Merge pull request #7490 from dibarbet/dev/dibarbet/signing

dibarbet · web-flow · commit ee27ecae50fd · 2024-09-13T11:16:33.000-07:00
Add signing support to VSIX
diff --git a/.gitignore b/.gitignore
@@ -14,6 +14,8 @@ out
 .razortelemetry/
 .razorDevKit/
 .vscode-test/
+msbuild/signing/signJs/*.log
+msbuild/signing/signVsix/*.log
 dist/
 *.razor.json
 
diff --git a/.vscodeignore b/.vscodeignore
@@ -14,7 +14,7 @@
 .vscode-test/**
 coverage/**
 out/**
-server/**
+msbuild/**
 src/**
 tasks/**
 test/**
@@ -33,6 +33,9 @@ azure-pipelines
 .editorconfig
 .gitignore
 CODEOWNERS
+Directory.Build.props
+global.json
+NuGet.config
 gulpfile.ts
 !install.Lock
 ISSUE_TEMPLATE
diff --git a/Directory.Build.props b/Directory.Build.props
@@ -1,5 +1,6 @@
 <Project>
     <PropertyGroup>
+        <RepoRoot>$(MSBuildThisFileDirectory)</RepoRoot>
         <!--
             Defines the lowest supported target framework for the extension.
             Used by server download / integration tests to ensure they run when only this SDK is installed.
diff --git a/NuGet.config b/NuGet.config
diff --git a/azure-pipelines-official.yml b/azure-pipelines-official.yml
@@ -19,6 +19,13 @@ parameters:
   - prerelease
   - auto
   default: auto
+# Allows the sign type to be set manually for a specific build
+- name: signType
+  values:
+  - test
+  - real
+  - auto
+  default: auto
 
 resources:
   repositories:
@@ -51,3 +58,4 @@ extends:
         versionNumberOverride: ${{ parameters.versionNumberOverride }}
         isOfficial: true
         channel: ${{ parameters.channel }}
+        signType: ${{ parameters.signType }}
diff --git a/azure-pipelines.yml b/azure-pipelines.yml
@@ -22,6 +22,7 @@ stages:
 - template: azure-pipelines/build-all.yml
   parameters:
     isOfficial: false
+    signType: test
 
