Add Pgp signing template

EsrpSign.yml

@@ -9,6 +9,8 @@ parameters:
     default: "*.dll,*.exe"
   - name: "useMinimatch"
     default: "false"
+  - name: "condition"
+    default: and(and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True')), ne(variables['SigningServer'], ''))
 
 steps:
 - task: UseDotNet@2
@@ -47,6 +49,18 @@ steps:
       pattern: ${{ parameters.pattern }}
       certificateId: ${{ parameters.certificateId }}
 
+- ${{ if or(eq(parameters.certificateId, 'CP-450779-Pgp'),eq(parameters.certificateId, 'CP-450778-Pgp')) }}:
+  - template: template-compliance/pgp-sign.yml
+    parameters:
+      buildOutputPath: ${{ parameters.buildOutputPath }}
+      signOutputPath: ${{ parameters.signOutputPath }}
+      pattern: ${{ parameters.pattern }}
+      certificateId: ${{ parameters.certificateId }}
+
+- pwsh: |
+    Write-Verbose -Verbose "EsrpJson = '${env:EsrpJson}'"
+  displayName: Log Json
+
 - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
   displayName: Sign files
   inputs:
@@ -56,7 +70,7 @@ steps:
     inlineOperation: $(EsrpJson)
     Pattern: ${{ parameters.pattern }}
     UseMinimatch: ${{ parameters.useMinimatch }}
-  condition: and(and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True')), ne(variables['SigningServer'], ''))
+  condition: ${{ parameters.condition }}
   timeoutInMinutes: 30
 
 - pwsh: |
@@ -73,5 +87,5 @@ steps:
     Write-Host "##vso[artifact.upload containerfolder=signingReport;artifactname=signingReport]$(Agent.TempDirectory)\$fileName"
     Copy-Item -Path ${{ parameters.buildOutputPath }}\* -Dest ${{ parameters.signOutputPath }}\ -Recurse -Force -Verbose
   displayName: Copy signed files to signed output directory
-  condition: and(and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True')), ne(variables['SigningServer'], ''))
+  condition: ${{ parameters.condition }}
   timeoutInMinutes: 10

README.md

@@ -60,7 +60,7 @@ The following sample shows how the templates can be included in your release YAM
             APIScan: false # set to false when not using Windows APIs.
     ```
 
-## ESRP Template Example
+## ESRP Template Overview
 
 ** Requires on-boarding, see the wiki in the internal PowerShell Maintainers teams channel **
 
@@ -69,24 +69,75 @@ Details can be found in the PowerShell Maintainers teams channel's Wiki tab.
 
 1. Call the template from this repo in your yaml file and specify the values for the parameters.
 
-    ```yaml
-    - template: EsrpSign.yml@ComplianceRepo
-        parameters:
-           # the folder which contains the binaries to sign
-           buildOutputPath: $(signSrcPath)
-           # the location to put the signed output
-           signOutputPath: $(signOutPath)
-           # the certificate ID to use
-           certificateId: "CP-230012"
-           # The file pattern to use
-           # If not using minimatch: comma separated, with * supported
-           # If using minimatch: newline separated, with !, **, and * supported.
-           # See link in the useMinimatch comments.
-           pattern: '*.dll,*.psd1,*.psm1,*.ps1xml,*.mof'
-           # decides if the task should use minimatch for the pattern matching.
-           # https://github.com/isaacs/minimatch#features
-           useMinimatch: false
-    ```
-
-
-
+```yaml
+- template: EsrpSign.yml@ComplianceRepo
+    parameters:
+        # the folder which contains the binaries to sign
+        buildOutputPath: $(signSrcPath)
+        # the location to put the signed output
+        signOutputPath: $(signOutPath)
+        # the certificate ID to use
+        certificateId: "CP-230012"
+        # The file pattern to use
+        # If not using minimatch: comma separated, with * supported
+        # If using minimatch: newline separated, with !, **, and * supported.
+        # See link in the useMinimatch comments.
+        pattern: '*.dll,*.psd1,*.psm1,*.ps1xml,*.mof'
+        # decides if the task should use minimatch for the pattern matching.
+        # https://github.com/isaacs/minimatch#features
+        useMinimatch: false
+```
+
+### ESRP Authenticode minimatch example
+
+This example signs `dll` and `psm1` files recursively and `psd1` files in the root of the `buildOutputPath`, using minimatch.
+
+For full features see:  https://github.com/isaacs/minimatch#features
+
+```yaml
+  - template: EsrpSign.yml@ComplianceRepo
+      parameters:
+        buildOutputPath: $(signSrcPath)
+        signOutputPath: $(signOutPath)
+        certificateId: "CP-230012"
+        pattern: |
+          **\*.dll
+          *.psd1
+          **\*.psm1
+        useMinimatch: true
+```
+
+### ESRP RPM example
+
+This example signs `dll` `psd1` and `psm1` files recursively, using minimatch.
+
+```yaml
+  - template: EsrpSign.yml@ComplianceRepo
+      parameters:
+        buildOutputPath: $(signSrcPath)
+        signOutputPath: $(signOutPath)
+        # this is the cert for RPM signing
+        certificateId: "CP-450779-Pgp"
+        # this is the pattern for RPM signing
+        pattern: |
+            **\*.rpm
+        useMinimatch: true
+```
+
+
+### ESRP NuPkg example
+
+This example signs `dll` `psd1` and `psm1` files recursively, using minimatch.
+
+```yaml
+  - template: EsrpSign.yml@ComplianceRepo
+      parameters:
+        buildOutputPath: $(signSrcPath)
+        signOutputPath: $(signOutPath)
+        # this is the cert for NuPkg signing
+        certificateId: "CP-401405"
+        # this is the pattern for NuPkg signing
+        pattern: |
+            **\*.nupkg
+        useMinimatch: true
+```

