Use PME identity for DAC signing (#113997)

Author: hoyosjs

eng/native/signing/auth.json

@@ -1,18 +1,23 @@
 {
     "Version" : "1.0.0",
     "AuthenticationType" : "AAD_CERT",
-    "TenantId" : "72f988bf-86f1-41af-91ab-2d7cd011db47",
-    "ClientId" : "2234cdec-a13f-4bb2-aa63-04c57fd7a1f9",
+    "TenantId" : "975f013f-7f24-47e8-a7d3-abc4752bf346",
+    "ClientId" : "22346933-af99-4e94-97d5-7fa1dcf4bba6",
     "AuthCert" :
     {
-        "SubjectName" : "CN=2234cdec-a13f-4bb2-aa63-04c57fd7a1f9.microsoft.com",
+        "SubjectName" : "CN=22346933-af99-4e94-97d5-7fa1dcf4bba6.microsoft.com",
         "StoreLocation" : "CurrentUser",
         "StoreName": "My",
-        "SendX5c" : "true"
+        "SendX5c" : "true",
+        "WithAzureRegion": false
     },
-    "RequestSigningCert" : {
-        "SubjectName" : "CN=2234cdec-a13f-4bb2-aa63-04c57fd7a1f9",
-        "StoreLocation" : "CurrentUser",
-        "StoreName" : "My"
-    }
+    "RequestSigningCert" :
+    {
+        "GetCertFromKeyVault" : true,
+        "KeyVaultName": "clrdiag-esrp-pme",
+        "KeyVaultCertName": "dac-dnceng-esrpclient-cert",
+        "SendX5c": false,
+        "WithAzureRegion": false
+    },
+    "OAuthToken": null
 }

eng/native/signing/config.json

@@ -1,6 +1,6 @@
 {
     "Version" : "1.0.0",
-    "MaxDegreeOfParallelism" : "50",
-    "ExponentialRetryCount" : "5",
-    "EsrpSessionTimeoutInSec" : "1800"
+    "MaxDegreeOfParallelism" : 50,
+    "ExponentialRetryCount" : 5,
+    "EsrpSessionTimeoutInSec" : 1800
 }

eng/pipelines/coreclr/templates/install-diagnostic-certs.yml

@@ -14,12 +14,23 @@ steps:
       SecretsFilter: ${{ join(',', parameters.certNames) }}
     displayName: 'Download secrets: Diagnostic Certificates'
 
-  - task: EsrpClientTool@2
-    displayName: Download ESRPClient
+  - task: NuGetCommand@2
+    displayName: Install ESRPClient Tool
+    inputs:
+      command: 'custom'
+      arguments: 'install microsoft.esrpclient
+                -Source https://dnceng.pkgs.visualstudio.com/_packaging/MicroBuildToolset/nuget/v3/index.json
+                -DependencyVersion Highest -OutputDirectory $(Build.StagingDirectory)'
 
   - powershell: |
       eng/pipelines/install-diagnostic-certs.ps1 "${{ join(',', parameters.certNames) }}"
-      $signArgs = '/p:DotNetEsrpToolPath=$(esrpclient.toolpath)\$(esrpclient.toolname)'
+      $esrpclient = Get-ChildItem -Path '$(Build.StagingDirectory)\microsoft.esrpclient*' -Filter esrpclient.exe -Recurse | Select-Object -First 1 | select -ExpandProperty FullName
+
+      if ($esrpclient -eq $null) {
+        throw "Failed to find esrpclient.exe in $(Build.StagingDirectory)"
+      }
+
+      $signArgs = "/p:DotNetEsrpToolPath=$esrpclient"
       echo "##vso[task.setvariable variable=_SignDiagnosticFilesArgs;]$signArgs"
     displayName: 'Install diagnostic certificates'
     workingDirectory: ${{ parameters.scriptRoot }}

eng/pipelines/runtime-official.yml

@@ -85,10 +85,9 @@ extends:
               parameters:
                 isOfficialBuild: true
                 certNames:
-                - 'dotnetesrp-diagnostics-aad-ssl-cert'
-                - 'dotnet-diagnostics-esrp-pki-onecert'
-                vaultName: 'clrdiag-esrp-id'
-                azureSubscription: 'diagnostics-esrp-kvcertuser'
+                - 'dac-dnceng-ssl-cert'
+                vaultName: 'clrdiag-esrp-pme'
+                azureSubscription: 'diagnostics-esrp-kvcertuser-pme'
 
             buildArgs: -c $(_BuildConfig) -restore -build -publish /p:DotNetBuildAllRuntimePacks=true $(_SignDiagnosticFilesArgs) $(_EnableDefaultArtifactsArg)
             nameSuffix: AllRuntimes
@@ -242,10 +241,9 @@ extends:
               parameters:
                 isOfficialBuild: true
                 certNames:
-                - 'dotnetesrp-diagnostics-aad-ssl-cert'
-                - 'dotnet-diagnostics-esrp-pki-onecert'
-                vaultName: 'clrdiag-esrp-id'
-                azureSubscription: 'diagnostics-esrp-kvcertuser'
+                - 'dac-dnceng-ssl-cert'
+                vaultName: 'clrdiag-esrp-pme'
+                azureSubscription: 'diagnostics-esrp-kvcertuser-pme'
             postBuildSteps:
             - template: /eng/pipelines/coreclr/templates/remove-diagnostic-certs.yml
               parameters: