From 979c73be95c37440a3c0733544a214f8f0feb64f Mon Sep 17 00:00:00 2001
From: Aditya Patwardhan
Date: Mon, 26 Oct 2020 17:02:49 -0700
Subject: [PATCH] Refactor to enable nuget signing
---
EsrpSign.yml | 59 ++++------------------
template-compliance/authenticode-sign.yml | 60 +++++++++++++++++++++++
template-compliance/nuget-sign.yml | 41 ++++++++++++++++
3 files changed, 111 insertions(+), 49 deletions(-)
create mode 100644 template-compliance/authenticode-sign.yml
create mode 100644 template-compliance/nuget-sign.yml
diff --git a/EsrpSign.yml b/EsrpSign.yml
index 08c493d..92cfd65 100644
--- a/EsrpSign.yml
+++ b/EsrpSign.yml
@@ -14,55 +14,16 @@ steps: inputs: version: 2.x -- pwsh: | - [string] $CertificateId = "${{ parameters.certificateId }}" - Write-Verbose "CertificateId - $CertificateId" -Verbose - - [string] $VariableName = "EsrpJson" - - [string] $SigningServer = '$(SigningServer)' - Write-Verbose "SigningServer - $SigningServer" -Verbose - - $esrpParameters = @( - @{ - ParameterName = "OpusName" - ParameterValue = "Microsoft" - } - @{ - ParameterName = "OpusInfo" - ParameterValue = "http://www.microsoft.com" - } - @{ - ParameterName = "PageHash" - ParameterValue = "/NPH" - } - @{ - ParameterName = "FileDigest" - ParameterValue = "/fd sha256" - } - @{ - ParameterName = "TimeStamp" - ParameterValue = "/tr ""$SigningServer"" /td sha256" - } - ) +- template: template-compliance/authenticode-sign.yml + parameters: + buildOutputPath: ${{ parameters.buildOutputPath }} + signOutputPath: ${{ parameters.signOutputPath }} + pattern: ${{ parameters.pattern }} + certificateId: ${{ parameters.certificateId }} + condition: or(eq('${{ parameters.certificateId }}', 'CP-230012'), eq('${{ parameters.certificateId }}', 'CP-231522')) - $esrp = @(@{ - keyCode = $CertificateId - operationSetCode = "SigntoolSign" - parameters = $esrpParameters - toolName = "signtool.exe" - toolVersion = "6.2.9304.0" - }) - - $vstsCommandString = "vso[task.setvariable variable=$VariableName][$($esrp | ConvertTo-Json -Compress)]" - Write-Verbose -Message ("sending " + $vstsCommandString) -Verbose - Write-Host "##$vstsCommandString" - - $vstsCommandString = "vso[task.setvariable variable=GDN_CODESIGN_TARGETDIRECTORY]${{ parameters.signOutputPath }}" - Write-Verbose -Message ("sending " + $vstsCommandString) -Verbose - Write-Host "##$vstsCommandString" - displayName: Generate signing JSON - condition: and(and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True')), ne(variables['SigningServer'], '')) +- template: template-compliance/nuget-sign.yml + condition: eq('${{ 
parameters.certificateId }}', 'CP-401405') - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 displayName: Sign files
@@ -83,4 +44,4 @@ steps:
displayName: Copy signed files to signed output directory condition: and(and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True')), ne(variables['SigningServer'], '')) timeoutInMinutes: 10 - +
diff --git a/template-compliance/authenticode-sign.yml b/template-compliance/authenticode-sign.yml
new file mode 100644
index 0000000..56f1a44
--- /dev/null
+++ b/template-compliance/authenticode-sign.yml
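Review bot: The `condition:` keys placed under the two new `- template:` step references in EsrpSign.yml are, as far as I know, not accepted on a template reference (only `template` and `parameters` are), so the pipeline is likely to be rejected at YAML compile time; because `parameters.certificateId` is a template parameter, the gating belongs in a compile-time `${{ if … }}` insertion rather than a runtime `condition`. The nuget-sign.yml reference also forwards no parameters, so that template falls back to its own default `signOutputPath` when it emits `GDN_CODESIGN_TARGETDIRECTORY`, which diverges from the `${{ parameters.signOutputPath }}` forwarded on the authenticode path and used by the "Copy signed files" step later in this file. Forwarding the same four parameters to both templates keeps the two signing paths consistent. The `EsrpCodeSigning` task that presumably consumes `EsrpJson` continues outside the hunk; if neither certificate-id branch matches, no template is inserted and that task would see an unset variable, which deserves an explicit fail-fast rather than a silent no-op.
```yaml
- ${{ if or(eq(parameters.certificateId, 'CP-230012'), eq(parameters.certificateId, 'CP-231522')) }}:
  - template: template-compliance/authenticode-sign.yml
    parameters:
      buildOutputPath: ${{ parameters.buildOutputPath }}
      signOutputPath: ${{ parameters.signOutputPath }}
      pattern: ${{ parameters.pattern }}
      certificateId: ${{ parameters.certificateId }}

- ${{ if eq(parameters.certificateId, 'CP-401405') }}:
  - template: template-compliance/nuget-sign.yml
    parameters:
      buildOutputPath: ${{ parameters.buildOutputPath }}
      signOutputPath: ${{ parameters.signOutputPath }}
      pattern: ${{ parameters.pattern }}
      certificateId: ${{ parameters.certificateId }}

# … unchanged: EsrpCodeSigning task and the steps that follow …
```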
@@ -0,0 +1,60 @@ +parameters: + - name: "buildOutputPath" + default: "$(Build.ArtifactStagingDirectory)\\build" + - name: "signOutputPath" + default: "$(Build.ArtifactStagingDirectory)\\signed" + - name: "pattern" + default: "*.dll,*.exe" + - name: "certificateId" + default: "CP-230012" + +steps: +- pwsh: | + [string] $CertificateId = "${{ parameters.certificateId }}" + Write-Verbose "CertificateId - $CertificateId" -Verbose + + [string] $VariableName = "EsrpJson" + + [string] $SigningServer = '$(SigningServer)' + Write-Verbose "SigningServer - $SigningServer" -Verbose + + $esrpParameters = @( + @{ + ParameterName = "OpusName" + ParameterValue = "Microsoft" + } + @{ + ParameterName = "OpusInfo" + ParameterValue = "http://www.microsoft.com" + } + @{ + ParameterName = "PageHash" + ParameterValue = "/NPH" + } + @{ + ParameterName = "FileDigest" + ParameterValue = "/fd sha256" + } + @{ + ParameterName = "TimeStamp" + ParameterValue = "/tr ""$SigningServer"" /td sha256" + } + ) + + $esrp = @(@{ + keyCode = $CertificateId + operationSetCode = "SigntoolSign" + parameters = $esrpParameters + toolName = "signtool.exe" + toolVersion = "6.2.9304.0" + }) + + $vstsCommandString = "vso[task.setvariable variable=$VariableName][$($esrp | ConvertTo-Json -Compress)]" + Write-Verbose -Message ("sending " + $vstsCommandString) -Verbose + Write-Host "##$vstsCommandString" + + $vstsCommandString = "vso[task.setvariable variable=GDN_CODESIGN_TARGETDIRECTORY]${{ parameters.signOutputPath }}" + Write-Verbose -Message ("sending " + $vstsCommandString) -Verbose + Write-Host "##$vstsCommandString" + displayName: Generate signing JSON + condition: and(and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True')), ne(variables['SigningServer'], '')) diff --git a/template-compliance/nuget-sign.yml b/template-compliance/nuget-sign.yml new file mode 100644 index 0000000..c8b734a --- /dev/null +++ b/template-compliance/nuget-sign.yml 
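Review bot: `buildOutputPath` and `pattern` are declared as parameters of template-compliance/authenticode-sign.yml, but nothing in its single step references them — only `parameters.certificateId` and `parameters.signOutputPath` are expanded — so they are dead inputs that imply file selection this template does not perform; the same holds for the parameter block of nuget-sign.yml. Either drop them or place `# buildOutputPath and pattern are not read by this template; they are accepted only so callers can pass the same parameter set as EsrpSign.yml` above `parameters:`. A header comment would also help a reader who lands on this file alone: its only effect is to emit `EsrpJson` (a signtool operation set whose `/tr` timestamp URL is taken from `$(SigningServer)`) and `GDN_CODESIGN_TARGETDIRECTORY` through `##vso[task.setvariable]` logging commands, for a signing task run later by the including pipeline. Since `$(SigningServer)` is macro-expanded inside a single-quoted PowerShell literal, a value containing `'` would break the script rather than be handled; documenting that the variable must be a plain URL is cheap, and the `ne(variables['SigningServer'], '')` guard in the step condition is justified here precisely because the timestamp parameter depends on it.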
@@ -0,0 +1,41 @@ +parameters: + - name: "buildOutputPath" + default: "$(Build.ArtifactStagingDirectory)\\build" + - name: "signOutputPath" + default: "$(Build.ArtifactStagingDirectory)\\signed" + - name: "pattern" + default: "*.nupkg" + - name: "certificateId" + default: "CP-401405" + +steps: +- pwsh: | + [string] $CertificateId = "${{ parameters.certificateId }}" + Write-Verbose "CertificateId - $CertificateId" -Verbose + + [string] $VariableName = "EsrpJson" + + $esrp = @( + @{ + keyCode = $CertificateId + operationSetCode = "NuGetSign" + toolName = "sign" + toolVersion = "1.0" + }, + @{ + keyCode = $CertificateId + operationSetCode = "NuGetVerify" + toolName = "sign" + toolVersion = "1.0" + } + ) + + $vstsCommandString = "vso[task.setvariable variable=$VariableName][$($esrp | ConvertTo-Json -Compress)]" + Write-Verbose -Message ("sending " + $vstsCommandString) -Verbose + Write-Host "##$vstsCommandString" + + $vstsCommandString = "vso[task.setvariable variable=GDN_CODESIGN_TARGETDIRECTORY]${{ parameters.signOutputPath }}" + Write-Verbose -Message ("sending " + $vstsCommandString) -Verbose + Write-Host "##$vstsCommandString" + displayName: Generate signing JSON + condition: and(and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')), ne(variables['SkipSigning'], 'True')), ne(variables['SigningServer'], ''))
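Review bot: The step `condition` in nuget-sign.yml keeps the `ne(variables['SigningServer'], '')` guard copied from the authenticode template, yet nothing in this file uses `SigningServer` — the `NuGetSign`/`NuGetVerify` operations carry no TimeStamp parameter — so NuGet signing is silently skipped whenever that variable is empty for no reason visible here. If the guard is not needed, `condition: and(succeeded(), eq(variables['Build.Reason'], 'Manual'), ne(variables['SkipSigning'], 'True'))` expresses the remaining intent; if timestamping is intended for the NuGet operation, the operation set is missing the parameter that would use the server and the guard should stay with a comment saying why. Either way a one-line comment above `condition:` stating which case applies stops the next reader from deleting or re-adding the guard by analogy. Pairing `NuGetSign` with `NuGetVerify` in the same operation set is a good defensive choice; a comment such as `# NuGetVerify follows NuGetSign so the produced signature is checked in the same ESRP call — confirm against ESRP docs` would record that intent.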