From 850820f714f63aa102d46b06f24837aa2125e798 Mon Sep 17 00:00:00 2001 From: peterstone2017 <12449837+YunchuWang@users.noreply.github.com> Date: Thu, 27 Mar 2025 10:59:40 -0700 Subject: [PATCH 1/2] ESRP sign the packages to be compliant for release --- azurefunctions/build.gradle | 7 +++---- azuremanaged/build.gradle | 4 ++++ client/build.gradle | 7 +++---- eng/templates/build.yml | 14 ++++++++++---- 4 files changed, 20 insertions(+), 12 deletions(-) diff --git a/azurefunctions/build.gradle b/azurefunctions/build.gradle index f24c3ec4..42da9b61 100644 --- a/azurefunctions/build.gradle +++ b/azurefunctions/build.gradle @@ -77,10 +77,9 @@ publishing { } } -// TODO: manual signing temporarily disabled, in favor of 1ES signing utils -//signing { -// sign publishing.publications.mavenJava -//} +signing { + sign publishing.publications.mavenJava +} java { withSourcesJar() diff --git a/azuremanaged/build.gradle b/azuremanaged/build.gradle index 697664e9..8ea6ce81 100644 --- a/azuremanaged/build.gradle +++ b/azuremanaged/build.gradle @@ -110,6 +110,10 @@ publishing { } } +signing { + sign publishing.publications.mavenJava +} + java { withSourcesJar() withJavadocJar() diff --git a/client/build.gradle b/client/build.gradle index 3c270bb1..baf9496b 100644 --- a/client/build.gradle +++ b/client/build.gradle @@ -173,10 +173,9 @@ publishing { } } -// TODO: manual signing temporarily disabled, in favor of 1ES signing -//signing { -// sign publishing.publications.mavenJava -//} +signing { + sign publishing.publications.mavenJava +} java { withSourcesJar() diff --git a/eng/templates/build.yml b/eng/templates/build.yml index 9919c6d2..42550475 100644 --- a/eng/templates/build.yml +++ b/eng/templates/build.yml @@ -8,7 +8,6 @@ jobs: artifact: drop sbomBuildDropPath: $(System.DefaultWorkingDirectory) sbomPackageName: 'Durable Task / Durable Functions Java SBOM' - steps: - checkout: self 
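Review bot: The re-enabled `signing` block in azurefunctions/build.gradle, and the identical blocks in the azuremanaged and client hunks, replace the removed TODO with no comment about where the key material comes from. Nothing in these files says that `signing.keyId`, `signing.password` and `signing.secretKeyRingFile` are expected as project properties; that is only visible in eng/templates/build.yml. I would add a line above each block such as `// Signatory comes from -Psigning.keyId / signing.password / signing.secretKeyRingFile, passed by eng/templates/build.yml`. The enclosing build scripts continue outside these hunks.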
@@ -25,9 +24,15 @@ jobs: jdkArchitectureOption: 'x64' publishJUnitResults: false tasks: clean assemble - displayName: Assemble durabletask-client and durabletask-azure-functions + displayName: Assemble durabletask-client and durabletask-azure-functions and durabletask-azuremanaged + + # the secring.gpg file is required to sign the artifacts, it's generated from GnuPG, and it's stored in the library of the durabletaskframework ADO + - task: DownloadSecureFile@1 + name: gpgSecretFile + displayName: 'Download GPG secret file' + inputs: + secureFile: 'secring.gpg' - # TODO: add 1ES-level signing - task: Gradle@3 inputs: workingDirectory: '' @@ -37,7 +42,8 @@ jobs: jdkVersionOption: 1.11 jdkArchitectureOption: 'x64' tasks: publish - displayName: Publish durabletask-client and durabletask-azure-functions + options: '-Psigning.keyId=$(gpgSignKey) -Psigning.password=$(gpgSignPassword) -Psigning.secretKeyRingFile=$(gpgSecretFile.secureFilePath)' + displayName: Publish durabletask-client and durabletask-azure-functions and durabletask-azuremanaged - task: CopyFiles@2 displayName: 'Copy publish file to Artifact Staging Directory' From a93808d0cd524dc86e7235274aee9f6c2632ea7b Mon Sep 17 00:00:00 2001 From: peterstone2017 <12449837+YunchuWang@users.noreply.github.com> Date: Thu, 27 Mar 2025 11:26:20 -0700 Subject: [PATCH 2/2] skip signing pub to local --- .github/workflows/build-validation.yml | 4 ++-- azurefunctions/build.gradle | 1 + azuremanaged/build.gradle | 3 ++- client/build.gradle | 1 + 4 files changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build-validation.yml b/.github/workflows/build-validation.yml index 28eeda4b..7659f586 100644 --- a/.github/workflows/build-validation.yml +++ b/.github/workflows/build-validation.yml 
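Review bot: The `options:` line added to the publish step passes `$(gpgSignPassword)` as a `-Psigning.password=` command-line argument, so the passphrase is readable in the agent's process list for the duration of the Gradle run, and masking in the step log does not cover that. A passphrase containing spaces or shell metacharacters would also break the argument string. Consider handing the secrets over through the step's `env:` mapping, e.g. `ORG_GRADLE_PROJECT_signingPassword: $(gpgSignPassword)`, and reading them in the `signing` blocks (the signing plugin's `useInMemoryPgpKeys` is meant for CI use); this needs a matching change in the build.gradle files. The new comment above `DownloadSecureFile@1` could also state that this is GPG signing via the Gradle plugin, since the commit subject and the removed `# TODO: add 1ES-level signing` both suggest ESRP/1ES signing.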
@@ -131,7 +131,7 @@ jobs: uses: gradle/gradle-build-action@v2 - name: Publish to local - run: ./gradlew publishToMavenLocal + run: ./gradlew publishToMavenLocal -PskipSigning - name: Build azure functions sample run: ./gradlew azureFunctionsPackage @@ -170,7 +170,7 @@ jobs: uses: gradle/gradle-build-action@v2 - name: Publish to local - run: ./gradlew publishToMavenLocal + run: ./gradlew publishToMavenLocal -PskipSigning - name: Build azure functions sample run: ./gradlew azureFunctionsPackage diff --git a/azurefunctions/build.gradle b/azurefunctions/build.gradle index 42da9b61..4a3eeac7 100644 --- a/azurefunctions/build.gradle +++ b/azurefunctions/build.gradle @@ -78,6 +78,7 @@ publishing { } signing { + required = !project.hasProperty("skipSigning") sign publishing.publications.mavenJava } diff --git a/azuremanaged/build.gradle b/azuremanaged/build.gradle index 8ea6ce81..5343b3bd 100644 --- a/azuremanaged/build.gradle +++ b/azuremanaged/build.gradle @@ -111,7 +111,8 @@ publishing { } signing { - sign publishing.publications.mavenJava + required = !project.hasProperty("skipSigning") + sign publishing.publications.mavenJava } java { diff --git a/client/build.gradle b/client/build.gradle index baf9496b..937d2ba1 100644 --- a/client/build.gradle +++ b/client/build.gradle @@ -174,6 +174,7 @@ publishing { } signing { + required = !project.hasProperty("skipSigning") sign publishing.publications.mavenJava }
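Review bot: `required = !project.hasProperty("skipSigning")` in the azurefunctions/build.gradle hunk (and the same line in the azuremanaged and client hunks) tests only that the property exists, so `-PskipSigning=false`, a stray `skipSigning` entry in a gradle.properties file, or an `ORG_GRADLE_PROJECT_skipSigning` environment variable also turns the requirement off. With `required` false the signing plugin skips the sign tasks when no signatory is configured instead of failing, so a release run with missing or misconfigured key properties could publish unsigned artifacts without an error. Consider comparing the value, e.g. `required = project.findProperty("skipSigning") != "true"` with the workflow passing `-PskipSigning=true`, and having the release pipeline check that the `.asc` signature files exist before the copy step.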