[vcpkg] Add build scripts to produce signed vcpkg binaries. (#13508)

scripts/azure-pipelines/linux/azure-pipelines.yml

@@ -41,15 +41,15 @@ jobs:
     inputs:
       failOnStderr: true
       filePath: 'scripts/azure-pipelines/test-modified-ports.ps1'
-      arguments: '-Triplet x64-linux -BuildReason $(Build.Reason) -ArchivesRoot /archives -WorkingRoot ${{ variables.WORKING_ROOT }} -ArtifactsDirectory $(System.ArtifactsDirectory)'
+      arguments: '-Triplet x64-linux -BuildReason $(Build.Reason) -ArchivesRoot /archives -WorkingRoot ${{ variables.WORKING_ROOT }} -ArtifactStagingDirectory $(Build.ArtifactStagingDirectory)'
   - bash: |
       df -h
     displayName: 'Report on Disk Space After Build'
     condition: always()
   - task: PublishBuildArtifacts@1
     displayName: 'Publish Artifact: failure logs for x64-linux'
     inputs:
-      PathtoPublish: '$(System.ArtifactsDirectory)/failure-logs'
+      PathtoPublish: '$(Build.ArtifactStagingDirectory)/failure-logs'
       ArtifactName: 'failure logs for x64-linux'
     condition: failed()
   - bash: |

scripts/azure-pipelines/osx/azure-pipelines.yml

@@ -51,15 +51,15 @@ jobs:
     inputs:
       failOnStderr: true
       filePath: 'scripts/azure-pipelines/test-modified-ports.ps1'
-      arguments: '-Triplet x64-osx -BuildReason $(Build.Reason) -ArchivesRoot ${{ variables.WORKING_ROOT }}/archives -WorkingRoot ${{ variables.WORKING_ROOT }} -ArtifactsDirectory $(System.ArtifactsDirectory)'
+      arguments: '-Triplet x64-osx -BuildReason $(Build.Reason) -ArchivesRoot ${{ variables.WORKING_ROOT }}/archives -WorkingRoot ${{ variables.WORKING_ROOT }} -ArtifactStagingDirectory $(Build.ArtifactStagingDirectory)'
   - bash: |
       df -h
     displayName: 'Report on Disk Space After Build'
     condition: always()
   - task: PublishBuildArtifacts@1
     displayName: 'Publish Artifact: failure logs for x64-osx'
     inputs:
-      PathtoPublish: '$(System.ArtifactsDirectory)/failure-logs'
+      PathtoPublish: '$(Build.ArtifactStagingDirectory)/failure-logs'
       ArtifactName: 'failure logs for x64-osx'
     condition: failed()
   - bash: |

