Fix release signing (#301)

yao-msft · web-flow · commit 9d09d7238f63 · 2025-07-24T13:14:32.000-07:00
diff --git a/pipelines/publish-powershell-module.yml b/pipelines/publish-powershell-module.yml
@@ -12,6 +12,10 @@ variables:
   moduleName: Microsoft.WinGet.RestSource
   sourceArtifactName: WinGet.RestSource-WinGet.PowerShell.Source
   downloadRoot: $(Pipeline.Workspace)\buildRelease\$(sourceArtifactName)
+  azureFunctionArtifactName: WinGet.RestSource-WinGet.RestSource.Functions
+  azureFunctionDownloadRoot: $(Pipeline.Workspace)\buildRelease\$(azureFunctionArtifactName)
+  azureFunctionLegacyArtifactName: WinGet.RestSource-WinGet.RestSource.Functions.LegacySupport
+  azureFunctionLegacyDownloadRoot: $(Pipeline.Workspace)\buildRelease\$(azureFunctionLegacyArtifactName)
 
   # Docker image which is used to build the project
   WindowsContainerImage: 'onebranch.azurecr.io/windows/ltsc2019/vse2022:latest'
@@ -49,7 +53,7 @@ extends:
           pool:
             type: windows
           variables:
-            ob_outputDirectory: $(Build.ArtifactStagingDirectory)/$(moduleName)
+            ob_outputDirectory: $(Build.ArtifactStagingDirectory)
 
           steps:
           - task: NuGetToolInstaller@1
@@ -90,11 +94,11 @@ extends:
               signing_profile: 'external_distribution'
               search_root: '$(downloadRoot)'
               files_to_sign: |
-                Microsoft.WinGet.RestSource.psd1
-                Microsoft.WinGet.RestSource.psm1
-                Library/*.ps1
-                Library/WinGet.RestSource.PowershellSupport/Microsoft.WinGet.PowershellSupport.dll
-                Library/WinGet.RestSource.PowershellSupport/Microsoft.WinGet.RestSource.Utils.dll
+                Microsoft.WinGet.RestSource.psd1;
+                Microsoft.WinGet.RestSource.psm1;
+                Library/*.ps1;
+                Library/WinGet.RestSource.PowershellSupport/Microsoft.WinGet.PowershellSupport.dll;
+                Library/WinGet.RestSource.PowershellSupport/Microsoft.WinGet.RestSource.Utils.dll;
 
           - task: onebranch.pipeline.signing@1
             displayName: 'Sign 3rd party module files'
@@ -103,7 +107,11 @@ extends:
               cp_code: '135020002' # CP-231522 - Microsoft 3rd Party Application Component (SHA2)
               search_root: '$(downloadRoot)'
               files_to_sign: |
-                Library/WinGet.RestSource.PowershellSupport/YamlDotNet.dll
+                Library/WinGet.RestSource.PowershellSupport/YamlDotNet.dll;
+
+          - template: pipelines/templates/sign-azure-function.yml@self
+            parameters:
+              azureFunctionFolder: '$(downloadRoot)\Data'
 
           - task: CopyFiles@2
             displayName: Copy files to be published to staging directory
@@ -116,6 +124,40 @@ extends:
                 Library/**
                 Data/**
 
+          - download: buildRelease
+            displayName: Download Azure Functions to sign
+            artifact: $(azureFunctionArtifactName)
+            patterns: '**'
+
+          - template: pipelines/templates/sign-azure-function.yml@self
+            parameters:
+              azureFunctionFolder: '$(azureFunctionDownloadRoot)'
+
+          - task: CopyFiles@2
+            displayName: Copy Azure Functions to be published to staging directory
+            inputs:
+              SourceFolder: $(azureFunctionDownloadRoot)
+              TargetFolder: $(Build.ArtifactStagingDirectory)/$(azureFunctionArtifactName)
+              Contents: |
+                **/*
+
+          - download: buildRelease
+            displayName: Download Azure Functions Legacy to sign
+            artifact: $(azureFunctionLegacyArtifactName)
+            patterns: '**'
+
+          - template: pipelines/templates/sign-azure-function.yml@self
+            parameters:
+              azureFunctionFolder: '$(azureFunctionLegacyDownloadRoot)'
+
+          - task: CopyFiles@2
+            displayName: Copy Azure Functions to be published to staging directory
+            inputs:
+              SourceFolder: $(azureFunctionLegacyDownloadRoot)
+              TargetFolder: $(Build.ArtifactStagingDirectory)/$(azureFunctionLegacyArtifactName)
+              Contents: |
+                **/*
+
       - stage: Publish
         displayName: Publish to PS Gallery
         dependsOn: Prepare
@@ -132,12 +174,9 @@ extends:
             inputs:
             - input: pipelineArtifact
               artifactName: drop_Prepare_Prepare_Sign
-              targetPath: $(System.DefaultWorkingDirectory)/ModuleToPublish/$(moduleName)
+              targetPath: $(System.DefaultWorkingDirectory)/ModuleToPublish/
               itemPattern: |
-                *.psm1
-                *.psd1
-                Library/**
-                Data/**
+                Microsoft.WinGet.RestSource/**
 
