move to new esrp service connection (#233591)

2026-05-08 09:08:48 +01:00 · 2024-11-11 21:52:05 +01:00
parent debf919871
commit 0244c5edf7
6 changed files with 46 additions and 32 deletions
@@ -5,11 +5,11 @@ parameters:

 steps:
  - task: AzureKeyVault@2
-    displayName: "Azure Key Vault: Get Secrets"
+    displayName: "Azure Key Vault: Get ESRP Secrets"
    inputs:
-      azureSubscription: vscode
-      KeyVaultName: vscode-build-secrets
-      SecretsFilter: "ESRP-PKI,esrp-aad-username,esrp-aad-password"
+      azureSubscription: vscode-esrp
+      KeyVaultName: vscode-esrp
+      SecretsFilter: "esrp-sign-legacy,esrp-aad-username,esrp-aad-password"

  - task: UseDotNet@2
    inputs:
@@ -32,10 +32,10 @@ steps:
        archiveFilePatterns: $(Build.ArtifactStagingDirectory)/pkg/${{ target }}/*.zip
        destinationFolder: $(Build.ArtifactStagingDirectory)/sign/${{ target }}

-  - script: node build/azure-pipelines/common/sign $(Agent.ToolsDirectory)/esrpclient/*/*/net6.0/esrpcli.dll sign-darwin $(ESRP-PKI) $(esrp-aad-username) $(esrp-aad-password) $(Build.ArtifactStagingDirectory)/pkg "*.zip"
+  - script: node build/azure-pipelines/common/sign $(Agent.ToolsDirectory)/esrpclient/*/*/net6.0/esrpcli.dll sign-darwin $(esrp-sign-legacy) $(esrp-aad-username) $(esrp-aad-password) $(Build.ArtifactStagingDirectory)/pkg "*.zip"
    displayName: Codesign

-  - script: node build/azure-pipelines/common/sign $(Agent.ToolsDirectory)/esrpclient/*/*/net6.0/esrpcli.dll notarize-darwin $(ESRP-PKI) $(esrp-aad-username) $(esrp-aad-password) $(Build.ArtifactStagingDirectory)/pkg "*.zip"
+  - script: node build/azure-pipelines/common/sign $(Agent.ToolsDirectory)/esrpclient/*/*/net6.0/esrpcli.dll notarize-darwin $(esrp-sign-legacy) $(esrp-aad-username) $(esrp-aad-password) $(Build.ArtifactStagingDirectory)/pkg "*.zip"
    displayName: Notarize

  - ${{ each target in parameters.VSCODE_CLI_ARTIFACTS }}:
@@ -5,11 +5,11 @@ parameters:

 steps:
  - task: AzureKeyVault@2
-    displayName: "Azure Key Vault: Get Secrets"
+    displayName: "Azure Key Vault: Get ESRP Secrets"
    inputs:
-      azureSubscription: vscode
-      KeyVaultName: vscode-build-secrets
-      SecretsFilter: "ESRP-PKI,esrp-aad-username,esrp-aad-password"
+      azureSubscription: vscode-esrp
+      KeyVaultName: vscode-esrp
+      SecretsFilter: "esrp-sign-legacy,esrp-aad-username,esrp-aad-password"

  - task: UseDotNet@2
    inputs:
@@ -42,7 +42,7 @@ steps:
      echo "##vso[task.setvariable variable=EsrpCliDllPath]$EsrpCliDllPath"
    displayName: Find ESRP CLI

-  - powershell: node build\azure-pipelines\common\sign $env:EsrpCliDllPath sign-windows $(ESRP-PKI) $(esrp-aad-username) $(esrp-aad-password) $(Build.ArtifactStagingDirectory)/sign "*.exe"
+  - powershell: node build\azure-pipelines\common\sign $env:EsrpCliDllPath sign-windows $(esrp-sign-legacy) $(esrp-aad-username) $(esrp-aad-password) $(Build.ArtifactStagingDirectory)/sign "*.exe"
    displayName: Codesign

  - ${{ each target in parameters.VSCODE_CLI_ARTIFACTS }}:
@@ -14,20 +14,20 @@ steps:
    displayName: Download ESRPClient

  - task: AzureKeyVault@2
-    displayName: "Azure Key Vault: Get Secrets"
+    displayName: "Azure Key Vault: Get ESRP Secrets"
    inputs:
-      azureSubscription: vscode
-      KeyVaultName: vscode-build-secrets
-      SecretsFilter: "ESRP-PKI,esrp-aad-username,esrp-aad-password"
+      azureSubscription: vscode-esrp
+      KeyVaultName: vscode-esrp
+      SecretsFilter: "esrp-sign-legacy,esrp-aad-username,esrp-aad-password"

