[Code Sign] Integrated ESRP Sign Step

Author: AdityaMankal-MS

.azure-pipelines/common-steps.yml

@@ -36,9 +36,47 @@ steps:
 # Acquire the `vsce` tool and use it to package
 - script: |
     npm install -g @vscode/vsce
-    vsce package
+  displayName: Install VSCE
+
+- script: |
+    vsce package -o $(Build.ArtifactStagingDirectory)/extension.vsix
   displayName: Create VSIX
 
+- script: |
+    vsce generate-manifest -i $(Build.ArtifactStagingDirectory)/extension.vsix -o $(Build.ArtifactStagingDirectory)/extension.manifest
+  displayName: Create VSIX Manifest
+
+- script: |
+    cp $(Build.ArtifactStagingDirectory)/extension.manifest $(Build.ArtifactStagingDirectory)/extension.signature.p7s
+  displayName: Prepare Manifest Signature
+
+- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@5
+  inputs:
+    ConnectedServiceName: PipelinesAgentAndTasksESRP
+    AppRegistrationClientId: $(AppRegistrationClientId)
+    AppRegistrationTenantId: $(AppRegistrationTenantId)
+    AuthAKVName: $(AuthAKVName)
+    AuthCertName: $(AuthCertName)
+    AuthSignCertName: $(AuthSignCertName)
+    FolderPath: '$(Build.ArtifactStagingDirectory)'
+    Pattern: 'extension.signature.p7s'
+    signConfigType: inlineSignParams
+    inlineOperation: |
+      [
+        {
+          "keyCode": "CP-401405",
+          "operationSetCode": "VSCodePublisherSign",
+          "parameters" : [],
+          "toolName": "sign",
+          "toolVersion": "1.0"
+        }
+      ]
+    SessionTimeout: 90
+    MaxConcurrency: 25
+    MaxRetryAttempts: 5
+    PendingAnalysisWaitTimeoutMinutes: 5
+  displayName: Sign Extension
+  
 - script: |
     npm run vscode:prepublish
     cat /home/vsts/.npm/_logs/*.log
@@ -63,4 +101,6 @@ steps:
       version.txt
       branch.txt
       minichangelog.txt
+      extension.signature.p7s
+      extension.manifest
     targetFolder: $(Build.ArtifactStagingDirectory)

.azure-pipelines/github-release/github-release.js

@@ -11,6 +11,9 @@ const DEBUG_LOGGING = process.env.SYSTEM_DEBUG && process.env.SYSTEM_DEBUG == 't
 let vsixName = process.argv[2] || null;
 let version = process.argv[3] || null;
 let token = process.argv[4] || null
+let signature = process.argv[5] || null
+let manifest = process.argv[6] || null
+
 if (token === null) {
     console.log(`Usage:
 
@@ -59,12 +62,12 @@ async function createRelease() {
         console.log(createReleaseResult);
     }
 
+    // Upload the VSIX
     const vsixSize = fs.statSync(vsixName).size;
-
     console.log('Uploading VSIX...');
-    let uploadResult;
+    let vsixUploadResult;
     try {
-        uploadResult = await octokit.repos.uploadAsset({
+        vsixUploadResult = await octokit.repos.uploadAsset({
             url: createReleaseResult.data.upload_url,
             headers: {
                 'content-length': vsixSize,
@@ -78,8 +81,48 @@ async function createRelease() {
     }
     console.log('Uploaded VSIX.');
 
+    // Upload the Manifest
+    const manifestSize = fs.statSync(manifest).size;
+    console.log('Uploading Manifest...');
+    let manifestUploadResult;
+    try {
+        manifestUploadResult = await octokit.repos.uploadAsset({
+            url: createReleaseResult.data.upload_url,
+            headers: {
+                'content-length': manifestSize,
+                'content-type': application/xml,
+            },
+            name: manifest,
+            file: fs.createReadStream(manifest)
+        });
+    } catch (e) {
+        throw e;
+    }
+    console.log('Uploaded Manifest.');
+
+    // Upload the Signature
+    const signatureSize = fs.statSync(signature).size;
+    console.log('Uploading Signature...');
+    let signatureUploadResult;
+    try {
+        signatureUploadResult = await octokit.repos.uploadAsset({
+            url: createReleaseResult.data.upload_url,
+            headers: {
+                'content-length': signatureSize,
+                'content-type': application/pkcs7-signature,
+            },
+            name: signature,
+            file: fs.createReadStream(signature)
+        });
+    } catch (e) {
+        throw e;
+    }
+    console.log('Uploaded Signature.');
+
     if (DEBUG_LOGGING) {
-        console.log(uploadResult);
+        console.log("VISX Upload Result:" + vsixUploadResult);
+        console.log("Manifest Upload Result:" + manifestUploadResult);
+        console.log("Signature Upload Result:" + signatureUploadResult);
     }
 }
 

.azure-pipelines/release-pipeline.yml

@@ -4,17 +4,17 @@
 
 # Only trigger manually
 
-# This Yaml Document has been converted by ESAI Yaml Pipeline Conversion Tool.
-# This pipeline will be extended to the OneESPT template
-
 trigger: none
+
 pr: none
+
 resources:
   repositories:
   - repository: 1ESPipelineTemplates
     type: git
     name: 1ESPipelineTemplates/1ESPipelineTemplates
     ref: refs/tags/release
+
 extends:
   template: v1/1ES.Official.PipelineTemplate.yml@1ESPipelineTemplates
   parameters:
@@ -36,6 +36,7 @@ extends:
       os: linux
     customBuildTags:
     - ES365AIMigrationTooling
+
     stages:
     - stage: stage
       jobs:
@@ -46,6 +47,7 @@ extends:
             displayName: 'Publish VSIX'
             artifactName: azure-pipelines-vscode
             targetPath: $(Build.ArtifactStagingDirectory)
+
         steps:
         # release version should be correctly set in package.json
         - bash: |
@@ -72,11 +74,14 @@ extends:
             npm install
           displayName: Prepare to create GitHub Release
           workingDirectory: '$(Build.SourcesDirectory)/.azure-pipelines/github-release'
+
         - bash: |
             SCRIPT=.azure-pipelines/github-release/github-release.js
             VSIX=*.vsix
             VERSION=$(node -p "require('./package.json').version")
-            node $SCRIPT $VSIX $VERSION $GITHUB_TOKEN
+            VSIX_SIGNATURE=extension.signature.p7s
+            VSIX_MANIFEST=extension.manifest
+            node $SCRIPT $VSIX $VERSION $GITHUB_TOKEN $VSIX_SIGNATURE $VSIX_MANIFEST
           displayName: Create GitHub Release
           env:
             GITHUB_TOKEN: $(GitHubSecret)