From 6bbc178ae133f1c3b3c54aabd54724de78bc5442 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Fri, 20 Nov 2020 11:37:51 -0800 Subject: [PATCH 1/7] refactor --- EsrpSign.yml | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/EsrpSign.yml b/EsrpSign.yml index 1483684..668d2e1 100644 --- a/EsrpSign.yml +++ b/EsrpSign.yml @@ -9,8 +9,6 @@ parameters: default: "*.dll,*.exe" - name: "useMinimatch" default: "false" - - name: "condition" - default: and(and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True')), ne(variables['SigningServer'], '')) steps: - task: UseDotNet@2 @@ -60,18 +58,6 @@ steps: Write-Verbose -Verbose "EsrpJson = '${env:EsrpJson}'" displayName: Log Json -- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 - displayName: Sign files - inputs: - ConnectedServiceName: pwshSigning - FolderPath: '${{ parameters.buildOutputPath }}' - signConfigType: inlineSignParams - inlineOperation: $(EsrpJson) - Pattern: ${{ parameters.pattern }} - UseMinimatch: ${{ parameters.useMinimatch }} - condition: ${{ parameters.condition }} - timeoutInMinutes: 30 - - pwsh: | Write-Verbose "BUILD_OUTPUT_PATH- ${{ parameters.buildOutputPath }}" -Verbose Write-Verbose "SIGNED_OUTPUT_PATH- ${{ parameters.signOutputPath }}" -Verbose 
@@ -85,6 +71,20 @@ steps: Move-Item -Path "${{ parameters.buildOutputPath }}\$fileName" -Dest "$(Agent.TempDirectory)\$fileName" Write-Host "##vso[artifact.upload containerfolder=signingReport;artifactname=signingReport]$(Agent.TempDirectory)\$fileName" Copy-Item -Path ${{ parameters.buildOutputPath }}\* -Dest ${{ parameters.signOutputPath }}\ -Recurse -Force -Verbose - displayName: Copy signed files to signed output directory - condition: ${{ parameters.condition }} + displayName: Copy unsigned files to signed output directory + condition: and(and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True')), ne(variables['SigningServer'], '')) timeoutInMinutes: 10 + +- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 + displayName: Sign files + inputs: + ConnectedServiceName: pwshSigning + FolderPath: '${{ parameters.signOutputPath }}' + signConfigType: inlineSignParams + inlineOperation: $(EsrpJson) + Pattern: ${{ parameters.pattern }} + UseMinimatch: ${{ parameters.useMinimatch }} + condition: and(and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True')), ne(variables['SigningServer'], '')) + timeoutInMinutes: 30 + + From 0a0aabd523b4a38cb3f23b7e67718cdb95f6d6be Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Fri, 20 Nov 2020 12:07:58 -0800 Subject: [PATCH 2/7] add scanning template --- EsrpScan.yml | 17 +++++++++++++++++ README.md | 26 ++++++++++++++++++++++++-- 2 files changed, 41 insertions(+), 2 deletions(-) create mode 100644 EsrpScan.yml diff --git a/EsrpScan.yml b/EsrpScan.yml new file mode 100644 index 0000000..c15d8df --- /dev/null +++ b/EsrpScan.yml 
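Review bot: The signing gate is now the same literal `and(and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True')), ne(variables['SigningServer'], ''))` pasted into the copy step and into the new `Sign files` task, with nothing tying the two together; if one copy is edited later (say to loosen the `SkipSigning` test for a debugging run) unsigned binaries are copied into `signOutputPath` while the ESRP task is skipped, and the directory name then misleads whatever publishes from it. Dropping the `condition` parameter presumably is meant to stop callers from weakening the gate, which is sound, but a steps template cannot declare a shared expression, so at minimum mark the coupling: `# Keep identical to the condition on the 'Sign files' task below; both gate on a manual build with signing enabled.` It is also worth a comment on the sign task that `signOutputPath` holds unsigned copies until ESRP finishes, since a consumer that publishes that folder under `always()` could ship unsigned files on a signing failure; a post-sign `Get-AuthenticodeSignature` check would make the guarantee explicit. The copy step's `- pwsh:` line starts above this hunk.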
@@ -0,0 +1,17 @@ +parameters: + - name: "scanPath" + default: "$(System.ArtifactsDirectory)" + - name: "pattern" + default: "*.dll,*.exe" + +steps: +- task: SFP.build-tasks.custom-build-task-2.EsrpMalwareScanning@1 + displayName: 'Malware Scanning' + inputs: + ConnectedServiceName: pwshEsrpScanning + FolderPath: ${{ parameters.scanPath }} + Pattern: ${{ parameters.pattern }} + UseMinimatch: true + SessionTimeout: 30 + + diff --git a/README.md b/README.md index d9bbc40..ba173d6 100644 --- a/README.md +++ b/README.md @@ -27,7 +27,7 @@ The following sample shows how the templates can be included in your release YAM jobs: - job: Compliance_Job pool: - name: Package ES CodeHub Lab E + name: Package ES Standard Build steps: - checkout: self - checkout: ComplianceRepo @@ -60,7 +60,7 @@ The following sample shows how the templates can be included in your release YAM APIScan: false # set to false when not using Windows APIs. ``` -## ESRP Template Overview +## ESRP Signing Template Overview ** Requires on-boarding, see the wiki in the internal PowerShell Maintainers teams channel ** @@ -141,3 +141,25 @@ This example signs `dll` `psd1` and `psm1` files recursively, using minimatch. **\*.nupkg useMinimatch: true ``` + +## ESRP Malware Scanning Template Overview + +** Requires on-boarding, see the wiki in the internal PowerShell Maintainers teams channel ** + +Details can be found in the PowerShell Maintainers teams channel's Wiki tab. + +1. Call the template from this repo in your yaml file and specify the values for the parameters. + +```yaml + + - template: EsrpScan.yml@ComplianceRepo + parameters: + # the path with the files to scan + scanPath: $(System.ArtifactsDirectory) + # the minimatch pattern to find the files + # https://github.com/isaacs/minimatch#features + pattern: | + **\*.rpm + **\*.deb + **\*.tar.gz +``` From d4e9b9a71e631812ef4145d59a8d1ba8fdc8909b Mon Sep 17 00:00:00 2001 
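Review bot: `UseMinimatch: true` is hard-coded in the new scan task while the `pattern` default stays `"*.dll,*.exe"`, the comma-separated form `EsrpSign.yml` uses when minimatch is off; under minimatch a comma is only special inside braces, so unless the task splits on commas first that string is one literal, non-recursive pattern and a caller who accepts the defaults presumably scans nothing below `scanPath` while the step still reports success. A malware gate that silently matches zero files is worse than no gate, so either expose `useMinimatch` as a parameter with the same `"false"` default as the signing template, or give `pattern` a recursive minimatch default in the README's `**\*.rpm` style, one entry per line. If `EsrpMalwareScanning@1` reports the number of files it scanned (the hunk does not show its outputs), a following step should fail on zero.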
From: Travis Plunk Date: Fri, 20 Nov 2020 12:15:32 -0800 Subject: [PATCH 3/7] fix code sign summary --- EsrpSign.yml | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/EsrpSign.yml b/EsrpSign.yml index 668d2e1..b061011 100644 --- a/EsrpSign.yml +++ b/EsrpSign.yml @@ -66,10 +66,6 @@ steps: Write-Verbose "Creating SIGNED_OUTPUT_PATH- ${{ parameters.signOutputPath }}" -Verbose $null = New-Item -Path '${{ parameters.signOutputPath }}' -ItemType Directory -force } - $file = Get-ChildItem -Path "${{ parameters.buildOutputPath }}\codesignsummary-*.md" -File - $fileName = $file.Name - Move-Item -Path "${{ parameters.buildOutputPath }}\$fileName" -Dest "$(Agent.TempDirectory)\$fileName" - Write-Host "##vso[artifact.upload containerfolder=signingReport;artifactname=signingReport]$(Agent.TempDirectory)\$fileName" Copy-Item -Path ${{ parameters.buildOutputPath }}\* -Dest ${{ parameters.signOutputPath }}\ -Recurse -Force -Verbose displayName: Copy unsigned files to signed output directory condition: and(and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True')), ne(variables['SigningServer'], '')) @@ -87,4 +83,11 @@ steps: condition: and(and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True')), ne(variables['SigningServer'], '')) timeoutInMinutes: 30 - +- pwsh: | + $file = Get-ChildItem -Path "${{ parameters.signOutputPath }}\codesignsummary-*.md" -File + $fileName = $file.Name + Move-Item -Path "${{ parameters.buildOutputPath }}\$fileName" -Dest "$(Agent.TempDirectory)\$fileName" + Write-Host "##vso[artifact.upload containerfolder=signingReport;artifactname=signingReport]$(Agent.TempDirectory)\$fileName" + displayName: Upload codesign summary + condition: and(and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True')), ne(variables['SigningServer'], '')) + timeoutInMinutes: 10 
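Review bot: The new `Upload codesign summary` step assumes `Get-ChildItem -Path "...\codesignsummary-*.md" -File` returns exactly one file: with no match `$file.Name` is `$null` and `Move-Item` is handed a path ending in a backslash, and with several matches `$fileName` becomes an array that string-interpolates into one nonsense path, so in both cases the error points nowhere near the real cause. Since this summary is the record of what ESRP actually signed, fail loudly when it is missing: `$file = @(Get-ChildItem -Path "${{ parameters.signOutputPath }}\codesignsummary-*.md" -File)`, then `if ($file.Count -ne 1) { throw "Expected exactly one codesignsummary-*.md in ${{ parameters.signOutputPath }}, found $($file.Count)" }`, then `$fileName = $file[0].Name`. A comment such as `# Upload ESRP's signing report as a build artifact so the signed file list is auditable` above the step would also explain why the file is moved out of the signed folder rather than left in it.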
From ca28d296bd6452c2862bd31d767835686f8263be Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Fri, 20 Nov 2020 12:31:29 -0800 Subject: [PATCH 4/7] one more fix --- EsrpSign.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/EsrpSign.yml b/EsrpSign.yml index b061011..c51a9c4 100644 --- a/EsrpSign.yml +++ b/EsrpSign.yml @@ -86,7 +86,7 @@ steps: - pwsh: | $file = Get-ChildItem -Path "${{ parameters.signOutputPath }}\codesignsummary-*.md" -File $fileName = $file.Name - Move-Item -Path "${{ parameters.buildOutputPath }}\$fileName" -Dest "$(Agent.TempDirectory)\$fileName" + Move-Item -Path "${{ parameters.signOutputPath }}\$fileName" -Dest "$(Agent.TempDirectory)\$fileName" Write-Host "##vso[artifact.upload containerfolder=signingReport;artifactname=signingReport]$(Agent.TempDirectory)\$fileName" displayName: Upload codesign summary condition: and(and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True')), ne(variables['SigningServer'], '')) From cb086a55ec9b5b8781829a49b08c656cacaabd43 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Mon, 23 Nov 2020 10:50:59 -0800 Subject: [PATCH 5/7] Update EsrpScan.yml --- EsrpScan.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/EsrpScan.yml b/EsrpScan.yml index c15d8df..c2fb4b0 100644 --- a/EsrpScan.yml +++ b/EsrpScan.yml @@ -1,6 +1,6 @@ parameters: - name: "scanPath" - default: "$(System.ArtifactsDirectory)" + default: "$(Pipeline.Workspace)" - name: "pattern" default: "*.dll,*.exe" @@ -14,4 +14,3 @@ steps: UseMinimatch: true SessionTimeout: 30 - From 3d7a7a785ee5bdf72179bb3fac405c7a732e36c3 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Mon, 23 Nov 2020 11:59:24 -0800 Subject: [PATCH 6/7] Update README.md --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index ba173d6..f37fab7 100644 --- a/README.md +++ b/README.md 
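Review bot: Changing the default `scanPath` to `$(Pipeline.Workspace)` moves the scan root to the directory above the `s`/`a`/`b` folders, where a workspace normally holds no files, so with the file's hard-coded `UseMinimatch: true` and the non-recursive default `"*.dll,*.exe"` the out-of-the-box scan presumably matches nothing unless the ESRP task treats patterns as recursive, which the hunk does not show. If the intent is to scan everything downloaded or built in the job, the default pattern needs to recurse as well, e.g. `default: "**/*"`, and callers narrow it. The README sample added in PATCH 2/7 still advertises `scanPath: $(System.ArtifactsDirectory)`, so the documented default and the template default now disagree.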
@@ -148,6 +148,10 @@ This example signs `dll` `psd1` and `psm1` files recursively, using minimatch. Details can be found in the PowerShell Maintainers teams channel's Wiki tab. +This should be use in multi-Job builds when you are uploading unsigned binaries. +Files are automatically scanned on signing, +scanning on each upload will allow us to detect when any malware was introduced. + 1. Call the template from this repo in your yaml file and specify the values for the parameters. ```yaml From e58c8e3464618c2f4927776cee92f5a5713cfb58 Mon Sep 17 00:00:00 2001 From: Travis Plunk Date: Mon, 23 Nov 2020 12:00:11 -0800 Subject: [PATCH 7/7] Update README.md --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index f37fab7..d4cdb7c 100644 --- a/README.md +++ b/README.md @@ -152,6 +152,10 @@ This should be use in multi-Job builds when you are uploading unsigned binaries. Files are automatically scanned on signing, scanning on each upload will allow us to detect when any malware was introduced. +This should be use in multi-Job builds when you are uploading unsigned binaries. +Files are automatically scanned on signing, +scanning on each upload will allow us to detect when any malware was introduced. + 1. Call the template from this repo in your yaml file and specify the values for the parameters. ```yaml