  - download: current
    artifact: unsigned_vscode_client_darwin_$(VSCODE_ARCH)_archive
    displayName: Download $(VSCODE_ARCH) artifact

-  - script: node build/azure-pipelines/common/sign $(Agent.ToolsDirectory)/esrpclient/*/*/net6.0/esrpcli.dll sign-darwin $(ESRP-PKI) $(esrp-aad-username) $(esrp-aad-password) $(Pipeline.Workspace)/unsigned_vscode_client_darwin_$(VSCODE_ARCH)_archive VSCode-darwin-$(VSCODE_ARCH).zip
+  - script: node build/azure-pipelines/common/sign $(Agent.ToolsDirectory)/esrpclient/*/*/net6.0/esrpcli.dll sign-darwin $(esrp-sign-legacy) $(esrp-aad-username) $(esrp-aad-password) $(Pipeline.Workspace)/unsigned_vscode_client_darwin_$(VSCODE_ARCH)_archive VSCode-darwin-$(VSCODE_ARCH).zip
    displayName: Codesign

-  - script: node build/azure-pipelines/common/sign $(Agent.ToolsDirectory)/esrpclient/*/*/net6.0/esrpcli.dll notarize-darwin $(ESRP-PKI) $(esrp-aad-username) $(esrp-aad-password) $(Pipeline.Workspace)/unsigned_vscode_client_darwin_$(VSCODE_ARCH)_archive VSCode-darwin-$(VSCODE_ARCH).zip
+  - script: node build/azure-pipelines/common/sign $(Agent.ToolsDirectory)/esrpclient/*/*/net6.0/esrpcli.dll notarize-darwin $(esrp-sign-legacy) $(esrp-aad-username) $(esrp-aad-password) $(Pipeline.Workspace)/unsigned_vscode_client_darwin_$(VSCODE_ARCH)_archive VSCode-darwin-$(VSCODE_ARCH).zip
    displayName: Notarize

  - script: unzip $(Pipeline.Workspace)/unsigned_vscode_client_darwin_$(VSCODE_ARCH)_archive/VSCode-darwin-$(VSCODE_ARCH).zip -d $(Agent.BuildDirectory)/VSCode-darwin-$(VSCODE_ARCH)
@@ -32,7 +32,14 @@ steps:
      inputs:
        azureSubscription: vscode
        KeyVaultName: vscode-build-secrets
-        SecretsFilter: "github-distro-mixin-password,ESRP-PKI,esrp-aad-username,esrp-aad-password"
+        SecretsFilter: "github-distro-mixin-password"
+
+    - task: AzureKeyVault@2
+      displayName: "Azure Key Vault: Get ESRP Secrets"
+      inputs:
+        azureSubscription: vscode-esrp
+        KeyVaultName: vscode-esrp
+        SecretsFilter: "esrp-sign-legacy,esrp-aad-username,esrp-aad-password"

    - task: DownloadPipelineArtifact@2
      inputs:
@@ -353,10 +360,10 @@ steps:
      continueOnError: true
      displayName: Download ESRPClient

-    - script: node build/azure-pipelines/common/sign $(Agent.ToolsDirectory)/esrpclient/*/*/net6.0/esrpcli.dll sign-pgp $(ESRP-PKI) $(esrp-aad-username) $(esrp-aad-password) .build/linux/deb '*.deb'
+    - script: node build/azure-pipelines/common/sign $(Agent.ToolsDirectory)/esrpclient/*/*/net6.0/esrpcli.dll sign-pgp $(esrp-sign-legacy) $(esrp-aad-username) $(esrp-aad-password) .build/linux/deb '*.deb'
      displayName: Codesign deb

-    - script: node build/azure-pipelines/common/sign $(Agent.ToolsDirectory)/esrpclient/*/*/net6.0/esrpcli.dll sign-pgp $(ESRP-PKI) $(esrp-aad-username) $(esrp-aad-password) .build/linux/rpm '*.rpm'
+    - script: node build/azure-pipelines/common/sign $(Agent.ToolsDirectory)/esrpclient/*/*/net6.0/esrpcli.dll sign-pgp $(esrp-sign-legacy) $(esrp-aad-username) $(esrp-aad-password) .build/linux/rpm '*.rpm'
      displayName: Codesign rpm

    - script: echo "##vso[task.setvariable variable=ARTIFACT_PREFIX]attempt$(System.JobAttempt)_"
@@ -13,14 +13,14 @@ steps:
    inputs:
      azureSubscription: vscode
      KeyVaultName: vscode-build-secrets
-      SecretsFilter: "github-distro-mixin-password,esrp-aad-username,esrp-aad-password"
+      SecretsFilter: "github-distro-mixin-password"

