release: add signing step for .deb package

- sign using Azure-stored certificates & client
- sign on Windows agent via python script
- job skipped if credentials for accessing certificate aren't present

Author: vdye

.github/scripts/sign-debian-packages.py

@@ -0,0 +1,117 @@
+import json
+import os
+import glob
+import pprint
+import subprocess
+import sys
+
+esrp_tool = os.path.join("esrp", "tools", "EsrpClient.exe")
+
+AAD_ID  = "38aa33bc-a7e7-4007-bfb2-e8b17f04aadc"
+WORKSPACE = os.environ['GITHUB_WORKSPACE'].strip()
+ARTIFACTS_DIR = os.environ['ARTIFACTS_DIR'].strip()
+
+def main():
+    source_root_location = os.path.join(WORKSPACE, ARTIFACTS_DIR, "unsigned")
+    destination_location = os.path.join(WORKSPACE, ARTIFACTS_DIR)
+
+    files = glob.glob(os.path.join(source_root_location, "*.deb"))
+
+    print("Found files:")
+    pprint.pp(files)
+
+    if len(files) < 1 or not files[0].endswith(".deb"):
+        print("Error: cannot find .deb to sign")
+        exit(1)
+
+    file_to_sign = os.path.basename(files[0])
+
+    auth_json = {
+        "Version": "1.0.0",
+        "AuthenticationType": "AAD_CERT",
+        "TenantId": "72f988bf-86f1-41af-91ab-2d7cd011db47",
+        "ClientId": AAD_ID,
+        "AuthCert": {
+            "SubjectName": f"CN={AAD_ID}.microsoft.com",
+            "StoreLocation": "LocalMachine",
+            "StoreName": "My",
+        },
+        "RequestSigningCert": {
+            "SubjectName": f"CN={AAD_ID}",
+            "StoreLocation": "LocalMachine",
+            "StoreName": "My",
+        }
+    }
+
+    input_json = {
+        "Version": "1.0.0",
+        "SignBatches": [
+            {
+                "SourceLocationType": "UNC",
+                "SourceRootDirectory": source_root_location,
+                "DestinationLocationType": "UNC",
+                "DestinationRootDirectory": destination_location,
+                "SignRequestFiles": [
+                    {
+                        "CustomerCorrelationId": "01A7F55F-6CDD-4123-B255-77E6F212CDAD",
+                        "SourceLocation": file_to_sign,
+                        "DestinationLocation": os.path.join("signed", file_to_sign),
+                    }
+                ],
+                "SigningInfo": {
+                    "Operations": [
+                        {
+                            "KeyCode": "CP-450779-Pgp",
+                            "OperationCode": "LinuxSign",
+                            "Parameters": {},
+                            "ToolName": "sign",
+                            "ToolVersion": "1.0",
+                        }
+                    ]
+                }
+            }
+        ]
+    }
+
+    policy_json = {
+        "Version": "1.0.0",
+        "Intent": "production release",
+        "ContentType": "Debian package",
+    }
+
+    configs = [
+        ("auth.json", auth_json),
+        ("input.json", input_json),
+        ("policy.json", policy_json),
+    ]
+
+    for filename, data in configs:
+        with open(filename, 'w') as fp:
+            json.dump(data, fp)
+
+    # Run ESRP Client
+    esrp_out = "esrp_out.json"
+    result = subprocess.run(
+        [esrp_tool, "sign",
+        "-a", "auth.json",
+        "-i", "input.json",
+        "-p", "policy.json",
+        "-o", esrp_out,
+        "-l", "Verbose"],
+        cwd=WORKSPACE)
+
+    if result.returncode != 0:
+        print("Failed to run ESRPClient.exe")
+        sys.exit(1)
+
+    if os.path.isfile(esrp_out):
+        print("ESRP output json:")
+        with open(esrp_out, 'r') as fp:
+            pprint.pp(json.load(fp))
+
+    signed_file = os.path.join(destination_location, "signed", file_to_sign)
+    if os.path.isfile(signed_file):
+        print(f"Success!\nSigned {signed_file}")
+
+if __name__ == "__main__":
+    main()

.github/workflows/build-git-installers.yml

@@ -18,12 +18,16 @@ jobs:
     outputs:
       tag_name: ${{ steps.tag.outputs.name }}           # The full name of the tag, e.g. v2.32.0.vfs.0.0
       tag_version: ${{ steps.tag.outputs.version }}     # The version number (without preceding "v"), e.g. 2.32.0.vfs.0.0
+      deb_signable: ${{ steps.deb.outputs.signable }}   # Whether the credentials needed to sign the .deb package are available
     steps:
       - name: Determine tag to build
         run: |
           echo "::set-output name=name::${GITHUB_REF#refs/tags/}"
           echo "::set-output name=version::${GITHUB_REF#refs/tags/v}"
         id: tag
+      - name: Determine whether signing certificates are present
+        run: echo "::set-output name=signable::$([[ $AZ_SUB != '' && $AZ_CREDS != '' ]] && echo 'true' || echo 'false')"
+        id: deb
       - name: Clone git
         uses: actions/checkout@v2
       - name: Validate the tag identified with trigger
@@ -297,7 +301,7 @@ jobs:
           path: artifacts
   # End build Mac OSX installers
 
-  # Build unsigned Ubuntu package
+  # Build & sign Ubuntu package
   ubuntu_build:
     runs-on: ubuntu-latest
     needs: prereqs
@@ -373,4 +377,39 @@ jobs:
         with:
           name: deb-package-unsigned
           path: artifacts/
-  # End build unsigned Ubuntu package
+  ubuntu_sign-artifacts:
+    runs-on: windows-latest # Must be run on Windows due to ESRP executable OS compatibility
+    needs: [ubuntu_build, prereqs]
+    if: needs.prereqs.outputs.deb_signable == 'true'
+    env:
+      ARTIFACTS_DIR: artifacts
+    steps:
+      - name: Clone repository
+        uses: actions/checkout@v2
+      - name: Download unsigned packages
+        uses: actions/download-artifact@v2
+        with:
+          name: deb-package-unsigned
+          path: ${{ env.ARTIFACTS_DIR }}/unsigned
+      - uses: azure/login@v1
+        with:
+          creds: ${{ secrets.AZURE_CREDENTIALS }}
+      - name: Download ESRP client
+        run: |
+          az storage blob download --subscription "${{ secrets.AZURE_SUBSCRIPTION }}" --account-name gitcitoolstore -c tools -n microsoft.esrpclient.1.2.47.nupkg -f esrp.zip
+          Expand-Archive -Path esrp.zip -DestinationPath .\esrp
+      - name: Install ESRP certificates
+        run: |
+          az keyvault secret download --subscription "${{ secrets.AZURE_SUBSCRIPTION }}" --vault-name "git-client-ci-kv" --name "microsoft-git-publisher-ssl-cert" -f ssl_cert.pfx
+          Import-PfxCertificate ssl_cert.pfx -CertStoreLocation Cert:\LocalMachine\My
+          az keyvault secret download --subscription "${{ secrets.AZURE_SUBSCRIPTION }}" --vault-name "git-client-ci-kv" --name "microsoft-git-publisher-esrp-payload-cert" -f payload_cert.pfx
+          Import-PfxCertificate payload_cert.pfx -CertStoreLocation Cert:\LocalMachine\My
+      - uses: actions/setup-python@v2
+      - name: Run ESRP client
+        run: python .github/scripts/sign-debian-packages.py
+      - name: Upload signed artifact
+        uses: actions/upload-artifact@v2
+        with:
+          name: deb-package-signed
+          path: ${{ env.ARTIFACTS_DIR }}/signed
+  # End build & sign Ubuntu package