Add osx signing

AzureAD · Jun 20, 2024 · 413c238 · 413c238
1 parent b5c055e
commit 413c238
Showing 1 changed file with 41 additions and 64 deletions.
diff --git a/.github/workflows/release-azure-pipelines.yml b/.github/workflows/release-azure-pipelines.yml
@@ -151,11 +151,11 @@ extends:
               targetPath: $(Pipeline.Workspace)/azureauth-${{ parameters.version }}-${{ config.runtime }}
             outputs:
             - output: pipelineArtifact
-              artifactName: azureauth-${{ parameters.version }}-${{ config.runtime }}
-              targetPath: $(Pipeline.Workspace)/azureauth-${{ parameters.version }}-${{ config.runtime }}
+              artifactName: azureauth-${{ parameters.version }}-${{ config.runtime }}-signed
+              targetPath: $(Pipeline.Workspace)/azureauth-${{ parameters.version }}-${{ config.runtime }}-signed
           steps:
             - task: EsrpCodeSigning@5
-              displayName: Sign artifacts with ESRP ADO Task
+              displayName: Sign artifacts win10-x64
               condition: eq('${{ config.runtime }}', 'win10-x64')
               env:
                 SIGNING_KEY_CODE_AUTHENTICODE: $(SIGNING_KEY_CODE_AUTHENTICODE) 
@@ -196,65 +196,42 @@ extends:
                 MaxConcurrency: '50'
                 MaxRetryAttempts: '5'
                 PendingAnalysisWaitTimeoutMinutes: '5'
-          #- download: current
-          #  artifact: azureauth-${{ parameters.version }}-${{ config.runtime }}
-          #- checkout: self
-          #- task: UsePythonVersion@0
-          #  displayName: Use Python $(pythonVersion)
-          #  inputs:
-          #    versionSpec: $(pythonVersion)
-          #- task: NuGetToolInstaller@1
-          #  inputs:
-          #    versionSpec: 5.x
-          #- task: PowerShell@2
-          #  displayName: Download ESRPClient.exe
-          #  env:
-          #    ESRP_VERSION: $(esrpVersion)
-          #    NUGET_CREDENTIALS: $(System.AccessToken)
-          #  inputs:
-          #    targetType: inline
-          #    script: |
-          #      nuget sources add -Name esrp -Username esrp-downloader -Password $env:NUGET_CREDENTIALS -Source https://pkgs.dev.azure.com/office/_packaging/Office/nuget/v3/index.json
-          #      nuget install Microsoft.EsrpClient -Version "$env:ESRP_VERSION" -OutputDirectory .\esrp -Source https://pkgs.dev.azure.com/office/_packaging/Office/nuget/v3/index.json
-          #    failOnStderr: true
-          #- task: AzureCLI@2
-          #  displayName: Login to Azure with Service Principal
-          #  env:
-          #    AZURE_SUBSCRIPTION: $(AZURE_SUBSCRIPTION)
-          #    AZURE_VAULT: $(AZURE_VAULT)
-          #    ESRP_AAD_CERT_NAME: $(AZURE_VAULT_ESRP_AAD_CERT_NAME)
-          #    ESRP_REQ_CERT_NAME: $(AZURE_VAULT_ESRP_REQ_CERT_NAME)
-          #  inputs:
-          #    azureSubscription: $(esrpKVServiceConnection)
-          #    scriptType: ps
-          #    scriptLocation: inlineScript
-          #    addSpnToEnvironment: true
-          #    inlineScript: |
-          #      Write-Output "Downloading certs"
-          #      az keyvault secret download --subscription "$env:AZURE_SUBSCRIPTION" --vault-name "$env:AZURE_VAULT" --name "$env:ESRP_AAD_CERT_NAME" -f cert.pfx
-          #      Write-Output "Downloaded AAD cert"
-          #      certutil -f -importpfx cert.pfx
-          #      Write-Output "Completed cert util"
-          #      Remove-Item cert.pfx
-          #      Write-Output "Finished AAD cert"
-          #      az keyvault secret download --subscription "$env:AZURE_SUBSCRIPTION" --vault-name "$env:AZURE_VAULT" --name "$env:ESRP_REQ_CERT_NAME" -f cert.pfx