template-compliance/authenticode-sign.yml

@@ -56,5 +56,5 @@ steps:
     $vstsCommandString = "vso[task.setvariable variable=GDN_CODESIGN_TARGETDIRECTORY]${{ parameters.signOutputPath }}"
     Write-Verbose -Message ("sending " + $vstsCommandString) -Verbose
     Write-Host "##$vstsCommandString"
-  displayName: Generate signing JSON
+  displayName: Generate Authenticode signing JSON
   condition: and(and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True')), ne(variables['SigningServer'], ''))

template-compliance/nuget-sign.yml

@@ -31,5 +31,5 @@ steps:
     $vstsCommandString = "vso[task.setvariable variable=GDN_CODESIGN_TARGETDIRECTORY]${{ parameters.signOutputPath }}"
     Write-Verbose -Message ("sending " + $vstsCommandString) -Verbose
     Write-Host "##$vstsCommandString"
-  displayName: Generate signing JSON
+  displayName: Generate NuGet signing JSON
   condition: and(and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True')), ne(variables['SigningServer'], ''))

template-compliance/pgp-sign.yml

@@ -0,0 +1,35 @@
+parameters:
+  - name: "signOutputPath"
+    default: "$(Build.ArtifactStagingDirectory)\\signed"
+  - name: "pattern"
+    default: "*.rpm,*.deb"
+  - name: "certificateId"
+    default: "CP-450778-Pgp"
+
+steps:
+
+- pwsh: |
+    [string] $CertificateId = "${{ parameters.certificateId }}"
+    Write-Verbose "CertificateId - $CertificateId" -Verbose
+
+    [string] $VariableName = "EsrpJson"
+
+    [string] $SigningServer = '$(SigningServer)'
+    Write-Verbose "SigningServer - $SigningServer" -Verbose
+
+    $esrp = @(@{
+    keyCode = $CertificateId
+    operationSetCode = "LinuxSign"
+    toolName = "sign"
+    toolVersion = "1.0"
+    })
+
+    $vstsCommandString = "vso[task.setvariable variable=$VariableName][$($esrp | ConvertTo-Json -Compress)]"
+    Write-Verbose -Message ("sending " + $vstsCommandString) -Verbose
+    Write-Host "##$vstsCommandString"
+
+    $vstsCommandString = "vso[task.setvariable variable=GDN_CODESIGN_TARGETDIRECTORY]${{ parameters.signOutputPath }}"
+    Write-Verbose -Message ("sending " + $vstsCommandString) -Verbose
+    Write-Host "##$vstsCommandString"
+  displayName: Generate PGP signing JSON
+  condition: and(and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True')), ne(variables['SigningServer'], ''))