Update Azure Pipelines release pipeline with ESRP support #908
Open
mjcheetham wants to merge 5 commits into vfs-2.53.0 from
Conversation
The stub release pipeline added in 4b88e15 had placeholder steps and was missing several pieces needed for real builds. Flesh it out:

- Add poolArch to the Windows and Linux matrix entries so we can set hostArchitecture on the pool, which is required for the arm64 hosted agents to get the correct image.
- Convert macOS from a single hardcoded job to a matrix parameter, matching the pattern used by Windows and Linux. This makes it easy to add additional macOS configurations in the future.
- Add a resolve-version.sh script that derives the Git version, tag name, and tag SHA from the repository state. The prereqs stage currently inlines a static placeholder; the script is provided for when we are ready to switch.
- Add a setup-git-bash.cmd script that prepends Git Bash to the PATH on Windows agents, so that subsequent Bash tasks can find the shell.
- Add checkout with fetchDepth: 0 and fetchTags: true to the prereqs stage so the version resolution script can inspect tags.
- Add macOS validation jobs to the release stage, and wire up macOS artifacts in the GitHub release publishing job.

Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com>
Add ESRP code signing support to the release pipeline, gated behind an 'esrp' boolean parameter that defaults to false for now.

The Windows signing flow uses a custom script (esrpsign.sh) rather than the EsrpCodeSigning ADO task so that we can later integrate signing with the 'git signtool' alias from Git for Windows' build process. The setup template uses AzureCLI@2 to bind to the WIF service connection by name (avoiding hardcoded GUIDs) and derives the service principal ID, tenant ID, and connection GUID at runtime via addSpnToEnvironment and ENDPOINT_URL_* env vars. EsrpClientTool@4 handles downloading and caching the ESRP client binary.

For macOS and Linux, we use the EsrpCodeSigning@6 ADO task through a reusable sign.yml template. On macOS, files must be submitted as a zip archive (useArchive: true); the template handles the copy, zip, sign, and extract cycle.

New files:

- esrp/windows/setup.yml: installs ESRP client and generates the auth JSON needed by ESRPClient.exe
- esrp/windows/esrpsign.sh: invokes ESRPClient.exe with Authenticode signing operations
- esrp/sign.yml: reusable step template wrapping EsrpCodeSigning@6 with optional archive support for macOS

Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com>
The Linux hosted agents do not have .NET pre-installed, but the EsrpCodeSigning ADO task requires it. Add a UseDotNet@2 step to install the .NET 8 SDK before invoking the ESRP signing template in Linux build jobs. Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com>
The arm64 Windows hosted agents do not have Azure CLI pre-installed, which is required by the AzureCLI@2 task used in the ESRP setup step. Install the x64 MSI (which runs under x86-64 emulation on arm64 Windows) and prepend it to the PATH. This step only runs on arm64 jobs via a poolArch condition. This is a workaround until a bug preventing us from baking the Azure CLI into the hosted pool image is fixed, at which point this step can be removed. Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com>
Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com>
mjcheetham (Member, Author)
For Microsoft employees, here's an example run of this pipeline: https://dev.azure.com/mseng/1ES/_build/results?buildId=31429071
Flesh out release pipeline with ESRP code signing
This series builds on the stub release pipeline added in 4b88e15 to create a working build + sign + release flow for Windows, macOS, and Linux.
What this does
Pipeline infrastructure (167cf79692)

- poolArch to matrix entries for correct hostArchitecture on arm64 hosted agents
- resolve-version.sh to derive version/tag info from the repo state
- setup-git-bash.cmd to put Git Bash on PATH for Windows agents

ESRP code signing (406d385f6e)

- esrp boolean parameter (default: false)
- Windows signing via a custom script (esrpsign.sh) so we can later integrate with the git signtool alias from Git for Windows' build process
- AzureCLI@2 with addSpnToEnvironment to resolve the WIF service connection by name — no hardcoded GUIDs in YAML
- EsrpCodeSigning@6 via a reusable sign.yml template with archive support for macOS

Prerequisite installs (b1ea20f4c2, 9749c3979e)

Files

- release.yml
- scripts/resolve-version.sh
- scripts/windows/setup-git-bash.cmd
- esrp/windows/setup.yml
- esrp/windows/esrpsign.sh
- esrp/sign.yml

Testing

The esrp parameter defaults to false. Enable it in a pipeline run to test signing. The TO-DROP commit at the top overrides version resolution with a static value for testing; drop it before merging.
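The runtime identity resolution that the ESRP setup template is described as doing inside an AzureCLI@2 step, as an added example that is not the PR's esrp/windows/setup.yml. It assumes addSpnToEnvironment: true has exported servicePrincipalId and tenantId, that the job references exactly one Azure service connection, that the agent exposes that connection's URL as ENDPOINT_URL_<connection-guid>, and the EsrpClientId/EsrpTenantId/EsrpConnectionId variable names are invented here.

```shell
#!/bin/sh
# Added example (not the PR's esrp/windows/setup.yml): resolve ESRP auth
# inputs at runtime inside an AzureCLI@2 step so no GUIDs live in YAML.
# Assumptions: addSpnToEnvironment: true has exported servicePrincipalId and
# tenantId; the job references exactly one Azure service connection; the agent
# exposes that connection's URL as ENDPOINT_URL_<connection-guid>.
set -eu

GUID_RE='[0-9a-fA-F]\{8\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{4\}-[0-9a-fA-F]\{12\}'

# Return 0 when $1 is a well-formed GUID. Every value is checked before it is
# echoed into a logging command, so a malformed value cannot carry extra
# directives into the pipeline.
is_guid() {
    printf '%s\n' "$1" | grep -q "^$GUID_RE\$"
}

# Print the GUID of the single Azure service connection bound to this job.
# $1 is a NAME=VALUE listing (defaults to the live environment) so the logic
# can be exercised on constructed input. Suffixes that are not GUIDs, such as
# ENDPOINT_URL_SYSTEMVSSCONNECTION, are ignored.
resolve_connection_guid() {
    listing=${1:-$(env)}
    guids=$(printf '%s\n' "$listing" | sed -n "s/^ENDPOINT_URL_\($GUID_RE\)=.*/\1/p")
    count=$(printf '%s\n' "$guids" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one Azure service connection, found $count" >&2
        return 1
    fi
    printf '%s\n' "$guids"
}

# Emit task.setvariable logging commands for later steps (esrpsign.sh in the
# PR). The variable names are assumptions, not the PR's.
emit_esrp_variables() {
    for v in "$1" "$2" "$3"; do
        is_guid "$v" || { echo "refusing to emit non-GUID value" >&2; return 1; }
    done
    printf '##vso[task.setvariable variable=EsrpClientId]%s\n' "$1"
    printf '##vso[task.setvariable variable=EsrpTenantId]%s\n' "$2"
    printf '##vso[task.setvariable variable=EsrpConnectionId]%s\n' "$3"
}

# Only run end-to-end when the AzureCLI@2 task has populated the environment.
if [ -n "${servicePrincipalId:-}" ] && [ -n "${tenantId:-}" ]; then
    emit_esrp_variables "$servicePrincipalId" "$tenantId" "$(resolve_connection_guid)"
fi
```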