Enabled ESRPCodeSign for docfx v2 - dev (dotnet#5832)

* Enable code sign for docfxv2 - dev * Updated matched paths with include filters instead of exclude paths. * minor fix * fixed build error * Included pack step * Resolved review comments. * Fixed batchsign policy file. * Fixed build/pack/codesign * Fixed indentation; Moved pack after e2etest
turrisxyz · Apr 29, 2020 · 6289083 · 6289083
1 parent 70fd778
commit 6289083
Show file tree

Hide file tree

Showing 6 changed files with 350 additions and 142 deletions.
diff --git a/azure-pipelines-stable.yml b/azure-pipelines-stable.yml
@@ -28,6 +28,24 @@ steps:
 
 - task: CmdLine@1
   displayName: 'gulp build'
+  inputs:
+    filename: node
+    arguments: '.\node_modules\gulp\bin\gulp.js dev:build'
+    workingFolder: tools/Deployment
+
+- task: EsrpCodeSigning@1
+  displayName: Sign executables and dlls
+  inputs:
+    ConnectedServiceName: 'CodeSigning-APEX'
+    FolderPath: '$(Build.SourcesDirectory)/target/Release'
+    signType: 'batchSigning'
+    batchSignPolicyFile: '$(Build.SourcesDirectory)/codesign_policy.json'
+    SessionTimeout: '60'
+    MaxConcurrency: '50'
+    MaxRetryAttempts: '5'
+
+- task: CmdLine@1
+  displayName: 'gulp pack'
   inputs:
     filename: node
     arguments: '.\node_modules\gulp\bin\gulp.js dev:release'

diff --git a/build.ps1 b/build.ps1
@@ -14,28 +14,20 @@ param(
 #   [-skipTests]: If it's set, running unit tests will be skipped
 ################################################################################################
 
+# Include
+$scriptRoot = $($MyInvocation.MyCommand.Definition) | Split-Path
+. "$scriptRoot/common.ps1"
+
 $ErrorActionPreference = 'Stop'
 $releaseBranch = "master"
 $gitCommand = "git"
 $framework = "net472"
 $packageVersion = "1.0.0"
 $assemblyVersion = "1.0.0.0"
 
-if ([environment]::OSVersion.Platform -eq "Win32NT") {
-    $os = "Windows"
-}
-else {
-    $os = "Linux"
-}
+$os = GetOperatingSystemName
 Write-Host "Running on OS $os"
-
-if ($os -eq "Windows") {
-    $nugetCommand = "$env:LOCALAPPDATA/Nuget/Nuget.exe"
-}
-else {
-    $nugetCommand = "nuget"
-}
-
+$nugetCommand = GetNuGetCommand ($os)
 $scriptPath = $MyInvocation.MyCommand.Path
 $scriptHome = Split-Path $scriptPath
 $versionCsFolderPath = $scriptHome + "/TEMP/"
@@ -46,47 +38,11 @@ $global:LASTEXITCODE = $null
 
 Push-Location $scriptHome
 
-function NugetPack {
-    param($basepath, $nuspec, $version)
-    if (Test-Path $nuspec) {
-        & $nugetCommand pack $nuspec -Version $version -OutputDirectory artifacts/$configuration -BasePath $basepath
-        ProcessLastExitCode $lastexitcode "$nugetCommand pack $nuspec -Version $version -OutputDirectory artifacts/$configuration -BasePath $basepath"
-    }
-}
-
-function ProcessLastExitCode {
-    param($exitCode, $msg)
-    if ($exitCode -eq 0) {
-        Write-Host "Success: $msg
-        " -ForegroundColor Green
-    }
-    else {
-        Write-Host "Error $($exitCode): $msg
-        " -ForegroundColor Red
-        Pop-Location
-        Exit 1
-    }
-}
-
-function ValidateCommand {
-    param($command)
-    return (Get-Command $command -ErrorAction SilentlyContinue) -ne $null
-}
-
 # Check if dotnet cli exists globally
 if (-not(ValidateCommand("dotnet"))) {
     ProcessLastExitCode 1 "Dotnet CLI is not successfully configured. Please follow https://www.microsoft.com/net/core to install .NET Core."
 }
 
-# Check if nuget.exe exists
-if (-not(ValidateCommand($nugetCommand))) {
-    Write-Host "Downloading NuGet.exe..."
-    mkdir -Path "$env:LOCALAPPDATA/Nuget" -Force
-    $ProgressPreference = 'SilentlyContinue'
-    [Net.WebRequest]::DefaultWebProxy.Credentials = [Net.CredentialCache]::DefaultCredentials
-    Invoke-WebRequest 'https://dist.nuget.org/win-x86-commandline/latest/nuget.exe' -OutFile $nugetCommand
-}
-
 # Update template
 if ($raw -eq $false) {
     ./UpdateTemplate.ps1
@@ -164,6 +120,10 @@ do ()
 
