From 9b49e323bc5506aefe55d968f1426b72beab6426 Mon Sep 17 00:00:00 2001 From: Dan Fiedler Date: Tue, 29 Oct 2024 08:53:47 -0400 Subject: [PATCH 1/4] add release stage and signing to devskim-cli --- Pipelines/cli/devskim-cli-release.yml | 466 +++++++++++++++++++++++++- 1 file changed, 452 insertions(+), 14 deletions(-) diff --git a/Pipelines/cli/devskim-cli-release.yml b/Pipelines/cli/devskim-cli-release.yml index 06883082..3553a595 100644 --- a/Pipelines/cli/devskim-cli-release.yml +++ b/Pipelines/cli/devskim-cli-release.yml @@ -1,22 +1,12 @@ -# Azure Pipelines -# https://aka.ms/yaml - name: DevSkim_CLI_Release_$(SourceBranchName)_$(Date:yyyyMMdd)$(Rev:.r) trigger: none - # batch: true - # branches: - # include: - # - main - # paths: - # exclude: - # - "*.md" pr: none resources: repositories: - repository: templates type: git - name: SecurityEngineering/OSS-Tools-Pipeline-Templates + name: Data/OSS-Tools-Pipeline-Templates ref: refs/tags/v2.0.0 - repository: 1esPipelines type: git @@ -26,10 +16,15 @@ resources: variables: BuildConfiguration: 'Release' DotnetVersion: '8.0.x' - + extends: template: v1/1ES.Official.PipelineTemplate.yml@1esPipelines parameters: + sdl: + sourceRepositoriesToScan: + exclude: + - repository: 1esPipelines + - repository: templates pool: name: MSSecurity-1ES-Build-Agents-Pool image: MSSecurity-1ES-Windows-2022 @@ -52,7 +47,8 @@ extends: poolName: MSSecurity-1ES-Build-Agents-Pool poolImage: MSSecurity-1ES-Ubuntu-2204 poolOs: linux - projectPath: 'DevSkim-DotNet/Microsoft.DevSkim.Tests/Microsoft.DevSkim.Tests.csproj' + projectPath: 'DevSkim-DotNet/Microsoft.DevSkim.Tests/Microsoft.DevSkim.Tests.csproj' + - stage: Build dependsOn: - Test 
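Review bot: The `templates` repository resource now points at `Data/OSS-Tools-Pipeline-Templates` while `ref: refs/tags/v2.0.0` is kept, and a git tag can be moved; since `nbgv-set-version-steps.yml@templates` executes inside the Release job that holds the ESRP signing connection, this is the one external input of the job that is not pinned to immutable content. If the new project does not enforce tag protection on that repository, consider pinning to the tag's commit, `ref: <commit-sha-of-v2.0.0>` (placeholder), where the resource syntax allows it, or confirm the tag is locked. The same rename with the same tag pin appears in the first hunk of `Pipelines/vs/devskim-visualstudio-release.yml` (patch 2/4) and `Pipelines/vscode/devskim-vscode-release.yml` (patch 3/4).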
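Review bot: The new `sdl.sourceRepositoriesToScan.exclude` block removes both `1esPipelines` and `templates` from SDL source scanning with no comment explaining why, which invites the block to be copied into pipelines that consume less trusted templates. A one-line comment above `exclude:` such as `# shared Microsoft template repos; scanned by their own pipelines` would record the assumption; the `templates` repository contributes steps that run inside the signing job, so the exclusion is presumably safe only because that repo has separate SDL coverage, which is worth confirming. The identical block is added in `Pipelines/vs/devskim-visualstudio-release.yml` (patch 2/4) and `Pipelines/vscode/devskim-vscode-release.yml` (patch 3/4).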
@@ -95,4 +91,446 @@ extends: projectName: 'DevSkim_CLI' artifactName: 'nuget-cli-archive' preBuild: - - template: nbgv-set-version-steps.yml@templates \ No newline at end of file + - template: nbgv-set-version-steps.yml@templates + + - stage: Release + dependsOn: + - Build + condition: succeeded() + jobs: + - job: sign_hash_release + displayName: Code Sign, Generate Hashes, Publish Public Releases + templateContext: + outputs: + - output: pipelineArtifact + path: '$(Build.StagingDirectory)' + artifact: 'Signed_Binaries_$(System.JobId)_$(System.JobAttempt)' + steps: + - task: UseDotNet@2 + inputs: + packageType: 'sdk' + version: ${{ variables.DotnetVersion }} + - template: nbgv-set-version-steps.yml@templates + - task: DownloadPipelineArtifact@2 + inputs: + displayName: 'Download linux-mac-archive' + buildType: 'current' + artifactName: 'linux-mac-archive' + targetPath: $(System.ArtifactsDirectory)\Unsigned_Binaries\ + - task: DownloadPipelineArtifact@2 + inputs: + displayName: 'Download nuget-cli-archive' + buildType: 'current' + artifactName: 'nuget-cli-archive' + targetPath: $(System.ArtifactsDirectory)\Unsigned_Binaries\ + - task: DownloadPipelineArtifact@2 + inputs: + displayName: 'Download nuget-lib-archive' + buildType: 'current' + artifactName: 'nuget-lib-archive' + targetPath: $(System.ArtifactsDirectory)\Unsigned_Binaries\ + - task: DownloadPipelineArtifact@2 + inputs: + displayName: 'Download win-netcore-archive' + buildType: 'current' + artifactName: 'win-netcore-archive' + targetPath: $(System.ArtifactsDirectory)\Unsigned_Binaries\ + - task: ExtractFiles@1 + displayName: Extract Artifacts for Signing + inputs: + archiveFilePatterns: '$(System.ArtifactsDirectory)\Unsigned_Binaries\*.zip' + destinationFolder: '$(System.ArtifactsDirectory)' + cleanDestinationFolder: false + - task: AntiMalware@4 + displayName: Anti-Malware Scan + inputs: + InputType: 'Basic' + ScanType: 'CustomScan' + FileDirPath: '$(System.ArtifactsDirectory)' + EnableServices: true + 
SupportLogOnError: true + TreatSignatureUpdateFailureAs: 'Warning' + SignatureFreshness: 'UpToDate' + TreatStaleSignatureAs: 'Warning' + - task: UseDotNet@2 + inputs: + packageType: 'sdk' + version: '6.x' + # First party code signing + - task: EsrpCodeSigning@5 + displayName: First Party Code Sign - Linux + inputs: + ConnectedServiceName: 'oss-esrp-signing-v5-connection' + AppRegistrationClientId: '8694c10c-c89d-4231-9dca-36cb80737ad0' + AppRegistrationTenantId: '33e01921-4d64-4f8c-a055-5bdaffd5e33d' + AuthAKVName: 'oss-signing-vault' + AuthCertName: 'oss-esrp-auth-cert' + AuthSignCertName: 'oss-esrp-signing-cert' + FolderPath: '$(System.ArtifactsDirectory)/linux/DevSkim_CLI_linux_$(ReleaseVersion)' + Pattern: 'ApplicationInspector.*.dll, devskim.dll, devskim.exe, Microsoft.DevSkim.dll, OAT.dll, RecursiveExtractor.dll' + signConfigType: 'inlineSignParams' + inlineOperation: | + [ + { + "KeyCode" : "CP-230012", + "OperationCode" : "SigntoolSign", + "Parameters" : { + "OpusName" : "Microsoft", + "OpusInfo" : "http://www.microsoft.com", + "FileDigest" : "/fd \"SHA256\"", + "PageHash" : "/NPH", + "TimeStamp" : "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" + }, + "ToolName" : "sign", + "ToolVersion" : "1.0" + }, + { + "KeyCode" : "CP-230012", + "OperationCode" : "SigntoolVerify", + "Parameters" : {}, + "ToolName" : "sign", + "ToolVersion" : "1.0" + } + ] + SessionTimeout: '60' + MaxConcurrency: '50' + MaxRetryAttempts: '5' + + - task: EsrpCodeSigning@5 + displayName: First Party Code Sign - MacOS + inputs: + ConnectedServiceName: 'oss-esrp-signing-v5-connection' + AppRegistrationClientId: '8694c10c-c89d-4231-9dca-36cb80737ad0' + AppRegistrationTenantId: '33e01921-4d64-4f8c-a055-5bdaffd5e33d' + AuthAKVName: 'oss-signing-vault' + AuthCertName: 'oss-esrp-auth-cert' + AuthSignCertName: 'oss-esrp-signing-cert' + FolderPath: '$(System.ArtifactsDirectory)/macos/DevSkim_CLI_macos_$(ReleaseVersion)' + Pattern: 'ApplicationInspector.*.dll, 
devskim.dll, devskim.exe, Microsoft.DevSkim.dll, OAT.dll, RecursiveExtractor.dll' + signConfigType: 'inlineSignParams' + inlineOperation: | + [ + { + "KeyCode" : "CP-230012", + "OperationCode" : "SigntoolSign", + "Parameters" : { + "OpusName" : "Microsoft", + "OpusInfo" : "http://www.microsoft.com", + "FileDigest" : "/fd \"SHA256\"", + "PageHash" : "/NPH", + "TimeStamp" : "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" + }, + "ToolName" : "sign", + "ToolVersion" : "1.0" + }, + { + "KeyCode" : "CP-230012", + "OperationCode" : "SigntoolVerify", + "Parameters" : {}, + "ToolName" : "sign", + "ToolVersion" : "1.0" + } + ] + SessionTimeout: '60' + MaxConcurrency: '50' + MaxRetryAttempts: '5' + + - task: EsrpCodeSigning@5 + displayName: First Party Code Sign - Windows + inputs: + ConnectedServiceName: 'oss-esrp-signing-v5-connection' + AppRegistrationClientId: '8694c10c-c89d-4231-9dca-36cb80737ad0' + AppRegistrationTenantId: '33e01921-4d64-4f8c-a055-5bdaffd5e33d' + AuthAKVName: 'oss-signing-vault' + AuthCertName: 'oss-esrp-auth-cert' + AuthSignCertName: 'oss-esrp-signing-cert' + FolderPath: '$(System.ArtifactsDirectory)/win/DevSkim_CLI_win_$(ReleaseVersion)' + Pattern: 'ApplicationInspector.*.dll, devskim.dll, devskim.exe, Microsoft.DevSkim.dll, OAT.dll, RecursiveExtractor.dll' + signConfigType: 'inlineSignParams' + inlineOperation: | + [ + { + "KeyCode" : "CP-230012", + "OperationCode" : "SigntoolSign", + "Parameters" : { + "OpusName" : "Microsoft", + "OpusInfo" : "http://www.microsoft.com", + "FileDigest" : "/fd \"SHA256\"", + "PageHash" : "/NPH", + "TimeStamp" : "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" + }, + "ToolName" : "sign", + "ToolVersion" : "1.0" + }, + { + "KeyCode" : "CP-230012", + "OperationCode" : "SigntoolVerify", + "Parameters" : {}, + "ToolName" : "sign", + "ToolVersion" : "1.0" + } + ] + SessionTimeout: '60' + MaxConcurrency: '50' + MaxRetryAttempts: '5' + + - task: EsrpCodeSigning@5 + 
displayName: First Party Code Sign - .NET Core App + inputs: + ConnectedServiceName: 'oss-esrp-signing-v5-connection' + AppRegistrationClientId: '8694c10c-c89d-4231-9dca-36cb80737ad0' + AppRegistrationTenantId: '33e01921-4d64-4f8c-a055-5bdaffd5e33d' + AuthAKVName: 'oss-signing-vault' + AuthCertName: 'oss-esrp-auth-cert' + AuthSignCertName: 'oss-esrp-signing-cert' + FolderPath: '$(System.ArtifactsDirectory)/netcoreapp/DevSkim_CLI_netcoreapp_$(ReleaseVersion)' + Pattern: 'ApplicationInspector.*.dll, devskim.dll, devskim.exe, Microsoft.DevSkim.dll, OAT.dll, RecursiveExtractor.dll' + signConfigType: 'inlineSignParams' + inlineOperation: | + [ + { + "KeyCode" : "CP-230012", + "OperationCode" : "SigntoolSign", + "Parameters" : { + "OpusName" : "Microsoft", + "OpusInfo" : "http://www.microsoft.com", + "FileDigest" : "/fd \"SHA256\"", + "PageHash" : "/NPH", + "TimeStamp" : "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" + }, + "ToolName" : "sign", + "ToolVersion" : "1.0" + }, + { + "KeyCode" : "CP-230012", + "OperationCode" : "SigntoolVerify", + "Parameters" : {}, + "ToolName" : "sign", + "ToolVersion" : "1.0" + } + ] + SessionTimeout: '60' + MaxConcurrency: '50' + MaxRetryAttempts: '5' + + # Third party code signing + - task: EsrpCodeSigning@5 + displayName: Third Party Code Sign - Linux + inputs: + ConnectedServiceName: 'oss-esrp-signing-v5-connection' + AppRegistrationClientId: '8694c10c-c89d-4231-9dca-36cb80737ad0' + AppRegistrationTenantId: '33e01921-4d64-4f8c-a055-5bdaffd5e33d' + AuthAKVName: 'oss-signing-vault' + AuthCertName: 'oss-esrp-auth-cert' + AuthSignCertName: 'oss-esrp-signing-cert' + FolderPath: '$(System.ArtifactsDirectory)/linux/DevSkim_CLI_linux_$(ReleaseVersion)' + Pattern: 'CommandLine.dll, DiscUtils.*.dll, gfs.*.dll, git2-*.dll, Glob.dll, ICSharpCode.*.dll, JsonCons.*.dll, KellermanSoftware.*.dll, LibGit2Sharp.dll, lzo.*.dll, Newtonsoft.*.dll, NLog.dll, Serilog.*.dll, SharpCompress.dll, YamlDotNet.dll' + signConfigType: 
'inlineSignParams' + inlineOperation: | + [ + { + "KeyCode" : "CP-231522", + "OperationCode" : "SigntoolSign", + "Parameters" : { + "OpusName" : "Microsoft", + "OpusInfo" : "http://www.microsoft.com", + "FileDigest" : "/fd \"SHA256\"", + "PageHash" : "/NPH", + "TimeStamp" : "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" + }, + "ToolName" : "sign", + "ToolVersion" : "1.0" + }, + { + "KeyCode" : "CP-231522", + "OperationCode" : "SigntoolVerify", + "Parameters" : {}, + "ToolName" : "sign", + "ToolVersion" : "1.0" + } + ] + SessionTimeout: '60' + MaxConcurrency: '50' + MaxRetryAttempts: '5' + + - task: EsrpCodeSigning@5 + displayName: Third Party Code Sign - MacOS + inputs: + ConnectedServiceName: 'oss-esrp-signing-v5-connection' + AppRegistrationClientId: '8694c10c-c89d-4231-9dca-36cb80737ad0' + AppRegistrationTenantId: '33e01921-4d64-4f8c-a055-5bdaffd5e33d' + AuthAKVName: 'oss-signing-vault' + AuthCertName: 'oss-esrp-auth-cert' + AuthSignCertName: 'oss-esrp-signing-cert' + FolderPath: '$(System.ArtifactsDirectory)/macos/DevSkim_CLI_macos_$(ReleaseVersion)' + Pattern: 'CommandLine.dll, DiscUtils.*.dll, gfs.*.dll, git2-*.dll, Glob.dll, ICSharpCode.*.dll, JsonCons.*.dll, KellermanSoftware.*.dll, LibGit2Sharp.dll, lzo.*.dll, Newtonsoft.*.dll, NLog.dll, Serilog.*.dll, SharpCompress.dll, YamlDotNet.dll' + signConfigType: 'inlineSignParams' + inlineOperation: | + [ + { + "KeyCode" : "CP-231522", + "OperationCode" : "SigntoolSign", + "Parameters" : { + "OpusName" : "Microsoft", + "OpusInfo" : "http://www.microsoft.com", + "FileDigest" : "/fd \"SHA256\"", + "PageHash" : "/NPH", + "TimeStamp" : "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" + }, + "ToolName" : "sign", + "ToolVersion" : "1.0" + }, + { + "KeyCode" : "CP-231522", + "OperationCode" : "SigntoolVerify", + "Parameters" : {}, + "ToolName" : "sign", + "ToolVersion" : "1.0" + } + ] + SessionTimeout: '60' + MaxConcurrency: '50' + MaxRetryAttempts: '5' + - task: 
EsrpCodeSigning@5 + displayName: Third Party Code Sign - Windows + inputs: + ConnectedServiceName: 'oss-esrp-signing-v5-connection' + AppRegistrationClientId: '8694c10c-c89d-4231-9dca-36cb80737ad0' + AppRegistrationTenantId: '33e01921-4d64-4f8c-a055-5bdaffd5e33d' + AuthAKVName: 'oss-signing-vault' + AuthCertName: 'oss-esrp-auth-cert' + AuthSignCertName: 'oss-esrp-signing-cert' + FolderPath: '$(System.ArtifactsDirectory)/win/DevSkim_CLI_win_$(ReleaseVersion)' + Pattern: 'CommandLine.dll, DiscUtils.*.dll, gfs.*.dll, git2-*.dll, Glob.dll, ICSharpCode.*.dll, JsonCons.*.dll, KellermanSoftware.*.dll, LibGit2Sharp.dll, lzo.*.dll, Newtonsoft.*.dll, NLog.dll, Serilog.*.dll, SharpCompress.dll, YamlDotNet.dll' + signConfigType: 'inlineSignParams' + inlineOperation: | + [ + { + "KeyCode" : "CP-231522", + "OperationCode" : "SigntoolSign", + "Parameters" : { + "OpusName" : "Microsoft", + "OpusInfo" : "http://www.microsoft.com", + "FileDigest" : "/fd \"SHA256\"", + "PageHash" : "/NPH", + "TimeStamp" : "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" + }, + "ToolName" : "sign", + "ToolVersion" : "1.0" + }, + { + "KeyCode" : "CP-231522", + "OperationCode" : "SigntoolVerify", + "Parameters" : {}, + "ToolName" : "sign", + "ToolVersion" : "1.0" + } + ] + SessionTimeout: '60' + MaxConcurrency: '50' + MaxRetryAttempts: '5' + - task: EsrpCodeSigning@5 + displayName: Third Party Code Sign - .NET Core App + inputs: + ConnectedServiceName: 'oss-esrp-signing-v5-connection' + AppRegistrationClientId: '8694c10c-c89d-4231-9dca-36cb80737ad0' + AppRegistrationTenantId: '33e01921-4d64-4f8c-a055-5bdaffd5e33d' + AuthAKVName: 'oss-signing-vault' + AuthCertName: 'oss-esrp-auth-cert' + AuthSignCertName: 'oss-esrp-signing-cert' + FolderPath: '$(System.ArtifactsDirectory)/netcoreapp/DevSkim_CLI_netcoreapp_$(ReleaseVersion)' + Pattern: 'CommandLine.dll, DiscUtils.*.dll, gfs.*.dll, git2-*.dll, Glob.dll, ICSharpCode.*.dll, JsonCons.*.dll, KellermanSoftware.*.dll, 
LibGit2Sharp.dll, lzo.*.dll, Newtonsoft.*.dll, NLog.dll, Serilog.*.dll, SharpCompress.dll, YamlDotNet.dll' + signConfigType: 'inlineSignParams' + inlineOperation: | + [ + { + "KeyCode" : "CP-231522", + "OperationCode" : "SigntoolSign", + "Parameters" : { + "OpusName" : "Microsoft", + "OpusInfo" : "http://www.microsoft.com", + "FileDigest" : "/fd \"SHA256\"", + "PageHash" : "/NPH", + "TimeStamp" : "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" + }, + "ToolName" : "sign", + "ToolVersion" : "1.0" + }, + { + "KeyCode" : "CP-231522", + "OperationCode" : "SigntoolVerify", + "Parameters" : {}, + "ToolName" : "sign", + "ToolVersion" : "1.0" + } + ] + SessionTimeout: '60' + MaxConcurrency: '50' + MaxRetryAttempts: '5' + + # Code Signing - NuGet Package + - task: EsrpCodeSigning@5 + displayName: Code Sign Nuget Packages + inputs: + ConnectedServiceName: 'oss-esrp-signing-v5-connection' + AppRegistrationClientId: '8694c10c-c89d-4231-9dca-36cb80737ad0' + AppRegistrationTenantId: '33e01921-4d64-4f8c-a055-5bdaffd5e33d' + AuthAKVName: 'oss-signing-vault' + AuthCertName: 'oss-esrp-auth-cert' + AuthSignCertName: 'oss-esrp-signing-cert' + FolderPath: '$(System.ArtifactsDirectory)' + Pattern: '*.nupkg, *.snupkg' + signConfigType: 'inlineSignParams' + inlineOperation: | + [ + { + "KeyCode" : "CP-401405", + "OperationCode" : "NuGetSign", + "Parameters" : {}, + "ToolName" : "sign", + "ToolVersion" : "1.0" + }, + { + "KeyCode" : "CP-401405", + "OperationCode" : "NuGetVerify", + "Parameters" : {}, + "ToolName" : "sign", + "ToolVersion" : "1.0" + } + ] + SessionTimeout: '60' + MaxConcurrency: '50' + MaxRetryAttempts: '5' + + - task: ArchiveFiles@2 + displayName: Archive Artifact - Linux + inputs: + rootFolderOrFile: '$(System.ArtifactsDirectory)/linux/DevSkim_CLI_linux_$(ReleaseVersion)' + includeRootFolder: true + archiveType: 'zip' + archiveFile: '$(Build.StagingDirectory)/DevSkim_CLI_linux_$(ReleaseVersion).zip' + replaceExistingArchive: true + - task: 
ArchiveFiles@2 + displayName: Archive Artifact - MacOS + inputs: + rootFolderOrFile: '$(System.ArtifactsDirectory)/macos/DevSkim_CLI_macos_$(ReleaseVersion)' + includeRootFolder: true + archiveType: 'zip' + archiveFile: '$(Build.StagingDirectory)/DevSkim_CLI_macos_$(ReleaseVersion).zip' + replaceExistingArchive: true + - task: ArchiveFiles@2 + displayName: Archive Artifact - Windows + inputs: + rootFolderOrFile: '$(System.ArtifactsDirectory)/win/DevSkim_CLI_win_$(ReleaseVersion)' + includeRootFolder: true + archiveType: 'zip' + archiveFile: '$(Build.StagingDirectory)/DevSkim_CLI_win_$(ReleaseVersion).zip' + replaceExistingArchive: true + - task: ArchiveFiles@2 + displayName: Archive Artifact - .NET Core App + inputs: + rootFolderOrFile: '$(System.ArtifactsDirectory)/netcoreapp/DevSkim_CLI_netcoreapp_$(ReleaseVersion)' + includeRootFolder: true + archiveType: 'zip' + archiveFile: '$(Build.StagingDirectory)/DevSkim_CLI_netcoreapp_$(ReleaseVersion).zip' + replaceExistingArchive: true \ No newline at end of file From 3e9d71da54df9ca36a477bf27ff7af1f1c862024 Mon Sep 17 00:00:00 2001 From: Dan Fiedler Date: Tue, 29 Oct 2024 08:55:19 -0400 Subject: [PATCH 2/4] add release stage with signing for VS pipeline --- Pipelines/vs/devskim-visualstudio-release.yml | 100 ++++++++++++++++-- 1 file changed, 89 insertions(+), 11 deletions(-) diff --git a/Pipelines/vs/devskim-visualstudio-release.yml b/Pipelines/vs/devskim-visualstudio-release.yml index eb87b1ad..0a3bda82 100644 --- a/Pipelines/vs/devskim-visualstudio-release.yml +++ b/Pipelines/vs/devskim-visualstudio-release.yml 
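Review bot: In the four `DownloadPipelineArtifact@2` steps at the top of the Release job, `displayName` is nested under `inputs:`, where it is not a task input and will be reported as unexpected, leaving the steps with default names; move it one level up as the VS pipeline in patch 2/4 does, `- task: DownloadPipelineArtifact@2` / `displayName: 'Download linux-mac-archive'` / `inputs:`. The `Code Sign Nuget Packages` step signs `*.nupkg, *.snupkg` under `$(System.ArtifactsDirectory)`, but the only files written to `$(Build.StagingDirectory)`, which is the job's published artifact, are the four platform zips, so the signed packages appear to be discarded unless a step outside this hunk moves them. The platform zips are built from exactly the folders passed as ESRP `FolderPath`, so any `CodeSignSummary*` files the signing task writes there would ship inside the release archives; the VS and VSCode pipelines delete `CodeSign*` before packaging, and this job should do the same before the `ArchiveFiles@2` steps. The job's display name promises `Generate Hashes`, but no hash step exists in this file (patch 2/4 has one). Style: the eight `EsrpCodeSigning@5` steps differ only in `FolderPath`, `Pattern` and `KeyCode`, so a `${{ each }}` over a platform list, or a step template in `templates`, would reduce this to two parameterized steps and make the signing configuration reviewable in one place.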
@@ -1,22 +1,12 @@ -# Azure Pipelines -# https://aka.ms/yaml - name: DevSkim_VisualStudio_Release_$(SourceBranchName)_$(Date:yyyyMMdd)$(Rev:.r) trigger: none - # batch: true - # branches: - # include: - # - main - # paths: - # exclude: - # - "*.md" pr: none resources: repositories: - repository: templates type: git - name: SecurityEngineering/OSS-Tools-Pipeline-Templates + name: Data/OSS-Tools-Pipeline-Templates ref: refs/tags/v2.0.0 - repository: 1esPipelines type: git @@ -26,6 +16,11 @@ resources: extends: template: v1/1ES.Official.PipelineTemplate.yml@1esPipelines parameters: + sdl: + sourceRepositoriesToScan: + exclude: + - repository: 1esPipelines + - repository: templates pool: name: MSSecurity-1ES-Build-Agents-Pool image: MSSecurity-1ES-Windows-2022 
@@ -70,3 +65,86 @@ extends: inputs: targetType: 'inline' script: 'mv $env:BUILD_STAGINGDIRECTORY/bin/dotnetapp/DevSkim_VS_dotnetapp_$(ReleaseVersion)/*.vsix $env:BUILD_STAGINGDIRECTORY/extension' + + - stage: Release + dependsOn: + - Build + condition: succeeded() + jobs: + - job: sign_hash_release + displayName: Code Sign, Generate Hashes, Publish Public Release + templateContext: + outputs: + - output: pipelineArtifact + path: '$(Build.StagingDirectory)' + artifact: 'Signed_Binaries_$(System.JobId)_$(System.JobAttempt)' + steps: + - template: nbgv-set-version-steps.yml@templates + - task: DownloadPipelineArtifact@2 + displayName: Retrieve Unsigned Artifact + inputs: + buildType: 'current' + artifactName: 'Unsigned_Extension' + targetPath: '$(Build.BinariesDirectory)\Unsigned_Extension' + - task: AntiMalware@3 + displayName: Anti-Malware Scan + inputs: + InputType: 'Basic' + ScanType: 'CustomScan' + FileDirPath: '$(Build.BinariesDirectory)' + EnableServices: true + SupportLogOnError: false + TreatSignatureUpdateFailureAs: 'Warning' + SignatureFreshness: 'UpToDate' + TreatStaleSignatureAs: 'Warning' + - task: EsrpCodeSigning@5 + displayName: Code Sign VS Extension + inputs: + ConnectedServiceName: 'oss-esrp-signing-v5-connection' + AppRegistrationClientId: '8694c10c-c89d-4231-9dca-36cb80737ad0' + AppRegistrationTenantId: '33e01921-4d64-4f8c-a055-5bdaffd5e33d' + AuthAKVName: 'oss-signing-vault' + AuthCertName: 'oss-esrp-auth-cert' + AuthSignCertName: 'oss-esrp-signing-cert' + FolderPath: '$(Build.BinariesDirectory)\Unsigned_Extension' + Pattern: '*.vsix' + signConfigType: 'inlineSignParams' + inlineOperation: | + [ + { + "KeyCode" : "CP-233016", + "OperationCode" : "OpcSign", + "Parameters" : { + "FileDigest" : "/fd SHA256" + }, + "ToolName" : "sign", + "ToolVersion" : "1.0" + }, + { + "KeyCode" : "CP-233016", + "OperationCode" : "OpcVerify", + "Parameters" : {}, + "ToolName" : "sign", + "ToolVersion" : "1.0" + } + ] + SessionTimeout: '60' + MaxConcurrency: '50' + 
MaxRetryAttempts: '5' + - powershell: 'Get-ChildItem -Path ''$(Build.BinariesDirectory)'' -Recurse CodeSign* | foreach { Remove-Item -Path $_.FullName }' + displayName: 'Delete Code Sign Summaries' + - task: PowerShell@2 + displayName: Move Extension File + inputs: + targetType: 'inline' + script: 'mv $env:BUILD_BINARIESDIRECTORY/Unsigned_Extension/*.vsix $env:BUILD_STAGINGDIRECTORY/' + - task: PowerShell@2 + displayName: Generate Hashes + inputs: + targetType: 'inline' + script: | + Get-ChildItem $(Build.StagingDirectory) | Foreach-Object { + $name = $_.Name + $tmp = (Get-FileHash "$(Build.StagingDirectory)\$name").Hash + Add-Content $(Build.StagingDirectory)\HASHES.txt "$tmp`t$name" + } \ No newline at end of file From 45e96fafcf06f4f9f39e85b752929b41828d5ac6 Mon Sep 17 00:00:00 2001 From: Dan Fiedler Date: Tue, 29 Oct 2024 08:56:25 -0400 Subject: [PATCH 3/4] add release stage with signing for VSCode pipeline --- Pipelines/vscode/devskim-vscode-release.yml | 93 ++++++++++++++++++--- 1 file changed, 81 insertions(+), 12 deletions(-) diff --git a/Pipelines/vscode/devskim-vscode-release.yml b/Pipelines/vscode/devskim-vscode-release.yml index 8843551f..58fa441d 100644 --- a/Pipelines/vscode/devskim-vscode-release.yml +++ b/Pipelines/vscode/devskim-vscode-release.yml @@ -1,22 +1,12 @@ -# Azure Pipelines -# https://aka.ms/yaml - name: DevSkim_VSCode_Release_$(SourceBranchName)_$(Date:yyyyMMdd)$(Rev:.r) trigger: none - # batch: true - # branches: - # include: - # - main - # paths: - # exclude: - # - "*.md" pr: none resources: repositories: - repository: templates type: git - name: SecurityEngineering/OSS-Tools-Pipeline-Templates + name: Data/OSS-Tools-Pipeline-Templates ref: refs/tags/v2.0.0 - repository: 1esPipelines type: git 
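Review bot: The `Generate Hashes` script enumerates `$(Build.StagingDirectory)` with a bare `Get-ChildItem` and appends `HASHES.txt` into that same directory while the enumeration runs, so a subdirectory would make `Get-FileHash` fail and `HASHES.txt` may end up hashing itself depending on enumeration order; restrict to files, exclude the output explicitly, and pin the algorithm rather than rely on the default: `Get-ChildItem -File $(Build.StagingDirectory) | Where-Object Name -ne 'HASHES.txt' | Foreach-Object {` and `$tmp = (Get-FileHash -Algorithm SHA256 "$(Build.StagingDirectory)\$name").Hash`. This file uses `AntiMalware@3` with `SupportLogOnError: false`, while the CLI (patch 1/4) and VSCode (patch 3/4) release jobs use `AntiMalware@4` with `SupportLogOnError: true`; unless the agent image differs, the three pipelines should agree, and the newer task version is the one to keep. In `Delete Code Sign Summaries`, `CodeSign*` is passed positionally and binds to `-Filter`; writing `-Filter 'CodeSign*'` makes that intent explicit.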
@@ -26,6 +16,11 @@ resources: extends: template: v1/1ES.Official.PipelineTemplate.yml@1esPipelines parameters: + sdl: + sourceRepositoriesToScan: + exclude: + - repository: 1esPipelines + - repository: templates pool: name: MSSecurity-1ES-Build-Agents-Pool image: MSSecurity-1ES-Windows-2022 
@@ -70,4 +65,78 @@ extends: displayName: Move Plugin File inputs: targetType: 'inline' - script: 'mv DevSkim-VSCode-Plugin/*.vsix $env:BUILD_STAGINGDIRECTORY/packages/' \ No newline at end of file + script: 'mv DevSkim-VSCode-Plugin/*.vsix $env:BUILD_STAGINGDIRECTORY/packages/' + + - stage: Release + dependsOn: + - Build + condition: succeeded() + jobs: + - job: sign_hash_release + displayName: Code Sign, Generate Hashes, Publish Public Release + templateContext: + outputs: + - output: pipelineArtifact + path: '$(Build.StagingDirectory)' + artifact: 'Signed_Binaries_$(System.JobId)_$(System.JobAttempt)' + steps: + - template: nbgv-set-version-steps.yml@templates + - task: DownloadPipelineArtifact@2 + displayName: Retrieve Unsigned Artifact + inputs: + buildType: 'current' + artifactName: 'Unsigned_Plugin' + targetPath: '$(System.ArtifactsDirectory)\Unsigned_Plugin' + - task: AntiMalware@4 + displayName: Anti-Malware Scan + inputs: + InputType: 'Basic' + ScanType: 'CustomScan' + FileDirPath: '$(System.ArtifactsDirectory)' + EnableServices: true + SupportLogOnError: true + TreatSignatureUpdateFailureAs: 'Warning' + SignatureFreshness: 'UpToDate' + TreatStaleSignatureAs: 'Warning' + - task: EsrpCodeSigning@5 + displayName: Code Sign VSCode Plugin + inputs: + ConnectedServiceName: 'oss-esrp-signing-v5-connection' + AppRegistrationClientId: '8694c10c-c89d-4231-9dca-36cb80737ad0' + AppRegistrationTenantId: '33e01921-4d64-4f8c-a055-5bdaffd5e33d' + AuthAKVName: 'oss-signing-vault' + AuthCertName: 'oss-esrp-auth-cert' + AuthSignCertName: 'oss-esrp-signing-cert' + FolderPath: '$(System.ArtifactsDirectory)\Unsigned_Plugin' + Pattern: '*.vsix' + signConfigType: 'inlineSignParams' + inlineOperation: | + [ + { + "KeyCode" : "CP-233016", + "OperationCode" : "OpcSign", + "Parameters" : { + "FileDigest" : "/fd SHA256" + }, + "ToolName" : "sign", + "ToolVersion" : "1.0" + }, + { + "KeyCode" : "CP-233016", + "OperationCode" : "OpcVerify", + "Parameters" : {}, + "ToolName" : "sign", + 
"ToolVersion" : "1.0" + } + ] + SessionTimeout: '60' + MaxConcurrency: '50' + MaxRetryAttempts: '5' + + - powershell: 'Get-ChildItem -Path ''$(System.ArtifactsDirectory)'' -Recurse CodeSign* | foreach { Remove-Item -Path $_.FullName }' + displayName: 'Delete Code Sign Summaries' + - task: PowerShell@2 + displayName: Move Plugin File + inputs: + targetType: 'inline' + script: 'mv $env:SYSTEM_ARTIFACTSDIRECTORY/Unsigned_Plugin/*.vsix $env:BUILD_STAGINGDIRECTORY/' From 25eb1ee135e6488f0969441777693d78b7c0bee5 Mon Sep 17 00:00:00 2001 From: Dan Fiedler Date: Tue, 29 Oct 2024 09:03:02 -0400 Subject: [PATCH 4/4] update changelog for release pipeline changes --- Changelog.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Changelog.md b/Changelog.md index 9f5066e2..b5e0c51e 100644 --- a/Changelog.md +++ b/Changelog.md @@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [1.0.43] - 2024-10-29 +### Pipeline +Pipeline only changes + ## [1.0.42] - 2024-08-26 ## Fix Fixes suppression command to not perturb line breaks, particularly when a file has findings which are not selected for suppression. #631
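Review bot: The job is named `Code Sign, Generate Hashes, Publish Public Release`, but after the final `Move Plugin File` step nothing generates hashes, so the published `Signed_Binaries_*` artifact carries the signed `.vsix` with no `HASHES.txt`, unlike the VS pipeline in patch 2/4. Either rename the job or add the hash step after the move; the version below mirrors the VS step but skips the hash file itself, restricts to files, and pins SHA-256. The `AntiMalware@4` settings here match the CLI pipeline (patch 1/4) but not the VS one, which is on `@3` with `SupportLogOnError: false`, so the three release jobs should be aligned.
```yaml
          # … unchanged: Delete Code Sign Summaries and Move Plugin File steps …
          - task: PowerShell@2
            displayName: Generate Hashes
            inputs:
              targetType: 'inline'
              script: |
                Get-ChildItem -File $(Build.StagingDirectory) | Where-Object Name -ne 'HASHES.txt' | Foreach-Object {
                  $name = $_.Name
                  $hash = (Get-FileHash -Algorithm SHA256 "$(Build.StagingDirectory)\$name").Hash
                  Add-Content $(Build.StagingDirectory)\HASHES.txt "$hash`t$name"
                }
```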