Merge pull request #46 from microsoft/esrpCodeSigningV5

Updated EsrpCodeSigning to v5.
microsoft · Jun 17, 2024 · 29094d8 · 29094d8
2 parents 46c142d + d1c5a15
commit 29094d8
Show file tree

Hide file tree

Showing 5 changed files with 56 additions and 10 deletions.
diff --git a/.pipelines/build.yml b/.pipelines/build.yml
@@ -75,4 +75,5 @@ extends:
                 parameters:
                   dotnet_configuration: ${{ dotnet_config }}
                   AgentOS: $(Agent.OS)
-                  DoEsrp: false
+                  DoEsrp: false
+                  signingIdentity: {}
diff --git a/.pipelines/release.yml b/.pipelines/release.yml
@@ -24,6 +24,15 @@ parameters:
   - name: DoEsrp
     type: boolean
     default: true
+  - name: signingIdentity
+    type: object
+    default:
+      serviceName: $(SigningServiceName)
+      appId: $(SigningAppId)
+      tenantId: $(SigningTenantId)
+      akvName: $(SigningAKVName)
+      authCertName: $(SigningAuthCertName)
+      signCertName: $(SigningSignCertName)
   - name: pools
     type: object
     default:
@@ -95,11 +104,13 @@ extends:
                   dotnet_configuration: ${{ dotnet_config }}
                   AgentOS: $(Agent.OS)
                   DoEsrp: ${{ parameters.DoEsrp }}
+                  signingIdentity: ${{ parameters.signingIdentity }}
               - template: ./.pipelines/templates/pack-nuget.yaml@self
                 parameters:
                   dotnet_configuration: ${{ dotnet_config }}
                   AgentOS: $(Agent.OS)
                   DoEsrp: ${{ parameters.DoEsrp }}
+                  signingIdentity: ${{ parameters.signingIdentity }}
 
       - stage: CLI
         dependsOn: NuGet
@@ -148,4 +159,5 @@ extends:
                     dotnet_arch: ${{ platform }}
                     dotnet_configuration: ${{ dotnet_config }}
                     AgentOS: $(Agent.OS)
-                    DoEsrp: ${{ parameters.DoEsrp }}
+                    DoEsrp: ${{ parameters.DoEsrp }}
+                    signingIdentity: ${{ parameters.signingIdentity }}
diff --git a/.pipelines/templates/build-cli.yaml b/.pipelines/templates/build-cli.yaml
@@ -5,6 +5,13 @@ parameters:
   dotnet_configuration: ''
   AgentOS: ''
   DoEsrp: false
+  signingIdentity:
+    serviceName: ''
+    appId: ''
+    tenantId: ''
+    akvName: ''
+    authCertName: ''
+    signCertName: ''
 
 steps:
 - task: DotNetCoreCLI@2
@@ -31,11 +38,16 @@ steps:
 - script: dotnet publish MSStore.CLI --no-build --no-self-contained -r ${{ parameters.dotnet_runtime }}-${{ parameters.dotnet_arch }} -f ${{ parameters.dotnet_framework }} /p:Configuration=${{ parameters.dotnet_configuration }} /p:PublishProfile=${{ parameters.dotnet_runtime }}-${{ parameters.dotnet_arch }}
   displayName: Publish NoSelfContained CLI
 - ${{ if eq(parameters['DoEsrp'], 'true') }}:
-  - task: EsrpCodeSigning@2
+  - task: EsrpCodeSigning@5
     displayName: Code Sign ESRP - CLI - 3rd Party Dependencies
     condition: startsWith(variables.AgentOS, 'Windows_NT')
     inputs:
-      ConnectedServiceName: 'MSStoreCLI - ESRP Code Signing'
+      ConnectedServiceName: ${{ parameters.signingIdentity.serviceName }}
+      AppRegistrationClientId: ${{ parameters.signingIdentity.appId }}
+      AppRegistrationTenantId: ${{ parameters.signingIdentity.tenantId }}
+      AuthAKVName: ${{ parameters.signingIdentity.akvName }}
+      AuthCertName: ${{ parameters.signingIdentity.authCertName }}
+      AuthSignCertName: ${{ parameters.signingIdentity.signCertName }}
       FolderPath: '$(System.DefaultWorkingDirectory)/MSStore.CLI/bin/${{ parameters.dotnet_configuration }}/${{ parameters.dotnet_framework }}/${{ parameters.dotnet_runtime }}-${{ parameters.dotnet_arch }}/publish'
       Pattern: |
         Meziantou.Framework.Win32.CredentialManager.dll,
@@ -66,11 +78,16 @@ steps:
                 "ToolVersion": "1.0"
             }
         ]
-  - task: EsrpCodeSigning@2
+  - task: EsrpCodeSigning@5
     displayName: Code Sign ESRP - CLI Windows + Existing DLLs & Authenticode
     condition: startsWith(variables.AgentOS, 'Windows_NT')
     inputs:
-      ConnectedServiceName: 'MSStoreCLI - ESRP Code Signing'
+      ConnectedServiceName: ${{ parameters.signingIdentity.serviceName }}
+      AppRegistrationClientId: ${{ parameters.signingIdentity.appId }}
+      AppRegistrationTenantId: ${{ parameters.signingIdentity.tenantId }}
+      AuthAKVName: ${{ parameters.signingIdentity.akvName }}
+      AuthCertName: ${{ parameters.signingIdentity.authCertName }}
+      AuthSignCertName: ${{ parameters.signingIdentity.signCertName }}
       FolderPath: '$(System.DefaultWorkingDirectory)/MSStore.CLI/bin/${{ parameters.dotnet_configuration }}/${{ parameters.dotnet_framework }}/${{ parameters.dotnet_runtime }}-${{ parameters.dotnet_arch }}/publish'
       Pattern: |
         msstore.exe

