Skip to content

Commit 44992e5

Browse files
authored
Merge branch 'vfs-2.55.0' into kk/commit-reach-find-all-fix
2 parents ae68032 + 0612d2e commit 44992e5

847 files changed

Lines changed: 63893 additions & 16952 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.azure-pipelines/esrp/sign.yml

Lines changed: 106 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,106 @@
1+
# Reusable step template for ESRP code signing via EsrpCodeSigning@6.
2+
#
3+
# For macOS, ESRP requires files to be submitted as a zip archive.
4+
# Set 'useArchive: true' to automatically handle the
5+
# copy → zip → sign → extract cycle. For Windows/Linux where ESRP
6+
# can sign files directly in a folder, leave it as false (default).
7+
#
8+
parameters:
9+
- name: displayName
10+
type: string
11+
- name: folderPath
12+
type: string
13+
- name: pattern
14+
type: string
15+
- name: inlineOperation
16+
type: string
17+
# When true, matching files are copied to a staging dir, zipped,
18+
# signed, and extracted back to folderPath.
19+
- name: useArchive
20+
type: boolean
21+
default: false
22+
# ESRP connection parameters (defaults use pipeline variables)
23+
- name: connectedServiceName
24+
type: string
25+
default: $(esrpAppConnectionName)
26+
- name: appRegistrationClientId
27+
type: string
28+
default: $(esrpClientId)
29+
- name: appRegistrationTenantId
30+
type: string
31+
default: $(esrpTenantId)
32+
- name: authAkvName
33+
type: string
34+
default: $(esrpKeyVaultName)
35+
- name: authSignCertName
36+
type: string
37+
default: $(esrpSignReqCertName)
38+
- name: serviceEndpointUrl
39+
type: string
40+
default: $(esrpEndpointUrl)
41+
42+
steps:
43+
- ${{ if eq(parameters.useArchive, true) }}:
44+
- task: DeleteFiles@1
45+
displayName: 'Clean staging dir for ${{ parameters.displayName }}'
46+
inputs:
47+
SourceFolder: '$(Agent.TempDirectory)/esrp-staging'
48+
Contents: '*'
49+
RemoveSourceFolder: true
50+
- task: CopyFiles@2
51+
displayName: 'Collect files for ${{ parameters.displayName }}'
52+
inputs:
53+
SourceFolder: '${{ parameters.folderPath }}'
54+
Contents: '${{ parameters.pattern }}'
55+
TargetFolder: '$(Agent.TempDirectory)/esrp-staging/contents'
56+
- task: ArchiveFiles@2
57+
displayName: 'Archive files for ${{ parameters.displayName }}'
58+
inputs:
59+
rootFolderOrFile: '$(Agent.TempDirectory)/esrp-staging/contents'
60+
includeRootFolder: false
61+
archiveType: zip
62+
archiveFile: '$(Agent.TempDirectory)/esrp-staging/archive.zip'
63+
- task: EsrpCodeSigning@6
64+
displayName: '${{ parameters.displayName }}'
65+
inputs:
66+
connectedServiceName: '${{ parameters.connectedServiceName }}'
67+
useMSIAuthentication: true
68+
appRegistrationClientId: '${{ parameters.appRegistrationClientId }}'
69+
appRegistrationTenantId: '${{ parameters.appRegistrationTenantId }}'
70+
authAkvName: '${{ parameters.authAkvName }}'
71+
authSignCertName: '${{ parameters.authSignCertName }}'
72+
serviceEndpointUrl: '${{ parameters.serviceEndpointUrl }}'
73+
folderPath: '$(Agent.TempDirectory)/esrp-staging'
74+
pattern: 'archive.zip'
75+
useMinimatch: true
76+
signConfigType: inlineSignParams
77+
inlineOperation: ${{ parameters.inlineOperation }}
78+
- task: ExtractFiles@1
79+