scripts/azure-pipelines/signing.yml

@@ -0,0 +1,109 @@
+# This script is used internally to produce signed vcpkg builds.
+# It uses machines / tasks that are not exposed here on GitHub, as
+# the hardware on which we allow signing is restricted.
+
+trigger: none
+
+variables:
+  TeamName: vcpkg
+jobs:
+  - job: windows
+    displayName: "Windows"
+    dependsOn:
+    pool:
+      name: 'VSEng-MicroBuildVS2019'
+      demands:
+        - CMAKE
+    steps:
+    - task: PoliCheck@1
+      inputs:
+        inputType: 'Basic'
+        targetType: 'F'
+        targetArgument: '$(Build.SourcesDirectory)'
+        result: 'PoliCheck.xml'
+    - task: CmdLine@2
+      displayName: "Build vcpkg with CMake"
+      inputs:
+        failOnStderr: true
+        script: |
+          call "C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\Common7\Tools\VsDevCmd.bat" -arch=x86 -host_arch=x86
+          cmake.exe -G Ninja -DCMAKE_BUILD_TYPE=Release -DBUILD_TESTING=OFF -DVCPKG_DEVELOPMENT_WARNINGS=ON -DVCPKG_WARNINGS_AS_ERRORS=ON -DVCPKG_BUILD_FUZZING=OFF -B "$(Build.StagingDirectory)" -S toolsrc
+          ninja.exe -C "$(Build.StagingDirectory)"
+    - task: MicroBuildSigningPlugin@2
+      inputs:
+        signType: 'real'
+        feedSource: 'https://devdiv.pkgs.visualstudio.com/DefaultCollection/_packaging/MicroBuildToolset/nuget/v3/index.json'
+    - task: NuGetToolInstaller@1
+      inputs:
+        versionSpec: 5.7
+    - task: NuGetCommand@2
+      displayName: 'NuGet Restore MicroBuild Signing Extension'
+      inputs:
+        command: 'restore'
+        restoreSolution: 'scripts/azure-pipelines/windows/signing.signproj'
+        feedsToUse: 'config'
+        restoreDirectory: '$(Build.SourcesDirectory)\scripts\azure-pipelines\packages'
+    - task: MSBuild@1
+      displayName: 'Sign vcpkg.exe'
+      inputs:
+        solution: 'scripts\azure-pipelines\windows\signing.signproj'
+        msbuildArguments: '/p:OutDir=$(Build.ArtifactStagingDirectory)\ /p:IntermediateOutputPath=$(Build.StagingDirectory)\'
+    - task: BinSkim@3
+      inputs:
+        InputType: 'CommandLine'
+        arguments: 'analyze "$(Build.StagingDirectory)\vcpkg.exe"'
+    - task: PublishBuildArtifacts@1
+      displayName: 'Publish vcpkg.exe'
+      inputs:
+        PathtoPublish: '$(Build.ArtifactStagingDirectory)\vcpkg.exe'
+        ArtifactName: 'Windows'
+        publishLocation: 'Container'
+    - task: PublishBuildArtifacts@1
+      displayName: 'Publish vcpkg.pdb'
+      inputs:
+        PathtoPublish: '$(Build.ArtifactStagingDirectory)\vcpkg.pdb'
+        ArtifactName: 'Windows'
+        publishLocation: 'Container'
+    - task: MicroBuildCleanup@1
+      condition: succeededOrFailed()
+      displayName: MicroBuild Cleanup
+  - job: macos_build
+    displayName: 'MacOS Build'
+    pool:
+      vmImage: macOS-10.15
+    steps:
+    - task: CmdLine@2
+      displayName: "Build vcpkg with CMake"
+      inputs:
+        failOnStderr: true
+        script: |
+          cmake -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_BUILD_TYPE=Release -DBUILD_TESTING=OFF -DVCPKG_DEVELOPMENT_WARNINGS=ON -DVCPKG_WARNINGS_AS_ERRORS=ON -DVCPKG_BUILD_FUZZING=OFF -B "$(Build.StagingDirectory)" -S toolsrc
+          make -j 8 -C "$(Build.StagingDirectory)"
+          zip "$(Build.StagingDirectory)/vcpkg.zip" "$(Build.StagingDirectory)/vcpkg"
+    - task: PublishBuildArtifacts@1
+      displayName: "Publish Unsigned MacOS Binary"
+      inputs:
+        PathtoPublish: '$(Build.StagingDirectory)/vcpkg.zip'
+        ArtifactName: 'staging'
+        publishLocation: 'Container'
+  - job: macos_sign
+    displayName: 'MacOS Sign'
+    dependsOn: macos_build
+    pool:
+      name: VSEng-MicroBuildVS2019
+    steps:
+      - checkout: none
+      - task: DownloadBuildArtifacts@0
+        displayName: 'Download Unsigned Binary'
+        inputs:
+          artifactName: staging
+      - task: ms-vseng.MicroBuildTasks.7973a23b-33e3-4b00-a7d9-c06d90f8297f.MicroBuildSignMacFiles@1
+        displayName: 'Sign Mac Files'
+        inputs:
+          SigningTarget: '$(Build.ArtifactStagingDirectory)\staging\vcpkg.zip'
+          SigningCert: 8003
+      - task: PublishBuildArtifacts@1
+        displayName: 'Publish Signed Binary'
+        inputs:
+          PathtoPublish: '$(Build.ArtifactStagingDirectory)\staging\vcpkg.zip'
+          ArtifactName: 'MacOS'

scripts/azure-pipelines/test-modified-ports.ps1

@@ -15,7 +15,7 @@ The location where the binary caching archives are stored. Shared across runs of
 .PARAMETER WorkingRoot
 The location used as scratch space for 'installed', 'packages', and 'buildtrees' vcpkg directories.
 
