7 +22,6 @@ steps: $esrp = @(@{ keyCode = $CertificateId operationSetCode = "LinuxSign" - parameters = @{} toolName = "sign" toolVersion = "1.0" }) From efd83531452da6bfd98e4a6a3f92d8ac58742f73 Mon Sep 17 00:00:00 2001 
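Review bot: `${env:EsrpJson}` relies on a case-insensitive environment, which holds on Windows agents but not on Linux ones, where the pipeline maps the `EsrpJson` variable to `ESRPJSON` and `${env:EsrpJson}` reads as empty; `${env:ESRPJSON}` works on both, should this step ever run on a Linux agent. Reading the value from the environment instead of macro-expanding `$(EsrpJson)` into the script is the right direction, since the JSON contains quotes that would otherwise become part of the script text, and that reasoning deserves a one-line comment so it is not reverted, e.g. `# read from env rather than by macro expansion: the JSON contains quotes that would break the script`.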
From: Travis Plunk Date: Thu, 19 Nov 2020 12:43:36 -0800 Subject: [PATCH 7/8] Update template-compliance/pgp-sign.yml --- template-compliance/pgp-sign.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/template-compliance/pgp-sign.yml b/template-compliance/pgp-sign.yml index 36526e1..5d08406 100644 --- a/template-compliance/pgp-sign.yml +++ b/template-compliance/pgp-sign.yml @@ -1,6 +1,4 @@ parameters: - - name: "buildOutputPath" - default: "$(Build.ArtifactStagingDirectory)\\build" - name: "signOutputPath" default: "$(Build.ArtifactStagingDirectory)\\signed" - name: "pattern" From 1634bfd8a140d548c3ea93a43980a1ede9045b97 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Thu, 19 Nov 2020 13:04:58 -0800 Subject: [PATCH 8/8] Add examples of various ESRP scenarios --- README.md | 95 ++++++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 73 insertions(+), 22 deletions(-) diff --git a/README.md b/README.md index 2e36e97..d9bbc40 100644 --- a/README.md +++ b/README.md @@ -60,7 +60,7 @@ The following sample shows how the templates can be included in your release YAM APIScan: false # set to false when not using Windows APIs. ``` -## ESRP Template Example +## ESRP Template Overview ** Requires on-boarding, see the wiki in the internal PowerShell Maintainers teams channel ** 
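Review bot: Dropping `buildOutputPath` from this template's `parameters:` while EsrpSign.yml still passes `buildOutputPath: ${{ parameters.buildOutputPath }}` into it (the include added in patch 1 of this series, not touched here) leaves a caller/template mismatch; as far as I know Azure Pipelines rejects a parameter the template does not declare, so the call site should lose that one line in the same change. Removing the declaration is otherwise correct, since the template body only reads `parameters.certificateId` and `parameters.signOutputPath`. The enclosing `parameters:` list continues past the hunk.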
@@ -69,24 +69,75 @@ Details can be found in the PowerShell Maintainers teams channel's Wiki tab. 1. Call the template from this repo in your yaml file and specify the values for the parameters. - ```yaml - - template: EsrpSign.yml@ComplianceRepo - parameters: - # the folder which contains the binaries to sign - buildOutputPath: $(signSrcPath) - # the location to put the signed output - signOutputPath: $(signOutPath) - # the certificate ID to use - certificateId: "CP-230012" - # The file pattern to use - # If not using minimatch: comma separated, with * supported - # If using minimatch: newline separated, with !, **, and * supported. - # See link in the useMinimatch comments. - pattern: '*.dll,*.psd1,*.psm1,*.ps1xml,*.mof' - # decides if the task should use minimatch for the pattern matching. - # https://github.com/isaacs/minimatch#features - useMinimatch: false - ``` - - - +```yaml +- template: EsrpSign.yml@ComplianceRepo + parameters: + # the folder which contains the binaries to sign + buildOutputPath: $(signSrcPath) + # the location to put the signed output + signOutputPath: $(signOutPath) + # the certificate ID to use + certificateId: "CP-230012" + # The file pattern to use + # If not using minimatch: comma separated, with * supported + # If using minimatch: newline separated, with !, **, and * supported. + # See link in the useMinimatch comments. + pattern: '*.dll,*.psd1,*.psm1,*.ps1xml,*.mof' + # decides if the task should use minimatch for the pattern matching. + # https://github.com/isaacs/minimatch#features + useMinimatch: false +``` + +### ESRP Authenticode minimatch example + +This example signs `dll` and `psm1` files recursively and `psd1` files in the root of the `buildOutputPath`, using minimatch. 
+ +For full features see: https://github.com/isaacs/minimatch#features + +```yaml + - template: EsrpSign.yml@ComplianceRepo + parameters: + buildOutputPath: $(signSrcPath) + signOutputPath: $(signOutPath) + certificateId: "CP-230012" + pattern: | + **\*.dll + *.psd1 + **\*.psm1 + useMinimatch: true +``` + +### ESRP RPM example + +This example signs `dll` `psd1` and `psm1` files recursively, using minimatch. + +```yaml + - template: EsrpSign.yml@ComplianceRepo + parameters: + buildOutputPath: $(signSrcPath) + signOutputPath: $(signOutPath) + # this is the cert for RPM signing + certificateId: "CP-450779-Pgp" + # this is the pattern for RPM signing + pattern: | + **\*.rpm + useMinimatch: true +``` + + +### ESRP NuPkg example + +This example signs `dll` `psd1` and `psm1` files recursively, using minimatch. + +```yaml + - template: EsrpSign.yml@ComplianceRepo + parameters: + buildOutputPath: $(signSrcPath) + signOutputPath: $(signOutPath) + # this is the cert for NuPkg signing + certificateId: "CP-401405" + # this is the pattern for NuPkg signing + pattern: | + **\*.nupkg + useMinimatch: true +```