microsoft · joaomoreno · Jul 2, 2018 · Jul 2, 2018 · Jul 2, 2018 · Jul 2, 2018
diff --git a/build/gulpfile.hygiene.js b/build/gulpfile.hygiene.js
@@ -82,6 +82,7 @@ const indentationFilter = [
 	'!build/{lib,tslintRules}/**/*.js',
 	'!build/**/*.sh',
 	'!build/tfs/**/*.js',
+	'!build/tfs/**/*.config',
 	'!**/Dockerfile',
 	'!extensions/markdown-language-features/media/*.js'
 ];

diff --git a/build/gulpfile.vscode.win32.js b/build/gulpfile.vscode.win32.js
@@ -26,6 +26,7 @@ const zipPath = arch => path.join(zipDir(arch), `VSCode-win32-${arch}.zip`);
 const setupDir = (arch, target) => path.join(repoPath, '.build', `win32-${arch}`, `${target}-setup`);
 const issPath = path.join(__dirname, 'win32', 'code.iss');
 const innoSetupPath = path.join(path.dirname(path.dirname(require.resolve('innosetup-compiler'))), 'bin', 'ISCC.exe');
+const signPS1 = path.join(repoPath, 'build', 'tfs', 'win32', 'sign.ps1');
 
 function packageInnoSetup(iss, options, cb) {
 	options = options || {};
@@ -42,7 +43,11 @@ function packageInnoSetup(iss, options, cb) {
 	keys.forEach(key => assert(typeof definitions[key] === 'string', `Missing value for '${key}' in Inno Setup package step`));
 
 	const defs = keys.map(key => `/d${key}=${definitions[key]}`);
-	const args = [iss].concat(defs);
+	const args = [
+		iss,
+		...defs,
+		`/sesrp=powershell.exe -ExecutionPolicy bypass ${signPS1} $f`
+	];
 
 	cp.spawn(innoSetupPath, args, { stdio: ['ignore', 'inherit', 'inherit'] })
 		.on('error', cb)

diff --git a/build/tfs/product-build.yml b/build/tfs/product-build.yml
@@ -125,91 +125,29 @@ phases:
         ]
       SessionTimeout: 120
 
+  - task: NuGetCommand@2
+    displayName: Install ESRPClient.exe
+    inputs:
+      restoreSolution: 'build\tfs\win32\ESRPClient\packages.config'
+      feedsToUse: config
+      nugetConfigPath: 'build\tfs\win32\ESRPClient\NuGet.config'
+      externalFeedCredentials: 3fc0b7f7-da09-4ae7-a9c8-d69824b1819b
+      restoreDirectory: packages
+
+  - task: ESRPImportCertTask@1
+    displayName: Import ESRP Request Signing Certificate
+    inputs:
+      ESRP: 'ESRP CodeSign'
+
   - powershell: |
       $ErrorActionPreference = "Stop"
-      npm run gulp -- "vscode-win32-$(VSCODE_ARCH)-archive" "vscode-win32-$(VSCODE_ARCH)-system-setup" "vscode-win32-$(VSCODE_ARCH)-user-setup"
-
-  - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
-    inputs:
-      ConnectedServiceName: 'ESRP CodeSign'
-      FolderPath: '$(agent.builddirectory)'
-      Pattern: VSCodeSetup.exe
-      signConfigType: inlineSignParams
-      inlineOperation: |
-        [
-          {
-            "keyCode": "CP-229803",
-            "operationSetCode": "SigntoolSign",
-            "parameters": [
-              {
-                "parameterName": "OpusName",
-                "parameterValue": "VS Code"
-              },
-              {
-                "parameterName": "OpusInfo",
-                "parameterValue": "https://code.visualstudio.com/"
-              },
-              {
-                "parameterName": "PageHash",
-                "parameterValue": "/NPH"
-              },
-              {
-                "parameterName": "TimeStamp",
-                "parameterValue": "/t \"http://ts4096.gtm.microsoft.com/TSS/AuthenticodeTS\""
-              }
-            ],
-            "toolName": "sign",
-            "toolVersion": "1.0"
-          },
-          {
-            "keyCode": "CP-230012",
-            "operationSetCode": "SigntoolSign",
-            "parameters": [
-              {
-                "parameterName": "OpusName",
-                "parameterValue": "VS Code"
-              },
-              {
-                "parameterName": "OpusInfo",
-                "parameterValue": "https://code.visualstudio.com/"
-              },
-              {
-                "parameterName": "Append",
-                "parameterValue": "/as"
-              },
-              {
-                "parameterName": "FileDigest",
-                "parameterValue": "/fd \"SHA256\""
-              },
-              {
-                "parameterName": "PageHash",
-                "parameterValue": "/NPH"
-              },
-              {
-                "parameterName": "TimeStamp",
-                "parameterValue": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256"
-              }
-            ],
-            "toolName": "sign",
-            "toolVersion": "1.0"
-          },
-          {
-            "keyCode": "CP-230012",
-            "operationSetCode": "SigntoolVerify",
-            "parameters": [
-              {
-                "parameterName": "VerifyAll",
-                "parameterValue": "/all"
-              }
-            ],
-            "toolName": "sign",
-            "toolVersion": "1.0"
-          }
-        ]
-      SessionTimeout: 120
+      .\build\tfs\win32\import-esrp-auth-cert.ps1 -AuthCertificateBase64 $(ESRP_AUTH_CERTIFICATE) -AuthCertificateKey $(ESRP_AUTH_CERTIFICATE_KEY)
+    displayName: Import ESRP Auth Certificate
 