displayName: 'Extract signed files for ${{ parameters.displayName }}'
80+
inputs:
81+
archiveFilePatterns: '$(Agent.TempDirectory)/esrp-staging/archive.zip'
82+
destinationFolder: '${{ parameters.folderPath }}'
83+
overwriteExistingFiles: true
84+
- task: DeleteFiles@1
85+
displayName: 'Clean up staging dir for ${{ parameters.displayName }}'
86+
condition: always()
87+
inputs:
88+
SourceFolder: '$(Agent.TempDirectory)/esrp-staging'
89+
Contents: '*'
90+
RemoveSourceFolder: true
91+
- ${{ else }}:
92+
- task: EsrpCodeSigning@6
93+
displayName: '${{ parameters.displayName }}'
94+
inputs:
95+
connectedServiceName: '${{ parameters.connectedServiceName }}'
96+
useMSIAuthentication: true
97+
appRegistrationClientId: '${{ parameters.appRegistrationClientId }}'
98+
appRegistrationTenantId: '${{ parameters.appRegistrationTenantId }}'
99+
authAkvName: '${{ parameters.authAkvName }}'
100+
authSignCertName: '${{ parameters.authSignCertName }}'
101+
serviceEndpointUrl: '${{ parameters.serviceEndpointUrl }}'
102+
folderPath: '${{ parameters.folderPath }}'
103+
pattern: '${{ parameters.pattern }}'
104+
useMinimatch: true
105+
signConfigType: inlineSignParams
106+
inlineOperation: ${{ parameters.inlineOperation }}
Lines changed: 173 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,173 @@
1+
#!/bin/bash
2+
#
3+
# Sign Windows files using the ESRP client (Authenticode).
4+
# Usage: esrpsign.sh <file1> [file2 ...]
5+
#
6+
# Required environment variables:
7+
# ESRP_TOOL - Path to ESRPClient.exe
8+
# ESRP_AUTH - Path to the ESRP auth JSON file
9+
# SYSTEM_ACCESSTOKEN - ADO system access token (OAuth bearer)
10+
#
11+
# Optional environment variables:
12+
# ESRP_KEYCODE - Signing key code (default: CP-231522)
13+
#
14+
# The script generates the auth and input JSON files and sets the
15+
# following ESRP client environment variables automatically:
16+
# ESRP_AUTH_CONFIG - Path to the auth JSON file
17+
# ESRP_POLICY_CONFIG - Path to the policy JSON file
18+
# ESRP_SESSION_CONFIG - Not set; ESRP client defaults are used
19+
#
20+
set -euo pipefail
21+
22+
if [ $# -lt 1 ]; then
23+
echo "usage: esrpsign.sh <file> [file ...]" >&2
24+
exit 1
25+
fi
26+
27+
if [ -z "${ESRP_TOOL:-}" ]; then
28+
echo "error: ESRP_TOOL environment variable must be set" >&2
29+
exit 1
30+
fi
31+
if [ -z "${ESRP_AUTH:-}" ]; then
32+
echo "error: ESRP_AUTH environment variable must be set" >&2
33+
exit 1
34+
fi
35+
if [ -z "${SYSTEM_ACCESSTOKEN:-}" ]; then
36+
echo "error: SYSTEM_ACCESSTOKEN environment variable must be set" >&2
37+
exit 1
38+
fi
39+
40+
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
41+
. "$SCRIPT_DIR/../../scripts/windows/utils.sh"
42+
43+
# Check for overriden key code, otherwise use default (Microsoft Third-Party/OSS)
44+
ESRP_KEYCODE="${ESRP_KEYCODE:-CP-231522}"
45+
46+
# Create work dir and resolve its Windows path by cd-ing into it.
47+
WORK_DIR="$(mktemp -d)"
48+
WORK_DIR_WIN="$(cd "$WORK_DIR" && pwd -W | sed 's|/|\\|g')"
49+
50+
echo "==> ESRP signing tool: $ESRP_TOOL"
51+
echo "==> Working directory: $WORK_DIR"
52+
53+
if [ ! -f "$ESRP_TOOL" ]; then
54+
echo "error: ESRPClient.exe not found at $ESRP_TOOL" >&2
55+
exit 1
56+
fi
57+
58+
# Build the SignRequestFiles JSON array
59+
echo "==> Preparing files for signing ($# file(s))..."
