Update signing config in release build (#1330)

2020-07-31 08:09:44 -07:00 · 2020-07-31 08:09:44 -07:00 · 271d326dc8
commit 271d326dc8
parent fa81d9d75d
4 changed files with 48 additions and 24 deletions
--- a/build/config/SignConfig.xml
+++ b/build/config/SignConfig.xml
@ -1,5 +0,0 @@
-<SignConfigXML>
-  <job platform="" configuration="" certSubject="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" jobname="EngFunSimpleSign" approvers="">
-   <file src="__INPATHROOT__\Microsoft.WindowsCalculator_8wekyb3d8bbwe.appxbundle" signType="FirstPartyWindowsStoreVNext" dest="__OUTPATHROOT__\Microsoft.WindowsCalculator_8wekyb3d8bbwe.appxbundle" /> 
-  </job>
-</SignConfigXML>
--- a/build/pipelines/azure-pipelines.release.yaml
+++ b/build/pipelines/azure-pipelines.release.yaml
@ -49,5 +49,7 @@ jobs:
    platform: x86

 - template: ./templates/package-appxbundle.yaml
+  parameters:
+    signBundle: true

 - template: ./templates/prepare-release-internalonly.yaml
--- a/build/pipelines/templates/package-appxbundle.yaml
+++ b/build/pipelines/templates/package-appxbundle.yaml
@ -1,6 +1,9 @@
 # This template contains a job which takes .appx packages which were built separately for each
 # architecture (arm, x86, etc.) and combines them into a single .appxbundle.

+parameters:
+  signBundle: false
+
 jobs:
 - job: Package
  dependsOn:
@ -58,3 +61,43 @@ jobs:
    inputs:
      artifactName: appxBundle
      pathToPublish: $(Build.ArtifactStagingDirectory)\appxBundle
+
+  - ${{ if eq(parameters.signBundle, true) }}:
+    - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
+      displayName: Send appxbundle to code signing service
+      inputs:
+        ConnectedServiceName: Essential Experiences Codesign
+        FolderPath: $(Build.ArtifactStagingDirectory)\appxBundle
+        Pattern: Microsoft.WindowsCalculator_8wekyb3d8bbwe.appxbundle
+        signConfigType: inlineSignParams
+        inlineOperation: |
+          [
+            {
+              "CertTemplateName": "WINMSAPP1ST",
+              "CertSubjectName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
+              "KeyCode": "Dynamic",
+              "OperationCode": "SigntoolvNextSign",
+              "Parameters": {
+                "OpusName": "Microsoft",
+                "OpusInfo": "http://www.microsoft.com",
+                "FileDigest": "/fd \"SHA256\"",
+                "TimeStamp": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256"
+              },
+              "ToolName": "sign",
+              "ToolVersion": "1.0"
+            },
+            {
+              "CertTemplateName": "WINMSAPP1ST",
+              "CertSubjectName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
+              "KeyCode": "Dynamic",
+              "OperationCode": "SigntoolvNextVerify",
+              "Parameters": {},
+              "ToolName": "sign",
+              "ToolVersion": "1.0"
+            }
+          ]
+    - task: PublishBuildArtifacts@1
+      displayName: Publish AppxBundleSigned artifact
+      inputs:
+        pathtoPublish: $(Build.ArtifactStagingDirectory)\appxBundle
+        artifactName: appxBundleSigned
--- a/build/pipelines/templates/prepare-release-internalonly.yaml
+++ b/build/pipelines/templates/prepare-release-internalonly.yaml
@ -2,8 +2,6 @@
 # Windows using Microsoft-internal systems. It relies on Microsoft-internal resources and will not
 # work outside of Microsoft.
 # Specifically, this job:
-# - Signs the bundle using a secure system. If you want to build your own, use SignTool following
-#   the example in the continuous integration pipeline.
 # - Builds VPacks for including the app in the Windows OS build. Azure DevOps Universal Packages
 #   offers similar capabilities.
 # - Creates StoreBroker packages containing Microsoft Store assets. Although the Store assets for
@ -45,29 +43,15 @@ jobs:
      versionSpec: 5.x

  - task: DownloadBuildArtifacts@0
-    displayName: Download appxBundle artifact
+    displayName: Download appxBundleSigned artifact
    inputs:
-      artifactName: appxBundle
-
-  - task: PkgESCodeSign@10
-    displayName: Send bundle to Package ES code signing service
-    env:
-      SYSTEM_ACCESSTOKEN: $(System.AccessToken)
-    inputs:
-      signConfigXml: build\config\SignConfig.xml
-      inPathRoot: $(Build.ArtifactStagingDirectory)\appxBundle
-      outPathRoot: $(Build.ArtifactStagingDirectory)\appxBundleSigned
-
-  - task: PublishBuildArtifacts@1
-    displayName: Publish AppxBundleSigned artifact
-    inputs:
-      pathtoPublish: $(Build.ArtifactStagingDirectory)\appxBundleSigned
-      artifactName: AppxBundleSigned
+      artifactName: appxBundleSigned

  - task: CopyFiles@2
    displayName: Copy signed AppxBundle to vpack staging folder
    inputs:
      sourceFolder: $(Build.ArtifactStagingDirectory)\appxBundleSigned
+      contents: Microsoft.WindowsCalculator_8wekyb3d8bbwe.appxbundle
      targetFolder: $(Build.ArtifactStagingDirectory)\vpack\appxBundle

  - task: PkgESVPack@10