Preserve unsigned file

EsrpScan.yml

@@ -0,0 +1,16 @@
+parameters:
+  - name: "scanPath"
+    default: "$(Pipeline.Workspace)"
+  - name: "pattern"
+    default: "*.dll,*.exe"
+
+steps:
+- task: SFP.build-tasks.custom-build-task-2.EsrpMalwareScanning@1
+  displayName: 'Malware Scanning'
+  inputs:
+    ConnectedServiceName: pwshEsrpScanning
+    FolderPath: ${{ parameters.scanPath }}
+    Pattern: ${{ parameters.pattern }}
+    UseMinimatch: true
+    SessionTimeout: 30
+

EsrpSign.yml

@@ -9,8 +9,6 @@ parameters:
     default: "*.dll,*.exe"
   - name: "useMinimatch"
     default: "false"
-  - name: "condition"
-    default: and(and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True')), ne(variables['SigningServer'], ''))
 
 steps:
 - task: UseDotNet@2
@@ -60,31 +58,36 @@ steps:
     Write-Verbose -Verbose "EsrpJson = '${env:EsrpJson}'"
   displayName: Log Json
 
+- pwsh: |
+    Write-Verbose "BUILD_OUTPUT_PATH- ${{ parameters.buildOutputPath }}" -Verbose
+    Write-Verbose "SIGNED_OUTPUT_PATH- ${{ parameters.signOutputPath }}" -Verbose
+    if(!(Test-Path '${{ parameters.signOutputPath }}'))
+    {
+      Write-Verbose "Creating SIGNED_OUTPUT_PATH- ${{ parameters.signOutputPath }}" -Verbose
+      $null = New-Item -Path '${{ parameters.signOutputPath }}' -ItemType Directory -force
+    }
+    Copy-Item -Path ${{ parameters.buildOutputPath }}\* -Dest ${{ parameters.signOutputPath }}\ -Recurse -Force -Verbose
+  displayName: Copy unsigned files to signed output directory
+  condition: and(and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True')), ne(variables['SigningServer'], ''))
+  timeoutInMinutes: 10
+
 - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
   displayName: Sign files
   inputs:
     ConnectedServiceName: pwshSigning
-    FolderPath: '${{ parameters.buildOutputPath }}'
+    FolderPath: '${{ parameters.signOutputPath }}'
     signConfigType: inlineSignParams
     inlineOperation: $(EsrpJson)
     Pattern: ${{ parameters.pattern }}
     UseMinimatch: ${{ parameters.useMinimatch }}
-  condition: ${{ parameters.condition }}
+  condition: and(and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True')), ne(variables['SigningServer'], ''))
   timeoutInMinutes: 30
 
 - pwsh: |
-    Write-Verbose "BUILD_OUTPUT_PATH- ${{ parameters.buildOutputPath }}" -Verbose
-    Write-Verbose "SIGNED_OUTPUT_PATH- ${{ parameters.signOutputPath }}" -Verbose
-    if(!(Test-Path '${{ parameters.signOutputPath }}'))
-    {
-      Write-Verbose "Creating SIGNED_OUTPUT_PATH- ${{ parameters.signOutputPath }}" -Verbose
-      $null = New-Item -Path '${{ parameters.signOutputPath }}' -ItemType Directory -force
-    }
-    $file = Get-ChildItem -Path "${{ parameters.buildOutputPath }}\codesignsummary-*.md" -File
+    $file = Get-ChildItem -Path "${{ parameters.signOutputPath }}\codesignsummary-*.md" -File
     $fileName = $file.Name
-    Move-Item -Path "${{ parameters.buildOutputPath }}\$fileName" -Dest "$(Agent.TempDirectory)\$fileName"
+    Move-Item -Path "${{ parameters.signOutputPath }}\$fileName" -Dest "$(Agent.TempDirectory)\$fileName"
     Write-Host "##vso[artifact.upload containerfolder=signingReport;artifactname=signingReport]$(Agent.TempDirectory)\$fileName"
-    Copy-Item -Path ${{ parameters.buildOutputPath }}\* -Dest ${{ parameters.signOutputPath }}\ -Recurse -Force -Verbose
-  displayName: Copy signed files to signed output directory
-  condition: ${{ parameters.condition }}
+  displayName: Upload codesign summary
+  condition: and(and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True')), ne(variables['SigningServer'], ''))
   timeoutInMinutes: 10

README.md

@@ -27,7 +27,7 @@ The following sample shows how the templates can be included in your release YAM
       jobs:
       - job: Compliance_Job
           pool:
-          name: Package ES CodeHub Lab E
+            name: Package ES Standard Build
           steps:
           - checkout: self
           - checkout: ComplianceRepo
@@ -60,7 +60,7 @@ The following sample shows how the templates can be included in your release YAM
             APIScan: false # set to false when not using Windows APIs.
     ```
 
-## ESRP Template Overview
+## ESRP Signing Template Overview
 
 ** Requires on-boarding, see the wiki in the internal PowerShell Maintainers teams channel **
 
@@ -141,3 +141,33 @@ This example signs `dll` `psd1` and `psm1` files recursively, using minimatch.
             **\*.nupkg
         useMinimatch: true
 ```
+
+## ESRP Malware Scanning Template Overview
+
+** Requires on-boarding, see the wiki in the internal PowerShell Maintainers teams channel **
+
+Details can be found in the PowerShell Maintainers teams channel's Wiki tab.
+
+This should be use in multi-Job builds when you are uploading unsigned binaries.
+Files are automatically scanned on signing,
+scanning on each upload will allow us to detect when any malware was introduced.
+
+This should be use in multi-Job builds when you are uploading unsigned binaries.
+Files are automatically scanned on signing,
+scanning on each upload will allow us to detect when any malware was introduced.
+
+1. Call the template from this repo in your yaml file and specify the values for the parameters.
+
+```yaml
+
+  - template: EsrpScan.yml@ComplianceRepo
+    parameters:
+        # the path with the files to scan
+        scanPath: $(System.ArtifactsDirectory)
+        # the minimatch pattern to find the files
+        # https://github.com/isaacs/minimatch#features
+        pattern: |
+          **\*.rpm
+          **\*.deb
+          **\*.tar.gz
+```