Add automated RPM signing to release build (PowerShell#10013)

tools/releaseBuild/azureDevOps/releaseBuild.yml

@@ -27,6 +27,7 @@ jobs:
 - template: templates/linux.yml
   parameters:
     buildName: rpm
+    uploadDisplayName: Upload and Sign
 
 - template: templates/linux.yml
   parameters:

tools/releaseBuild/azureDevOps/templates/linux.yml

@@ -1,5 +1,6 @@
 parameters:
   buildName: ''
+  uploadDisplayName: 'Upload'
 
 jobs:
 - job: build_${{ parameters.buildName }}
@@ -42,7 +43,7 @@ jobs:
     condition: and(succeeded(), ne(variables['SkipBuild'], 'true'))
 
 - job: upload_${{ parameters.buildName }}
-  displayName: Upload ${{ parameters.buildName }}
+  displayName: ${{ parameters.uploadDisplayName }} ${{ parameters.buildName }}
   dependsOn: build_${{ parameters.buildName }}
   condition: succeeded()
   pool: Package ES CodeHub Lab E
@@ -80,6 +81,29 @@ jobs:
   - task: securedevelopmentteam.vss-secure-development-tools.build-task-antimalware.AntiMalware@3
     displayName: 'Run Defender Scan'
 
+  - powershell: |
+      $authenticodefiles = @()
+      Get-ChildItem -Path '$(System.ArtifactsDirectory)\rpm\*.rpm' -recurse | ForEach-Object { $authenticodefiles += $_.FullName}
+      tools/releaseBuild/generatePackgeSigning.ps1 -LinuxFiles $authenticodeFiles -path "$(System.ArtifactsDirectory)\package.xml"
+    displayName: 'Generate RPM Signing Xml'
+    condition: and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')),eq(variables['buildName'], 'RPM'))
+
+  - powershell: |
+      Get-Content "$(System.ArtifactsDirectory)\package.xml"
+    displayName: 'Capture RPM signing xml'
+    condition: and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')),eq(variables['buildName'], 'RPM'))
+
+  - task: PkgESCodeSign@10
+    displayName: 'CodeSign RPM $(System.ArtifactsDirectory)\package.xml'
+    env:
+      SYSTEM_ACCESSTOKEN: $(System.AccessToken)
+    inputs:
+      signConfigXml: '$(System.ArtifactsDirectory)\package.xml'
+      outPathRoot: '$(Build.StagingDirectory)\signedPackages'
+      binVersion: $(SigingVersion)
+      binVersionOverride: $(SigningVersionOverride)
+    condition: and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')),eq(variables['buildName'], 'RPM'))
+
   - task: AzureFileCopy@1
     displayName: 'Upload to Azure - DEB and tar.gz'
     inputs:
@@ -94,18 +118,34 @@ jobs:
       artifactPath: $(System.ArtifactsDirectory)\finished\release
 
   - task: AzureFileCopy@1
-    displayName: 'Upload to Azure - RPM'
+    displayName: 'Upload to Azure - RPM - Unsigned'
     inputs:
       SourcePath: '$(System.ArtifactsDirectory)\rpm\release'
       azureSubscription: '$(AzureFileCopySubscription)'
       Destination: AzureBlob
       storage: '$(StorageAccount)'
-      ContainerName: '$(AzureVersion)-unsigned'
-    condition: and(eq(variables['buildName'], 'RPM'),succeeded())
+      ContainerName: '$(AzureVersion)'
+    condition: and(and(succeeded(), ne(variables['Build.Reason'], 'Manual')),eq(variables['buildName'], 'RPM'))
+
+  - task: AzureFileCopy@1
+    displayName: 'Upload to Azure - RPM - Signed'
+    inputs:
+      SourcePath: '$(Build.StagingDirectory)\signedPackages'
+      azureSubscription: '$(AzureFileCopySubscription)'
+      Destination: AzureBlob
+      storage: '$(StorageAccount)'
+      ContainerName: '$(AzureVersion)'
+    condition: and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')),eq(variables['buildName'], 'RPM'))
 
   - template: upload-final-results.yml
     parameters:
       artifactPath: $(System.ArtifactsDirectory)\rpm\release
+      condition: and(and(succeeded(), ne(variables['Build.Reason'], 'Manual')),eq(variables['buildName'], 'RPM'))
+
+  - template: upload-final-results.yml
+    parameters:
+      artifactPath: '$(Build.StagingDirectory)\signedPackages'
+      condition: and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')),eq(variables['buildName'], 'RPM'))
 
   - task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
     displayName: 'Component Detection'

tools/releaseBuild/generatePackgeSigning.ps1

@@ -6,13 +6,15 @@ param(
     [string[]] $AuthenticodeDualFiles,
     [string[]] $AuthenticodeFiles,
     [string[]] $NuPkgFiles,
-    [string[]] $MacDeveloperFiles
+    [string[]] $MacDeveloperFiles,
+    [string[]] $LinuxFiles
 )
 
 if ((!$AuthenticodeDualFiles -or $AuthenticodeDualFiles.Count -eq 0) -and
     (!$AuthenticodeFiles -or $AuthenticodeFiles.Count -eq 0) -and
     (!$NuPkgFiles -or $NuPkgFiles.Count -eq 0) -and
-    (!$MacDeveloperFiles -or $MacDeveloperFiles.Count -eq 0))
+    (!$MacDeveloperFiles -or $MacDeveloperFiles.Count -eq 0) -and
+    (!$LinuxFiles -or $LinuxFiles.Count -eq 0))
 {
     throw "At least one file must be specified"
 }
@@ -83,6 +85,10 @@ foreach ($file in $MacDeveloperFiles) {
     New-FileElement -File $file -SignType 'MacDeveloper' -XmlDoc $signingXml -Job $job
 }
 
+foreach ($file in $LinuxFiles) {
+    New-FileElement -File $file -SignType 'LinuxPack' -XmlDoc $signingXml -Job $job
+}
+
 $signingXml.Save($path)
 $updateScriptPath = Join-Path -Path $PSScriptRoot -ChildPath 'updateSigning.ps1'
 & $updateScriptPath -SigningXmlPath $path