  - task: AzureKeyVault@2
-    displayName: "Azure Key Vault: Get Secrets"
+    displayName: "Azure Key Vault: Get ESRP Secrets"
    inputs:
-      azureSubscription: vscode
-      KeyVaultName: vscode-build-packages
-      SecretsFilter: "vscode-esrp,c24324f7-e65f-4c45-8702-ed2d4c35df99"
+      azureSubscription: vscode-esrp
+      KeyVaultName: vscode-esrp
+      SecretsFilter: "esrp-auth,esrp-sign,esrp-aad-username,esrp-aad-password"

  # allow-any-unicode-next-line
  - pwsh: Write-Host "##vso[build.addbuildtag]🚀"
@@ -67,10 +67,10 @@ steps:
  - pwsh: |
      $ErrorActionPreference = "Stop"
      $CertCollection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
-      $AuthCertBytes = [System.Convert]::FromBase64String("$(vscode-esrp)")
+      $AuthCertBytes = [System.Convert]::FromBase64String("$(esrp-auth)")
      $CertCollection.Import($AuthCertBytes, $null, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable -bxor [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet)
      $RequestSigningCertIndex = $CertCollection.Count
-      $RequestSigningCertBytes = [System.Convert]::FromBase64String("$(c24324f7-e65f-4c45-8702-ed2d4c35df99)")
+      $RequestSigningCertBytes = [System.Convert]::FromBase64String("$(esrp-sign)")
      $CertCollection.Import($RequestSigningCertBytes, $null, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable -bxor [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet)
      $CertStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
      $CertStore.Open("ReadWrite")
@@ -37,7 +37,14 @@ steps:
      inputs:
        azureSubscription: vscode
        KeyVaultName: vscode-build-secrets
-        SecretsFilter: "github-distro-mixin-password,ESRP-PKI,esrp-aad-username,esrp-aad-password"
+        SecretsFilter: "github-distro-mixin-password"
+
+    - task: AzureKeyVault@2
+      displayName: "Azure Key Vault: Get ESRP Secrets"
+      inputs:
+        azureSubscription: vscode-esrp
+        KeyVaultName: vscode-esrp
+        SecretsFilter: "esrp-sign-legacy,esrp-aad-username,esrp-aad-password"

    - task: DownloadPipelineArtifact@2
      inputs:
@@ -220,11 +227,11 @@ steps:
          echo "##vso[task.setvariable variable=EsrpCliDllPath]$EsrpCliDllPath"
        displayName: Find ESRP CLI

-      - powershell: node build\azure-pipelines\common\sign $env:EsrpCliDllPath sign-windows $(ESRP-PKI) $(esrp-aad-username) $(esrp-aad-password) $(CodeSigningFolderPath) '*.dll,*.exe,*.node'
+      - powershell: node build\azure-pipelines\common\sign $env:EsrpCliDllPath sign-windows $(esrp-sign-legacy) $(esrp-aad-username) $(esrp-aad-password) $(CodeSigningFolderPath) '*.dll,*.exe,*.node'
        displayName: Codesign executables and shared libraries

    - ${{ if eq(parameters.VSCODE_QUALITY, 'insider') }}:
-      - powershell: node build\azure-pipelines\common\sign $env:EsrpCliDllPath sign-windows-appx $(ESRP-PKI) $(esrp-aad-username) $(esrp-aad-password) $(CodeSigningFolderPath) '*.appx'
+      - powershell: node build\azure-pipelines\common\sign $env:EsrpCliDllPath sign-windows-appx $(esrp-sign-legacy) $(esrp-aad-username) $(esrp-aad-password) $(CodeSigningFolderPath) '*.appx'
        displayName: Codesign context menu appx package

    - ${{ if ne(parameters.VSCODE_QUALITY, 'oss') }}:
@@ -268,7 +275,7 @@ steps:
      - powershell: |
          . build/azure-pipelines/win32/exec.ps1
          $ErrorActionPreference = "Stop"
-          $env:ESRPPKI = "$(ESRP-PKI)"
+          $env:ESRPPKI = "$(esrp-sign-legacy)"
          $env:ESRPAADUsername = "$(esrp-aad-username)"
          $env:ESRPAADPassword = "$(esrp-aad-password)"
          exec { npm run -- gulp "vscode-win32-$(VSCODE_ARCH)-system-setup" --sign }
@@ -280,7 +287,7 @@ steps:
      - powershell: |
          . build/azure-pipelines/win32/exec.ps1
          $ErrorActionPreference = "Stop"
-          $env:ESRPPKI = "$(ESRP-PKI)"
+          $env:ESRPPKI = "$(esrp-sign-legacy)"
          $env:ESRPAADUsername = "$(esrp-aad-username)"
          $env:ESRPAADPassword = "$(esrp-aad-password)"
          exec { npm run -- gulp "vscode-win32-$(VSCODE_ARCH)-user-setup" --sign }