From 8740a08d8d76c0efb9d97cd49fb2aad45ed396c5 Mon Sep 17 00:00:00 2001 From: Damon Barry Date: Mon, 20 Nov 2023 13:24:20 -0800 Subject: [PATCH] Update ESRP Codesign (#7153) Cherry-pick 239bf48e13ee54b24a8200995b2002f60f762dc7. Also, this change: - updates the signing task for the metrics collector release pipeline, which only exists in the main branch - removes the pipeline template that forces .NET to version 2.1 for the code signing step. Since we upgraded the version of the code signing task we use in the pipeline, this step is no longer required To test, I ran the "Build Executables" stage of the "IoT Edge Core - Stage Images" pipeline and confirmed the signing job succeeds. I also ran the "Metrics Collector - Stage Images" pipeline and confirmed the signing job succeeds and the tests pass. --- builds/misc/images-release.yaml | 289 ++++++------------ .../metrics-collector-images-release.yaml | 76 ++--- builds/release/refresh-core-images.yaml | 11 +- .../refresh-metrics-collector-images.yaml | 8 - .../release/templates/dotnet-code-sign.yaml | 60 ++-- builds/templates/force-dotnet21.yaml | 7 - builds/templates/restore-default-dotnet.yaml | 7 - 7 files changed, 137 insertions(+), 321 deletions(-) delete mode 100644 builds/templates/force-dotnet21.yaml delete mode 100644 builds/templates/restore-default-dotnet.yaml diff --git a/builds/misc/images-release.yaml b/builds/misc/images-release.yaml index d1e97feb251..8c3b638b295 100644 --- a/builds/misc/images-release.yaml +++ b/builds/misc/images-release.yaml 
@@ -35,234 +35,135 @@ stages: packagesToPack: "**/Microsoft.Azure.WebJobs.Extensions.EdgeHub.csproj" versionEnvVar: version versioningScheme: byEnvVar - # The code sign task requires .NET Core 2.1. - # TODO: Investigate why we have to toggle primary installs on linux, when we didn't have to do this on windows (now removed). - - template: ../templates/force-dotnet21.yaml # Code Sign - - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 + - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3 displayName: "Edge Agent Code Sign" inputs: - ConnectedServiceName: "Azure IoT Edge Code Sign 2" + ConnectedServiceName: "aziotedge-pmc-v4-prod" FolderPath: $(Build.BinariesDirectory)/publish/Microsoft.Azure.Devices.Edge.Agent.Service Pattern: Microsoft.Azure.Devices.Edge.*.dll SessionTimeout: 20 inlineOperation: | - [ - { - "keyCode": "CP-230012", - "operationSetCode": "SigntoolSign", - "parameters": [ - { - "parameterName": "OpusName", - "parameterValue": "Microsoft" - }, - { - "parameterName": "OpusInfo", - "parameterValue": "http://www.microsoft.com" - }, - { - "parameterName": "Append", - "parameterValue": "/as" - }, - { - "parameterName": "FileDigest", - "parameterValue": "/fd \"SHA256\"" - }, - { - "parameterName": "PageHash", - "parameterValue": "/NPH" - }, - { - "parameterName": "TimeStamp", - "parameterValue": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" - } - ], - "toolName": "sign", - "toolVersion": "1.0" - }, - { - "keyCode": "CP-230012", - "operationSetCode": "SigntoolVerify", - "parameters": [ - { - "parameterName": "VerifyAll", - "parameterValue": "/all" - } - ], - "toolName": "sign", - "toolVersion": "1.0" + [ + { + "KeyCode": "CP-230012", + "OperationCode": "SigntoolSign", + "ToolName": "sign", + "ToolVersion": "1.0", + "Parameters": { + "OpusName": "Microsoft", + "OpusInfo": "https://www.microsoft.com", + "FileDigest": "/fd SHA256", + "PageHash": "/NPH", + "TimeStamp": "/tr 
\"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" } - ] + }, + { + "KeyCode": "CP-230012", + "OperationCode": "SigntoolVerify", + "ToolName": "sign", + "ToolVersion": "1.0", + "Parameters": {} + } + ] signConfigType: inlineSignParams - - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 + - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3 displayName: "Edge Hub Code Sign" inputs: - ConnectedServiceName: "Azure IoT Edge Code Sign 2" + ConnectedServiceName: "aziotedge-pmc-v4-prod" FolderPath: $(Build.BinariesDirectory)/publish/Microsoft.Azure.Devices.Edge.Hub.Service Pattern: "Microsoft.Azure.Devices.Edge.*.dll,Microsoft.Azure.Devices.Routing.*.dll" SessionTimeout: 20 inlineOperation: | - [ - { - "keyCode": "CP-230012", - "operationSetCode": "SigntoolSign", - "parameters": [ - { - "parameterName": "OpusName", - "parameterValue": "Microsoft" - }, - { - "parameterName": "OpusInfo", - "parameterValue": "http://www.microsoft.com" - }, - { - "parameterName": "Append", - "parameterValue": "/as" - }, - { - "parameterName": "FileDigest", - "parameterValue": "/fd \"SHA256\"" - }, - { - "parameterName": "PageHash", - "parameterValue": "/NPH" - }, - { - "parameterName": "TimeStamp", - "parameterValue": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" - } - ], - "toolName": "sign", - "toolVersion": "1.0" - }, - { - "keyCode": "CP-230012", - "operationSetCode": "SigntoolVerify", - "parameters": [ - { - "parameterName": "VerifyAll", - "parameterValue": "/all" - } - ], - "toolName": "sign", - "toolVersion": "1.0" + [ + { + "KeyCode": "CP-230012", + "OperationCode": "SigntoolSign", + "ToolName": "sign", + "ToolVersion": "1.0", + "Parameters": { + "OpusName": "Microsoft", + "OpusInfo": "https://www.microsoft.com", + "FileDigest": "/fd SHA256", + "PageHash": "/NPH", + "TimeStamp": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" } - ] + }, + { + "KeyCode": "CP-230012", + "OperationCode": 
"SigntoolVerify", + "ToolName": "sign", + "ToolVersion": "1.0", + "Parameters": {} + } + ] signConfigType: inlineSignParams - - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 + - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3 displayName: "Temp Sensor Code Sign" inputs: - ConnectedServiceName: "Azure IoT Edge Code Sign 2" + ConnectedServiceName: "aziotedge-pmc-v4-prod" FolderPath: $(Build.BinariesDirectory)/publish/SimulatedTemperatureSensor Pattern: "Microsoft.Azure.Devices.Edge.*.dll,SimulatedTemperatureSensor.dll" SessionTimeout: 20 inlineOperation: | - [ - { - "keyCode": "CP-230012", - "operationSetCode": "SigntoolSign", - "parameters": [ - { - "parameterName": "OpusName", - "parameterValue": "Microsoft" - }, - { - "parameterName": "OpusInfo", - "parameterValue": "http://www.microsoft.com" - }, - { - "parameterName": "Append", - "parameterValue": "/as" - }, - { - "parameterName": "FileDigest", - "parameterValue": "/fd \"SHA256\"" - }, - { - "parameterName": "PageHash", - "parameterValue": "/NPH" - }, - { - "parameterName": "TimeStamp", - "parameterValue": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" - } - ], - "toolName": "sign", - "toolVersion": "1.0" - }, - { - "keyCode": "CP-230012", - "operationSetCode": "SigntoolVerify", - "parameters": [ - { - "parameterName": "VerifyAll", - "parameterValue": "/all" - } - ], - "toolName": "sign", - "toolVersion": "1.0" + [ + { + "KeyCode": "CP-230012", + "OperationCode": "SigntoolSign", + "ToolName": "sign", + "ToolVersion": "1.0", + "Parameters": { + "OpusName": "Microsoft", + "OpusInfo": "https://www.microsoft.com", + "FileDigest": "/fd SHA256", + "PageHash": "/NPH", + "TimeStamp": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" } - ] + }, + { + "KeyCode": "CP-230012", + "OperationCode": "SigntoolVerify", + "ToolName": "sign", + "ToolVersion": "1.0", + "Parameters": {} + } + ] signConfigType: inlineSignParams - - task: 
SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 + - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3 displayName: "Functions Binding Code Sign" inputs: - ConnectedServiceName: "Azure IoT Edge Code Sign 2" + ConnectedServiceName: "aziotedge-pmc-v4-prod" FolderPath: $(Build.BinariesDirectory)/publish/Microsoft.Azure.WebJobs.Extensions.EdgeHub Pattern: Microsoft.Azure.WebJobs.Extensions*.dll SessionTimeout: 20 inlineOperation: | - [ - { - "keyCode": "CP-230012", - "operationSetCode": "SigntoolSign", - "parameters": [ - { - "parameterName": "OpusName", - "parameterValue": "Microsoft" - }, - { - "parameterName": "OpusInfo", - "parameterValue": "http://www.microsoft.com" - }, - { - "parameterName": "Append", - "parameterValue": "/as" - }, - { - "parameterName": "FileDigest", - "parameterValue": "/fd \"SHA256\"" - }, - { - "parameterName": "PageHash", - "parameterValue": "/NPH" - }, - { - "parameterName": "TimeStamp", - "parameterValue": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" - } - ], - "toolName": "sign", - "toolVersion": "1.0" - }, - { - "keyCode": "CP-230012", - "operationSetCode": "SigntoolVerify", - "parameters": [ - { - "parameterName": "VerifyAll", - "parameterValue": "/all" - } - ], - "toolName": "sign", - "toolVersion": "1.0" + [ + { + "KeyCode": "CP-230012", + "OperationCode": "SigntoolSign", + "ToolName": "sign", + "ToolVersion": "1.0", + "Parameters": { + "OpusName": "Microsoft", + "OpusInfo": "https://www.microsoft.com", + "FileDigest": "/fd SHA256", + "PageHash": "/NPH", + "TimeStamp": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" } - ] + }, + { + "KeyCode": "CP-230012", + "OperationCode": "SigntoolVerify", + "ToolName": "sign", + "ToolVersion": "1.0", + "Parameters": {} + } + ] signConfigType: inlineSignParams - - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 + - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3 displayName: "Functions Binding nuget 
package Sign" inputs: - ConnectedServiceName: "Azure IoT Edge Code Sign 2" + ConnectedServiceName: "aziotedge-pmc-v4-prod" FolderPath: $(Build.BinariesDirectory)/publish Pattern: Microsoft.Azure.WebJobs.Extensions*.nupkg inlineOperation: | @@ -283,8 +184,6 @@ stages: } ] signConfigType: inlineSignParams - # We're done with code signing, so remove dotnet version override - - template: ../templates/restore-default-dotnet.yaml - bash: | mkdir $(Build.ArtifactStagingDirectory)/publish-linux && \ mv $(Build.BinariesDirectory)/publish/{CACertificates,scripts,*.nupkg} \ diff --git a/builds/release/metrics-collector-images-release.yaml b/builds/release/metrics-collector-images-release.yaml index 34cf1a8adeb..0ba987d2a6e 100755 --- a/builds/release/metrics-collector-images-release.yaml +++ b/builds/release/metrics-collector-images-release.yaml 
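Review bot: The four `EsrpCodeSigning@3` tasks in this hunk (Edge Agent, Edge Hub, Temp Sensor, Functions Binding) each carry a verbatim copy of the same inline signing policy, even though `builds/release/templates/dotnet-code-sign.yaml` — updated by this same commit — already defines it; a template reference per task would leave one reviewable definition of key code, digest and timestamp settings instead of one per task, which is where drift in a signing policy tends to creep in. The rewrite also drops `Append: /as` from `SigntoolSign` and `VerifyAll: /all` from `SigntoolVerify` (now `"Parameters": {}`) without saying why; if that is deliberate, a comment such as `# Each file carries a single signature, so /as and /all are not passed` next to the operation would keep a future edit from re-adding them. The "Functions Binding nuget package Sign" task is likewise bumped to `@3`, but its `inlineOperation` body lies outside the hunk; since the DLL tasks needed their operation JSON rewritten for the new task version, it is worth confirming the nupkg operation is in a form the v3 task accepts rather than relying on the stage run alone.
```yaml
      # Code Sign
      - template: ../release/templates/dotnet-code-sign.yaml
        parameters:
          name: Edge Agent Code Sign
          path: $(Build.BinariesDirectory)/publish/Microsoft.Azure.Devices.Edge.Agent.Service
          pattern: Microsoft.Azure.Devices.Edge.*.dll
      # … unchanged shape for Edge Hub, Temp Sensor and Functions Binding: same template, own name/path/pattern …
```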
@@ -28,67 +28,37 @@ jobs: -c Release displayName: Build - # The code sign task requires .NET Core 2.1. - # TODO: Investigate why we have to toggle primary installs on linux, when we didn't have to do this on windows (now removed). - - template: ../templates/force-dotnet21.yaml - # Code Sign - - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 + - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3 displayName: "Metrics Collector Code Sign" inputs: - ConnectedServiceName: "Azure IoT Edge Code Sign 2" + ConnectedServiceName: "aziotedge-pmc-v4-prod" FolderPath: $(Build.BinariesDirectory)/publish/Microsoft.Azure.Devices.Edge.Azure.Monitor Pattern: Microsoft.Azure.Devices.Edge.Azure.Monitor*.dll SessionTimeout: 20 inlineOperation: | - [ - { - "keyCode": "CP-230012", - "operationSetCode": "SigntoolSign", - "parameters": [ - { - "parameterName": "OpusName", - "parameterValue": "Microsoft" - }, - { - "parameterName": "OpusInfo", - "parameterValue": "http://www.microsoft.com" - }, - { - "parameterName": "Append", - "parameterValue": "/as" - }, - { - "parameterName": "FileDigest", - "parameterValue": "/fd \"SHA256\"" - }, - { - "parameterName": "PageHash", - "parameterValue": "/NPH" - }, - { - "parameterName": "TimeStamp", - "parameterValue": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" - } - ], - "toolName": "sign", - "toolVersion": "1.0" - }, - { - "keyCode": "CP-230012", - "operationSetCode": "SigntoolVerify", - "parameters": [ - { - "parameterName": "VerifyAll", - "parameterValue": "/all" - } - ], - "toolName": "sign", - "toolVersion": "1.0" + [ + { + "KeyCode": "CP-230012", + "OperationCode": "SigntoolSign", + "ToolName": "sign", + "ToolVersion": "1.0", + "Parameters": { + "OpusName": "Microsoft", + "OpusInfo": "https://www.microsoft.com", + "FileDigest": "/fd SHA256", + "PageHash": "/NPH", + "TimeStamp": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" } - ] + }, + { + "KeyCode": 
"CP-230012", + "OperationCode": "SigntoolVerify", + "ToolName": "sign", + "ToolVersion": "1.0", + "Parameters": {} + } + ] signConfigType: inlineSignParams - # We're done with code signing, so remove dotnet version override - - template: ../templates/restore-default-dotnet.yaml - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0 displayName: Generate SBOM diff --git a/builds/release/refresh-core-images.yaml b/builds/release/refresh-core-images.yaml index c056cb7453b..619a473613f 100644 --- a/builds/release/refresh-core-images.yaml +++ b/builds/release/refresh-core-images.yaml @@ -244,10 +244,6 @@ stages: versionEnvVar: version versioningScheme: byEnvVar - # The code sign task requires .NET Core 2.1. - # TODO: Investigate why we have to toggle primary installs on linux, when we didn't have to do this on windows (now removed). - - template: ../templates/force-dotnet21.yaml - # Code Sign - template: templates/dotnet-code-sign.yaml parameters: @@ -273,10 +269,10 @@ stages: path: $(Build.BinariesDirectory)/publish/Microsoft.Azure.WebJobs.Extensions.EdgeHub pattern: Microsoft.Azure.WebJobs.Extensions*.dll - - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 + - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3 displayName: Sign Functions Binding nuget package inputs: - ConnectedServiceName: "Azure IoT Edge Code Sign 2" + ConnectedServiceName: "aziotedge-pmc-v4-prod" FolderPath: $(Build.BinariesDirectory)/publish Pattern: Microsoft.Azure.WebJobs.Extensions*.nupkg inlineOperation: | @@ -298,9 +294,6 @@ stages: ] signConfigType: inlineSignParams - # We're done with code signing, so remove dotnet version override - - template: ../templates/restore-default-dotnet.yaml - - task: PublishBuildArtifacts@1 displayName: Publish .NET Artifacts inputs: diff --git a/builds/release/refresh-metrics-collector-images.yaml b/builds/release/refresh-metrics-collector-images.yaml index 030d9ce718a..10a0c9ad3f8 100644 
--- a/builds/release/refresh-metrics-collector-images.yaml +++ b/builds/release/refresh-metrics-collector-images.yaml @@ -223,20 +223,12 @@ stages: -c Release displayName: Build - # The code sign task requires .NET Core 2.1. - # TODO: Investigate why we have to toggle primary installs on linux, when we didn't have to do this on windows (now removed). - - template: ../templates/force-dotnet21.yaml - - # Code Sign - template: templates/dotnet-code-sign.yaml parameters: name: Sign Metrics Collector path: $(Build.BinariesDirectory)/publish/Microsoft.Azure.Devices.Edge.Azure.Monitor pattern: Microsoft.Azure.Devices.Edge.Azure.Monitor*.dll - # We're done with code signing, so remove dotnet version override - - template: ../templates/restore-default-dotnet.yaml - - task: AzureArtifacts.manifest-generator-task.manifest-generator-task.ManifestGeneratorTask@0 displayName: Generate SBOM inputs: diff --git a/builds/release/templates/dotnet-code-sign.yaml b/builds/release/templates/dotnet-code-sign.yaml index 2f4e51821cf..0e846b6f3b9 100644 --- a/builds/release/templates/dotnet-code-sign.yaml +++ b/builds/release/templates/dotnet-code-sign.yaml 
@@ -10,58 +10,34 @@ parameters: default: '' steps: -- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 +- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@3 displayName: ${{ parameters.name }} inputs: - ConnectedServiceName: "Azure IoT Edge Code Sign 2" + ConnectedServiceName: "aziotedge-pmc-v4-prod" FolderPath: ${{ parameters.path }} Pattern: ${{ parameters.pattern }} SessionTimeout: 20 inlineOperation: | [ { - "keyCode": "CP-230012", - "operationSetCode": "SigntoolSign", - "parameters": [ - { - "parameterName": "OpusName", - "parameterValue": "Microsoft" - }, - { - "parameterName": "OpusInfo", - "parameterValue": "http://www.microsoft.com" - }, - { - "parameterName": "Append", - "parameterValue": "/as" - }, - { - "parameterName": "FileDigest", - "parameterValue": "/fd \"SHA256\"" - }, - { - "parameterName": "PageHash", - "parameterValue": "/NPH" - }, - { - "parameterName": "TimeStamp", - "parameterValue": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" - } - ], - "toolName": "sign", - "toolVersion": "1.0" + "KeyCode": "CP-230012", + "OperationCode": "SigntoolSign", + "ToolName": "sign", + "ToolVersion": "1.0", + "Parameters": { + "OpusName": "Microsoft", + "OpusInfo": "https://www.microsoft.com", + "FileDigest": "/fd SHA256", + "PageHash": "/NPH", + "TimeStamp": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" + } }, { - "keyCode": "CP-230012", - "operationSetCode": "SigntoolVerify", - "parameters": [ - { - "parameterName": "VerifyAll", - "parameterValue": "/all" - } - ], - "toolName": "sign", - "toolVersion": "1.0" + "KeyCode": "CP-230012", + "OperationCode": "SigntoolVerify", + "ToolName": "sign", + "ToolVersion": "1.0", + "Parameters": {} } ] signConfigType: inlineSignParams diff --git a/builds/templates/force-dotnet21.yaml b/builds/templates/force-dotnet21.yaml deleted file mode 100644 index 0825262ed47..00000000000 --- a/builds/templates/force-dotnet21.yaml +++ /dev/null 
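Review bot: This template is now the one place the .NET signing policy lives, yet nothing in it records what the two operations do or why the verify step runs with `"Parameters": {}`; a header comment above `steps:` such as `# Signs the files matching pattern under path with ESRP key CP-230012 (SHA-256 file digest, RFC 3161 timestamp), then runs SigntoolVerify over the same files` would make the policy reviewable without reading the JSON. The last declared parameter (its name is above the hunk) defaults to `''`, so a caller that omits it hands the task an empty value for `FolderPath` or `Pattern`; the task's behaviour on an empty value is not visible here, but an empty-string default on a signing scope is the kind of setting that silently widens or narrows what gets signed — presumably `path` and `pattern` should both be required (no `default:`) so a misconfigured caller fails at template expansion instead. If dropping `Append: /as` and `VerifyAll: /all` was intentional for the v3 task, a one-line comment beside the `SigntoolVerify` entry saying so would save the next reader from guessing.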
@@ -1,7 +0,0 @@ -# Add a global.json file to the root of the source code directory. This will override .NET's -# default behavior when determining which version of the runtime to use. Instead, .NET will -# use the version we specify here. -steps: - - bash: | - dotnet new globaljson --force --sdk-version 2.1 - displayName: Use .NET Core 2.1 \ No newline at end of file diff --git a/builds/templates/restore-default-dotnet.yaml b/builds/templates/restore-default-dotnet.yaml deleted file mode 100644 index f470c40281d..00000000000 --- a/builds/templates/restore-default-dotnet.yaml +++ /dev/null @@ -1,7 +0,0 @@ -# Remove the global.json file from the root of the source code directory, if it exists. This will -# remove any overrides, allowing .NET to use its default behavior (use latest) when determining -# which version of the runtime to use. -steps: - - bash: | - rm -f -v global.json - displayName: Restore default .NET version