diff --git a/.pipelines/templates/build-nuget.yaml b/.pipelines/templates/build-nuget.yaml
@@ -9,6 +9,9 @@ parameters:
   - name: DoEsrp
     type: boolean
     default: false
+  - name: signingIdentity
+    type: object
+    default: {}
 
 steps:
 - bash: |
@@ -62,11 +65,16 @@ steps:
     codeCoverageTool: 'Cobertura'
     summaryFileLocation: '$(Build.SourcesDirectory)/report/Cobertura.xml'
 - ${{ if eq(parameters['DoEsrp'], 'true') }}:
-  - task: EsrpCodeSigning@2
+  - task: EsrpCodeSigning@5
     displayName: Code Sign ESRP - API DLL
     condition: startsWith(variables.AgentOS, 'Linux')
     inputs:
-      ConnectedServiceName: 'MSStoreCLI - ESRP Code Signing'
+      ConnectedServiceName: ${{ parameters.signingIdentity.serviceName }}
+      AppRegistrationClientId: ${{ parameters.signingIdentity.appId }}
+      AppRegistrationTenantId: ${{ parameters.signingIdentity.tenantId }}
+      AuthAKVName: ${{ parameters.signingIdentity.akvName }}
+      AuthCertName: ${{ parameters.signingIdentity.authCertName }}
+      AuthSignCertName: ${{ parameters.signingIdentity.signCertName }}
       FolderPath: '$(System.DefaultWorkingDirectory)/MSStore.API/bin/${{ parameters.dotnet_configuration }}/net8.0'
       Pattern: 'MSStore.API.dll'
       signConfigType: inlineSignParams

diff --git a/.pipelines/templates/pack-nuget.yaml b/.pipelines/templates/pack-nuget.yaml
@@ -9,16 +9,24 @@ parameters:
   - name: DoEsrp
     type: boolean
     default: false
+  - name: signingIdentity
+    type: object
+    default: {}
 
 steps:
 - script: dotnet pack MSStore.API --no-build -c ${{ parameters.dotnet_configuration }}
   displayName: Pack NuGet
 - ${{ if eq(parameters['DoEsrp'], 'true') }}:
-  - task: EsrpCodeSigning@2
+  - task: EsrpCodeSigning@5
     displayName: Code Sign ESRP - Nuget
     condition: startsWith(variables.AgentOS, 'Linux')
     inputs:
-      ConnectedServiceName: 'MSStoreCLI - ESRP Code Signing'
+      ConnectedServiceName: ${{ parameters.signingIdentity.serviceName }}
+      AppRegistrationClientId: ${{ parameters.signingIdentity.appId }}
+      AppRegistrationTenantId: ${{ parameters.signingIdentity.tenantId }}
+      AuthAKVName: ${{ parameters.signingIdentity.akvName }}
+      AuthCertName: ${{ parameters.signingIdentity.authCertName }}
+      AuthSignCertName: ${{ parameters.signingIdentity.signCertName }}
       FolderPath: '$(System.DefaultWorkingDirectory)/MSStore.API/bin/${{ parameters.dotnet_configuration }}'
       Pattern: '*.nupkg'
       signConfigType: inlineSignParams