           steps:
           - pwsh: |
diff --git a/pipelines/templates/sign-azure-function.yml b/pipelines/templates/sign-azure-function.yml
@@ -0,0 +1,57 @@
+# Template helper to sign Azure Function zip package
+parameters:
+  azureFunctionFolder: ''
+  azureFunctionFileName: 'WinGet.RestSource.Functions.zip'
+
+steps:
+- task: ExtractFiles@1
+  displayName: 'Extract Files: ${{ parameters.azureFunctionFileName }}'
+  inputs:
+    archiveFilePatterns: '${{ parameters.azureFunctionFolder }}\${{ parameters.azureFunctionFileName }}'
+    destinationFolder: '${{ parameters.azureFunctionFolder }}\ExtractedFiles'
+
+- task: onebranch.pipeline.signing@1
+  displayName: 'Sign 1st party module files'
+  inputs:
+    command: 'sign'
+    signing_profile: 'external_distribution'
+    search_root: '${{ parameters.azureFunctionFolder }}\ExtractedFiles'
+    files_to_sign: |
+      **/Microsoft.WindowsPackageManager.*.dll;
+      **/Microsoft.WinGet.*.dll;
+
+- task: onebranch.pipeline.signing@1
+  displayName: 'Sign 3rd party module files'
+  inputs:
+    command: 'sign'
+    cp_code: '135020002' # CP-231522 - Microsoft 3rd Party Application Component (SHA2)
+    search_root: '${{ parameters.azureFunctionFolder }}\ExtractedFiles'
+    files_to_sign: |
+      **/Castle.*.dll;
+      **/DnsClient.dll;
+      **/Google.*.dll;
+      **/[Gg]rpc*.dll;
+      **/LinqKit.dll;
+      **/NCrontab.*.dll;
+      **/Newtonsoft.*.dll;
+      **/OpenTelemetry*.dll;
+      **/*[Ss][Qq][Ll][Ii][Tt][Ee]*.dll;
+      **/System.Reactive*.dll;
+      **/YamlDotNet.dll;
+
+- task: ArchiveFiles@2
+  displayName: 'Archive Files: ${{ parameters.azureFunctionFileName }}'
+  inputs:
+    rootFolderOrFile: '${{ parameters.azureFunctionFolder }}\ExtractedFiles'
+    includeRootFolder: false
+    archiveFile: '${{ parameters.azureFunctionFolder }}\${{ parameters.azureFunctionFileName }}'
+    archiveType: 'zip'
+    replaceExistingArchive: true
+
+- task: DeleteFiles@1
+  displayName: 'Clean Files: ${{ parameters.azureFunctionFileName }}'
+  inputs:
+    sourceFolder: '${{ parameters.azureFunctionFolder }}\ExtractedFiles'
+    contents: |
+      **/*
+    removeSourceFolder: true
diff --git a/src/WinGet.RestSource.sln b/src/WinGet.RestSource.sln
@@ -33,6 +33,7 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Templates", "Templates", "{
 		..\pipelines\templates\restore-build-publish-test.yml = ..\pipelines\templates\restore-build-publish-test.yml
 		..\pipelines\templates\run-integrationtests.yml = ..\pipelines\templates\run-integrationtests.yml
 		..\pipelines\templates\run-unittests.yml = ..\pipelines\templates\run-unittests.yml
+		..\pipelines\templates\sign-azure-function.yml = ..\pipelines\templates\sign-azure-function.yml
 	EndProjectSection
 EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "scripts", "scripts", "{E49C6A16-7E44-4318-8F1B-8B17EBFD5189}"