 - stage: Test_Linux_Stage
   displayName: Test Linux
diff --git a/azure-pipelines/build-all.yml b/azure-pipelines/build-all.yml
@@ -10,13 +10,20 @@ parameters:
   - prerelease
   - auto
   default: auto
+- name: signType
+  values:
+  - test
+  - real
+  - auto
+  default: auto
+
 stages:
 - stage: Build
   displayName: 'Build VSIXs'
   dependsOn: []
   jobs:
-  - job: SetChannelVariable
-    displayName: 'Set Channel Variable'
+  - job: SetRunVariables
+    displayName: 'Set Run Variables'
     pool:
       ${{ if eq(parameters.isOfficial, true) }}:
         name: netcore1espool-internal
@@ -53,8 +60,37 @@ stages:
           Write-Host "Setting pipeline channel variable to Release."
           Write-Host "##vso[task.setvariable variable=channel;isoutput=true]Release"
         }
-      name: passOutput
-      
+      name: passChannel
+      displayName: Set Channel Variable
+
+    - pwsh: |
+        $signType = "test"
+        if ("${{ parameters.isOfficial }}" -ne "true") {
+          Write-Host "Not an official build, test signing"
+          $signType = "test"
+        } elseif ("${{ parameters.signType }}"  -eq "test") {
+          Write-Host "Sign type override set to ${{ parameters.signType }}"
+          $signType = "test"
+        } elseif ("${{ parameters.signType }}"  -eq "real") {
+          Write-Host "Sign type override set to ${{ parameters.signType }}"
+          $signType = "real"
+        } else {
+          Write-Host "Sign type override is ${{ parameters.signType }}, using branch configuration to determine sign type"
+          Write-Host "Detected branch $(Build.SourceBranchName)"
+          if ( ("$(Build.SourceBranchName)" -eq "release") -or ("$(Build.SourceBranchName)" -eq "prerelease")) {
+            Write-Host "Branch is a release branch, using real sign type."
+            $signType = 'real'
+          } else {
+            Write-Host "Branch is test branch, using test sign type."
+            $signType = 'test'
+          }
+        }
+
+        Write-Host "Setting pipeline signType variable to " $signType
+        Write-Host "##vso[task.setvariable variable=signType;isoutput=true]$signType"
+      name: passSignType
+      displayName: Set Sign Type
+
   - template: /azure-pipelines/build.yml@self
     parameters:
       versionNumberOverride: ${{ parameters.versionNumberOverride }}
diff --git a/azure-pipelines/build.yml b/azure-pipelines/build.yml
@@ -13,9 +13,11 @@ jobs:
 - job: 'Build_${{ parameters.platform }}_vsixs'
   pool: ${{ parameters.pool }}
   displayName: 'Build ${{ parameters.platform }} vsixs'
-  dependsOn: SetChannelVariable
+  dependsOn: SetRunVariables
   variables:
-    channel: $[ dependencies.SetChannelVariable.outputs['passOutput.channel'] ]
+    channel: $[ dependencies.SetRunVariables.outputs['passChannel.channel'] ]
+    signType: $[ dependencies.SetRunVariables.outputs['passSignType.signType'] ]
+    teamName: DotNetCore
   steps:
   - checkout: self
     clean: true
@@ -25,6 +27,20 @@ jobs:
   - template: /azure-pipelines/prereqs.yml@self
     parameters:
       versionNumberOverride: ${{ parameters.versionNumberOverride }}
+
+  # If we're in an official build, install the signing plugin
+  - ${{ if eq(parameters.isOfficial, true) }}:
+    - task: MicroBuildSigningPlugin@4
+      displayName: 🔧 Install MicroBuild Signing Plugin
+      inputs:
+        signType: $(signType)
+        zipSources: false
+        feedSource: https://dnceng.pkgs.visualstudio.com/_packaging/MicroBuildToolset/nuget/v3/index.json
+        azureSubscription: 'MicroBuild Signing Task (DevDiv)'
+      env:
+        SignType: $(signType)
+        TeamName: $(teamName)
+
   - pwsh: |
       Write-Host "Building VSIXs for platform ${{ parameters.platform }} and channel $(channel)"
       if ("$(channel)" -eq "Release") {
@@ -33,6 +49,15 @@ jobs:
         gulp vsix:release:package:${{ parameters.platform }} --prerelease
       }
     displayName: 'Build VSIXs'
+    env:
+      SignType: $(signType)
+
+  - ${{ if eq(parameters.isOfficial, true) }}:
+    - script: gulp signVsix
+      condition: succeeded()
+      displayName: 'Sign VSIXs'
+      env:
+        SignType: $(signType)
 
   - ${{ if eq(parameters.isOfficial, true) }}:
     - task: 1ES.PublishBuildArtifacts@1
@@ -41,6 +66,12 @@ jobs:
       inputs:
         PathtoPublish: '$(Build.SourcesDirectory)/vsix'
         ArtifactName: 'VSIX_$(channel)'
+    - task: 1ES.PublishBuildArtifacts@1
+      condition: succeeded()
+      displayName: 'Publish Signing Logs'
+      inputs:
+        PathtoPublish: '$(Build.SourcesDirectory)/out/logs'
+        ArtifactName: '${{ parameters.platform }} Signing Logs'
   - ${{ else }}:
     - task: PublishBuildArtifacts@1
       condition: succeeded()
diff --git a/azure-pipelines/release.yml b/azure-pipelines/release.yml
@@ -99,6 +99,10 @@ extends:
                     $basePublishArgs += '--azure-credential'
                     $basePublishArgs += '--packagePath'
                     $publishArgs = $basePublishArgs + (Get-ChildItem $publishArtifacts\*.vsix | Sort-Object Name -Descending |% { $_ })
+                    $publishArgs += '--manifestPath'
+                    $publishArgs += (Get-ChildItem $publishArtifacts\*.manifest | Sort-Object Name -Descending |% { $_ })
+                    $publishArgs += '--signaturePath'
+                    $publishArgs += (Get-ChildItem $publishArtifacts\*.signature.p7s | Sort-Object Name -Descending |% { $_ })
 