60+
files_json=""
61+
for file in "$@"; do
62+
if [ ! -f "$file" ]; then
63+
echo "error: file not found: $file" >&2
64+
exit 1
65+
fi
66+
67+
abs_path="$(cd "$(dirname "$file")" && pwd)/$(basename "$file")"
68+
win_path="$(to_windows_path "$abs_path")"
69+
# Escape backslashes for JSON
70+
win_path_escaped="${win_path//\\/\\\\}"
71+
echo " - $win_path"
72+
73+
if [ -n "$files_json" ]; then
74+
files_json+=","
75+
fi
76+
files_json+="
77+
{
78+
\"SourceLocation\": \"$win_path_escaped\",
79+
\"DestinationLocation\": \"$win_path_escaped\"
80+
}"
81+
done
82+
83+
# Generate the input JSON
84+
input_json="$WORK_DIR/input.json"
85+
output_json="$WORK_DIR/output.json"
86+
87+
echo "==> Generating input JSON: $input_json"
88+
cat > "$input_json" <<-EOF
89+
{
90+
"Version": "1.0.0",
91+
"SignBatches": [
92+
{
93+
"SourceLocationType": "UNC",
94+
"DestinationLocationType": "UNC",
95+
"SignRequestFiles": [$files_json
96+
],
97+
"SigningInfo": {
98+
"Operations": [
99+
{
100+
"KeyCode": "$ESRP_KEYCODE",
101+
"OperationCode": "SigntoolSign",
102+
"ToolName": "sign",
103+
"ToolVersion": "1.0",
104+
"Parameters": {
105+
"OpusName": "Microsoft",
106+
"OpusInfo": "https://www.microsoft.com",
107+
"FileDigest": "/fd SHA256",
108+
"PageHash": "/NPH",
109+
"TimeStamp": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256"
110+
}
111+
},
112+
{
113+
"KeyCode": "$ESRP_KEYCODE",
114+
"OperationCode": "SigntoolVerify",
115+
"ToolName": "sign",
116+
"ToolVersion": "1.0",
117+
"Parameters": {}
118+
}
119+
]
120+
}
121+
}
122+
]
123+
}
124+
EOF
125+
126+
# Generate policy JSON
127+
echo "==> Generating policy JSON..."
128+
policy_json="$WORK_DIR/policy.json"
129+
cat > "$policy_json" <<-EOF
130+
{
131+
"Version": "1.0.0",
132+
"Intent": "ProductRelease",
133+
"ContentType": "Binaries",
134+
"ContentOrigin": "1stParty",
135+
"ProductState": "Current",
136+
"Audience": "ExternalBroad"
137+
}
138+
EOF
139+
140+
# Use auth JSON from ESRP_AUTH
141+
export ESRP_AUTH_CONFIG="$(to_windows_path "$ESRP_AUTH")"
142+
export ESRP_POLICY_CONFIG="$WORK_DIR_WIN\\policy.json"
143+
144+
# The ADO system access token is referenced in the auth JSON via the environment
145+
# variable - export this so the ESRP client can pick it up when it runs.
146+
export SYSTEM_ACCESSTOKEN
147+
148+
# Print generated JSON files for debugging
149+
echo "==> Auth JSON:"
150+
cat "$ESRP_AUTH"
151+
echo ""
152+
echo "==> Policy JSON:"
153+
cat "$policy_json"
154+
echo ""
155+
echo "==> Input JSON:"
156+
cat "$input_json"
157+
echo ""
158+
159+
# Sign the files
160+
esrp_tool_win="$(to_windows_path "$ESRP_TOOL")"
161+
input_json_win="$WORK_DIR_WIN\\input.json"
162+
output_json_win="$WORK_DIR_WIN\\output.json"
163+
164+
echo "==> ESRP_AUTH_CONFIG=$ESRP_AUTH_CONFIG"
165+
echo "==> ESRP_POLICY_CONFIG=$ESRP_POLICY_CONFIG"
166+
echo "==> Running: $esrp_tool_win sign -i $input_json_win -o $output_json_win"
167+
"$esrp_tool_win" sign \
168+
-i "$input_json_win" \
169+
-o "$output_json_win"
170+
171+
echo "==> Signing complete."
172+
echo "==> Output JSON:"
173+
cat "$output_json"
Lines changed: 69 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,69 @@
1+
parameters:
2+
- name: serviceConnectionName
3+
type: string
