Add ESRP Signing template

EsrpSign.yml

@@ -0,0 +1,86 @@
+parameters:
+  - name: "buildOutputPath"
+    default: "$(Build.ArtifactStagingDirectory)\\build"
+  - name: "signOutputPath"
+    default: "$(Build.ArtifactStagingDirectory)\\signed"
+  - name: "certificateId"
+    default: "CP-230012"
+  - name: "pattern"
+    default: "*.dll,*.exe"
+
+steps:
+- task: UseDotNet@2
+  displayName: 'Install .NET Core sdk 2.x for ESRP'
+  inputs:
+    version: 2.x
+
+- pwsh: |
+    [string] $CertificateId = "${{ parameters.certificateId }}"
+    Write-Verbose "CertificateId - $CertificateId" -Verbose
+
+    [string] $VariableName = "EsrpJson"
+
+    [string] $SigningServer = '$(SigningServer)'
+    Write-Verbose "SigningServer - $SigningServer" -Verbose
+
+    $esrpParameters = @(
+    @{
+        ParameterName  = "OpusName"
+        ParameterValue = "Microsoft"
+    }
+    @{
+        ParameterName  = "OpusInfo"
+        ParameterValue = "http://www.microsoft.com"
+    }
+    @{
+        ParameterName  = "PageHash"
+        ParameterValue = "/NPH"
+    }
+    @{
+        ParameterName  = "FileDigest"
+        ParameterValue = "/fd sha256"
+    }
+    @{
+        ParameterName  = "TimeStamp"
+        ParameterValue = "/tr ""$SigningServer"" /td sha256"
+    }
+    )
+
+    $esrp = @(@{
+    keyCode = $CertificateId
+    operationSetCode = "SigntoolSign"
+    parameters = $esrpParameters
+    toolName = "signtool.exe"
+    toolVersion = "6.2.9304.0"
+    })
+
+    $vstsCommandString = "vso[task.setvariable variable=$VariableName][$($esrp | ConvertTo-Json -Compress)]"
+    Write-Verbose -Message ("sending " + $vstsCommandString) -Verbose
+    Write-Host "##$vstsCommandString"
+
+    $vstsCommandString = "vso[task.setvariable variable=GDN_CODESIGN_TARGETDIRECTORY]${{ parameters.signOutputPath }}"
+    Write-Verbose -Message ("sending " + $vstsCommandString) -Verbose
+    Write-Host "##$vstsCommandString"
+  displayName: Generate signing JSON
+  condition: and(and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True')), ne(variables['SigningServer'], ''))
+
+- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
+  displayName: Sign files
+  inputs:
+    ConnectedServiceName: pwshSigning
+    FolderPath: '${{ parameters.buildOutputPath }}'
+    UseMinimatch: false
+    signConfigType: inlineSignParams
+    inlineOperation: $(EsrpJson)
+    Pattern: ${{ parameters.pattern }}
+  condition: and(and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True')), ne(variables['SigningServer'], ''))
+  timeoutInMinutes: 30
+
+- pwsh: |
+    Write-Verbose "BUILD_OUTPUT_PATH- ${{ parameters.buildOutputPath }}" -Verbose
+    Write-Verbose "SIGNED_OUTPUT_PATH- ${{ parameters.signOutputPath }}" -Verbose
+    Copy-Item -Path ${{ parameters.buildOutputPath }}\* -Dest ${{ parameters.signOutputPath }}\ -Recurse -Force -Verbose
+  displayName: Copy signed files to signed output directory
+  condition: and(and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True')), ne(variables['SigningServer'], ''))
+  timeoutInMinutes: 10
+

README.md

@@ -58,5 +58,24 @@ The following sample shows how the templates can be included in your release YAM
             APIScan: false # set to false when not using Windows APIs.
     ```
 
+## ESRP Template Example
+
+** Requires on-boarding, see the wiki in the internal PowerShell Maintainers teams channel **
+
+1. Call the template from this repo in your yaml file and specify the values for the parameters.
+
+    ```yaml
+    - template: EsrpSign@ComplianceRepo
+        parameters:
+           # the folder which contains the binaries to sign
+           buildOutputPath: $(signSrcPath)
+           # the location to put the signed output
+           signOutputPath: $(signOutPath)
+           # the certificate ID to use
+           certificateId: "CP-230012"
+           # the file pattern to use, comma separated
+           pattern: '*.dll,*.psd1,*.psm1,*.ps1xml,*.mof'
+    ```
+