Pipeline Moved to new Certification (#5017)

SonarSource · Nov 10, 2023 · af16f6b · af16f6b
1 parent 4283a16
commit af16f6b
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 28 deletions.
diff --git a/pipeline/azure-pipelines.yml b/pipeline/azure-pipelines.yml
@@ -1,5 +1,6 @@
 variables:
 - group: sonarsource-build-variables
+- group: digicert-keylocker
 - name: BuildParameters.solution
   value: SonarLint.VisualStudio.Integration.sln
 
@@ -68,12 +69,6 @@ jobs:
       targetType: filePath
       filePath: $(System.DefaultWorkingDirectory)\pipeline\scripts\read-versions.props.ps1
 
-  - task: PowerShell@2
-    displayName: Locate signtool.exe
-    inputs:
-      targetType: filePath
-      filePath: $(System.DefaultWorkingDirectory)\pipeline\scripts\locate-signtool.ps1
-
   - task: PowerShell@2
     displayName: (VS2022 only) Set VsixVersion as a build property for the release pipeline to use
     env:
@@ -104,11 +99,32 @@ jobs:
       retryCount: 5
 
   - task: DownloadSecureFile@1
-    name: pfx
-    displayName: Download pfx file
+    name: SM_CLIENT_CERT
+    displayName: Download p12 file
     inputs:
-      secureFile: SonarSource-2021-2023.pfx
+      secureFile: digicert_authentication_certificate.p12
       retryCount: 5
+
+  - task: SSMClientToolsSetup@1
+    displayName: Client Tools Setup
+    condition: eq(variables['SHOULD_SIGN'], 'true')
+
+  - task: SSMSigningToolsSetup@1
+    displayName: Signing Tools Setup
+    condition: eq(variables['SHOULD_SIGN'], 'true')
+
+  - task: PowerShell@2
+    displayName: Syncs certificates to local Windows store
+    inputs:
+      targetType: 'inline'
+      script: |
+            Write-Output "smctl healthcheck:"
+            smctl healthcheck 
+            Write-Output "smctl sync:"
+            smctl windows certsync
+    env:
+      SM_API_KEY: $(SM_API_KEY)
+    condition: eq(variables['SHOULD_SIGN'], 'true')
 
   # Specify the version of Java to use.
   # See https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/reference/java-tool-installer-v0?view=azure-pipelines
@@ -154,12 +170,25 @@ jobs:
     inputs:
       solution: $(BuildParameters.solution)
       vsVersion: 17.0
-      msbuildArgs: /p:VsTargetVersion=$(vsTargetVersion) /p:DeployExtension=false /p:SignArtifacts=$(SHOULD_SIGN) /p:AssemblyOriginatorKeyFile="$(snk.secureFilePath)" /p:pfxCertificatePath="$(pfx.secureFilePath)" /p:pfxPassword="$(pfxPassword2021-2023)" /p:pfxSha1=$(pfxSha1-2021-2023) /p:Sha1=$(Build.SourceVersion) /p:BuildNumber=$(Build.BuildId)  $(AdditionalMSBuildArgs)
+      msbuildArgs: /p:VsTargetVersion=$(vsTargetVersion) /p:DeployExtension=false /p:Sha1=$(Build.SourceVersion) /p:BuildNumber=$(Build.BuildId)  $(AdditionalMSBuildArgs)
       platform: $(BuildPlatform)
       configuration: $(BuildConfiguration)
       maximumCpuCount: true
       logFileVerbosity: diagnostic
 
+  - task: PowerShell@2
+    displayName: Sign Vsix file
+    env:
+      PACKAGE_PATH: '$(Build.SourcesDirectory)\binaries\SonarLint.VSIX-$(SONAR_PROJECT_VERSION).$(Build.BuildId)-$(vsTargetVersion).vsix'
+      SM_HOST: $(SM_HOST)
+      SM_API_KEY: $(SM_API_KEY)
+      SM_CLIENT_CERT_PASSWORD: $(SM_CLIENT_CERT_PASSWORD)
+      SM_CLIENT_CERT_FILE: $(SM_CLIENT_CERT.secureFilePath)
+    inputs:
+      targetType: 'inline'
+      script: nuget sign "$env:PACKAGE_PATH" -HashAlgorithm SHA256 -CertificateFingerprint $(SM_CERT_FP) -Timestamper http://timestamp.digicert.com -TimestampHashAlgorithm SHA256
+    condition: eq(variables['SHOULD_SIGN'], 'true')
+
   - task: CopyFiles@2
     displayName: 'Copy asmref files to: $(Build.ArtifactStagingDirectory) in the event of a build failure' 
     inputs:

diff --git a/pipeline/scripts/locate-signtool.ps1 b/pipeline/scripts/locate-signtool.ps1