4+
- name: esrpClientId
5+
type: string
6+
- name: keyVaultName
7+
type: string
8+
- name: signCertName
9+
type: string
10+
11+
steps:
12+
- task: EsrpClientTool@5
13+
name: esrpinstall
14+
displayName: 'Install ESRP client'
15+
- task: AzureCLI@2
16+
displayName: 'Set up ESRP environment'
17+
inputs:
18+
azureSubscription: ${{ parameters.serviceConnectionName }}
19+
addSpnToEnvironment: true
20+
scriptType: ps
21+
scriptLocation: inlineScript
22+
inlineScript: |
23+
# Resolve ESRP client tool path (passed via env to avoid PS subexpression issues)
24+
$esrpTool = "$env:ESRPCLIENT_TOOLPATH\$env:ESRPCLIENT_TOOLNAME"
25+
if (-not (Test-Path $esrpTool)) { Write-Error "ESRPClient.exe not found at $esrpTool"; exit 1 }
26+
Write-Host "Found ESRP client: $esrpTool"
27+
Write-Host "##vso[task.setvariable variable=ESRP_TOOL]$esrpTool"
28+
29+
# Derive the service connection GUID from the ENDPOINT_URL_* env vars
30+
# that the agent emits for the bound connection. Filter out the
31+
# built-in SystemVssConnection which is always present.
32+
$scId = (Get-ChildItem env:ENDPOINT_URL_*).Name `
33+
-replace '^ENDPOINT_URL_','' |
34+
Where-Object { $_ -ne 'SYSTEMVSSCONNECTION' }
35+
if (-not $scId) { Write-Error "Could not derive service connection GUID"; exit 1 }
36+
Write-Host "Resolved service connection GUID: $scId"
37+
38+
# servicePrincipalId and tenantId are provided by addSpnToEnvironment
39+
$authJson = @{
40+
Version = "1.0.0"
41+
AuthenticationType = "AAD_MSI_WIF"
42+
EsrpClientId = "${{ parameters.esrpClientId }}"
43+
ClientId = $env:servicePrincipalId
44+
TenantId = $env:tenantId
45+
AADAuthorityBaseUri = "https://login.microsoftonline.com/"
46+
FederatedTokenData = @{
47+
JobId = "$(System.JobId)"
48+
PlanId = "$(System.PlanId)"
49+
ProjectId = "$(System.TeamProjectId)"
50+
Hub = "$(System.HostType)"
51+
Uri = "$(System.CollectionUri)"
52+
ServiceConnectionId = $scId
53+
SystemAccessToken = "SYSTEM_ACCESSTOKEN"
54+
}
55+
RequestSigningCert = @{
56+
GetCertFromKeyVault = $true
57+
KeyVaultName = "${{ parameters.keyVaultName }}"
58+
KeyVaultCertName = "${{ parameters.signCertName }}"
59+
}
60+
} | ConvertTo-Json -Depth 4
61+
62+
$authPath = "$(Agent.TempDirectory)\esrp-auth.json"
63+
$authJson | Set-Content -Path $authPath -Encoding UTF8
64+
Write-Host "Generated ESRP auth JSON: $authPath"
65+
Write-Host "##vso[task.setvariable variable=ESRP_AUTH]$authPath"
66+
env:
67+
SYSTEM_ACCESSTOKEN: $(System.AccessToken)
68+
ESRPCLIENT_TOOLPATH: $(esrpinstall.esrpclient.toolpath)
69+
ESRPCLIENT_TOOLNAME: $(esrpinstall.esrpclient.toolname)
Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
*.patch whitespace=-trailing-space,-blank-at-eof
Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,13 @@
1+
diff --git a/installer/install.iss b/installer/install.iss
2+
index 70787b7..137f660 100644
3+
--- a/installer/install.iss
4+
+++ b/installer/install.iss
5+
@@ -65,7 +65,7 @@ SignTool=signtool
6+
; Installer-related
7+
AllowNoIcons=yes
8+
AppName={#APP_NAME}
9+
-AppPublisher=The Git Development Community
10+
+AppPublisher=The Git Client Team at Microsoft
11+
AppPublisherURL={#APP_URL}
12+
AppSupportURL={#APP_CONTACT_URL}
13+
AppVersion={#APP_VERSION}

0 commit comments

Comments
 (0)