From cfe3415716b959ccb9ddd3a2f247276bc5e048ad Mon Sep 17 00:00:00 2001 From: Keegan Caruso Date: Sat, 4 Nov 2023 08:12:11 -0700 Subject: [PATCH 1/2] Collapse signing dlls to single task change signing pattern Revert "change signing pattern" This reverts commit 48a4cbefe32bc7e55567b4cc63e7d5e648f00b8e. fix signing pattern fix glob pattern fix match patterns --- build/template-pack-and-sign-all-nugets.yaml | 129 ++++++++++++++----- build/template-pack-and-sign-nuget.yaml | 87 ------------- build/template-pack-nuget.yaml | 21 +++ 3 files changed, 116 insertions(+), 121 deletions(-) delete mode 100644 build/template-pack-and-sign-nuget.yaml create mode 100644 build/template-pack-nuget.yaml diff --git a/build/template-pack-and-sign-all-nugets.yaml b/build/template-pack-and-sign-all-nugets.yaml index 321949f4f..17c638adb 100644 --- a/build/template-pack-and-sign-all-nugets.yaml +++ b/build/template-pack-and-sign-all-nugets.yaml @@ -5,7 +5,6 @@ parameters: BuildConfiguration: 'release' NugetPackagesWildcard: '$(Build.ArtifactStagingDirectory)\packages\*.nupkg' - steps: # The signing task requires dotnet core 2.x 
@@ -14,100 +13,161 @@ steps: inputs: version: 2.x -# Pack and sign Microsoft.Identity.Web -- template: template-pack-and-sign-nuget.yaml +- task: EsrpCodeSigning@4 + inputs: + ConnectedServiceName: 'IDDP Code Signing' + FolderPath: '$(Build.SourcesDirectory)\src' + Pattern: 'Microsoft.Identity.Web*.dll' + signConfigType: 'inlineSignParams' + inlineOperation: | + [ + { + "keyCode": "CP-230012", + "operationSetCode": "SigntoolSign", + "parameters": [ + { + "parameterName": "OpusName", + "parameterValue": "Microsoft.Identity.Web" + }, + { + "parameterName": "OpusInfo", + "parameterValue": "http://www.microsoft.com" + }, + { + "parameterName": "PageHash", + "parameterValue": "/NPH" + }, + { + "parameterName": "FileDigest", + "parameterValue": "/fd sha256" + }, + { + "parameterName": "TimeStamp", + "parameterValue": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" + } + ], + "toolName": "signtool.exe", + "toolVersion": "6.2.9304.0" + }, + { + "keyCode": "CP-230012", + "operationSetCode": "SigntoolVerify", + "parameters": [ ], + "toolName": "signtool.exe", + "toolVersion": "6.2.9304.0" + } + ] + SessionTimeout: '60' + MaxConcurrency: '50' + MaxRetryAttempts: '5' + PendingAnalysisWaitTimeoutMinutes: '5' + +- task: BinSkim@4 + inputs: + InputType: Basic + AnalyzeTargetGlob: '$(Build.SourcesDirectory)\src\**\bin\**\Microsoft.Identity.Web*.dll' + AnalyzeVerbose: true + AnalyzeHashes: true + toolVersion: Exact + +- task: PostAnalysis@2 + displayName: 'Check BinSkim Results' + inputs: + GdnBreakGdnToolBinSkim: true + +# Pack Microsoft.Identity.Web +- template: template-pack-nuget.yaml parameters: BuildConfiguration: ${{ parameters.BuildConfiguration }} ProjectRootPath: '$(Build.SourcesDirectory)\src\Microsoft.Identity.Web' AssemblyName: 'Microsoft.Identity.Web' - HasRefAssembly: 'false' -# Pack and sign Microsoft.Identity.Web.UI -- template: template-pack-and-sign-nuget.yaml +# Pack Microsoft.Identity.Web.UI +- template: template-pack-nuget.yaml 
parameters: BuildConfiguration: ${{ parameters.BuildConfiguration }} ProjectRootPath: '$(Build.SourcesDirectory)\src\Microsoft.Identity.Web.UI' AssemblyName: 'Microsoft.Identity.Web.UI*' -# Pack and sign Microsoft.Identity.Web.MicrosoftGraph -- template: template-pack-and-sign-nuget.yaml +# Pack Microsoft.Identity.Web.MicrosoftGraph +- template: template-pack-nuget.yaml parameters: BuildConfiguration: ${{ parameters.BuildConfiguration }} ProjectRootPath: '$(Build.SourcesDirectory)\src\Microsoft.Identity.Web.MicrosoftGraph' AssemblyName: 'Microsoft.Identity.Web.MicrosoftGraph*' -# Pack and sign Microsoft.Identity.Web.MicrosoftGraphBeta -- template: template-pack-and-sign-nuget.yaml +# Pack Microsoft.Identity.Web.MicrosoftGraphBeta +- template: template-pack-nuget.yaml parameters: BuildConfiguration: ${{ parameters.BuildConfiguration }} ProjectRootPath: '$(Build.SourcesDirectory)\src\Microsoft.Identity.Web.MicrosoftGraphBeta' AssemblyName: 'Microsoft.Identity.Web.MicrosoftGraphBeta*' -# Pack and sign Microsoft.Identity.Web.GraphServiceClient -- template: template-pack-and-sign-nuget.yaml +# Pack Microsoft.Identity.Web.GraphServiceClient +- template: template-pack-nuget.yaml parameters: BuildConfiguration: ${{ parameters.BuildConfiguration }} ProjectRootPath: '$(Build.SourcesDirectory)\src\Microsoft.Identity.Web.GraphServiceClient' AssemblyName: 'Microsoft.Identity.Web.GraphServiceClient*' -# Pack and sign Microsoft.Identity.Web.GraphServiceClientBeta -- template: template-pack-and-sign-nuget.yaml +# Pack Microsoft.Identity.Web.GraphServiceClientBeta +- template: template-pack-nuget.yaml parameters: BuildConfiguration: ${{ parameters.BuildConfiguration }} ProjectRootPath: '$(Build.SourcesDirectory)\src\Microsoft.Identity.Web.GraphServiceClientBeta' AssemblyName: 'Microsoft.Identity.Web.GraphServiceClientBeta*' -# Pack and sign Microsoft.Identity.Web.TokenCache -- template: template-pack-and-sign-nuget.yaml +# Pack Microsoft.Identity.Web.TokenCache +- template: 
template-pack-nuget.yaml parameters: BuildConfiguration: ${{ parameters.BuildConfiguration }} ProjectRootPath: '$(Build.SourcesDirectory)\src\Microsoft.Identity.Web.TokenCache' AssemblyName: 'Microsoft.Identity.Web.TokenCache*' -# Pack and sign Microsoft.Identity.Web.TokenAcquisition -- template: template-pack-and-sign-nuget.yaml +# Pack Microsoft.Identity.Web.TokenAcquisition +- template: template-pack-nuget.yaml parameters: BuildConfiguration: ${{ parameters.BuildConfiguration }} ProjectRootPath: '$(Build.SourcesDirectory)\src\Microsoft.Identity.Web.TokenAcquisition' AssemblyName: 'Microsoft.Identity.Web.TokenAcquisition*' -# Pack and sign Microsoft.Identity.Web.Certificate -- template: template-pack-and-sign-nuget.yaml +# Pack Microsoft.Identity.Web.Certificate +- template: template-pack-nuget.yaml parameters: BuildConfiguration: ${{ parameters.BuildConfiguration }} ProjectRootPath: '$(Build.SourcesDirectory)\src\Microsoft.Identity.Web.Certificate' AssemblyName: 'Microsoft.Identity.Web.Certificate*' -# Pack and sign Microsoft.Identity.Web.Certificateless -- template: template-pack-and-sign-nuget.yaml +# Pack Microsoft.Identity.Web.Certificateless +- template: template-pack-nuget.yaml parameters: BuildConfiguration: ${{ parameters.BuildConfiguration }} ProjectRootPath: '$(Build.SourcesDirectory)\src\Microsoft.Identity.Web.Certificateless' AssemblyName: 'Microsoft.Identity.Web.Certificateless*' -# Pack and sign Microsoft.Identity.Web.OWIN -- template: template-pack-and-sign-nuget.yaml +# Pack Microsoft.Identity.Web.OWIN +- template: template-pack-nuget.yaml parameters: BuildConfiguration: ${{ parameters.BuildConfiguration }} ProjectRootPath: '$(Build.SourcesDirectory)\src\Microsoft.Identity.Web.OWIN' AssemblyName: 'Microsoft.Identity.Web.OWIN*' -# Pack and sign Microsoft.Identity.Web.DownstreamApi -- template: template-pack-and-sign-nuget.yaml +# Pack Microsoft.Identity.Web.DownstreamApi +- template: template-pack-nuget.yaml parameters: BuildConfiguration: ${{ 
parameters.BuildConfiguration }} ProjectRootPath: '$(Build.SourcesDirectory)\src\Microsoft.Identity.Web.DownstreamApi' AssemblyName: 'Microsoft.Identity.Web.DownstreamApi*' -# Pack and sign Microsoft.Identity.Web.Diagnostics -- template: template-pack-and-sign-nuget.yaml +# Pack Microsoft.Identity.Web.Diagnostics +- template: template-pack-nuget.yaml parameters: BuildConfiguration: ${{ parameters.BuildConfiguration }} ProjectRootPath: '$(Build.SourcesDirectory)\src\Microsoft.Identity.Web.Diagnostics' AssemblyName: 'Microsoft.Identity.Web.Diagnostics*' -# Pack and sign Microsoft.Identity.Web.Diagnostics -- template: template-pack-and-sign-nuget.yaml +# Pack Microsoft.Identity.Web.Diagnostics +- template: template-pack-nuget.yaml parameters: BuildConfiguration: ${{ parameters.BuildConfiguration }} ProjectRootPath: '$(Build.SourcesDirectory)\src\Microsoft.Identity.Web.Azure' @@ -123,7 +183,7 @@ steps: flattenFolders: true # Sign all final nuget packages in the staging directory -- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 +- task: EsrpCodeSigning@4 displayName: 'Sign Packages' inputs: ConnectedServiceName: 'IDDP Code Signing' @@ -147,9 +207,10 @@ steps: "toolVersion": "1.0" } ] - SessionTimeout: 20 - VerboseLogin: true - timeoutInMinutes: 5 + SessionTimeout: '60' + MaxConcurrency: '50' + MaxRetryAttempts: '5' + PendingAnalysisWaitTimeoutMinutes: '5' - task: NuGetCommand@2 displayName: 'Verify packages are signed' diff --git a/build/template-pack-and-sign-nuget.yaml b/build/template-pack-and-sign-nuget.yaml deleted file mode 100644 index 3ea3173ac..000000000 --- a/build/template-pack-and-sign-nuget.yaml +++ /dev/null 
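Review bot: The new BinSkim@4 step keeps `toolVersion: Exact` but drops the `exactToolVersion: '4.0.0-rc2'` that the deleted template-pack-and-sign-nuget.yaml paired with it, so the pinned scanner version is presumably left undefined; either restore `exactToolVersion: '<pinned version>'` or switch to `toolVersion: Latest` so the version the PostAnalysis gate relies on is explicit. The consolidated EsrpCodeSigning@4 step now signs `Microsoft.Identity.Web*.dll` anywhere under `$(Build.SourcesDirectory)\src` (no `UseMinimatch`, and no `**\bin\**` restriction as the old template had), while BinSkim only analyses `src\**\bin\**`, so the set of signed binaries can be wider than the set PostAnalysis breaks on; consider narrowing the sign pattern to the same `**\bin\**` scope, or add a comment stating that signing any matching copy outside bin\ is intentional. The comment above the Microsoft.Identity.Web.Azure block is a copy-paste leftover and should read `# Pack Microsoft.Identity.Web.Azure`. The steps list continues past the hunk on both sides.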
@@ -1,87 +0,0 @@ - -parameters: - BuildConfiguration: 'release' - HasRefAssembly: 'false' - NoBuild: 'true' - ProjectRootPath: '' - AssemblyName: '' - -steps: -# Signs a binary via ESRP -- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 - displayName: '**\bin\**\**\${{ parameters.AssemblyName }}.dll' - inputs: - ConnectedServiceName: 'IDDP Code Signing' - FolderPath: ${{ parameters.ProjectRootPath }} - Pattern: '**\bin\**\**\${{ parameters.AssemblyName }}.dll' - UseMinimatch: true - signConfigType: inlineSignParams - inlineOperation: | - [ - { - "keyCode": "CP-230012", - "operationSetCode": "SigntoolSign", - "parameters": [ - { - "parameterName": "OpusName", - "parameterValue": "Microsoft.Identity.Web" - }, - { - "parameterName": "OpusInfo", - "parameterValue": "http://www.microsoft.com" - }, - { - "parameterName": "PageHash", - "parameterValue": "/NPH" - }, - { - "parameterName": "FileDigest", - "parameterValue": "/fd sha256" - }, - { - "parameterName": "TimeStamp", - "parameterValue": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" - } - ], - "toolName": "signtool.exe", - "toolVersion": "6.2.9304.0" - }, - { - "keyCode": "CP-230012", - "operationSetCode": "SigntoolVerify", - "parameters": [ ], - "toolName": "signtool.exe", - "toolVersion": "6.2.9304.0" - } - ] - SessionTimeout: 20 - VerboseLogin: true - timeoutInMinutes: 10 - -- task: securedevelopmentteam.vss-secure-development-tools.build-task-binskim.BinSkim@4 - displayName: '**\bin\**\**\${{ parameters.AssemblyName }}.dll' - inputs: - InputType: Basic - AnalyzeTargetGlob: '**\bin\**\**\${{ parameters.AssemblyName }}.dll' - AnalyzeVerbose: true - AnalyzeHashes: true - toolVersion: Exact - exactToolVersion: '4.0.0-rc2' - -- task: securedevelopmentteam.vss-secure-development-tools.build-task-postanalysis.PostAnalysis@2 - displayName: 'Check BinSkim Results' - inputs: - GdnBreakGdnToolBinSkim: true - -# Pack a nuget -- task: DotNetCoreCLI@2 - displayName: 'Pack ${{ 
parameters.ProjectRootPath }}\${{ parameters.AssemblyName }}.csproj' - inputs: - command: pack - projects: '${{ parameters.ProjectRootPath }}\${{ parameters.AssemblyName }}.csproj' - nobuild: '${{parameters.NoBuild}}' - packagesToPack: '${{ parameters.ProjectRootPath }}\${{ parameters.AssemblyName }}.csproj' - IncludeSymbols: true - verbosityPack: normal - packDirectory: - arguments: '--configuration ${{ parameters.BuildConfiguration }}' diff --git a/build/template-pack-nuget.yaml b/build/template-pack-nuget.yaml new file mode 100644 index 000000000..ae3881cf0 --- /dev/null +++ b/build/template-pack-nuget.yaml @@ -0,0 +1,21 @@ + +parameters: + BuildConfiguration: 'release' + NoBuild: 'true' + ProjectRootPath: '' + AssemblyName: '' + +steps: + +# Pack a nuget +- task: DotNetCoreCLI@2 + displayName: 'Pack ${{ parameters.ProjectRootPath }}\${{ parameters.AssemblyName }}.csproj' + inputs: + command: pack + projects: '${{ parameters.ProjectRootPath }}\${{ parameters.AssemblyName }}.csproj' + nobuild: '${{parameters.NoBuild}}' + packagesToPack: '${{ parameters.ProjectRootPath }}\${{ parameters.AssemblyName }}.csproj' + IncludeSymbols: true + verbosityPack: normal + packDirectory: + arguments: '--configuration ${{ parameters.BuildConfiguration }}' From a57114199523ce0b00cd41bc2c53a73b2caa5614 Mon Sep 17 00:00:00 2001 From: Keegan Caruso Date: Mon, 6 Nov 2023 11:27:34 -0800 Subject: [PATCH 2/2] update build docs --- build/build.md | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/build/build.md b/build/build.md index 6e6bb00ef..5d7fe5fa1 100644 --- a/build/build.md +++ b/build/build.md 
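Review bot: The new template-pack-nuget.yaml has no header comment saying that it only packs and relies on the caller having already signed the binaries; because `nobuild` defaults to `'true'`, whatever sits in the project's output folder at that point is what ships, so a line such as `# Packs an already-built project; in the release pipeline the binaries are signed beforehand by template-pack-and-sign-all-nugets.yaml` at the top would keep that ordering contract visible. The `HasRefAssembly` parameter from the old template is gone, so any other caller still passing it would presumably fail template validation — the one call site in this patch was updated, but the removal is worth a comment in the parameters block. The build.md entries rewritten in PATCH 2/2 still link to `template-pack-and-sign-nuget.yaml`, which this patch deletes, so those links become dangling and should point at `template-pack-nuget.yaml`.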
@@ -23,19 +23,19 @@ - 'Check Roslyn Results ' - [template-sign-binary.yaml](template-sign-binary.yaml) - Sign the binaries, requires dotnet core 2.x. - [template-pack-and-sign-all-nugets.yaml](template-pack-and-sign-all-nugets.yaml) - - [template-pack-and-sign-nuget.yaml](template-pack-and-sign-nuget.yaml) `('$(Build.SourcesDirectory)\src\Microsoft.Identity.Web')` - - [template-pack-and-sign-nuget.yaml](template-pack-and-sign-nuget.yaml) `('$(Build.SourcesDirectory)\src\Microsoft.Identity.Web.UI')` - - [template-pack-and-sign-nuget.yaml](template-pack-and-sign-nuget.yaml) `('$(Build.SourcesDirectory)\src\Microsoft.Identity.Web.MicrosoftGraph')` - - [template-pack-and-sign-nuget.yaml](template-pack-and-sign-nuget.yaml) `('$(Build.SourcesDirectory)\src\Microsoft.Identity.Web.MicrosoftGraphBeta')` - - [template-pack-and-sign-nuget.yaml](template-pack-and-sign-nuget.yaml) `('$(Build.SourcesDirectory)\ProjectTemplates')` - - [template-pack-and-sign-nuget.yaml](template-pack-and-sign-nuget.yaml) `('$(Build.SourcesDirectory)\src\Microsoft.Identity.Web.TokenCache')` - - [template-pack-and-sign-nuget.yaml](template-pack-and-sign-nuget.yaml) `('$(Build.SourcesDirectory)\src\Microsoft.Identity.Web.TokenAcquisition')` - - [template-pack-and-sign-nuget.yaml](template-pack-and-sign-nuget.yaml) `('$(Build.SourcesDirectory)\src\Microsoft.Identity.Web.Certificate')` - - [template-pack-and-sign-nuget.yaml](template-pack-and-sign-nuget.yaml) `('$(Build.SourcesDirectory)\src\Microsoft.Identity.Web.Certificateless')` - - [template-pack-and-sign-nuget.yaml](template-pack-and-sign-nuget.yaml) `('$(Build.SourcesDirectory)\src\Microsoft.Identity.Web.OWIN')` - - [template-pack-and-sign-nuget.yaml](template-pack-and-sign-nuget.yaml) `('$(Build.SourcesDirectory)\src\Microsoft.Identity.Web.DownstreamApi')` - - [template-pack-and-sign-nuget.yaml](template-pack-and-sign-nuget.yaml) `('$(Build.SourcesDirectory)\src\Microsoft.Identity.Web.GraphServiceClient')` - - 
[template-pack-and-sign-nuget.yaml](template-pack-and-sign-nuget.yaml) `('$(Build.SourcesDirectory)\src\Microsoft.Identity.Web.GraphServiceClientBeta')` + - [template-pack-nuget.yaml](template-pack-and-sign-nuget.yaml) `('$(Build.SourcesDirectory)\src\Microsoft.Identity.Web')` + - [template-pack-nuget.yaml](template-pack-and-sign-nuget.yaml) `('$(Build.SourcesDirectory)\src\Microsoft.Identity.Web.UI')` + - [template-pack-nuget.yaml](template-pack-and-sign-nuget.yaml) `('$(Build.SourcesDirectory)\src\Microsoft.Identity.Web.MicrosoftGraph')` + - [template-pack-nuget.yaml](template-pack-and-sign-nuget.yaml) `('$(Build.SourcesDirectory)\src\Microsoft.Identity.Web.MicrosoftGraphBeta')` + - [template-pack-nuget.yaml](template-pack-and-sign-nuget.yaml) `('$(Build.SourcesDirectory)\ProjectTemplates')` + - [template-pack-nuget.yaml](template-pack-and-sign-nuget.yaml) `('$(Build.SourcesDirectory)\src\Microsoft.Identity.Web.TokenCache')` + - [template-pack-nuget.yaml](template-pack-and-sign-nuget.yaml) `('$(Build.SourcesDirectory)\src\Microsoft.Identity.Web.TokenAcquisition')` + - [template-pack-nuget.yaml](template-pack-and-sign-nuget.yaml) `('$(Build.SourcesDirectory)\src\Microsoft.Identity.Web.Certificate')` + - [template-pack-nuget.yaml](template-pack-and-sign-nuget.yaml) `('$(Build.SourcesDirectory)\src\Microsoft.Identity.Web.Certificateless')` + - [template-pack-nuget.yaml](template-pack-and-sign-nuget.yaml) `('$(Build.SourcesDirectory)\src\Microsoft.Identity.Web.OWIN')` + - [template-pack-nuget.yaml](template-pack-and-sign-nuget.yaml) `('$(Build.SourcesDirectory)\src\Microsoft.Identity.Web.DownstreamApi')` + - [template-pack-nuget.yaml](template-pack-and-sign-nuget.yaml) `('$(Build.SourcesDirectory)\src\Microsoft.Identity.Web.GraphServiceClient')` + - [template-pack-nuget.yaml](template-pack-and-sign-nuget.yaml) `('$(Build.SourcesDirectory)\src\Microsoft.Identity.Web.GraphServiceClientBeta')` - 'Copy Files from `$(Build.SourcesDirectory)` to: 
`$(Build.ArtifactStagingDirectory)\packages'` - Sign Packages `'('$(Build.ArtifactStagingDirectory)\packages')` - [template-publish-packages-and-symbols.yaml](template-publish-packages-and-symbols.yaml)