add release stage with new signing (#159)

* add release stage with new signing

Author: danfiedler-msft

Pipelines/recursive-extractor-release.yml

@@ -1,31 +1,18 @@
-# Azure Pipelines
-# https://aka.ms/yaml
-
 name: RecursiveExtractor_Release_$(SourceBranchName)_$(Date:yyyyMMdd)$(Rev:.r)
-# trigger:
-#   batch: true
-#   branches:
-#     include:
-#     - main
-#   paths:
-#     include:
-#     - RecursiveExtractor
-#     - RecursiveExtractor.Cli
-# pr: none
 trigger: none
 pr: none
 
 resources:
   repositories:
     - repository: templates
       type: git
-      name: SecurityEngineering/OSS-Tools-Pipeline-Templates
+      name: Data/OSS-Tools-Pipeline-Templates
       ref: refs/tags/v2.0.0
     - repository: 1esPipelines
       type: git
       name: 1ESPipelineTemplates/1ESPipelineTemplates
       ref: refs/tags/release
-      
+
 variables:
   BuildConfiguration: 'Release'
   DotnetVersion: '8.0.x'
@@ -40,6 +27,10 @@ extends:
     sdl:
       armory:
         enabled: false
+      sourceRepositoriesToScan:
+        exclude:
+          - repository: 1esPipelines
+          - repository: templates
     stages:
     - stage: Test
       dependsOn: []
@@ -87,3 +78,93 @@ extends:
           artifactName: 'cli-archive'
           preBuild:
           - template: nbgv-set-version-steps.yml@templates
+  
+    - stage: Release
+      dependsOn:
+      - Build
+      condition: succeeded()
+      jobs:
+      - job: sign_hash_release
+        displayName: Code Sign, Generate Hashes, Publish Public Releases
+        templateContext:
+          outputs:
+          - output: pipelineArtifact
+            path: '$(Build.StagingDirectory)'
+            artifact: 'Signed_Binaries_$(System.JobId)_$(System.JobAttempt)'
+        steps:
+        - task: UseDotNet@2
+          inputs:
+            packageType: 'sdk'
+            version: '6.0.x' # ESRP requires a specific version.
+        - template: nbgv-set-version-steps.yml@templates
+        - task: DownloadPipelineArtifact@2
+          inputs:
+            displayName: 'Download lib-archive'  
+            buildType: 'current'
+            artifactName: 'lib-archive'
+            targetPath: $(Build.BinariesDirectory)\Unsigned_Binaries\
+        - task: DownloadPipelineArtifact@2
+          inputs:
+            displayName: 'Download cli-archive'  
+            buildType: 'current'
+            artifactName: 'cli-archive'
+            targetPath: $(Build.BinariesDirectory)\Unsigned_Binaries\
+        - task: ExtractFiles@1
+          displayName: Extract Artifacts for Signing
+          inputs:
+            archiveFilePatterns: '$(Build.BinariesDirectory)\Unsigned_Binaries\*.zip'
+            destinationFolder: '$(Build.BinariesDirectory)'
+            cleanDestinationFolder: false
+            overwriteExistingFiles: true
+        - task: AntiMalware@4
+          displayName: Anti-Malware Scan
+          inputs:
+            InputType: 'Basic'
+            ScanType: 'CustomScan'
+            FileDirPath: '$(Build.BinariesDirectory)'
+            EnableServices: true
+            SupportLogOnError: true
+            TreatSignatureUpdateFailureAs: 'Warning'
+            SignatureFreshness: 'UpToDate'
+            TreatStaleSignatureAs: 'Warning'
+        - task: EsrpCodeSigning@5
+          displayName: Code Sign Nuget Packages
+          inputs:
+            ConnectedServiceName: 'oss-esrp-signing-recext-v5-connection'
+            AppRegistrationClientId: 'caf746ee-b288-4155-8cc0-0bedca65f230'
+            AppRegistrationTenantId: '33e01921-4d64-4f8c-a055-5bdaffd5e33d'
+            AuthAKVName: 'oss-signing-vault'
+            AuthCertName: 'oss-recursive-auth-cert'
+            AuthSignCertName: 'oss-recursive-signing-cert'
+            FolderPath: '$(Build.BinariesDirectory)'
+            Pattern: '*.nupkg, *.snupkg'
+            signConfigType: 'inlineSignParams'
+            inlineOperation: |
+              [
+                      {
+                          "KeyCode" : "CP-401405",
+                          "OperationCode" : "NuGetSign",
+                          "Parameters" : {},
+                          "ToolName" : "sign",
+                          "ToolVersion" : "1.0"
+                      },
+                      {
+                          "KeyCode" : "CP-401405",
+                          "OperationCode" : "NuGetVerify",
+                          "Parameters" : {},
+                          "ToolName" : "sign",
+                          "ToolVersion" : "1.0"
+                      }
+                  ]
+            SessionTimeout: '60'
+            MaxConcurrency: '50'
+            MaxRetryAttempts: '5'
+        - powershell: 'Get-ChildItem -Path ''$(Build.BinariesDirectory)'' -Recurse CodeSign* | foreach { Remove-Item -Path $_.FullName }'
+          displayName: 'Delete Code Sign Summaries'
+        - task: PowerShell@2
+          displayName: Move NuGet Packages
+          inputs:
+            targetType: 'inline'
+            script: |
+              mv $env:BUILD_BINARIESDIRECTORY/*.nupkg $env:BUILD_STAGINGDIRECTORY/
+              mv $env:BUILD_BINARIESDIRECTORY/*.snupkg $env:BUILD_STAGINGDIRECTORY/