From 2088583ac6efa04b3ac5269fa586f71a8268ea78 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Moreno?= Date: Tue, 13 Oct 2020 15:56:16 +0200 Subject: [PATCH 1/2] ESRP Cert (#108366) * update ESRP * update to new ESRP cert * make gulp fail when inno setup fails * fix esrp * debug * update esrp client version * :facepalm: * argh * update esrpclient * argh --- .../win32/ESRPClient/packages.config | 2 +- .../win32/import-esrp-auth-cert.ps1 | 31 ++++++++++--------- .../win32/product-build-win32-arm64.yml | 8 +++-- .../win32/product-build-win32.yml | 8 +++-- build/azure-pipelines/win32/sign.ps1 | 3 +- build/gulpfile.vscode.win32.js | 8 ++++- 6 files changed, 37 insertions(+), 23 deletions(-) diff --git a/build/azure-pipelines/win32/ESRPClient/packages.config b/build/azure-pipelines/win32/ESRPClient/packages.config index c10bed141215a..ef586de976273 100644 --- a/build/azure-pipelines/win32/ESRPClient/packages.config +++ b/build/azure-pipelines/win32/ESRPClient/packages.config @@ -1,4 +1,4 @@ - + diff --git a/build/azure-pipelines/win32/import-esrp-auth-cert.ps1 b/build/azure-pipelines/win32/import-esrp-auth-cert.ps1 index c345c7802310e..ce5831f908cd1 100644 --- a/build/azure-pipelines/win32/import-esrp-auth-cert.ps1 +++ b/build/azure-pipelines/win32/import-esrp-auth-cert.ps1 
@@ -1,14 +1,17 @@
-Param(
- [string]$AuthCertificateBase64,
- [string]$AuthCertificateKey
-)
-
-# Import auth certificate
-$AuthCertificateFileName = [System.IO.Path]::GetTempFileName()
-$AuthCertificateBytes = [Convert]::FromBase64String($AuthCertificateBase64)
-[IO.File]::WriteAllBytes($AuthCertificateFileName, $AuthCertificateBytes)
-$AuthCertificate = Import-PfxCertificate -FilePath $AuthCertificateFileName -CertStoreLocation Cert:\LocalMachine\My -Password (ConvertTo-SecureString $AuthCertificateKey -AsPlainText -Force)
-rm $AuthCertificateFileName
-$ESRPAuthCertificateSubjectName = $AuthCertificate.Subject
-
-Write-Output ("##vso[task.setvariable variable=ESRPAuthCertificateSubjectName;]$ESRPAuthCertificateSubjectName")
\ No newline at end of file
+param ($CertBase64)
+$ErrorActionPreference = "Stop"
+
+$CertBytes = [System.Convert]::FromBase64String($CertBase64)
+$CertCollection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
+$CertCollection.Import($CertBytes, $null, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable)
+
+$CertStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
+$CertStore.Open("ReadWrite")
+$CertStore.AddRange($CertCollection)
+$CertStore.Close()
+
+echo $CertCollection[0].HasPrivateKey
+echo $CertCollection[0].PrivateKey
+
+$ESRPAuthCertificateSubjectName = $CertCollection[0].Subject
+Write-Output ("##vso[task.setvariable variable=ESRPAuthCertificateSubjectName;]$ESRPAuthCertificateSubjectName")
diff --git a/build/azure-pipelines/win32/product-build-win32-arm64.yml b/build/azure-pipelines/win32/product-build-win32-arm64.yml
index ecb50ad678ed2..2e53167e61329 100644
--- a/build/azure-pipelines/win32/product-build-win32-arm64.yml
+++ b/build/azure-pipelines/win32/product-build-win32-arm64.yml
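Review bot: The `Import` call in `import-esrp-auth-cert.ps1` passes `X509KeyStorageFlags::Exportable`, so the ESRP auth private key is placed in `LocalMachine\My` in a form that can be exported again, and nothing in the script removes the certificate once signing is done. If the signing client only needs to use the key (it appears to look the certificate up by subject name; whether it tolerates a non-exportable key needs confirming), request a persisted, non-exportable machine key instead, e.g. `[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"MachineKeySet,PersistKeySet"`, and delete the certificate from the store in a cleanup step at the end of the job. Separately, `$CertCollection[0]` assumes the first entry in the PFX is the leaf that carries the private key; selecting with `$CertCollection | Where-Object { $_.HasPrivateKey }` and throwing when nothing matches would make that assumption explicit.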
@@ -171,9 +171,11 @@ steps: inputs: ESRP: 'ESRP CodeSign' -- powershell: | - $ErrorActionPreference = "Stop" - .\build\azure-pipelines\win32\import-esrp-auth-cert.ps1 -AuthCertificateBase64 $(esrp-auth-certificate) -AuthCertificateKey $(esrp-auth-certificate-key) +- task: PowerShell@2 + inputs: + targetType: filePath + filePath: .\build\azure-pipelines\win32\import-esrp-auth-cert.ps1 + arguments: "$(ESRP-SSL-AADAuth)" displayName: Import ESRP Auth Certificate - powershell: | diff --git a/build/azure-pipelines/win32/product-build-win32.yml b/build/azure-pipelines/win32/product-build-win32.yml index be80731a7ab2f..43bd2479a4e62 100644 --- a/build/azure-pipelines/win32/product-build-win32.yml +++ b/build/azure-pipelines/win32/product-build-win32.yml @@ -233,9 +233,11 @@ steps: inputs: ESRP: 'ESRP CodeSign' -- powershell: | - $ErrorActionPreference = "Stop" - .\build\azure-pipelines\win32\import-esrp-auth-cert.ps1 -AuthCertificateBase64 $(esrp-auth-certificate) -AuthCertificateKey $(esrp-auth-certificate-key) +- task: PowerShell@2 + inputs: + targetType: filePath + filePath: .\build\azure-pipelines\win32\import-esrp-auth-cert.ps1 + arguments: "$(ESRP-SSL-AADAuth)" displayName: Import ESRP Auth Certificate - powershell: | diff --git a/build/azure-pipelines/win32/sign.ps1 b/build/azure-pipelines/win32/sign.ps1 index 840cbe4071f8a..b73db31207f0d 100644 --- a/build/azure-pipelines/win32/sign.ps1 +++ b/build/azure-pipelines/win32/sign.ps1 @@ -12,6 +12,7 @@ $Auth = Create-TmpJson @{ SubjectName = $env:ESRPAuthCertificateSubjectName StoreLocation = "LocalMachine" StoreName = "My" + SendX5c = "true" } RequestSigningCert = @{ SubjectName = $env:ESRPCertificateSubjectName 
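Review bot: `arguments: "$(ESRP-SSL-AADAuth)"` expands the base64 certificate into the script's command line, where it is visible to process listings and command-line auditing on the agent and relies on log masking alone to stay out of the build output. Because the script imports the PFX with a `$null` password, that string is the complete credential. Map it through the task's `env:` block instead (for example `ESRP_AUTH_CERT: $(ESRP-SSL-AADAuth)`, a name constructed for this note) and have the script read `$env:ESRP_AUTH_CERT` rather than a positional parameter. The same applies to the identical hunk in `product-build-win32.yml`.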
@@ -67,4 +68,4 @@ $Input = Create-TmpJson @{ $Output = [System.IO.Path]::GetTempFileName() $ScriptPath = Split-Path -Path $MyInvocation.MyCommand.Definition -Parent -& "$ScriptPath\ESRPClient\packages\Microsoft.ESRPClient.1.2.25\tools\ESRPClient.exe" Sign -a $Auth -p $Policy -i $Input -o $Output +& "$ScriptPath\ESRPClient\packages\Microsoft.ESRPClient.*\tools\ESRPClient.exe" Sign -a $Auth -p $Policy -i $Input -o $Output diff --git a/build/gulpfile.vscode.win32.js b/build/gulpfile.vscode.win32.js index 2abc39976b42f..2027dc350cfcc 100644 --- a/build/gulpfile.vscode.win32.js +++ b/build/gulpfile.vscode.win32.js @@ -54,7 +54,13 @@ function packageInnoSetup(iss, options, cb) { cp.spawn(innoSetupPath, args, { stdio: ['ignore', 'inherit', 'inherit'] }) .on('error', cb) - .on('exit', () => cb(null)); + .on('exit', code => { + if (code === 0) { + cb(null); + } else { + cb(new Error(`InnoSetup returned exit code: ${code}`)); + } + }); } function buildWin32Setup(arch, target) { From 36b6d380ba8dc901c4d6e5e8faec4c2303e0acfb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jo=C3=A3o=20Moreno?= Date: Tue, 13 Oct 2020 16:04:20 +0200 Subject: [PATCH 2/2] remove echos --- build/azure-pipelines/win32/import-esrp-auth-cert.ps1 | 3 --- 1 file changed, 3 deletions(-) diff --git a/build/azure-pipelines/win32/import-esrp-auth-cert.ps1 b/build/azure-pipelines/win32/import-esrp-auth-cert.ps1 index ce5831f908cd1..f11f878c83fa5 100644 --- a/build/azure-pipelines/win32/import-esrp-auth-cert.ps1 +++ b/build/azure-pipelines/win32/import-esrp-auth-cert.ps1 @@ -10,8 +10,5 @@ $CertStore.Open("ReadWrite") $CertStore.AddRange($CertCollection) $CertStore.Close() -echo $CertCollection[0].HasPrivateKey -echo $CertCollection[0].PrivateKey - $ESRPAuthCertificateSubjectName = $CertCollection[0].Subject Write-Output ("##vso[task.setvariable variable=ESRPAuthCertificateSubjectName;]$ESRPAuthCertificateSubjectName")
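Review bot: The wildcard in `Microsoft.ESRPClient.*` makes the step run whichever ESRPClient directory happens to exist under `packages` rather than the version pinned in `packages.config`; if a stale or second version directory is present, the call is ambiguous or picks up an unintended binary. Since this executable is handed the auth certificate reference and the signing request, resolve the path explicitly and stop unless exactly one match exists, e.g. `$Client = @(Resolve-Path "$ScriptPath\ESRPClient\packages\Microsoft.ESRPClient.*\tools\ESRPClient.exe")` followed by `if ($Client.Count -ne 1) { throw "expected exactly one ESRPClient.exe" }`. The rest of `sign.ps1` lies outside this hunk, so any error-handling set up earlier in the script is not visible here.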
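Review bot: In the new `exit` handler of `packageInnoSetup`, `code` is `null` when the child is terminated by a signal, so the build fails with the uninformative message `InnoSetup returned exit code: null`. Accepting the second argument, `.on('exit', (code, signal) => {`, and including `signal` in the error text would make that case diagnosable. The function begins above the hunk, so only the spawn chain is covered by this note.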