   - powershell: |
       $ErrorActionPreference = "Stop"
+      npm run gulp -- "vscode-win32-$(VSCODE_ARCH)-archive" "vscode-win32-$(VSCODE_ARCH)-system-setup" "vscode-win32-$(VSCODE_ARCH)-user-setup"
+
       $Repo = "$(pwd)"
       $Root = "$Repo\.."
       $SystemExe = "$Repo\.build\win32-$(VSCODE_ARCH)\system-setup\VSCodeSetup.exe"

diff --git a/build/tfs/win32/ESRPClient/NuGet.config b/build/tfs/win32/ESRPClient/NuGet.config
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<configuration>
+    <packageSources>
+        <add key="ESRP" value="https://microsoft.pkgs.visualstudio.com/_packaging/ESRP/nuget/v3/index.json" />
+    </packageSources>
+</configuration>
diff --git a/build/tfs/win32/ESRPClient/packages.config b/build/tfs/win32/ESRPClient/packages.config
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?>
+<packages>
+  <package id="EsrpClient" version="1.0.27" />
+</packages>
diff --git a/build/tfs/win32/import-esrp-auth-cert.ps1 b/build/tfs/win32/import-esrp-auth-cert.ps1
@@ -0,0 +1,14 @@
+Param(
+  [string]$AuthCertificateBase64,
+  [string]$AuthCertificateKey
+)
+
+# Import auth certificate
+$AuthCertificateFileName = [System.IO.Path]::GetTempFileName()
+$AuthCertificateBytes = [Convert]::FromBase64String($AuthCertificateBase64)
+[IO.File]::WriteAllBytes($AuthCertificateFileName, $AuthCertificateBytes)
+$AuthCertificate = Import-PfxCertificate -FilePath $AuthCertificateFileName -CertStoreLocation Cert:\LocalMachine\My -Password (ConvertTo-SecureString $AuthCertificateKey -AsPlainText -Force)
+rm $AuthCertificateFileName
+$ESRPAuthCertificateSubjectName = $AuthCertificate.Subject
+
+Write-Output ("##vso[task.setvariable variable=ESRPAuthCertificateSubjectName;]$ESRPAuthCertificateSubjectName")
diff --git a/build/tfs/win32/sign.ps1 b/build/tfs/win32/sign.ps1
@@ -0,0 +1,82 @@
+function Create-TmpJson($Obj) {
+	$FileName = [System.IO.Path]::GetTempFileName()
+	ConvertTo-Json -Depth 100 $Obj | Out-File -Encoding UTF8 $FileName
+	return $FileName
+}
+
+$Auth = Create-TmpJson @{
+	Version = "1.0.0"
+	AuthenticationType = "AAD_CERT"
+	ClientId = $env:ESRPClientId
+	AuthCert = @{
+		SubjectName = $env:ESRPAuthCertificateSubjectName
+		StoreLocation = "LocalMachine"
+		StoreName = "My"
+	}
+	RequestSigningCert = @{
+		SubjectName = $env:ESRPCertificateSubjectName
+		StoreLocation = "LocalMachine"
+		StoreName = "My"
+	}
+}
+
+$Policy = Create-TmpJson @{
+	Version = "1.0.0"
+}
+
+$Input = Create-TmpJson @{
+	Version = "1.0.0"
+	SignBatches = @(
+		@{
+			SourceLocationType = "UNC"
+			SignRequestFiles = @(
+				@{
+					SourceLocation = $args[0]
+				}
+			)
+			SigningInfo = @{
+				Operations = @(
+					@{
+						KeyCode = "CP-229803"
+						OperationCode = "SigntoolSign"
+						Parameters = @{
+							OpusName = "VS Code"
+							OpusInfo = "https://code.visualstudio.com/"
+							PageHash = "/NPH"
+							TimeStamp = "/t `"http://ts4096.gtm.microsoft.com/TSS/AuthenticodeTS`""
+						}
+						ToolName = "sign"
+						ToolVersion = "1.0"
+					},
+					@{
+						KeyCode = "CP-230012"
+						OperationCode = "SigntoolSign"
+						Parameters = @{
+							OpusName = "VS Code"
+							OpusInfo = "https://code.visualstudio.com/"
+							Append = "/as"
+							FileDigest = "/fd `"SHA256`""
+							PageHash = "/NPH"
+							TimeStamp = "/tr `"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer`" /td sha256"
+						}
+						ToolName = "sign"
+						ToolVersion = "1.0"
+					},
+					@{
+						KeyCode = "CP-230012"
+						OperationCode = "SigntoolVerify"
+						Parameters = @{
+							VerifyAll = "/all"
+						}
+						ToolName = "sign"
+						ToolVersion = "1.0"
+					}
+				)
+			}
+		}
+	)
+}
+
+$Output = [System.IO.Path]::GetTempFileName()
+$ScriptPath = Split-Path -Path $MyInvocation.MyCommand.Definition -Parent
+& "$ScriptPath\ESRPClient\packages\EsrpClient.1.0.27\tools\ESRPClient.exe" Sign -a $Auth -p $Policy -i $Input -o $Output
diff --git a/build/win32/code.iss b/build/win32/code.iss
@@ -32,6 +32,7 @@ VersionInfoVersion={#RawVersion}
 ShowLanguageDialog=auto
 ArchitecturesAllowed={#ArchitecturesAllowed}
 ArchitecturesInstallIn64BitMode={#ArchitecturesInstallIn64BitMode}
+SignTool=esrp
 
 #if "user" == InstallTarget
 DefaultDirName={userpf}\{#DirName}