-
Notifications
You must be signed in to change notification settings - Fork 1.8k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
release: update Windows to use Azure Code Signing
Update Windows component of release workflow to use Azure Code Signing.
- Loading branch information
1 parent
d966009
commit 8ba45f5
Showing
1 changed file
with
71 additions
and
73 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -139,12 +139,13 @@ jobs: | |
| ./payload/* | ||
| # ================================ | ||
| # Windows | ||
| # Windows | ||
| # ================================ | ||
| win-sign: | ||
| name: Build and Sign Windows | ||
| create-windows-artifacts: | ||
| name: Create Windows Artifacts | ||
| runs-on: windows-latest | ||
| environment: release | ||
| needs: prereqs | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
|
|
||
|
|
@@ -153,9 +154,6 @@ jobs: | |
| with: | ||
| dotnet-version: 7.0.x | ||
|
|
||
| - name: Install dependencies | ||
| run: dotnet restore | ||
|
|
||
| - name: Build | ||
| run: | | ||
| dotnet build --configuration=WindowsRelease | ||
|
|
@@ -165,80 +163,75 @@ jobs: | |
| dotnet test --configuration=WindowsRelease | ||
| - name: Lay out Windows payload and symbols | ||
| shell: pwsh | ||
| run: | | ||
| cd src/windows/Installer.Windows/ | ||
| ./layout.ps1 -Configuration WindowsRelease -Output payload -SymbolOutput symbols | ||
| mkdir unsigned-payload | ||
| Get-ChildItem -Path payload/* -Include *.exe, *.dll | Move-Item -Destination unsigned-payload | ||
| cd $env:GITHUB_WORKSPACE\src\windows\Installer.Windows\ | ||
| ./layout.ps1 -Configuration WindowsRelease ` | ||
| -Output $env:GITHUB_WORKSPACE\payload ` | ||
| -SymbolOutput $env:GITHUB_WORKSPACE\symbols | ||
| # The AzureCodeSigning PowerShell module currently cannot handle files | ||
| # without extensions. This is a temporary workaround until the issue is | ||
| # fixed. | ||
| mkdir $env:GITHUB_WORKSPACE\incompatible-files | ||
| Get-ChildItem -Path $env:GITHUB_WORKSPACE\payload\* -Include NOTICE ` | ||
| | Move-Item -Destination $env:GITHUB_WORKSPACE\incompatible-files | ||
| - uses: azure/login@v1 | ||
| - name: Log into Azure | ||
| uses: azure/login@v1 | ||
| with: | ||
| creds: ${{ secrets.AZURE_CREDENTIALS }} | ||
|
|
||
| - name: Set up ESRP client | ||
| shell: pwsh | ||
| env: | ||
| AZURE_VAULT: ${{ secrets.AZURE_VAULT }} | ||
| AUTH_CERT: ${{ secrets.AZURE_VAULT_AUTH_CERT_NAME }} | ||
| REQUEST_SIGNING_CERT: ${{ secrets.AZURE_VAULT_REQUEST_SIGNING_CERT_NAME }} | ||
| run: | | ||
| .github\set_up_esrp.ps1 | ||
| client-id: ${{ secrets.AZURE_CLIENT_ID }} | ||
| tenant-id: ${{ secrets.AZURE_TENANT_ID }} | ||
| subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | ||
|
|
||
| - name: Run ESRP client for unsigned payload | ||
| shell: pwsh | ||
| env: | ||
| AZURE_AAD_ID: ${{ secrets.AZURE_AAD_ID }} | ||
| WINDOWS_KEY_CODE: ${{ secrets.WINDOWS_KEY_CODE }} | ||
| WINDOWS_OP_CODE: ${{ secrets.WINDOWS_OPERATION_CODE }} | ||
| run: | | ||
| python .github\run_esrp_signing.py ` | ||
| src/windows/Installer.Windows/unsigned-payload ` | ||
