diff --git a/EsrpScan.yml b/EsrpScan.yml
new file mode 100644
index 0000000..c2fb4b0
--- /dev/null
+++ b/EsrpScan.yml
@@ -0,0 +1,16 @@
+parameters:
+ - name: "scanPath"
+ default: "$(Pipeline.Workspace)"
+ - name: "pattern"
+ default: "*.dll,*.exe"
+
+steps:
+- task: SFP.build-tasks.custom-build-task-2.EsrpMalwareScanning@1
+ displayName: 'Malware Scanning'
+ inputs:
+ ConnectedServiceName: pwshEsrpScanning
+ FolderPath: ${{ parameters.scanPath }}
+ Pattern: ${{ parameters.pattern }}
+ UseMinimatch: true
+ SessionTimeout: 30
+
diff --git a/EsrpSign.yml b/EsrpSign.yml
index 1483684..c51a9c4 100644
--- a/EsrpSign.yml
+++ b/EsrpSign.yml
@@ -9,8 +9,6 @@ parameters:
 default: "*.dll,*.exe"
 - name: "useMinimatch"
 default: "false"
- - name: "condition"
- default: and(and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True')), ne(variables['SigningServer'], ''))
 steps:
 - task: UseDotNet@2
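Review bot: With `UseMinimatch: true`, the default `pattern` of `*.dll,*.exe` only matches files directly under `scanPath` if the task hands the pattern to minimatch unchanged (minimatch needs `**` to descend), so a caller taking the defaults would scan far less of `$(Pipeline.Workspace)` than the name suggests; EsrpSign.yml uses the same default but with `useMinimatch: "false"`, which presumably recurses. Change the default to `default: "**/*.dll,**/*.exe"` (using whichever separator the task expects — the README example for this template writes `**\*.rpm`) or document the top-level-only behaviour in a comment above the parameter. The step also has no `timeoutInMinutes`, unlike every step in EsrpSign.yml, and `SessionTimeout: 30` is a task input whose unit is not stated here, so a step-level `timeoutInMinutes: 30` would give the job a hard bound. Consider quoting `FolderPath: '${{ parameters.scanPath }}'` to match how EsrpSign.yml quotes the same kind of input.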
@@ -60,31 +58,36 @@ steps:
 Write-Verbose -Verbose "EsrpJson = '${env:EsrpJson}'"
 displayName: Log Json
+- pwsh: |
+ Write-Verbose "BUILD_OUTPUT_PATH- ${{ parameters.buildOutputPath }}" -Verbose
+ Write-Verbose "SIGNED_OUTPUT_PATH- ${{ parameters.signOutputPath }}" -Verbose
+ if(!(Test-Path '${{ parameters.signOutputPath }}'))
+ {
+ Write-Verbose "Creating SIGNED_OUTPUT_PATH- ${{ parameters.signOutputPath }}" -Verbose
+ $null = New-Item -Path '${{ parameters.signOutputPath }}' -ItemType Directory -force
+ }
+ Copy-Item -Path ${{ parameters.buildOutputPath }}\* -Dest ${{ parameters.signOutputPath }}\ -Recurse -Force -Verbose
+ displayName: Copy unsigned files to signed output directory
+ condition: and(and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True')), ne(variables['SigningServer'], ''))
+ timeoutInMinutes: 10
+
 - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
 displayName: Sign files
 inputs:
 ConnectedServiceName: pwshSigning
- FolderPath: '${{ parameters.buildOutputPath }}'
+ FolderPath: '${{ parameters.signOutputPath }}'
 signConfigType: inlineSignParams
 inlineOperation: $(EsrpJson)
 Pattern: ${{ parameters.pattern }}
 UseMinimatch: ${{ parameters.useMinimatch }}
- condition: ${{ parameters.condition }}
+ condition: and(and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True')), ne(variables['SigningServer'], ''))
 timeoutInMinutes: 30
 - pwsh: |
- Write-Verbose "BUILD_OUTPUT_PATH- ${{ parameters.buildOutputPath }}" -Verbose
- Write-Verbose "SIGNED_OUTPUT_PATH- ${{ parameters.signOutputPath }}" -Verbose
- if(!(Test-Path '${{ parameters.signOutputPath }}'))
- {
- Write-Verbose "Creating SIGNED_OUTPUT_PATH- ${{ parameters.signOutputPath }}" -Verbose
- $null = New-Item -Path '${{ parameters.signOutputPath }}' -ItemType Directory -force
- }
- $file = Get-ChildItem -Path "${{ parameters.buildOutputPath }}\codesignsummary-*.md" -File
+ $file = Get-ChildItem -Path "${{ parameters.signOutputPath }}\codesignsummary-*.md" -File
 $fileName = $file.Name
- Move-Item -Path "${{ parameters.buildOutputPath }}\$fileName" -Dest "$(Agent.TempDirectory)\$fileName"
+ Move-Item -Path "${{ parameters.signOutputPath }}\$fileName" -Dest "$(Agent.TempDirectory)\$fileName"
 Write-Host "##vso[artifact.upload containerfolder=signingReport;artifactname=signingReport]$(Agent.TempDirectory)\$fileName"
- Copy-Item -Path ${{ parameters.buildOutputPath }}\* -Dest ${{ parameters.signOutputPath }}\ -Recurse -Force -Verbose
- displayName: Copy signed files to signed output directory
- condition: ${{ parameters.condition }}
+ displayName: Upload codesign summary
+ condition: and(and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True')), ne(variables['SigningServer'], ''))
 timeoutInMinutes: 10
diff --git a/README.md b/README.md
index d9bbc40..d4cdb7c 100644
--- a/README.md
+++ b/README.md
@@ -27,7 +27,7 @@ The following sample shows how the templates can be included in your release YAM
 jobs:
 - job: Compliance_Job
 pool:
- name: Package ES CodeHub Lab E
+ name: Package ES Standard Build
 steps:
 - checkout: self
 - checkout: ComplianceRepo
@@ -60,7 +60,7 @@ The following sample shows how the templates can be included in your release YAM
 APIScan: false # set to false when not using Windows APIs.
 ```
-## ESRP Template Overview
+## ESRP Signing Template Overview
 ** Requires on-boarding, see the wiki in the internal PowerShell Maintainers teams channel **
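Review bot: The new "Copy unsigned files" step puts unsigned binaries into `signOutputPath` before `EsrpCodeSigning` runs and the task then signs in place, so if signing times out (`timeoutInMinutes: 30`) or fails part-way, the directory whose name promises signed output holds some or all unsigned files — the old flow only populated it after signing had succeeded — and a later job or any step gated on `succeededOrFailed()` can no longer tell the two apart by location. A verification step after the signing task that fails the job when any file in `signOutputPath` lacks a valid signature closes that gap (sketched below; it assumes a Windows agent since `Get-AuthenticodeSignature` is Windows-only, and the `-Include` list should mirror `parameters.pattern` rather than the hard-coded defaults). In the copy step, `Copy-Item -Path ${{ parameters.buildOutputPath }}\* -Dest ${{ parameters.signOutputPath }}\` is the only place the two paths are unquoted, so a space in either breaks it where the `Test-Path`/`New-Item` lines above would not: `Copy-Item -Path "${{ parameters.buildOutputPath }}\*" -Destination "${{ parameters.signOutputPath }}\" -Recurse -Force -Verbose`. The `condition` expression is now pasted verbatim into three steps and the `condition` template parameter is removed, so a caller that still passes `condition:` will fail template validation with an unexpected-parameter error and nobody can tighten the gate from outside; if the parameter had to go, a comment above the first copy step saying why and that the three expressions must stay identical would help the next editor. The `steps:` sequence these belong to begins above the hunk.

```yaml
# … unchanged: Sign files task …
- pwsh: |
    $bad = Get-ChildItem -Path '${{ parameters.signOutputPath }}' -Recurse -File -Include *.dll,*.exe |
      Get-AuthenticodeSignature | Where-Object { $_.Status -ne 'Valid' }
    if ($bad) {
      $bad | ForEach-Object { Write-Host "##vso[task.logissue type=error]Unsigned or invalid signature: $($_.Path)" }
      throw "Unsigned files present in '${{ parameters.signOutputPath }}'"
    }
  displayName: Verify signed output
  condition: and(and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True')), ne(variables['SigningServer'], ''))
  timeoutInMinutes: 10
# … unchanged: Upload codesign summary step …
```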
@@ -141,3 +141,33 @@ This example signs `dll` `psd1` and `psm1` files recursively, using minimatch.
 **\*.nupkg
 useMinimatch: true
 ```
+
+ ## ESRP Malware Scanning Template Overview
+
+ ** Requires on-boarding, see the wiki in the internal PowerShell Maintainers teams channel **
+
+ Details can be found in the PowerShell Maintainers teams channel's Wiki tab.
+
+ This should be use in multi-Job builds when you are uploading unsigned binaries.
+ Files are automatically scanned on signing,
+ scanning on each upload will allow us to detect when any malware was introduced.
+
+ This should be use in multi-Job builds when you are uploading unsigned binaries.
+ Files are automatically scanned on signing,
+ scanning on each upload will allow us to detect when any malware was introduced.
+
+ 1. Call the template from this repo in your yaml file and specify the values for the parameters.
+
+ ```yaml
+
+ - template: EsrpScan.yml@ComplianceRepo
+ parameters:
+ # the path with the files to scan
+ scanPath: $(System.ArtifactsDirectory)
+ # the minimatch pattern to find the files
+ # https://github.com/isaacs/minimatch#features
+ pattern: |
+ **\*.rpm
+ **\*.deb
+ **\*.tar.gz
+ ```