Add code signing azure pipeline (#145)

* Add signing azure pipeline

* Add tag azure variable

* Update azure variable declarations

* Remove automatic pipeline trigger

* Split pipeline into multiple stages

* Update pipeline

* Update stage name

* Update invalid stage names

* Fix job dependency

* Change download jobs to sequential

* Disable source repository checkout

* Use single stage

* Use artifacts to persist files

* Update artifacts

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Remove unused github action

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Remove unused variable

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

* Update pipeline

Author: calebkiage

.azure-pipelines/sign-binary.yaml

@@ -0,0 +1,224 @@
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License.
+
+name: $(BuildDefinitionName)_$(SourceBranchName)_$(Date:yyyyMMdd)$(Rev:.r)
+
+trigger: none
+
+pool:
+  name: Azure Pipelines
+  vmImage: windows-latest
+
+variables:
+  - name: sourceRepository
+    value: 'microsoftgraph/msgraph-cli'
+  - name: repositoryConnection
+    value: 'GitHub - calebkiage'
+  - name: zipTemplate
+    value: msgraph-cli-win-x64-{0}.zip
+  - name: defaultTag
+    value: ${{parameters.tag}}
+parameters:
+  - name: tag
+    displayName: Tag
+    type: string
+    default: latest
+
+
+# download -> scan -> zip -> upload
+#          -> sign
+#
+
+stages:
+- stage: download
+  variables:
+    currentTag: $[ coalesce(variables.tag, variables.defaultTag) ]
+  jobs:
+    - job: version
+      dependsOn: []
+      pool:
+        vmImage: ubuntu-latest
+      steps:
+      - checkout: none
+      - script: |
+          VERSION_VAR=$(echo $CURRENTTAG | cut -c 2-)
+          echo "##vso[task.setvariable variable=cliVersionVar]$VERSION_VAR"
+        condition: startsWith(variables.currentTag, 'v')
+      - script: echo "##vso[task.setvariable variable=cliVersionVar]$CURRENTTAG"
+        condition: not(startsWith(variables.currentTag, 'v'))
+      - script: echo "##vso[task.setvariable variable=cliVersion;isOutput=true]$(cliVersionVar)"
+        name: setCliVersionStep
+    - job: download
+      dependsOn: version
+      variables:
+        cliVersionVar: $[ dependencies.version.outputs['setCliVersionStep.cliVersion'] ]
+        cliArchiveNameVar: $[format(variables.zipTemplate, variables.cliVersionVar)]
+      pool:
+        vmImage: ubuntu-latest
+      steps:
+      - checkout: none
+      # Download GitHub Release
+      # Downloads a GitHub Release from a repository
+      - script: echo "##vso[task.setvariable variable=cliArchiveName;isOutput=true]$(cliArchiveNameVar)"
+        name: setArchiveNameStep
+      - task: DownloadGitHubRelease@0
+        inputs:
+          connection: $(repositoryConnection)
+          userRepository: $(sourceRepository)
+          defaultVersionType: 'specificTag' # Options: latest, specificVersion, specificTag
+          version: $(currentTag) # Required when defaultVersionType != Latest
+          itemPattern: '*-win-x64-*' # Optional
+          downloadPath: '$(Pipeline.Workspace)'
+      - script: unzip -j "$(Pipeline.Workspace)/$(setArchiveNameStep.cliArchiveName)" -d $(Pipeline.Workspace)/unzipped
+      - publish: $(Pipeline.Workspace)/unzipped
+        artifact: unzipped
+
+
+- stage: scan
+  dependsOn: download
+  variables:
+    cliArchiveNameVar: $[ stageDependencies.download.download.outputs['setArchiveNameStep.cliArchiveName'] ]
+  jobs:
+    - job: scan
+      steps:
+      - checkout: none
+      - download: current
+        artifact: unzipped
+      - task: AntiMalware@4
+        displayName: 'Run MpCmdRun.exe - CLI Executable'
+        inputs:
+          FileDirPath: '$(Pipeline.Workspace)/unzipped'
+      - task: BinSkim@4
+        displayName: 'Run BinSkim - Product Binaries'
+        inputs:
+          InputType: Basic
+          AnalyzeTargetGlob: '$(Pipeline.Workspace)\unzipped\*.exe'
+          AnalyzeVerbose: true
+          AnalyzeHashes: true
+          AnalyzeEnvironment: false
+      - task: PublishSecurityAnalysisLogs@3
+        displayName: 'Publish Security Analysis Logs'
+        inputs:
+          ArtifactName: SecurityLogs
+
+      - task: PostAnalysis@1
+        displayName: 'Post Analysis'
+        inputs:
+          BinSkim: true
+      - pwsh: echo "##vso[task.setvariable variable=cliArchiveName;isOutput=true]$(cliArchiveNameVar)"
+        name: setArchiveNameStep
+
+- stage: sign
+  dependsOn: download
+  jobs:
+    - job: esrpSign
+      steps:
+      - checkout: none
+      - download: current
+        artifact: unzipped
+      - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
+        displayName: 'ESRP CodeSigning'
+        inputs:
+          ConnectedServiceName: 'microsoftgraph ESRP CodeSign DLL and NuGet (AKV)'
+          FolderPath: '$(Pipeline.Workspace)\unzipped'
+          signConfigType: inlineSignParams
+          inlineOperation: |
+            [
+                {
+                    "keyCode": "CP-230012",
+                    "operationSetCode": "SigntoolSign",
+                    "parameters": [
+                    {
+                        "parameterName": "OpusName",
+                        "parameterValue": "Microsoft"
+                    },
+                    {
+                        "parameterName": "OpusInfo",
+                        "parameterValue": "http://www.microsoft.com"
+                    },
+                    {
+                        "parameterName": "FileDigest",
+                        "parameterValue": "/fd \"SHA256\""
+                    },
+                    {
+                        "parameterName": "PageHash",
+                        "parameterValue": "/NPH"
+                    },
+                    {
+                        "parameterName": "TimeStamp",
+                        "parameterValue": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256"
+                    }
+                    ],
+                    "toolName": "sign",
+                    "toolVersion": "1.0"
+                },
+                {
+                    "keyCode": "CP-230012",
+                    "operationSetCode": "SigntoolVerify",
+                    "parameters": [ ],
+                    "toolName": "sign",
+                    "toolVersion": "1.0"
+                }
+            ]
+          SessionTimeout: 20
+      - pwsh: |
+          $env:NewDir = '$(Pipeline.Workspace)\sign-summary'
+          New-Item -Path $env:NewDir -ItemType Directory -Force
+          Get-ChildItem '$(Pipeline.Workspace)\unzipped\*.md' | Foreach-Object { Move-Item -Path $_.FullName -Destination $env:NewDir\$($_.Name) }
+      - publish: $(Pipeline.Workspace)\sign-summary
+        artifact: sign-summary
+      - publish: $(Pipeline.Workspace)\unzipped
+        artifact: signed-executable
+
+- stage: zip
+  dependsOn: [scan, sign]
+  variables:
+    cliArchiveNameVar: $[ stageDependencies.scan.scan.outputs['setArchiveNameStep.cliArchiveName'] ]
+  jobs:
+    - job: zip
+      pool:
+        vmImage: ubuntu-latest
+      steps:
+      - checkout: none
+      - download: current
+        artifact: signed-executable
+      - task: ArchiveFiles@2
+        inputs:
+          rootFolderOrFile: '$(Pipeline.Workspace)/signed-executable'
+          includeRootFolder: false
+          archiveType: 'zip' # Options: zip, 7z, tar, wim
+          #tarCompression: 'gz' # Optional. Options: gz, bz2, xz, none
+          archiveFile: '$(Pipeline.Workspace)/signed-executable/$(cliArchiveNameVar)'
+          replaceExistingArchive: true
+          verbose: true
+          quiet: false
+      - publish: $(Pipeline.Workspace)/signed-executable/$(cliArchiveNameVar)
+        artifact: zipped
+      - script: echo "##vso[task.setvariable variable=cliArchiveName;isOutput=true]$(cliArchiveNameVar)"
+        name: setArchiveNameStep
+
+- stage: upload
+  dependsOn: zip
+  variables:
+    cliArchiveName: $[ stageDependencies.zip.zip.outputs['setArchiveNameStep.cliArchiveName'] ]
+    currentTag: $[ coalesce(variables.tag, variables.defaultTag) ]
+    isPreRelease: $[ contains(variables.currentTag, 'preview') ]
+  jobs:
+    - job: upload
+      steps:
+      - checkout: none
+      - download: current
+        artifact: zipped
+      - task: GithubRelease@1
+        displayName: 'Edit GitHub Release'
+        inputs:
+          gitHubConnection: $(repositoryConnection)
+          repositoryName: $(sourceRepository)
+          action: edit
+          isDraft: false
+          addChangeLog: false
+          assetUploadMode: replace
+          releaseNotesSource: inline
+          assets: $(Pipeline.Workspace)/zipped/**/$(cliArchiveName)
+          isPreRelease: $(isPreRelease)
+          tag: $(currentTag)