-.PARAMETER ArtifactsDirectory
+.PARAMETER ArtifactStagingDirectory
 The Azure Pipelines artifacts directory. If not supplied, defaults to the current directory.
 
 .PARAMETER BuildReason
@@ -35,7 +35,7 @@ Param(
     [ValidateNotNullOrEmpty()]
     $WorkingRoot,
     [ValidateNotNullOrEmpty()]
-    $ArtifactsDirectory = '.',
+    $ArtifactStagingDirectory = '.',
     $BuildReason = $null
 )
 
@@ -83,11 +83,11 @@ else {
     $executableExtension = '.exe'
 }
 
-$xmlResults = Join-Path $ArtifactsDirectory 'xml-results'
+$xmlResults = Join-Path $ArtifactStagingDirectory 'xml-results'
 mkdir $xmlResults
 $xmlFile = Join-Path $xmlResults "$Triplet.xml"
 
-$failureLogs = Join-Path $ArtifactsDirectory 'failure-logs'
+$failureLogs = Join-Path $ArtifactStagingDirectory 'failure-logs'
 
 & "./vcpkg$executableExtension" x-ci-clean @commonArgs
 $skipList = . "$PSScriptRoot/generate-skip-list.ps1" `

scripts/azure-pipelines/windows/azure-pipelines.yml

@@ -57,7 +57,7 @@ jobs:
     inputs:
       failOnStderr: true
       filePath: 'scripts/azure-pipelines/test-modified-ports.ps1'
-      arguments: '-Triplet ${{ parameters.triplet }} -BuildReason $(Build.Reason) -ArchivesRoot W:\ -WorkingRoot ${{ variables.WORKING_ROOT }} -ArtifactsDirectory $(System.ArtifactsDirectory)'
+      arguments: '-Triplet ${{ parameters.triplet }} -BuildReason $(Build.Reason) -ArchivesRoot W:\ -WorkingRoot ${{ variables.WORKING_ROOT }} -ArtifactStagingDirectory $(Build.ArtifactStagingDirectory)'
       pwsh: true
   - task: PowerShell@2
     displayName: 'Report on Disk Space After Build'
@@ -68,7 +68,7 @@ jobs:
   - task: PublishBuildArtifacts@1
     displayName: 'Publish Artifact: failure logs for ${{ parameters.triplet }}'
     inputs:
-      PathtoPublish: '$(System.ArtifactsDirectory)\failure-logs'
+      PathtoPublish: '$(Build.ArtifactStagingDirectory)\failure-logs'
       ArtifactName: 'failure logs for ${{ parameters.triplet }}'
     condition: failed()
   - task: PowerShell@2

scripts/azure-pipelines/windows/packages.config

@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?>
+<packages>
+  <package id="Microsoft.VisualStudioEng.MicroBuild.Core" version="0.4.1" targetFramework="native" developmentDependency="true" />
+</packages>