                     If ("${{ parameters.test }}" -eq "true") {
                       Write-Host "In test mode, command is printed instead of run."
diff --git a/global.json b/global.json
@@ -0,0 +1,5 @@
+{
+    "msbuild-sdks": {
+      "Microsoft.Build.NoTargets": "3.7.0"
+    }
+}
diff --git a/gulpfile.ts b/gulpfile.ts
@@ -10,3 +10,4 @@ require('./tasks/localizationTasks');
 require('./tasks/createTagsTasks');
 require('./tasks/debuggerTasks');
 require('./tasks/snapTasks');
+require('./tasks/signingTasks');
diff --git a/msbuild/Directory.Build.props b/msbuild/Directory.Build.props
@@ -0,0 +1,6 @@
+<Project>
+    <Import Project="../Directory.Build.props" />
+    <PropertyGroup>
+        <BaseIntermediateOutputPath>$(RepoRoot)out/msbuild/obj/$(MSBuildProjectName)</BaseIntermediateOutputPath>
+    </PropertyGroup>
+</Project>
diff --git a/msbuild/server/ServerDownload.csproj b/msbuild/server/ServerDownload.csproj
@@ -4,15 +4,12 @@
     This is not a real project, just a helpful x-plat way to acquire the nuget package
     containing the language server executables.
 -->
-<Project Sdk="Microsoft.Build.NoTargets/1.0.80">
+<Project Sdk="Microsoft.Build.NoTargets">
 
