@@ -15,6 +15,31 @@ parameters:
1515 default : false
1616 displayName : ' Enable ESRP code signing'
1717
18+ #
19+ # 1ES Pipeline Templates do not allow using a matrix strategy so we create
20+ # a YAML object parameter with and foreach to create jobs for each entry.
21+ # Each OS has its own matrix object since their build steps differ.
22+ #
23+ - name : windows_matrix
24+ type : object
25+ default :
26+ - id : windows_x64
27+ jobName : ' Windows (x86)'
28+ runtime : win-x86
29+ pool : GitClientPME-1ESHostedPool-intel-pc
30+ image : win-x86_64-ado1es
31+ os : windows
32+
33+ variables :
34+ - name : ' esrpAppConnectionName'
35+ value : ' 1ESGitClient-ESRP-App'
36+ # ESRP signing variables set in the pipeline settings:
37+ # - esrpEndpointUrl
38+ # - esrpClientId
39+ # - esrpTenantId
40+ # - esrpKeyVaultName
41+ # - esrpSignReqCertName
42+
1843extends :
1944 template : v1/1ES.Official.PipelineTemplate.yml@1ESPipelines
2045 parameters :
@@ -44,3 +69,144 @@ extends:
4469 script : |
4570 # Set the version variable for later stages to consume
4671 echo "##vso[task.setvariable variable=value;isOutput=true;isReadOnly=true]$(cat ./VERSION | sed -E 's/.[0-9]+$//')"
72+
73+ - stage : build
74+ displayName : ' Build and Sign'
75+ dependsOn : prebuild
76+ jobs :
77+ #
78+ # Windows build jobs
79+ #
80+ - ${{ each dim in parameters.windows_matrix }} :
81+ - job : ${{ dim.id }}
82+ displayName : ${{ dim.jobName }}
83+ pool :
84+ name : ${{ dim.pool }}
85+ image : ${{ dim.image }}
86+ os : ${{ dim.os }}
87+ variables :
88+ version : $[stageDependencies.prebuild.vars.outputs['version.value']]
89+ templateContext :
90+ outputs :
91+ - output : pipelineArtifact
92+ targetPath : ' $(Build.ArtifactStagingDirectory)\payload'
93+ artifactName : ' ${{ dim.runtime }}_payload'
94+ - output : pipelineArtifact
95+ targetPath : ' $(Build.ArtifactStagingDirectory)\symbols'
96+ artifactName : ' ${{ dim.runtime }}_symbols'
97+ - output : pipelineArtifact
98+ targetPath : ' $(Build.ArtifactStagingDirectory)\installers'
99+ artifactName : ' ${{ dim.runtime }}_installers'
100+ steps :
101+ - checkout : self
102+ - task : UseDotNet@2
103+ displayName : ' Use .NET 8 SDK'
104+ inputs :
105+ packageType : sdk
106+ version : ' 8.x'
107+ - task : PowerShell@2
108+ displayName : ' Build payload'
109+ inputs :
110+ targetType : filePath
111+ filePath : ' .\src\windows\Installer.Windows\layout.ps1'
112+ arguments : |
113+ -Configuration Release `
114+ -Output $(Build.ArtifactStagingDirectory)\payload `
115+ -SymbolOutput $(Build.ArtifactStagingDirectory)\symbols_raw
116+ - task : ArchiveFiles@2
117+ displayName : ' Archive symbols'
118+ inputs :
119+ rootFolderOrFile : ' $(Build.ArtifactStagingDirectory)\symbols_raw'
120+ includeRootFolder : false
121+ archiveType : zip
122+ archiveFile : ' $(Build.ArtifactStagingDirectory)\symbols\gcm-win-x86-$(version)-symbols.zip'
123+ - task : EsrpCodeSigning@5
124+ condition : and(succeeded(), eq('${{ parameters.esrp }}', true))
125+ displayName : ' Sign payload'
126+ inputs :
127+ connectedServiceName : ' $(esrpAppConnectionName)'
128+ useMSIAuthentication : true
129+ appRegistrationClientId : ' $(esrpClientId)'
130+ appRegistrationTenantId : ' $(esrpTenantId)'
131+ authAkvName : ' $(esrpKeyVaultName)'
132+ authSignCertName : ' $(esrpSignReqCertName)'
133+ serviceEndpointUrl : ' $(esrpEndpointUrl)'
134+ folderPath : ' $(Build.ArtifactStagingDirectory)\payload'
135+ pattern : |
136+ **/*.exe
137+ **/*.dll
138+ useMinimatch : true
139+ signConfigType : inlineSignParams
140+ inlineOperation : |
141+ [
142+ {
143+ "KeyCode": "CP-230012",
144+ "OperationCode": "SigntoolSign",
145+ "ToolName": "sign",
146+ "ToolVersion": "1.0",
147+ "Parameters": {
148+ "OpusName": "Microsoft",
149+ "OpusInfo": "https://www.microsoft.com",
150+ "FileDigest": "/fd SHA256",
151+ "PageHash": "/NPH",
152+ "TimeStamp": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256"
153+ }
154+ },
155+ {
156+ "KeyCode": "CP-230012",
157+ "OperationCode": "SigntoolVerify",
158+ "ToolName": "sign",
159+ "ToolVersion": "1.0",
160+ "Parameters": {}
161+ }
162+ ]
163+ - task : PowerShell@2
164+ displayName : ' Build installers'
165+ inputs :
166+ targetType : inline
167+ script : |
168+ dotnet build '.\src\windows\Installer.Windows\Installer.Windows.csproj' `
169+ --configuration Release `
170+ --no-dependencies `
171+ -p:NoLayout=true `
172+ -p:PayloadPath="$(Build.ArtifactStagingDirectory)\payload" `
173+ -p:OutputPath="$(Build.ArtifactStagingDirectory)\installers"
174+ - task : EsrpCodeSigning@5
175+ condition : and(succeeded(), eq('${{ parameters.esrp }}', true))
176+ displayName : ' Sign installers'
177+ inputs :
178+ connectedServiceName : ' $(esrpAppConnectionName)'
179+ useMSIAuthentication : true
180+ appRegistrationClientId : ' $(esrpClientId)'
181+ appRegistrationTenantId : ' $(esrpTenantId)'
182+ authAkvName : ' $(esrpKeyVaultName)'
183+ authSignCertName : ' $(esrpSignReqCertName)'
184+ serviceEndpointUrl : ' $(esrpEndpointUrl)'
185+ folderPath : ' $(Build.ArtifactStagingDirectory)\installers'
186+ pattern : ' **/*.exe'
187+ useMinimatch : true
188+ signConfigType : inlineSignParams
189+ inlineOperation : |
190+ [
191+ {
192+ "KeyCode": "CP-230012",
193+ "OperationCode": "SigntoolSign",
194+ "ToolName": "sign",
195+ "ToolVersion": "1.0",
196+ "Parameters": {
197+ "OpusName": "Microsoft",
198+ "OpusInfo": "https://www.microsoft.com",
199+ "FileDigest": "/fd SHA256",
200+ "PageHash": "/NPH",
201+ "TimeStamp": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256"
202+ }
203+ },
204+ {
205+ "KeyCode": "CP-230012",
206+ "OperationCode": "SigntoolVerify",
207+ "ToolName": "sign",
208+ "ToolVersion": "1.0",
209+ "Parameters": {}
210+ }
211+ ]
212+
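Review bot: Both `EsrpCodeSigning@5` steps are skipped unless `parameters.esrp` is true (the parameter at the top of the first hunk appears to default to `false`), yet the `templateContext.outputs` entries still publish `${{ dim.runtime }}_payload` and `${{ dim.runtime }}_installers` under the same names, so a later stage cannot tell signed binaries from unsigned ones. I would add a comment above `outputs:` such as `# Artifacts are unsigned unless the esrp parameter is true; release stages must gate on it`, and give any stage that consumes these artifacts for release the same `eq('${{ parameters.esrp }}', true)` condition. Separately, the matrix entry is `id: windows_x64` while its `jobName` and `runtime` say x86, and `archiveFile` hard-codes `gcm-win-x86-`; `id: windows_x86` and `gcm-${{ dim.runtime }}-$(version)-symbols.zip` would keep the names correct if a second entry is added. The 'Sign payload' pattern `**/*.dll` matches every DLL under the payload folder, so it is worth confirming that any third-party assemblies shipped there are meant to be signed under the same key code.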