[ci] Enable MicroBuild code signing

xamarin · Jun 27, 2022 · 6dc80d0 · 6dc80d0
1 parent 83e1f8e
commit 6dc80d0
Show file tree

Hide file tree

Showing 5 changed files with 81 additions and 1 deletion.
diff --git a/build/sign-verify-ignore.txt b/build/sign-verify-ignore.txt
@@ -0,0 +1 @@
+**\*.xml,ignore unsigned xml
diff --git a/build/stages/build.yml b/build/stages/build.yml
@@ -22,6 +22,32 @@ stages:
       displayName: 'Create Logs Dir'
       condition: always()
 
+    - powershell: |
+        $branch = '$(Build.SourceBranch)'
+        $codeSignOverride = if ($env:XAMARIN_CODESIGNOVERRIDE) { $env:XAMARIN_CODESIGNOVERRIDE } else { '' }
+      
+        if($branch -eq '$(MainBranch)' -or $codeSignOverride -eq 'true') {
+          $codeSignOverride = 'true'
+        }
+
+        Write-Host "Code Sign Override: $codeSignOverride"
+        Write-Host "##vso[task.setvariable variable=Xamarin.CodeSignOverride]$codeSignOverride"
+      name: 'SetCodeSignOnMain'
+      displayName: 'Evaluate CodeSign for Main Branch'
+
+    # Compute (set) Xamarin.IsRelease and Xamarin.SignType needed in subsequent conditions
+    - template: jenkins-codesign/signType.v1.yml@templates
+      parameters:
+        CodeSignOverride: $(Xamarin.CodeSignOverride)
+
+    - task: MicroBuildSigningPlugin@3
+      displayName: "Prepare Signing Tools (MicroBuild)"
+      inputs:
+        signType: '$(Xamarin.SignType)'
+        feedSource: 'https://devdiv.pkgs.visualstudio.com/DefaultCollection/_packaging/MicroBuildToolset/nuget/v3/index.json'
+      env:
+        TeamName: Xamarin
+
     # Ensure we clear bot-provided feeds, for reliability
     - powershell: |
         $configPath = "$(Build.SourcesDirectory)\NuGet.Config"
@@ -43,7 +69,7 @@ stages:
       displayName: 'Build Solution'
       inputs:
         solution: '$(Build.SourcesDirectory)/src/Hermes.sln'
-        msbuildArguments: /t:Build /noautoresponse /bl:"$(Build.ArtifactStagingDirectory)\binlogs\build.binlog" 
+        msbuildArguments: /t:Build /p:_SignFiles=true /noautoresponse /bl:"$(Build.ArtifactStagingDirectory)\binlogs\build.binlog" 
       condition: always()
 
     - task: PublishBuildArtifacts@1
@@ -54,6 +80,13 @@ stages:
       continueOnError: true
       condition: always()
 
+    - task: MicroBuildCodesignVerify@3
+      displayName: 'Verify Signed Files'
+      inputs:
+        TargetFolders: $(System.DefaultWorkingDirectory)\pack
+        ExcludeSNVerify: true
+        ApprovalListPathForCerts: $(Build.SourcesDirectory)\build\sign-verify-ignore.txt
+
     - task: PublishBuildArtifacts@1
       displayName: 'Publish Artifact: unit-tests'
       inputs:

diff --git a/build/variables.yml b/build/variables.yml
@@ -22,3 +22,9 @@ variables:
   value: Release
 - name: MainBranch
   value: refs/heads/main
+- name: Xamarin.CodeSignOverride
+  value: ''
+- name: Xamarin.IsRelease                 # Variable set by the jenkins-codesign template
+  value: ''
+- name: Xamarin.SignType                  # Variable set by the jenkins-codesign template
+  value: ''
diff --git a/src/Client/Client.csproj b/src/Client/Client.csproj
@@ -6,6 +6,26 @@
     <DocumentationFile>$(IntermediateOutputPath)\$(TargetFramework)\$(AssemblyName).xml</DocumentationFile>
   </PropertyGroup>
 
+  <ItemGroup>
+    <PackageReference Include="Microsoft.VisualStudioEng.MicroBuild.Core" Version="1.0.0" />
+  </ItemGroup>
+
+  <Target Name="GetFilesToSign" BeforeTargets="SignFiles" Condition=" '$(_SignFiles)' == 'True'">
+    <ItemGroup>
+      <FilesToSign Include="$(OutDir)$(AssemblyName).dll">
+        <Authenticode>Microsoft400</Authenticode>
+      </FilesToSign>
+    </ItemGroup>
+  </Target>
+
+  <Target Name="SignNupkg" BeforeTargets="SignNuGetPackage" Condition=" '$(_SignFiles)' == 'True'">
+    <ItemGroup>
+      <SignNuGetPackFiles Include="$(PackageOutputPath)\*.nupkg">
+        <Authenticode>NuGet</Authenticode>
+      </SignNuGetPackFiles>
+    </ItemGroup>
+  </Target>
+
   <PropertyGroup Label="NuGet">
     <PackageId>$(AssemblyName)</PackageId>
     <Description>A lightweight and simple MQTT client implementation written entirely in C#.</Description>

diff --git a/src/Server/Server.csproj b/src/Server/Server.csproj
@@ -6,6 +6,26 @@
     <DocumentationFile>$(IntermediateOutputPath)\$(TargetFramework)\$(AssemblyName).xml</DocumentationFile>
   </PropertyGroup>
 
+  <ItemGroup>
+    <PackageReference Include="Microsoft.VisualStudioEng.MicroBuild.Core" Version="1.0.0" />
+  </ItemGroup>
+
+  <Target Name="GetFilesToSign" BeforeTargets="SignFiles" Condition=" '$(_SignFiles)' == 'True'">
+    <ItemGroup>
+      <FilesToSign Include="$(OutDir)$(AssemblyName).dll">
+        <Authenticode>Microsoft400</Authenticode>
+      </FilesToSign>
+    </ItemGroup>
+  </Target>
+
+  <Target Name="SignNupkg" BeforeTargets="SignNuGetPackage" Condition=" '$(_SignFiles)' == 'True'">
+    <ItemGroup>
+      <SignNuGetPackFiles Include="$(PackageOutputPath)\*.nupkg">
+        <Authenticode>NuGet</Authenticode>
+      </SignNuGetPackFiles>
+    </ItemGroup>
+  </Target>
+
   <PropertyGroup Label="NuGet">
     <PackageId>$(AssemblyName)</PackageId>
     <Description>A lightweight and simple MQTT Server implementation written entirely in C#.</Description>