From c33650e52c5791441373d318346eea3bfeebec36 Mon Sep 17 00:00:00 2001
From: Travis Plunk
Date: Wed, 2 Dec 2020 13:19:14 -0800
Subject: [PATCH 1/4] add macos signing

---
 EsrpSign.yml | 8 +++++++
 template-compliance/macOS-sign.yml | 35 ++++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+)
 create mode 100644 template-compliance/macOS-sign.yml

diff --git a/EsrpSign.yml b/EsrpSign.yml
index c51a9c4..9fd051d 100644
--- a/EsrpSign.yml
+++ b/EsrpSign.yml
@@ -54,6 +54,14 @@ steps:
 pattern: ${{ parameters.pattern }}
 certificateId: ${{ parameters.certificateId }}
 
+- ${{ if eq(parameters.certificateId, 'CP-401337-Apple') }}:
+ - template: template-compliance/macOS-sign.yml
+ parameters:
+ buildOutputPath: ${{ parameters.buildOutputPath }}
+ signOutputPath: ${{ parameters.signOutputPath }}
+ pattern: ${{ parameters.pattern }}
+ certificateId: ${{ parameters.certificateId }}
+
 - pwsh: |
 Write-Verbose -Verbose "EsrpJson = '${env:EsrpJson}'"
 displayName: Log Json
diff --git a/template-compliance/macOS-sign.yml b/template-compliance/macOS-sign.yml
new file mode 100644
index 0000000..f641eca
--- /dev/null
+++ b/template-compliance/macOS-sign.yml
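Review bot: The `${{ if eq(parameters.certificateId, 'CP-401337-Apple') }}` guard hard-codes the Apple certificate id, and the same literal is the `certificateId` default in template-compliance/macOS-sign.yml, so a renewed or renamed certificate has to be changed in two places before the macOS branch is selected at all. A comment above the guard would make that coupling visible, e.g. `# Keep this id in sync with the certificateId default in template-compliance/macOS-sign.yml`. The included template sets `EsrpJson` through `task.setvariable`; if an earlier step of this file (outside the hunk) also sets that variable, the macOS value takes effect only because this include comes later, which is worth stating in the same comment.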
@@ -0,0 +1,35 @@
+parameters:
+ - name: "signOutputPath"
+ default: "$(Build.ArtifactStagingDirectory)\\signed"
+ - name: "pattern"
+ default: "*.pkg"
+ - name: "certificateId"
+ default: "CP-401337-Apple"
+
+steps:
+
+- pwsh: |
+ [string] $CertificateId = "${{ parameters.certificateId }}"
+ Write-Verbose "CertificateId - $CertificateId" -Verbose
+
+ [string] $VariableName = "EsrpJson"
+
+ [string] $SigningServer = '$(SigningServer)'
+ Write-Verbose "SigningServer - $SigningServer" -Verbose
+
+ $esrp = @(@{
+ keyCode = $CertificateId
+ operationSetCode = "MacAppDeveloperSign"
+ toolName = "sign"
+ toolVersion = "1.0"
+ })
+
+ $vstsCommandString = "vso[task.setvariable variable=$VariableName][$($esrp | ConvertTo-Json -Compress)]"
+ Write-Verbose -Message ("sending " + $vstsCommandString) -Verbose
+ Write-Host "##$vstsCommandString"
+
+ $vstsCommandString = "vso[task.setvariable variable=GDN_CODESIGN_TARGETDIRECTORY]${{ parameters.signOutputPath }}"
+ Write-Verbose -Message ("sending " + $vstsCommandString) -Verbose
+ Write-Host "##$vstsCommandString"
+ displayName: Generate PGP signing JSON
+ condition: and(and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True')), ne(variables['SigningServer'], ''))
From fb8b6be3d427cd5f24088c2723eca67230dc71d7 Mon Sep 17 00:00:00 2001
From: Travis Plunk
Date: Wed, 2 Dec 2020 13:20:50 -0800
Subject: [PATCH 2/4] macos example

---
 README.md | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/README.md b/README.md
index d4cdb7c..4ee93b7 100644
--- a/README.md
+++ b/README.md
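Review bot: `[string] $SigningServer = '$(SigningServer)'` splices the pipeline variable into the script text by macro expansion, so a value containing a quote or a newline alters the script instead of being handled as data, and the step's `condition` only checks that the variable is non-empty. Map it onto the step as an environment variable instead, `env:` / `  SigningServer: $(SigningServer)`, and read `$env:SigningServer`; the same consideration applies to `${{ parameters.signOutputPath }}` being embedded in the second `$vstsCommandString` string. The `pattern` parameter is declared here (and forwarded by the caller) but never referenced in the step, and `displayName: Generate PGP signing JSON` does not describe the `MacAppDeveloperSign` operation being generated; `displayName: Generate macOS signing JSON` would. Separately, `$esrp | ConvertTo-Json -Compress` enumerates the one-element array, so the emitted JSON is a single object rather than an array; if the consumer of `EsrpJson` expects an array, `ConvertTo-Json -InputObject $esrp -Compress` preserves it.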
@@ -142,6 +142,22 @@ This example signs `dll` `psd1` and `psm1` files recursively, using minimatch.
 useMinimatch: true
 ```
 
+### ESRP macOS example
+
+This example signs `pkg` files recursively, using minimatch.
+
+```yaml
+ - template: EsrpSign.yml@ComplianceRepo
+ parameters:
+ buildOutputPath: $(signSrcPath)
+ signOutputPath: $(signOutPath)
+ # this is the cert for macOS signing
+ certificateId: "CP-401337-Apple"
+ # this is the pattern for pkg signing
+ pattern: |
+ **\*.pkg
+ useMinimatch: true
+```
 ## ESRP Malware Scanning Template Overview
 ** Requires on-boarding, see the wiki in the internal PowerShell Maintainers teams channel **
From a9b987708dbcd6de64987112211bd44295bcceff Mon Sep 17 00:00:00 2001
From: Travis Plunk
Date: Wed, 2 Dec 2020 14:34:00 -0800
Subject: [PATCH 3/4] fix call to template

---
 EsrpSign.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/EsrpSign.yml b/EsrpSign.yml
index 9fd051d..e59a49e 100644
--- a/EsrpSign.yml
+++ b/EsrpSign.yml
@@ -57,7 +57,6 @@ steps:
 - ${{ if eq(parameters.certificateId, 'CP-401337-Apple') }}:
 - template: template-compliance/macOS-sign.yml
 parameters:
- buildOutputPath: ${{ parameters.buildOutputPath }}
 signOutputPath: ${{ parameters.signOutputPath }}
 pattern: ${{ parameters.pattern }}
 certificateId: ${{ parameters.certificateId }}
From 9165776e089ddef91c526014ca0941a7f57abc24 Mon Sep 17 00:00:00 2001
From: Travis Plunk
Date: Thu, 3 Dec 2020 13:59:38 -0800
Subject: [PATCH 4/4] Update template-compliance/macOS-sign.yml

Co-authored-by: James Truher [MSFT]
---
 template-compliance/macOS-sign.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/template-compliance/macOS-sign.yml b/template-compliance/macOS-sign.yml
index f641eca..34033a6 100644
--- a/template-compliance/macOS-sign.yml
+++ b/template-compliance/macOS-sign.yml
@@ -17,7 +17,7 @@ steps:
 [string] $SigningServer = '$(SigningServer)'
 Write-Verbose "SigningServer - $SigningServer" -Verbose
 
- $esrp = @(@{
+ [hashtable[]] $esrp = @(@{
 keyCode = $CertificateId
 operationSetCode = "MacAppDeveloperSign"
 toolName = "sign"