From 2b69c763dec2b10449c72df5cacda160613b4f54 Mon Sep 17 00:00:00 2001
From: MSLukeWest <42553283+MSLukeWest@users.noreply.github.com>
Date: Mon, 7 Oct 2024 12:38:10 -0700
Subject: [PATCH] Enabling Code Sign Validation through 1ES template (#274)

* Enabling Code Sign Validation
* Adding codesign parameters to 1ES template, removing call to MicroBuild task
* Adding back explicit call to MicroBuildCodesignVerify@3
* Fixing CodeSign validation td1 parameter name
* Adding codeSignValidationEnabled false to some outputs
* Removing td1 parameter
* Removed global enabled = true for codesign validation
---------
Co-authored-by: Luke Westendorf
---
 build/stages/build.yml | 4 ++++
 pipeline.yml | 5 +++++
 2 files changed, 9 insertions(+)
diff --git a/build/stages/build.yml b/build/stages/build.yml
index efcfd00..d2b7890 100644
--- a/build/stages/build.yml
+++ b/build/stages/build.yml
@@ -20,24 +20,28 @@ stages:
 targetPath: '$(Build.SourcesDirectory)\src\Tests\bin\$(Configuration)'
 artifactName: unit-tests
 sbomEnabled: false
+ codeSignValidationEnabled: false
 - output: pipelineArtifact
 displayName: 'Publish Artifact: integration-tests'
 condition: always()
 targetPath: '$(Build.SourcesDirectory)\src\IntegrationTests\bin\$(Configuration)'
 artifactName: integration-tests
 sbomEnabled: false
+ codeSignValidationEnabled: false
 - output: pipelineArtifact
 displayName: 'Publish Artifact: logs'
 condition: always()
 targetPath: '$(Build.ArtifactStagingDirectory)\binlogs'
 artifactName: logs
 sbomEnabled: false
+ codeSignValidationEnabled: false
 - output: pipelineArtifact
 displayName: 'Publish Artifact: symbols'
 condition: always()
 targetPath: '$(Build.ArtifactStagingDirectory)/Symbols'
 artifactName: symbols
 sbomEnabled: false
+ codeSignValidationEnabled: false
 steps:
 - checkout: self
 clean: true
diff --git a/pipeline.yml b/pipeline.yml
index a9b9ed3..ec5208d 100644
--- a/pipeline.yml
+++ b/pipeline.yml
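Review bot: The four `codeSignValidationEnabled: false` opt-outs in build/stages/build.yml carry no explanation, and the `unit-tests` and `integration-tests` outputs publish whole `bin\$(Configuration)` folders, which normally also hold copies of the product assemblies under test. Anything published from those paths now skips signature validation, so the file should state that these artifacts are never shipped, for example `# test-only output, not shipped: code sign validation intentionally off` above each flag. If any of these artifacts is consumed by a release stage, that output should keep the template default instead. The output list starts above the hunk, so the shipped outputs and their settings are not visible here.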
@@ -36,6 +36,11 @@ extends:
 policheck:
 enabled: true
 exclusionsFile: $(Build.SourcesDirectory)\build\PoliCheckExclusions.xml
+ codeSignValidation:
+ break: true
+ targetPathExclusionPattern: \"**\*.xml\"
+ ${{ if not(and(eq(variables['Build.Reason'], 'IndividualCI'), eq(variables['Build.SourceBranch'], 'refs/heads/main'))) }}:
+ policyFile: $(MBSIGN_APPFOLDER)\CSVTestSignPolicy.xml
 sourceAnalysisPool: VSEngSS-MicroBuild2022-1ES
 pool:
 name: AzurePipelines-EO
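Review bot: The `${{ if not(and(...)) }}` guard on `policyFile` selects `CSVTestSignPolicy.xml` for every run other than an `IndividualCI` build of `refs/heads/main`, so a manually queued, scheduled or `BatchedCI` build of main is validated against the test-sign policy even with `break: true` set. If such runs can produce shippable bits, test-signed binaries would pass the gate; keying the policy on the same condition that selects real signing (not visible in this hunk) keeps the two from drifting, or at minimum add `# test-sign policy for everything except CI on main; must match the real-sign condition`. Separately, `targetPathExclusionPattern: \"**\*.xml\"` is a plain YAML scalar, so if the backslashes before the quotes are really in the file they reach the template literally; `'**\*.xml'` is the unambiguous spelling and is worth confirming against what the template expects. The enclosing `extends` block starts and ends outside the hunk, and indentation is lost on this page, so the nesting of these keys is inferred.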