     <PropertyGroup>
         <!-- Changes the global packages folder-->
-        <RestorePackagesPath>../out/.nuget/</RestorePackagesPath>
-        <!-- It's still PackageReference, so project intermediates are still created. -->
-        <MSBuildProjectExtensionsPath>$(RestorePackagesPath)obj/</MSBuildProjectExtensionsPath>
-        <!-- We use the lowest supported target framework so we can build and run integration tests against the lowest supported target framework -->
-        <TargetFramework>$(LowestSupportedTargetFramework)</TargetFramework>
+        <RestorePackagesPath Condition="'$(DownloadToGlobalNugetFolder)' == ''">../../out/.nuget/</RestorePackagesPath>
+        <TargetFramework>netstandard2.0</TargetFramework>
         <!-- If a package is resolved to a fallback folder, it may not be downloaded.-->
         <DisableImplicitNuGetFallbackFolder>true</DisableImplicitNuGetFallbackFolder>
         <!-- We don't want to build this project, so we do not need the reference assemblies for the framework we chose.-->
diff --git a/msbuild/signing/SIGNING.md b/msbuild/signing/SIGNING.md
@@ -0,0 +1,32 @@
+# Overview
+The C# extension needs to be signed with MSFT signatures in order to be uploaded to the marketplace.
+
+Server side components should be signed when those artifacts are generated (e.g. Roslyn build signs Roslyn artifacts).  However we also need to sign the artifacts we generate in the extension-
+1.  The extension JS code.
+2.  The VSIX's we produce
+3.  For MSFT publishing, we must also generate a signed manifest.
+
+Official builds are responsible for signing.  We only real sign builds from the `prerelease` or `release` branches, everything else is test signed.
+
+## Signing Steps
+
+### Signing JS
+As part of packaging, the extension TS/JS code is compiled/minified into the `dist/` folder which gets distributed inside the VSIX.  The contents of `dist/` are generated by the `vscode:prepublish` NPM target, which is run by `vsce` during packaging.
+
+After the JS code is generated, but before it gets packaged we need to sign it.  This is handled by running the `gulp signJs` target as a part of `vscode:prepublish`.  Internally the gulp task delegates to the `signJs/signJs.proj` project to configure what and how to sign using MicroBuild.
+
+### Signing VSIX
+Once we've generated the VSIX with the signed JS contents, we also need to sign the VSIX.  VSIX signing for VSCode is a bit different from VS.  Instead of submitting the VSIX itself to be signed, we submit a copy of the manifest file to the signing service.
+
+To do this, as the last step of VSIX packaging (in `gulp vsix:release:package`) we call out to `vsce generate-manifest` to generate the manifest file for each VSIX.  Once the task is finished, every `<name>.vsix` will be paired with a `<name>.manifest` file inside the `vsix/` folder.
+
+The next step is to copy the manifest file to a `<name>.signature.p7s` file which gets submitted to the signing service (and replaced with the signed version).  The `signVsix.proj` (invoked via the `gulp signVsix` task) copies and transforms the manifest file and submits it to the signing service.
+
+Finally, when we actually publish the extension, we must pass upload the vsix, manifest file, and signed signature file to `vsce`.
+
+# Running test signing locally
+To test various signing workflows, you may need to run signing locally.
+
+1.  Run `gulp installSignPlugin` - this will install the MicroBuild signing plugin to your global nuget packages directory.  This is required to make the signing targets on the various signing projects actually run.  In CI, this is installed via a pipeline step.
+2.  To test JS signing, run `npm run vscode:prepublish` (or the `gulp signJs` task to skip generation of `dist/`).  You can verify the JS is signed by checking for the 'Digital Signatures' tab on the file properties in Windows.  The binlog, in `out/logs/signJs.binlog` will have details on the signing that took place.  If you do not see a 'Sign' target running, then signing did not run.
+3.  To test VSIX signing, first generate the VSIX's as normal.  Then run the `gulp signVsix` target.  If signing ran successfully, the VSIX's should be updated in-place and have a `package/services/digital-signature` folder inside of them.  For more details on the signing, see the `out/logs/signVsix.binlog`.
diff --git a/msbuild/signing/signJs/signJs.proj b/msbuild/signing/signJs/signJs.proj
@@ -0,0 +1,25 @@
+<Project Sdk="Microsoft.Build.NoTargets">
+    <PropertyGroup>
+        <TargetFramework>netstandard2.0</TargetFramework>
+        <GenerateAssemblyVersionInfo>false</GenerateAssemblyVersionInfo>