-          #      certutil -f -importpfx cert.pfx
-          #      Remove-Item cert.pfx
-          #      Write-Output "Downloaded REQ cert"
-          # - task: PowerShell@2
-          #   displayName: Sign artifacts
-          #   env:
-          #     SIGNING_AAD_ID: ${{ secrets.SIGNING_AAD_ID }}
-          #     SIGNING_TENANT_ID: ${{ secrets.SIGNING_TENANT_ID }}
-          #     SIGNING_KEY_CODE_AUTHENTICODE: ${{ secrets.SIGNING_KEY_CODE_AUTHENTICODE }}
-          #     SIGNING_KEY_CODE_MAC: ${{ secrets.SIGNING_KEY_CODE_MAC }}
-          #     SIGNING_KEY_CODE_LINUX: ${{ secrets.SIGNING_KEY_CODE_LINUX }}
-          #     SIGNING_CUSTOMER_CORRELATION_ID: ${{ secrets.SIGNING_CUSTOMER_CORRELATION_ID }}
-          #     ESRP_CLIENT_EXE: ".\\esrp\\Microsoft.EsrpClient.${{ secrets.ESRP_VERSION }}\\tools\\EsrpClient.exe"
-          #   inputs:
-          #     targetType: inline
-          #     script: |
-          #       python .\bin\sign.py $env:ESRP_CLIENT_EXE --runtime=${{ config.runtime }} --source=azureauth-${{ parameters.version }}-${{ config.runtime }}
+            - task: EsrpCodeSigning@5
+              displayName: Sign artifacts osx
+              condition: startsWith('${{ config.runtime }}', 'osx')
+              env:
+                SIGNING_KEY_CODE_MAC: $(SIGNING_KEY_CODE_MAC) 
+              inputs:
+                ConnectedServiceName: $(esrpKVServiceConnection)
+                AppRegistrationClientId: $(SIGNING_AAD_ID)
+                AppRegistrationTenantId: $(SIGNING_TENANT_ID)
+                AuthAKVName: $(AZURE_VAULT)
+                AuthCertName: $(AZURE_VAULT_ESRP_AAD_CERT_NAME)
+                AuthSignCertName: $(AZURE_VAULT_ESRP_REQ_CERT_NAME)
+                FolderPath: $(Pipeline.Workspace)/azureauth-${{ parameters.version }}-${{ config.runtime }}/AzureAuth
+                Pattern: '*.dll,*.dylib'
+                signConfigType: 'inlineSignParams'
+                inlineOperation: |
+                  [
+                    {
+                      "KeyCode": "$(SIGNING_KEY_CODE_MAC)",
+                      "OperationCode": "MacAppDeveloperSign",
+                      "ToolName": "sign",
+                      "ToolVersion": "1.0",
+                      "Parameters": {}
+                   },
+                   {
+                    "KeyCode": "$(SIGNING_KEY_CODE_MAC)",
+                    "OperationCode": "SigntoolVerify",
+                    "ToolName": "sign",
+                    "ToolVersion": "1.0",
+                    "Parameters": {}
+                   }
+                  ]
+                SessionTimeout: '60'
+                MaxConcurrency: '50'
+                MaxRetryAttempts: '5'
+                PendingAnalysisWaitTimeoutMinutes: '5'
 
     # Currently we package artifacts into the most commonly accessible archive format for their respective platforms.
     - stage: package
@@ -271,8 +248,8 @@ extends:
             inputs:
             - ${{ each config in parameters.buildConfigs }}:
               - input: pipelineArtifact
-                artifactName: azureauth-${{ parameters.version }}-${{ config.runtime }}
-                targetPath: $(Pipeline.Workspace)/azureauth-${{ parameters.version }}-${{ config.runtime }}
+                artifactName: azureauth-${{ parameters.version }}-${{ config.runtime }}-signed
+                targetPath: $(Pipeline.Workspace)/azureauth-${{ parameters.version }}-${{ config.runtime }}-signed
             outputs:
             - ${{ each config in parameters.buildConfigs }}:
               - output: pipelineArtifact