| $env:WINDOWS_KEY_CODE $env:WINDOWS_OP_CODE ` | ||
| --params 'OpusName' 'Microsoft' ` | ||
| 'OpusInfo' 'http://www.microsoft.com' ` | ||
| 'FileDigest' '/fd "SHA256"' 'PageHash' '/NPH' ` | ||
| 'TimeStamp' '/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256' | ||
| - name: Lay out signed payload | ||
| shell: pwsh | ||
| run: | | ||
| mkdir signed-payload | ||
| Move-Item -Path signed/* -Destination signed-payload | ||
| # ESRP will not sign the *.exe.config or NOTICE files, but they are needed to build the installers. | ||
| # Due to this, we copy them after signing. | ||
| Get-ChildItem -Path src/windows/Installer.Windows/payload/* -Include *.exe.config, NOTICE | Move-Item -Destination signed-payload | ||
| Remove-Item signed -Recurse -Force | ||
| - name: Sign payload files with Azure Code Signing | ||
| uses: azure/[email protected] | ||
| with: | ||
| endpoint: https://wus2.codesigning.azure.net/ | ||
| code-signing-account-name: git-fundamentals-signing | ||
| certificate-profile-name: git-fundamentals-windows-signing | ||
| files-folder: ${{ github.workspace }}\payload | ||
| files-folder-filter: exe,dll | ||
| file-digest: SHA256 | ||
| timestamp-rfc3161: http://timestamp.acs.microsoft.com | ||
| timestamp-digest: SHA256 | ||
|
|
||
| # The Azure Code Signing action overrides the .NET version, so we reset it. | ||
| - name: Set up .NET | ||
| uses: actions/[email protected] | ||
| with: | ||
| dotnet-version: 7.0.x | ||
|
|
||
| - name: Build with signed payload | ||
| shell: pwsh | ||
| run: | | ||
| dotnet build src/windows/Installer.Windows /p:PayloadPath=$env:GITHUB_WORKSPACE/signed-payload /p:NoLayout=true --configuration=WindowsRelease | ||
| Get-ChildItem -Path $env:GITHUB_WORKSPACE\incompatible-files ` | ||
| -Include NOTICE | Move-Item -Destination payload | ||
| dotnet build $env:GITHUB_WORKSPACE\src\windows\Installer.Windows ` | ||
| /p:PayloadPath=$env:GITHUB_WORKSPACE\payload /p:NoLayout=true ` | ||
| --configuration=WindowsRelease --output=$env:GITHUB_WORKSPACE\installers | ||
| # The AzureCodeSigning PowerShell module currently cannot handle files | ||
| # without extensions. Since it was previously bundled with the payload, | ||
| # we can manually remove until the issue is fixed. | ||
| Remove-Item -Path $env:GITHUB_WORKSPACE\installers\NOTICE | ||
| - name: Run ESRP client for installers | ||
| shell: pwsh | ||
| env: | ||
| AZURE_AAD_ID: ${{ secrets.AZURE_AAD_ID }} | ||
| WINDOWS_KEY_CODE: ${{ secrets.WINDOWS_KEY_CODE }} | ||
| WINDOWS_OP_CODE: ${{ secrets.WINDOWS_OPERATION_CODE }} | ||
| run: | | ||
| python .github\run_esrp_signing.py ` | ||
| .\out\windows\Installer.Windows\bin\WindowsRelease\net472 ` | ||
| $env:WINDOWS_KEY_CODE ` | ||
| $env:WINDOWS_OP_CODE ` | ||
| --params 'OpusName' 'Microsoft' ` | ||
| 'OpusInfo' 'http://www.microsoft.com' ` | ||
| 'FileDigest' '/fd "SHA256"' 'PageHash' '/NPH' ` | ||
| 'TimeStamp' '/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256' | ||
| - name: Sign installers with Azure Code Signing | ||
| uses: azure/[email protected] | ||
| with: | ||
