diff --git a/EsrpScan.yml b/EsrpScan.yml
index c2fb4b0..8e8d828 100644
--- a/EsrpScan.yml
+++ b/EsrpScan.yml
@@ -5,6 +5,11 @@ parameters:
 default: "*.dll,*.exe"
 steps:
+- task: UseDotNet@2
+ displayName: 'Install .NET Core sdk 2.x for ESRP'
+ inputs:
+ version: 2.x
+
 - task: SFP.build-tasks.custom-build-task-2.EsrpMalwareScanning@1
 displayName: 'Malware Scanning'
 inputs:
diff --git a/EsrpSign.yml b/EsrpSign.yml
index e59a49e..8cdaab6 100644
--- a/EsrpSign.yml
+++ b/EsrpSign.yml
@@ -9,6 +9,12 @@ parameters:
 default: "*.dll,*.exe"
 - name: "useMinimatch"
 default: "false"
+ - name: "signingService"
+ default: "pwshSigning"
+ - name: "shouldSign"
+ default: "auto"
+ - name: "alwaysCopy"
+ default: "False"
 steps:
 - task: UseDotNet@2
@@ -23,6 +29,22 @@ steps:
 Write-Verbose -Verbose "pattern = '${{ parameters.pattern }}'"
 displayName: Log parameters
+- pwsh: |
+ if ('${{ parameters.shouldSign }}' -eq 'auto') {
+ Write-Verbose -Verbose -Message 'calculating shouldsign'
+ $shouldSign = $env:BUILD_REASON -eq 'Manual' -and $env:SKIPSIGNING -eq 'True' -and $env:SIGNINGSERVER -ne ''
+ }
+ elseif ('${{ parameters.shouldSign }}' -eq 'false') {
+ $shouldSign = $false
+ }
+ else {
+ $shouldSign = $true
+ }
+ $vstsCommandString = "vso[task.setvariable variable=ESRP_TEMPLATE_SHOULD_SIGN]$shouldSign"
+ Write-Verbose -Message ("sending " + $vstsCommandString) -Verbose
+ Write-Host "##$vstsCommandString"
+ displayName: Set ESRP_TEMPLATE_SHOULD_SIGN
+
 - ${{ if eq(parameters.certificateId , 'CP-230012') }}:
 - template: template-compliance/authenticode-sign.yml
 parameters:
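Review bot: The added UseDotNet@2 step installs a floating `2.x` SDK with no comment saying why ESRP needs that major, so the next maintainer cannot tell whether a newer major would work or whether 2.x was chosen deliberately. A floating minor/patch also means the toolchain underneath the malware-scan step changes whenever the feed publishes a new 2.x build, which hurts reproducibility of a compliance step. The same UseDotNet@2 step is already present in EsrpSign.yml (visible as context in the next hunk), so the two should stay in sync. Consider pinning to an explicit version and adding above the step `# ESRP tasks require a .NET Core 2.x runtime; keep this in step with EsrpSign.yml`.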
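Review bot: The new `shouldSign` parameter carries no `type` or `values:` restriction, so any value other than `auto` or `false` (including a typo) falls into the `else` branch of the new step further down and enables signing; a bad value should fail template expansion rather than turn signing on. Adding `type: string` and `values: [auto, 'true', 'false']` to the parameter makes the pipeline reject anything else at queue time. `alwaysCopy` defaults to `"False"` while the neighbouring `useMinimatch` defaults to `"false"`; the expression comparisons are case-insensitive so this is not a bug, but the casing should match within the file.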
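Review bot: The `auto` branch inverts the condition it replaces: it sets `$shouldSign` only when `$env:SKIPSIGNING -eq 'True'`, whereas the removed expression was `ne(variables['SkipSigning'], 'True')`, so a build that asks to skip signing is now the one that gets signed and an ordinary manual build is not. The last term has a second problem: when `SigningServer` is not defined, `$env:SIGNINGSERVER` is `$null`, and `$null -ne ''` is true in PowerShell, so the absent-server guard no longer holds (the old condition treated an undefined variable as empty). The line should read `$shouldSign = $env:BUILD_REASON -eq 'Manual' -and $env:SKIPSIGNING -ne 'True' -and -not [string]::IsNullOrEmpty($env:SIGNINGSERVER)`. The `else` branch treats every unexpected value as true; since this decision gates whether the ESRP signing tasks run at all, a comment stating that only `auto`, `true` and `false` are expected belongs above the `if`. If `SkipSigning` or `SigningServer` is a secret variable it will not be mapped into the environment automatically and would need an explicit `env:` mapping on this step — worth confirming against the callers.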
@@ -75,19 +97,19 @@ steps:
 }
 Copy-Item -Path ${{ parameters.buildOutputPath }}\* -Dest ${{ parameters.signOutputPath }}\ -Recurse -Force -Verbose
 displayName: Copy unsigned files to signed output directory
- condition: and(and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True')), ne(variables['SigningServer'], ''))
+ condition: and(succeeded(), or(eq(variables['ESRP_TEMPLATE_SHOULD_SIGN'], 'True'),ne('${{ parameters.alwaysCopy }}', 'False')))
 timeoutInMinutes: 10
 - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
 displayName: Sign files
 inputs:
- ConnectedServiceName: pwshSigning
+ ConnectedServiceName: ${{ parameters.signingService }}
 FolderPath: '${{ parameters.signOutputPath }}'
 signConfigType: inlineSignParams
 inlineOperation: $(EsrpJson)
 Pattern: ${{ parameters.pattern }}
 UseMinimatch: ${{ parameters.useMinimatch }}
- condition: and(and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True')), ne(variables['SigningServer'], ''))
+ condition: and(succeeded(), eq(variables['ESRP_TEMPLATE_SHOULD_SIGN'], 'True'))
 timeoutInMinutes: 30
 - pwsh: |
@@ -96,5 +118,5 @@ steps:
 Move-Item -Path "${{ parameters.signOutputPath }}\$fileName" -Dest "$(Agent.TempDirectory)\$fileName"
 Write-Host "##vso[artifact.upload containerfolder=signingReport;artifactname=signingReport]$(Agent.TempDirectory)\$fileName"
 displayName: Upload codesign summary
- condition: and(and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True')), ne(variables['SigningServer'], ''))
+ condition: and(succeeded(), eq(variables['ESRP_TEMPLATE_SHOULD_SIGN'], 'True'))
 timeoutInMinutes: 10
diff --git a/template-compliance/authenticode-sign.yml b/template-compliance/authenticode-sign.yml
index 16f7920..b4beb21 100644
--- a/template-compliance/authenticode-sign.yml
+++ b/template-compliance/authenticode-sign.yml
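Review bot: `ConnectedServiceName: ${{ parameters.signingService }}` is left unquoted while `FolderPath: '${{ parameters.signOutputPath }}'` directly below quotes its template expression; an empty expansion of the new parameter would then yield a null input rather than an empty string, so quote it the same way: `ConnectedServiceName: '${{ parameters.signingService }}'`. In the copy step's new condition the `or(...)` has no space after the comma (`'True'),ne(`), unlike the rest of the expression. That condition now copies the unsigned build output whenever `alwaysCopy` is anything other than `False`, which is not obvious from the expression alone; a comment above it such as `# alwaysCopy: copy unsigned output to signOutputPath even when signing is skipped` would spare the next reader from reverse-engineering it.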
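Review bot: Every condition replaced here, and the matching replacements in the sign-files step above and in template-compliance/authenticode-sign.yml, macOS-sign.yml, nuget-sign.yml and pgp-sign.yml, now hinges on `ESRP_TEMPLATE_SHOULD_SIGN`, a job-scoped variable that only the new 'Set ESRP_TEMPLATE_SHOULD_SIGN' step in EsrpSign.yml emits, and nothing at the point of use records that dependency. An undefined variable evaluates to '' in the condition, so a template consumed without that step skips signing silently — the safe direction, but invisible to the reader. A comment above each condition, e.g. `# ESRP_TEMPLATE_SHOULD_SIGN is set by the 'Set ESRP_TEMPLATE_SHOULD_SIGN' step in EsrpSign.yml; unset means skip`, documents the coupling. The removed conditions also required `Build.Reason == 'Manual'` unconditionally, whereas that check now lives only in the `auto` path of the PowerShell step, so a caller passing `shouldSign: true` can sign on a non-manual build; if that relaxation is intended it deserves a sentence in the same comment.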
@@ -57,4 +57,4 @@ steps:
 Write-Verbose -Message ("sending " + $vstsCommandString) -Verbose
 Write-Host "##$vstsCommandString"
 displayName: Generate Authenticode signing JSON
- condition: and(and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True')), ne(variables['SigningServer'], ''))
+ condition: and(succeeded(), eq(variables['ESRP_TEMPLATE_SHOULD_SIGN'], 'True'))
diff --git a/template-compliance/macOS-sign.yml b/template-compliance/macOS-sign.yml
index 34033a6..67f60f1 100644
--- a/template-compliance/macOS-sign.yml
+++ b/template-compliance/macOS-sign.yml
@@ -32,4 +32,4 @@ steps:
 Write-Verbose -Message ("sending " + $vstsCommandString) -Verbose
 Write-Host "##$vstsCommandString"
 displayName: Generate PGP signing JSON
- condition: and(and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True')), ne(variables['SigningServer'], ''))
+ condition: and(succeeded(), eq(variables['ESRP_TEMPLATE_SHOULD_SIGN'], 'True'))
diff --git a/template-compliance/nuget-sign.yml b/template-compliance/nuget-sign.yml
index 0227d0b..86b4dc9 100644
--- a/template-compliance/nuget-sign.yml
+++ b/template-compliance/nuget-sign.yml
@@ -32,4 +32,4 @@ steps:
 Write-Verbose -Message ("sending " + $vstsCommandString) -Verbose
 Write-Host "##$vstsCommandString"
 displayName: Generate NuGet signing JSON
- condition: and(and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True')), ne(variables['SigningServer'], ''))
+ condition: and(succeeded(), eq(variables['ESRP_TEMPLATE_SHOULD_SIGN'], 'True'))
diff --git a/template-compliance/pgp-sign.yml b/template-compliance/pgp-sign.yml
index 5d08406..bca58e5 100644
--- a/template-compliance/pgp-sign.yml
+++ b/template-compliance/pgp-sign.yml
@@ -32,4 +32,4 @@ steps:
 Write-Verbose -Message ("sending " + $vstsCommandString) -Verbose
 Write-Host "##$vstsCommandString"
 displayName: Generate PGP signing JSON
- condition: and(and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True')), ne(variables['SigningServer'], ''))
+ condition: and(succeeded(), eq(variables['ESRP_TEMPLATE_SHOULD_SIGN'], 'True'))