.github/workflows/release-cli.yml

@@ -57,3 +57,7 @@ jobs:
           gh release upload ${{env.PACKAGE_VERSION}} ${{env.OUTPUT_DIR}}/${{format(env.PACKAGE_ZIP_TEMPLATE, matrix.rid, steps.get-version.outputs.version)}} --clobber
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Sign binaries
+        uses: ${{github.repository}}/.github/workflows/sign-binary.yml@${{github.event.inputs.tag || github.ref_name || 'main'}}
+        with:
+          tag: ${{github.event.inputs.tag || github.ref_name}}

.github/workflows/sign-binary.yml

@@ -0,0 +1,28 @@
+name: Sign Binary
+
+on:
+  workflow_call:
+    inputs:
+      tag:
+        description: 'The tag with binaries to sign'
+        required: true
+        type: string
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'The tag with binaries to sign'
+        required: true
+        type: string
+
+jobs:
+    build:
+        name: Call Azure Pipeline
+        runs-on: ubuntu-latest
+        steps:
+        - name: Azure Pipelines Action
+          uses: Azure/[email protected]
+          with:
+            azure-devops-project-url: https://dev.azure.com/microsoftgraph/Graph%20Developer%20Experiences
+            azure-pipeline-name: 'Code Signing msgraph-cli'
+            azure-devops-token: ${{ secrets.AZURE_DEVOPS_TOKEN }}
+            azure-pipeline-variables: '{"tag": "${{github.event.inputs.tag}}"}'