
Commit 1e01593

committed
fixup! .azure-pipelines/release.yml: add macOS builds
1 parent 6220fe2 commit 1e01593

1 file changed

Lines changed: 56 additions & 4 deletions


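--- a/.azure-pipelines/release.yml
+++ b/.azure-pipelines/release.yml
@@ -71,12 +71,16 @@ variables:
 value: '1ESGitClient-NuGet'
 - name: 'esrpConnectionName'
 value: '1ESGitClient-ESRP'
+- name: 'appleKeyVaultConnectionName'
+value: '1ESGitClient-AppleKeyVault'
 # ESRP signing variables set in the pipeline settings:
 # - esrpEndpointUrl
 # - esrpClientId
 # - esrpTenantId
 # - esrpAuthAkvName
 # - esrpAuthSignCertName
+# Apple signing variables set in the pipeline settings:
+# - appleKeyVaultName
 
 extends:
 template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelines
@@ -296,15 +300,63 @@ extends:
 archiveType: tar
 tarCompression: gz
 archiveFile: '$(Build.ArtifactStagingDirectory)/symbols/gcm-${{ dim.runtime }}-$(version)-symbols.tar.gz'
-# ESRP code signing for macOS requires the files be packaged in a zip file first
+- task: AzureKeyVault@2
+displayName: 'Download developer certificate'
+inputs:
+azureSubscription: '$(appleKeyVaultConnectionName)'
+keyVaultName: '$(appleKeyVaultName)'
+secretsFilter: 'mac-developer-certificate,mac-developer-certificate-password,apple-team-id'
 - task: Bash@3
-displayName: 'Prepare payload files for signing'
+displayName: 'Import developer certificate'
 inputs:
 targetType: inline
 script: |
-mkdir -p $(Build.ArtifactStagingDirectory)/tosign
+# Create and unlock a keychain for the developer certificate
+security create-keychain -p pwd $(Agent.TempDirectory)/buildagent.keychain
+security default-keychain -s $(Agent.TempDirectory)/buildagent.keychain
+security unlock-keychain -p pwd $(Agent.TempDirectory)/buildagent.keychain
+
+cat $(mac-developer-certificate) | base64 -D > $(Agent.TempDirectory)/cert.p12
+cat $(mac-developer-certificate-password) > $(Agent.TempDirectory)/cert.password
+
+# Import the developer certificate
+security import $(Agent.TempDirectory)/cert.p12 \
+-k $(Agent.TempDirectory)/buildagent.keychain \
+-P "$(mac-developer-certificate-password)" \
+-T /usr/bin/codesign
+
+# Clean up the cert file immediately after import
+rm $(Agent.TempDirectory)/cert.p12
+
+# Set ACLs to allow codesign to access the private key
+security set-key-partition-list \
+-S apple-tool:,apple:,codesign: \
+-s -k pwd \
+$(Agent.TempDirectory)/buildagent.keychain
+- task: Bash@3
+displayName: 'Developer sign payload files'
+inputs:
+targetType: inline
+script: |
+mkdir -p $(Build.ArtifactStagingDirectory)/tosign/payload
 cd $(Build.ArtifactStagingDirectory)/payload
-zip -rX $(Build.ArtifactStagingDirectory)/tosign/payload.zip ./git-credential-manager *.dylib
+
+# Copy the files that need signing
+cp -t $(Build.ArtifactStagingDirectory)/tosign/payload ./git-credential-manager *.dylib
+
+# Developer sign the files
+./src/osx/Installer.Mac/codesign.sh \
+"$(Build.ArtifactStagingDirectory)/tosign/payload" \
+"$(apple-team-id)" \
+"./src/osx/Installer.Mac/entitlements.xml"
+# ESRP code signing for macOS requires the files be packaged in a zip file for submission
+- task: ArchiveFiles@2
+displayName: 'Archive files for signing'
+inputs:
+rootFolderOrFile: '$(Build.ArtifactStagingDirectory)/tosign/payload'
+includeRootFolder: false
+archiveType: zip
+archiveFile: '$(Build.ArtifactStagingDirectory)/tosign/payload.zip'
 - task: EsrpCodeSigning@5
 condition: and(succeeded(), eq('${{ parameters.esrp }}', true))
 displayName: 'Sign payload'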
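Review bot: The two `cat` lines in the 'Import developer certificate' step hand the expanded secret values to `cat` as file names: `$(mac-developer-certificate)` is macro-substituted before the shell runs, so `cat <base64 blob>` fails with "No such file or directory" rather than decoding the certificate, and the password line has the same problem; use `echo "$(mac-developer-certificate)" | base64 -D > $(Agent.TempDirectory)/cert.p12` and drop the `cert.password` line entirely, since `security import` already receives the password via `-P` and the file is otherwise never read or removed, leaving the secret on disk after the step. In the 'Developer sign payload files' step, `cp -t` is a GNU coreutils option that the BSD `cp` on macOS agents does not accept; write `cp ./git-credential-manager *.dylib $(Build.ArtifactStagingDirectory)/tosign/payload` instead. The `./src/osx/Installer.Mac/codesign.sh` and `entitlements.xml` paths are resolved relative to the payload directory after the preceding `cd`, which presumably is not where the repository sources live, so anchoring them at `$(Build.SourcesDirectory)/src/osx/Installer.Mac/` would be safer. Nothing in the hunk deletes `buildagent.keychain` after signing, so the imported private key stays on the agent for the rest of the job; the EsrpCodeSigning step continues past the end of the hunk.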
