ESRP sign the packages to be compliant for release (#210)

* ESRP sign the packages to be compliant for release

* skip signing pub to local

Author: YunchuWang

.github/workflows/build-validation.yml

@@ -131,7 +131,7 @@ jobs:
         uses: gradle/gradle-build-action@v2
 
       - name: Publish to local
-        run: ./gradlew publishToMavenLocal
+        run: ./gradlew publishToMavenLocal -PskipSigning
 
       - name: Build azure functions sample
         run: ./gradlew azureFunctionsPackage
@@ -170,7 +170,7 @@ jobs:
         uses: gradle/gradle-build-action@v2
 
       - name: Publish to local
-        run: ./gradlew publishToMavenLocal
+        run: ./gradlew publishToMavenLocal -PskipSigning
 
       - name: Build azure functions sample
         run: ./gradlew azureFunctionsPackage

azurefunctions/build.gradle

@@ -77,10 +77,10 @@ publishing {
     }
 }
 
-// TODO: manual signing temporarily disabled, in favor of 1ES signing utils
-//signing {
-//    sign publishing.publications.mavenJava
-//}
+signing {
+   required = !project.hasProperty("skipSigning")
+   sign publishing.publications.mavenJava
+}
 
 java {
     withSourcesJar()

azuremanaged/build.gradle

@@ -110,6 +110,11 @@ publishing {
     }
 }
 
+signing {
+    required = !project.hasProperty("skipSigning")
+    sign publishing.publications.mavenJava
+}
+
 java {
     withSourcesJar()
     withJavadocJar()

client/build.gradle

@@ -173,10 +173,10 @@ publishing {
     }
 }
 
-// TODO: manual signing temporarily disabled, in favor of 1ES signing
-//signing {
-//    sign publishing.publications.mavenJava
-//}
+signing {
+   required = !project.hasProperty("skipSigning")
+   sign publishing.publications.mavenJava
+}
 
 java {
     withSourcesJar()

eng/templates/build.yml

@@ -8,7 +8,6 @@ jobs:
                 artifact: drop
                 sbomBuildDropPath: $(System.DefaultWorkingDirectory)
                 sbomPackageName: 'Durable Task / Durable Functions Java SBOM'
-
       steps:
         - checkout: self
 
@@ -25,9 +24,15 @@ jobs:
             jdkArchitectureOption: 'x64'
             publishJUnitResults: false
             tasks: clean assemble
-          displayName: Assemble durabletask-client and durabletask-azure-functions
+          displayName: Assemble durabletask-client and durabletask-azure-functions and durabletask-azuremanaged
+
+        # the secring.gpg file is required to sign the artifacts, it's generated from GnuPG, and it's stored in the library of the durabletaskframework ADO
+        - task: DownloadSecureFile@1
+          name: gpgSecretFile
+          displayName: 'Download GPG secret file'
+          inputs:
+            secureFile: 'secring.gpg'
 
-        # TODO: add 1ES-level signing
         - task: Gradle@3
           inputs:
             workingDirectory: ''
@@ -37,7 +42,8 @@ jobs:
             jdkVersionOption: 1.11
             jdkArchitectureOption: 'x64'
             tasks: publish
-          displayName: Publish durabletask-client and durabletask-azure-functions
+            options: '-Psigning.keyId=$(gpgSignKey) -Psigning.password=$(gpgSignPassword) -Psigning.secretKeyRingFile=$(gpgSecretFile.secureFilePath)'
+          displayName: Publish durabletask-client and durabletask-azure-functions and durabletask-azuremanaged
 
         - task: CopyFiles@2
           displayName: 'Copy publish file to Artifact Staging Directory'