scripts/azure-pipelines/windows/signing.signproj

@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+
+  <Import Project="$(MSBuildThisFileDirectory)..\packages\Microsoft.VisualStudioEng.MicroBuild.Core.0.4.1\build\Microsoft.VisualStudioEng.MicroBuild.Core.props" Condition="Exists('..\packages\Microsoft.VisualStudioEng.MicroBuild.Core.0.4.1\build\Microsoft.VisualStudioEng.MicroBuild.Core.props')" />
+
+  <ItemGroup>
+    <PackageReference Include="Microsoft.VisualStudioEng.MicroBuild.Core" Version="0.4.1">
+      <PrivateAssets>all</PrivateAssets>
+      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+    </PackageReference>
+  </ItemGroup>
+
+  <ItemGroup>
+    <FilesToSign Include="$(IntermediateOutputPath)\vcpkg.exe">
+      <Authenticode>Microsoft400</Authenticode>
+    </FilesToSign>
+  </ItemGroup>
+
+  <ImportGroup Label="ExtensionTargets">
+    <Import Project="$(MSBuildThisFileDirectory)..\packages\Microsoft.VisualStudioEng.MicroBuild.Core.0.4.1\build\Microsoft.VisualStudioEng.MicroBuild.Core.targets" Condition="Exists('..\packages\Microsoft.VisualStudioEng.MicroBuild.Core.0.4.1\build\Microsoft.VisualStudioEng.MicroBuild.Core.targets')" />
+  </ImportGroup>
+  <Target Name="EnsureNuGetPackageBuildImports" BeforeTargets="Build">
+    <PropertyGroup>
+      <ErrorText>This project references NuGet package(s) that are missing on this computer. Use NuGet Package Restore to download them.  For more information, see http://go.microsoft.com/fwlink/?LinkID=322105. The missing file is {0}.</ErrorText>
+    </PropertyGroup>
+    <Error Condition="!Exists('$(MSBuildThisFileDirectory)..\packages\Microsoft.VisualStudioEng.MicroBuild.Core.0.4.1\build\Microsoft.VisualStudioEng.MicroBuild.Core.props')" Text="$([System.String]::Format('$(ErrorText)', '$(MSBuildThisFileDirectory)..\packages\Microsoft.VisualStudioEng.MicroBuild.Core.0.4.1\build\Microsoft.VisualStudioEng.MicroBuild.Core.props'))" />
+    <Error Condition="!Exists('$(MSBuildThisFileDirectory)..\packages\Microsoft.VisualStudioEng.MicroBuild.Core.0.4.1\build\Microsoft.VisualStudioEng.MicroBuild.Core.targets')" Text="$([System.String]::Format('$(ErrorText)', '$(MSBuildThisFileDirectory)..\packages\Microsoft.VisualStudioEng.MicroBuild.Core.0.4.1\build\Microsoft.VisualStudioEng.MicroBuild.Core.targets'))" />
+  </Target>
+
+  <!-- Define an empty build target as we don't really build anything -->
+  <Target Name="Build" />
+
+  <!-- Target AfterBuild is required to trigger signing -->
+  <Target Name="AfterBuild" AfterTargets="Build" />
+
+</Project>

toolsrc/CMakeLists.txt

@@ -56,6 +56,17 @@ set(CMAKE_CXX_STANDARD_REQUIRED ON)
 set(CMAKE_CXX_STANDARD 17)
 if(MSVC)
     string(REGEX REPLACE "[-/]W[0-4]" "" CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}")
+    if (CMAKE_BUILD_TYPE STREQUAL "Release")
+        set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} /Zi /guard:cf")
+        set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} /DEBUG /debugtype:cv,fixup /guard:cf")
+    endif()
+endif()
+
+if(APPLE)
+    SET(CMAKE_C_ARCHIVE_CREATE   "<CMAKE_AR> Scr <TARGET> <LINK_FLAGS> <OBJECTS>")
+    SET(CMAKE_CXX_ARCHIVE_CREATE "<CMAKE_AR> Scr <TARGET> <LINK_FLAGS> <OBJECTS>")
+    SET(CMAKE_C_ARCHIVE_FINISH   "<CMAKE_RANLIB> -no_warning_for_no_symbols -c <TARGET>")
+    SET(CMAKE_CXX_ARCHIVE_FINISH "<CMAKE_RANLIB> -no_warning_for_no_symbols -c <TARGET>")
 endif()
 
 # ===============