| endpoint: https://wus2.codesigning.azure.net/ | ||
| code-signing-account-name: git-fundamentals-signing | ||
| certificate-profile-name: git-fundamentals-windows-signing | ||
| files-folder: ${{ github.workspace }}\installers | ||
| files-folder-filter: exe | ||
| file-digest: SHA256 | ||
| timestamp-rfc3161: http://timestamp.acs.microsoft.com | ||
| timestamp-digest: SHA256 | ||
|
|
||
| - name: Publish final artifacts | ||
| uses: actions/upload-artifact@v3 | ||
| with: | ||
| name: win-sign | ||
| name: windows-artifacts | ||
| path: | | ||
| signed | ||
| signed-payload | ||
| src/windows/Installer.Windows/symbols | ||
| payload | ||
| installers | ||
| symbols | ||
| # ================================ | ||
| # Linux | ||
|
|
@@ -443,7 +436,7 @@ jobs: | |
| command: git-credential-manager | ||
| description: osx-x64 | ||
| - os: windows-latest | ||
| artifact: win-sign | ||
| artifact: windows-artifacts | ||
| # Even when a standalone GCM version is installed, GitHub actions | ||
| # runners still only recognize the version bundled with Git for | ||
| # Windows due to its placement on the PATH. For this reason, we use | ||
|
|
@@ -455,10 +448,15 @@ jobs: | |
| command: git-credential-manager | ||
| description: dotnet-tool | ||
| runs-on: ${{ matrix.component.os }} | ||
| needs: [ create-macos-artifacts, win-sign, create-linux-artifacts, create-dotnet-tool-artifacts ] | ||
| needs: [ create-macos-artifacts, create-windows-artifacts, create-linux-artifacts, create-dotnet-tool-artifacts ] | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
|
|
||
| - name: Set up .NET | ||
| uses: actions/[email protected] | ||
| with: | ||
| dotnet-version: 7.0.x | ||
|
|
||
| - name: Download artifacts | ||
| uses: actions/download-artifact@v3 | ||
| with: | ||
|
|
@@ -468,7 +466,7 @@ jobs: | |
| if: contains(matrix.component.description, 'windows') | ||
| shell: pwsh | ||
| run: | | ||
| $exePaths = Get-ChildItem -Path ./signed/*.exe | %{$_.FullName} | ||
| $exePaths = Get-ChildItem -Path ./installers/*.exe | %{$_.FullName} | ||
| foreach ($exePath in $exePaths) | ||
| { | ||
| Start-Process -Wait -FilePath "$exePath" -ArgumentList "/SILENT /VERYSILENT /NORESTART" | ||
|
|
@@ -543,8 +541,8 @@ jobs: | |
| - name: Archive Windows payload and symbols | ||
| run: | | ||
| mkdir win-x86-payload-and-symbols | ||
| zip -jr win-x86-payload-and-symbols/gcm-win-x86-$VERSION.zip win-sign/signed-payload | ||
| zip -jr win-x86-payload-and-symbols/gcm-win-x86-$VERSION-symbols.zip win-sign/src/windows/Installer.Windows/symbols | ||
| zip -jr win-x86-payload-and-symbols/gcm-win-x86-$VERSION.zip windows-artifacts/payload | ||
| zip -jr win-x86-payload-and-symbols/gcm-win-x86-$VERSION-symbols.zip windows-artifacts/symbols | ||
| - uses: actions/github-script@v6 | ||
| with: | ||
|
|
@@ -592,7 +590,7 @@ jobs: | |
| await Promise.all([ | ||
| // Upload Windows artifacts | ||
| uploadDirectoryToRelease('win-sign/signed'), | ||
| uploadDirectoryToRelease('windows-artifacts/installers'), | ||
| uploadDirectoryToRelease('win-x86-payload-and-symbols'), | ||
| // Upload macOS artifacts | ||
|
|
||