diff --git a/tools/releaseBuild/azureDevOps/releaseBuild.yml b/tools/releaseBuild/azureDevOps/releaseBuild.yml index be7714dd135..8281ec8eef4 100644 --- a/tools/releaseBuild/azureDevOps/releaseBuild.yml +++ b/tools/releaseBuild/azureDevOps/releaseBuild.yml @@ -27,6 +27,7 @@ jobs: - template: templates/linux.yml parameters: buildName: rpm + uploadDisplayName: Upload and Sign - template: templates/linux.yml parameters: diff --git a/tools/releaseBuild/azureDevOps/templates/linux.yml b/tools/releaseBuild/azureDevOps/templates/linux.yml index f33479220b3..0bb2c3a8e5f 100644 --- a/tools/releaseBuild/azureDevOps/templates/linux.yml +++ b/tools/releaseBuild/azureDevOps/templates/linux.yml @@ -1,5 +1,6 @@ parameters: buildName: '' + uploadDisplayName: 'Upload' jobs: - job: build_${{ parameters.buildName }} @@ -42,7 +43,7 @@ jobs: condition: and(succeeded(), ne(variables['SkipBuild'], 'true')) - job: upload_${{ parameters.buildName }} - displayName: Upload ${{ parameters.buildName }} + displayName: ${{ parameters.uploadDisplayName }} ${{ parameters.buildName }} dependsOn: build_${{ parameters.buildName }} condition: succeeded() pool: Package ES CodeHub Lab E 
@@ -80,6 +81,29 @@ jobs: - task: securedevelopmentteam.vss-secure-development-tools.build-task-antimalware.AntiMalware@3 displayName: 'Run Defender Scan' + - powershell: | + $authenticodefiles = @() + Get-ChildItem -Path '$(System.ArtifactsDirectory)\rpm\*.rpm' -recurse | ForEach-Object { $authenticodefiles += $_.FullName} + tools/releaseBuild/generatePackgeSigning.ps1 -LinuxFiles $authenticodeFiles -path "$(System.ArtifactsDirectory)\package.xml" + displayName: 'Generate RPM Signing Xml' + condition: and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')),eq(variables['buildName'], 'RPM')) + + - powershell: | + Get-Content "$(System.ArtifactsDirectory)\package.xml" + displayName: 'Capture RPM signing xml' + condition: and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')),eq(variables['buildName'], 'RPM')) + + - task: PkgESCodeSign@10 + displayName: 'CodeSign RPM $(System.ArtifactsDirectory)\package.xml' + env: + SYSTEM_ACCESSTOKEN: $(System.AccessToken) + inputs: + signConfigXml: '$(System.ArtifactsDirectory)\package.xml' + outPathRoot: '$(Build.StagingDirectory)\signedPackages' + binVersion: $(SigingVersion) + binVersionOverride: $(SigningVersionOverride) + condition: and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')),eq(variables['buildName'], 'RPM')) + - task: AzureFileCopy@1 displayName: 'Upload to Azure - DEB and tar.gz' inputs: 
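Review bot: `binVersion: $(SigingVersion)` in the PkgESCodeSign step looks misspelled next to `binVersionOverride: $(SigningVersionOverride)`; an undefined pipeline variable is not an error in Azure DevOps but is passed through as the literal text `$(SigingVersion)`, so the signing task would receive that string as its version unless the variable really is defined with that spelling. Suggest `binVersion: $(SigningVersion)` after confirming the name in the variable group. The 'Generate RPM Signing Xml' step also runs `tools/releaseBuild/generatePackgeSigning.ps1` by a relative path, which depends on the upload job's working directory and on sources being checked out in that job, neither of which is visible here; `$(Build.SourcesDirectory)/tools/releaseBuild/generatePackgeSigning.ps1` would make that explicit. The 'Capture RPM signing xml' step prints the whole signing request into the build log, which is fine only if package.xml never carries anything beyond file paths and sign types — worth a one-line comment such as `# package.xml holds only paths and sign types; safe to log` if that holds. The upload job and its step list continue outside this hunk.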
@@ -94,18 +118,34 @@ jobs: artifactPath: $(System.ArtifactsDirectory)\finished\release - task: AzureFileCopy@1 - displayName: 'Upload to Azure - RPM' + displayName: 'Upload to Azure - RPM - Unsigned' inputs: SourcePath: '$(System.ArtifactsDirectory)\rpm\release' azureSubscription: '$(AzureFileCopySubscription)' Destination: AzureBlob storage: '$(StorageAccount)' - ContainerName: '$(AzureVersion)-unsigned' - condition: and(eq(variables['buildName'], 'RPM'),succeeded()) + ContainerName: '$(AzureVersion)' + condition: and(and(succeeded(), ne(variables['Build.Reason'], 'Manual')),eq(variables['buildName'], 'RPM')) + + - task: AzureFileCopy@1 + displayName: 'Upload to Azure - RPM - Signed' + inputs: + SourcePath: '$(Build.StagingDirectory)\signedPackages' + azureSubscription: '$(AzureFileCopySubscription)' + Destination: AzureBlob + storage: '$(StorageAccount)' + ContainerName: '$(AzureVersion)' + condition: and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')),eq(variables['buildName'], 'RPM')) - template: upload-final-results.yml parameters: artifactPath: $(System.ArtifactsDirectory)\rpm\release + condition: and(and(succeeded(), ne(variables['Build.Reason'], 'Manual')),eq(variables['buildName'], 'RPM')) + + - template: upload-final-results.yml + parameters: + artifactPath: '$(Build.StagingDirectory)\signedPackages' + condition: and(and(succeeded(), eq(variables['Build.Reason'], 'Manual')),eq(variables['buildName'], 'RPM')) - task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0 displayName: 'Component Detection' diff --git a/tools/releaseBuild/generatePackgeSigning.ps1 b/tools/releaseBuild/generatePackgeSigning.ps1 index bb441741215..4f7dd01b897 100644 --- a/tools/releaseBuild/generatePackgeSigning.ps1 +++ b/tools/releaseBuild/generatePackgeSigning.ps1 
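Review bot: The unsigned and signed RPM uploads now both target `ContainerName: '$(AzureVersion)'` (the unsigned copy previously went to `'$(AzureVersion)-unsigned'`), separated only by `Build.Reason`; a non-manual run for the same version after a manual signed run would write unsigned packages into the container holding the signed ones, and because the file names come from the same build output they are likely to collide — whether AzureFileCopy@1 overwrites on collision is not visible here, but downstream consumers certainly lose the naming cue that marked artifacts as unsigned. Keep the unsigned destination as `ContainerName: '$(AzureVersion)-unsigned'`, or drop the unsigned upload to the release container altogether. Nothing in the hunk checks that `$(Build.StagingDirectory)\signedPackages` actually contains the signed RPMs (or verifies their signatures) before 'Upload to Azure - RPM - Signed' and the final-results template run, so a signing step that silently produced no output would still be followed by publish steps; a short PowerShell step that throws unless at least one `*.rpm` exists in that directory would make the failure explicit. The `condition:` passed to `upload-final-results.yml` assumes that template declares such a parameter, which cannot be confirmed from here, and the job's remaining steps continue outside the hunk.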
@@ -6,13 +6,15 @@ param( [string[]] $AuthenticodeDualFiles, [string[]] $AuthenticodeFiles, [string[]] $NuPkgFiles, - [string[]] $MacDeveloperFiles + [string[]] $MacDeveloperFiles, + [string[]] $LinuxFiles ) if ((!$AuthenticodeDualFiles -or $AuthenticodeDualFiles.Count -eq 0) -and (!$AuthenticodeFiles -or $AuthenticodeFiles.Count -eq 0) -and (!$NuPkgFiles -or $NuPkgFiles.Count -eq 0) -and - (!$MacDeveloperFiles -or $MacDeveloperFiles.Count -eq 0)) + (!$MacDeveloperFiles -or $MacDeveloperFiles.Count -eq 0) -and + (!$LinuxFiles -or $LinuxFiles.Count -eq 0)) { throw "At least one file must be specified" } @@ -83,6 +85,10 @@ foreach ($file in $MacDeveloperFiles) { New-FileElement -File $file -SignType 'MacDeveloper' -XmlDoc $signingXml -Job $job } +foreach ($file in $LinuxFiles) { + New-FileElement -File $file -SignType 'LinuxPack' -XmlDoc $signingXml -Job $job +} + $signingXml.Save($path) $updateScriptPath = Join-Path -Path $PSScriptRoot -ChildPath 'updateSigning.ps1' & $updateScriptPath -SigningXmlPath $path
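Review bot: The new `foreach ($file in $LinuxFiles)` loop writes each path straight into the signing request without checking that it exists, so a glob that matched nothing in the caller or a mistyped path only surfaces later inside the signing service with a less useful error; the file classes above it do the same, so this is a pre-existing pattern, but the Linux loop is the natural place to start. Suggest `if (-not (Test-Path -LiteralPath $file -PathType Leaf)) { throw "Linux package not found: $file" }` as the first statement of the loop body. `New-FileElement` and the `$job`/`$signingXml` it receives are defined outside the hunk, so whether it already validates the path cannot be confirmed from here, and the `'LinuxPack'` sign type is presumably a value the signing service recognises — worth a one-line comment naming where that identifier is defined.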