+        <EnableDefaultSignFiles>false</EnableDefaultSignFiles>
+        <MicroBuild_DoNotStrongNameSign>true</MicroBuild_DoNotStrongNameSign>
+        <IsPackable>false</IsPackable>
+        <OutDir>$(JSOutputPath)</OutDir>
+        <MicroBuild_SigningEnabled>true</MicroBuild_SigningEnabled>
+    </PropertyGroup>
+
+    <ItemGroup>
+        <PackageReference Include="Microsoft.VisualStudioEng.MicroBuild.Core" Version="1.0.0" />
+    </ItemGroup>
+
+    <PropertyGroup Condition="'$(SignType)' == ''">
+        <SignType>test</SignType>
+    </PropertyGroup>
+
+    <ItemGroup>
+        <FilesToSign Include="$(OutDir)*.js">
+            <Authenticode>MicrosoftSHA2</Authenticode>
+        </FilesToSign>
+    </ItemGroup>
+</Project>
diff --git a/msbuild/signing/signVsix/signVsix.proj b/msbuild/signing/signVsix/signVsix.proj
@@ -0,0 +1,34 @@
+<Project Sdk="Microsoft.Build.NoTargets">
+    <PropertyGroup>
+        <TargetFramework>netstandard2.0</TargetFramework>
+        <GenerateAssemblyVersionInfo>false</GenerateAssemblyVersionInfo>
+        <EnableDefaultSignFiles>false</EnableDefaultSignFiles>
+        <MicroBuild_DoNotStrongNameSign>true</MicroBuild_DoNotStrongNameSign>
+        <IsPackable>false</IsPackable>
+        <OutDir>$(RepoRoot)vsix\</OutDir>
+    </PropertyGroup>
+
+    <ItemGroup>
+        <PackageReference Include="Microsoft.VisualStudioEng.MicroBuild.Core" Version="1.0.0" />
+    </ItemGroup>
+
+    <PropertyGroup Condition="'$(SignType)' == ''">
+        <SignType>test</SignType>
+    </PropertyGroup>
+
+    <!-- Copies the manifest file to <name>.signature.p7s which is required to submit to the signing service -->
+    <Target Name="CopyManifestAsSignature" BeforeTargets="SignFiles">
+        <ItemGroup>
+            <ManifestFiles Include="$(OutDir)*.manifest" />
+        </ItemGroup>
+        <Copy SourceFiles="@(ManifestFiles)" DestinationFiles="@(ManifestFiles->Replace('.manifest','.signature.p7s'))" />
+        <Error
+            Text="Did not find any .signature.p7s files to sign - ensure that the .manifest files have been generated."
+            Condition="'@(ManifestFiles->Count())' == '0'" />
+        <ItemGroup>
+            <FilesToSign Include="$(OutDir)*.signature.p7s">
+                <Authenticode>VSCodePublisher</Authenticode>
+            </FilesToSign>
+        </ItemGroup>
+    </Target>
+</Project>
diff --git a/package.json b/package.json
@@ -60,7 +60,7 @@
     }
   ],
   "scripts": {
-    "vscode:prepublish": "tsc -p ./ && webpack --mode production",
+    "vscode:prepublish": "tsc -p ./ && webpack --mode production && gulp signJs",
     "l10nDevGenerateLocalizationBundle": "npx @vscode/l10n-dev export --outDir ./l10n ./src",
     "compile": "tsc -p ./ && npx eslint ./ && npm run l10nDevGenerateLocalizationBundle && npm run compile:razorTextMate",
     "compile:razorTextMate": "npx js-yaml src/razor/syntaxes/aspnetcorerazor.tmLanguage.yml > src/razor/syntaxes/aspnetcorerazor.tmLanguage.json",
diff --git a/tasks/offlinePackagingTasks.ts b/tasks/offlinePackagingTasks.ts
@@ -29,7 +29,7 @@ import {
     razorDevKitDirectory,
 } from '../tasks/projectPaths';
 import { getPackageJSON } from '../tasks/packageJson';
-import { createPackageAsync } from '../tasks/vsceTasks';
+import { createPackageAsync, generateVsixManifest } from '../tasks/vsceTasks';
 import { isValidDownload } from '../src/packageManager/isValidDownload';
 import path = require('path');
 import { CancellationToken } from 'vscode';
@@ -292,7 +292,7 @@ async function restoreNugetPackage(packageName: string, packageVersion: string,
 
     const dotnetArgs = [
         'restore',
-        path.join(rootPath, 'server'),
+        path.join(rootPath, 'msbuild', 'server'),
         `/p:PackageName=${packageName}`,
         `/p:PackageVersion=${packageVersion}`,
     ];
@@ -380,7 +380,8 @@ async function buildVsix(packageJSON: any, outputFolder: string, prerelease: boo
     }
 
     const packageFileName = getPackageName(packageJSON, platformInfo?.vsceTarget);
-    await createPackageAsync(outputFolder, prerelease, packageFileName, platformInfo?.vsceTarget);
+    const packagePath = await createPackageAsync(outputFolder, prerelease, packageFileName, platformInfo?.vsceTarget);
+    await generateVsixManifest(packagePath);
 }
 
 function getPackageName(packageJSON: any, vscodePlatformId?: string) {
diff --git a/tasks/signingTasks.ts b/tasks/signingTasks.ts
diff --git a/tasks/vsceTasks.ts b/tasks/vsceTasks.ts

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +{
 +    "msbuild-sdks": {
 +      "Microsoft.Build.NoTargets": "3.7.0"
 +    }
 +}