 Write-Host "Using package version $packageVersion, and assembly version $assemblyVersion, assembly file version $assemblyFileVersion"
 
+$packageVersionFilePath = ".\package_version_temp.txt"
+$packageVersion | Out-File -FilePath $packageVersionFilePath -Force
+Write-Host "Package version saved to $packageVersionFilePath"
+
 foreach ($sln in (Get-ChildItem *.sln)) {
     Write-Host "Start building $($sln.FullName)"
 
@@ -202,98 +162,14 @@ if (-not $skipTests) {
     }
 }
 
-# dotnet pack first
-foreach ($proj in (Get-ChildItem -Path ("src", "plugins") -Include *.[cf]sproj -Exclude 'docfx.msbuild.csproj' -Recurse)) {
-    if ($os -eq "Windows") {
-        & dotnet pack $proj.FullName -c $configuration -o $scriptHome/artifacts/$configuration /p:Version=$packageVersion
-        ProcessLastExitCode $lastexitcode "dotnet pack $($proj.FullName) -c $configuration -o $scriptHome/artifacts/$configuration /p:Version=$packageVersion"
-    }
- else {
-        & nuget pack $($proj.FullName) -Properties Configuration=$configuration -OutputDirectory $scriptHome/artifacts/$configuration -Version $packageVersion
-        ProcessLastExitCode $lastexitcode "nuget pack $($proj.FullName) -Properties Configuration=$configuration -OutputDirectory $scriptHome/artifacts/$configuration -Version $packageVersion"
-    }
-}
-
-# Pack docfx.console
-$docfxTarget = "target/$configuration/docfx";
-if (-not(Test-Path -path $docfxTarget)) {
-    New-Item $docfxTarget -Type Directory
-}
-
-Copy-Item -Path "src/nuspec/docfx.console/build" -Destination $docfxTarget -Force -Recurse
-Copy-Item -Path "src/nuspec/docfx.console/content" -Destination $docfxTarget -Force -Recurse
-
-$packages = @{
-    "docfx"                     = @{
-        "proj"    = $null;
-        "nuspecs" = @("src/nuspec/docfx.console/docfx.console.nuspec");
-    };
-    "MergeDeveloperComments"    = @{
-        "proj"    = $null;
-        "nuspecs" = @("src/nuspec/MergeDeveloperComments/MergeDeveloperComments.nuspec");
-    };
-    "MergeSourceInfo"           = @{
-        "proj"    = $null;
-        "nuspecs" = @("src/nuspec/MergeSourceInfo/MergeSourceInfo.nuspec");
-    };
-    "TocConverter"              = @{
-        "proj"    = $null;
-        "nuspecs" = @("src/nuspec/TocConverter/TocConverter.nuspec");
-    };
-    "MarkdownMigrateTool"       = @{
-        "proj"    = $null;
-        "nuspecs" = @("src/nuspec/MarkdownMigrateTool/MarkdownMigrateTool.nuspec");
-    };
-    "YamlSplitter"              = @{
-        "proj"    = $null;
-        "nuspecs" = @("src/nuspec/YamlSplitter/YamlSplitter.nuspec");
-    };
-	"SandcastleRefMapper"       = @{
-		"proj"    = $null;
-		"nuspecs" = @("src/nuspec/SandcastleRefMapper/SandcastleRefMapper.nuspec")
-	};
-}
-
-# Pack plugins and tools
-foreach ($proj in (Get-ChildItem -Path ("src", "plugins", "tools") -Include *.csproj -Recurse)) {
+foreach ($proj in (Get-ChildItem -Path ("src", "plugins", "tools") -Include *.csproj -Recurse))
+{
     $name = $proj.BaseName
-    if ($packages.ContainsKey($name)) {
-        $packages[$name].proj = $proj
-    }
-    $nuspecs = Join-Path $proj.DirectoryName "*.nuspec" -Resolve
-    if ($nuspecs -ne $null) {
-        if ($packages.ContainsKey($name)) {
-            $packages[$name].nuspecs = $packages[$name].nuspecs + $nuspecs
-        }
-        else {
-            $packages[$name] = @{
-                nuspecs = $nuspecs;
-                proj    = $proj;
-            }
-        }
-    }
-}
-
-foreach ($name in $packages.Keys) {
-    $val = $packages[$name]
-    $proj = $val.proj
-
-    if ($proj -eq $null) {
-        Write-Host $package
-        ProcessLastExitCode 1 "$name does not have project found"
-    }
-
     $outputFolder = "$scriptHome/target/$configuration/$name"
-    # publish to target folder before pack
-    & dotnet publish $proj.FullName -c $configuration -f $framework -o $outputFolder
-    ProcessLastExitCode $lastexitcode "dotnet publish $($proj.FullName) -c $configuration -f $framework -o $outputFolder"
-
-    $nuspecs = $val.nuspecs
-    foreach ($nuspec in $nuspecs) {
-        NugetPack $outputFolder $nuspec $packageVersion
-    }
+    # publish to target folder
+    & dotnet publish $proj.FullName -c $configuration --no-build -f $framework -o $outputFolder
+    ProcessLastExitCode $lastexitcode "dotnet publish $($proj.FullName) -c $configuration --no-build -f $framework -o $outputFolder"
 }
 
 Write-Host "Build succeeds." -ForegroundColor Green
-Pop-Location
-
+Pop-Location
diff --git a/codesign_policy.json b/codesign_policy.json
@@ -0,0 +1,125 @@
+{
+  "Version": "1.0.0",
+  "UseMinimatch": true,
+  "SignBatches": [
+    {
+      "MatchedPath": [
+        "Microsoft.DocAsCode*.dll",
+        "*.exe"
+      ],
+      "SigningInfo": {
+        "Operations": [
+          {
+            "KeyCode": "CP-230012",
+            "OperationSetCode": "SigntoolSign",
+            "parameters": [
+              {
+                "parameterName": "OpusName",
+                "parameterValue": "Microsoft"
+              },
+              {
+                "parameterName": "OpusInfo",
+                "parameterValue": "http://www.microsoft.com"
+              },
+              {
+                "parameterName": "PageHash",
+                "parameterValue": "/NPH"
+              },
+              {
+                "parameterName": "TimeStamp",
+                "parameterValue": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256"
+              },
+              {
+                "parameterName": "FileDigest",
+                "parameterValue": "/fd \"SHA256\""
+              }
+            ],
+            "ToolName": "sign",
+            "ToolVersion": "1.0"
+          },
+          {
+            "KeyCode": "CP-230012",
+            "OperationSetCode": "SigntoolVerify",
+            "Parameters": [
+              {
+                "parameterName": "VerifyAll",
+                "parameterValue": "/all"
+              }
+            ],
+            "ToolName": "sign",
+            "ToolVersion": "1.0"
+          }
+        ]
+      }
+    },
+    {
+      "MatchedPath": [
+          "DotLiquid.resources.dll",
+          "AutoMapper.dll",
+          "CommandLine.dll",
+          "DotLiquid.dll",
+          "Dotnet.ProjInfo.dll",
+          "Dotnet.ProjInfo.Helpers.dll",
+          "FSharp.Compiler.*.dll",
+          "HtmlAgilityPack.dll",
+          "itextsharp.dll",
+          "Jint.dll",
+          "Markdig.dll",
+          "Newtonsoft.Json.dll",
+          "Newtonsoft.Json.Schema.dll",
+          "Nustache.Core.dll",
+          "Owin.dll",
+          "SQLitePCLRaw.core.dll",
+          "YamlDotNet.dll"
+      ],
+      "SigningInfo": {
+        "Operations": [
+          {
+            "KeyCode": "CP-231522",
+            "OperationSetCode": "SigntoolSign",
+            "parameters": [
+              {
+                "parameterName": "OpusName",
+                "parameterValue": "Microsoft"
+              },
+              {
+                "parameterName": "OpusInfo",
+                "parameterValue": "http://www.microsoft.com"
+              },
+              {
+                "parameterName": "Append",
+                "parameterValue": "/as"
+              },
+              {
+                "parameterName": "PageHash",
+                "parameterValue": "/NPH"
+              },
+              {
+                "parameterName": "TimeStamp",
+                "parameterValue": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256"
+              },
+              {
+                "parameterName": "FileDigest",
+                "parameterValue": "/fd \"SHA256\""
+              }
+            ],
+            "ToolName": "sign",
+            "ToolVersion": "1.0"
+          },
+          {
+            "KeyCode": "CP-231522",
+            "OperationSetCode": "SigntoolVerify",
+            "Parameters": [
+              {
+                "parameterName": "VerifyAll",
+                "parameterValue": "/all"
+              }
+            ],
+            "ToolName": "sign",
+            "ToolVersion": "1.0"
+          }
+        ]
+      }
+    }
+  ]
+}
diff --git a/common.ps1 b/common.ps1
@@ -0,0 +1,38 @@
+function GetOperatingSystemName() 
+{
+    if ([environment]::OSVersion.Platform -eq "Win32NT") {
+        return "Windows"
+    }
+    else {
+        return "Linux"
+    }
+}
+
+function GetNuGetCommand([string]$os) 
+{
+    if ($os -eq "Windows") {
+        return "$env:LOCALAPPDATA/Nuget/Nuget.exe"
+    }
+    else {
+        return "nuget"
+    }
+}
+
+function ProcessLastExitCode {
+    param($exitCode, $msg)
+    if ($exitCode -eq 0) {
+        Write-Host "Success: $msg
+        " -ForegroundColor Green
+    }
+    else {
+        Write-Host "Error $($exitCode): $msg
+        " -ForegroundColor Red
+        Pop-Location
+        Exit 1
+    }
+}
+
+function ValidateCommand {
+    param($command)
+    return (Get-Command $command -ErrorAction SilentlyContinue) -ne $null
+}