From af16f6b222efe0ade1b0c6d94f3b5ac1f4542f72 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?U=C4=9Fra=C5=9F=20Erg=C3=BCn?=
 <96827714+ugras-ergun-sonarsource@users.noreply.github.com>
Date: Fri, 10 Nov 2023 15:40:19 +0100
Subject: [PATCH] Pipeline Moved to new Certification (#5017)

---
 pipeline/azure-pipelines.yml         | 49 ++++++++++++++++++++++------
 pipeline/scripts/locate-signtool.ps1 | 18 ----------
 2 files changed, 39 insertions(+), 28 deletions(-)
 delete mode 100644 pipeline/scripts/locate-signtool.ps1

diff --git a/pipeline/azure-pipelines.yml b/pipeline/azure-pipelines.yml
index 5f45bd8473..9560db7a13 100644
--- a/pipeline/azure-pipelines.yml
+++ b/pipeline/azure-pipelines.yml
@@ -1,5 +1,6 @@
 variables:
 - group: sonarsource-build-variables
+- group: digicert-keylocker
 - name: BuildParameters.solution
   value: SonarLint.VisualStudio.Integration.sln
 
@@ -68,12 +69,6 @@ jobs:
       targetType: filePath
       filePath: $(System.DefaultWorkingDirectory)\pipeline\scripts\read-versions.props.ps1
 
-  - task: PowerShell@2
-    displayName: Locate signtool.exe
-    inputs:
-      targetType: filePath
-      filePath: $(System.DefaultWorkingDirectory)\pipeline\scripts\locate-signtool.ps1
-
   - task: PowerShell@2
     displayName: (VS2022 only) Set VsixVersion as a build property for the release pipeline to use
     env:
@@ -104,11 +99,32 @@ jobs:
       retryCount: 5
 
   - task: DownloadSecureFile@1
-    name: pfx
-    displayName: Download pfx file
+    name: SM_CLIENT_CERT
+    displayName: Download p12 file
     inputs:
-      secureFile: SonarSource-2021-2023.pfx
+      secureFile: digicert_authentication_certificate.p12
       retryCount: 5
+  
+  - task: SSMClientToolsSetup@1
+    displayName: Client Tools Setup
+    condition: eq(variables['SHOULD_SIGN'], 'true')
+  
+  - task: SSMSigningToolsSetup@1
+    displayName: Signing Tools Setup
+    condition: eq(variables['SHOULD_SIGN'], 'true')
+
+  - task: PowerShell@2
+    displayName: Syncs certificates to local Windows store
+    inputs:
+      targetType: 'inline'
+      script: |
+            Write-Output "smctl healthcheck:"
+            smctl healthcheck 
+            Write-Output "smctl sync:"
+            smctl windows certsync
+    env:
+      SM_API_KEY: $(SM_API_KEY)
+    condition: eq(variables['SHOULD_SIGN'], 'true')
 
   # Specify the version of Java to use.
   # See https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/reference/java-tool-installer-v0?view=azure-pipelines
@@ -154,12 +170,25 @@ jobs:
     inputs:
       solution: $(BuildParameters.solution)
       vsVersion: 17.0
-      msbuildArgs: /p:VsTargetVersion=$(vsTargetVersion) /p:DeployExtension=false /p:SignArtifacts=$(SHOULD_SIGN) /p:AssemblyOriginatorKeyFile="$(snk.secureFilePath)" /p:pfxCertificatePath="$(pfx.secureFilePath)" /p:pfxPassword="$(pfxPassword2021-2023)" /p:pfxSha1=$(pfxSha1-2021-2023) /p:Sha1=$(Build.SourceVersion) /p:BuildNumber=$(Build.BuildId)  $(AdditionalMSBuildArgs)
+      msbuildArgs: /p:VsTargetVersion=$(vsTargetVersion) /p:DeployExtension=false /p:Sha1=$(Build.SourceVersion) /p:BuildNumber=$(Build.BuildId)  $(AdditionalMSBuildArgs)
       platform: $(BuildPlatform)
       configuration: $(BuildConfiguration)
       maximumCpuCount: true
       logFileVerbosity: diagnostic
 
+  - task: PowerShell@2
+    displayName: Sign Vsix file
+    env:
+      PACKAGE_PATH: '$(Build.SourcesDirectory)\binaries\SonarLint.VSIX-$(SONAR_PROJECT_VERSION).$(Build.BuildId)-$(vsTargetVersion).vsix'
+      SM_HOST: $(SM_HOST)
+      SM_API_KEY: $(SM_API_KEY)
+      SM_CLIENT_CERT_PASSWORD: $(SM_CLIENT_CERT_PASSWORD)
+      SM_CLIENT_CERT_FILE: $(SM_CLIENT_CERT.secureFilePath)
+    inputs:
+      targetType: 'inline'
+      script: nuget sign "$env:PACKAGE_PATH" -HashAlgorithm SHA256 -CertificateFingerprint $(SM_CERT_FP) -Timestamper http://timestamp.digicert.com -TimestampHashAlgorithm SHA256
+    condition: eq(variables['SHOULD_SIGN'], 'true')
+
   - task: CopyFiles@2
     displayName: 'Copy asmref files to: $(Build.ArtifactStagingDirectory) in the event of a build failure' 
     inputs:
diff --git a/pipeline/scripts/locate-signtool.ps1 b/pipeline/scripts/locate-signtool.ps1
deleted file mode 100644
index 854990e87d..0000000000
--- a/pipeline/scripts/locate-signtool.ps1
+++ /dev/null
@@ -1,18 +0,0 @@
-# Search for signtool.exe
-
-$searchRoot = ${env:ProgramFiles(x86)} + '\Windows Kits\10\bin\10*'
-
-$exeName = 'signtool.exe'
-
-$signtool = Get-ChildItem -Path $searchRoot -Filter $exeName -Recurse -ErrorAction SilentlyContinue -Force | Select -Last 1
-
-
-if (!$signtool){
-	throw 'Unable to find ' + $exeName + ' under ' + $searchRoot
-}
-
-
-Write-Host 'Sign tool location: ' $signtool.FullName
-
-
-Write-Host "##vso[task.setvariable variable=SIGNTOOL_PATH;]$signtool"
\ No newline at end of file