From 0244c5edf737b56e5f48f5d51f4d5179979d3303 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Moreno?=
Date: Mon, 11 Nov 2024 21:52:05 +0100
Subject: [PATCH] move to new esrp service connection (#233591)
---
build/azure-pipelines/cli/cli-darwin-sign.yml | 12 ++++++------
build/azure-pipelines/cli/cli-win32-sign.yml | 10 +++++-----
.../darwin/product-build-darwin-sign.yml | 12 ++++++------
.../linux/product-build-linux.yml | 13 ++++++++++---
build/azure-pipelines/product-publish.yml | 14 +++++++-------
.../win32/product-build-win32.yml | 17 ++++++++++++-----
6 files changed, 46 insertions(+), 32 deletions(-)
diff --git a/build/azure-pipelines/cli/cli-darwin-sign.yml b/build/azure-pipelines/cli/cli-darwin-sign.yml
index c79e4747522..bd04c8f72bc 100644
--- a/build/azure-pipelines/cli/cli-darwin-sign.yml
+++ b/build/azure-pipelines/cli/cli-darwin-sign.yml
@@ -5,11 +5,11 @@ parameters:
steps:
- task: AzureKeyVault@2
- displayName: "Azure Key Vault: Get Secrets"
+ displayName: "Azure Key Vault: Get ESRP Secrets"
inputs:
- azureSubscription: vscode
- KeyVaultName: vscode-build-secrets
- SecretsFilter: "ESRP-PKI,esrp-aad-username,esrp-aad-password"
+ azureSubscription: vscode-esrp
+ KeyVaultName: vscode-esrp
+ SecretsFilter: "esrp-sign-legacy,esrp-aad-username,esrp-aad-password"
- task: UseDotNet@2
inputs:
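Review bot: The new `SecretsFilter` in this hunk fetches a secret named `esrp-sign-legacy`, a name that reads as a deprecated credential, yet the template records nothing about why the CLI signing path stays on it while product-publish.yml in the same patch moves to `esrp-auth`/`esrp-sign`. A short comment above the task would spare the next maintainer a guess, e.g. `# esrp-sign-legacy: request-signing cert used by the ESRP CLI path; product-publish.yml uses the newer esrp-auth/esrp-sign pair`. Whether a migration of this path is planned cannot be told from the diff, so the comment should state only what is known. The task sits inside a `steps:` list whose remaining entries continue past the hunk.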
@@ -32,10 +32,10 @@ steps:
archiveFilePatterns: $(Build.ArtifactStagingDirectory)/pkg/${{ target }}/*.zip
destinationFolder: $(Build.ArtifactStagingDirectory)/sign/${{ target }}
- - script: node build/azure-pipelines/common/sign $(Agent.ToolsDirectory)/esrpclient/*/*/net6.0/esrpcli.dll sign-darwin $(ESRP-PKI) $(esrp-aad-username) $(esrp-aad-password) $(Build.ArtifactStagingDirectory)/pkg "*.zip"
+ - script: node build/azure-pipelines/common/sign $(Agent.ToolsDirectory)/esrpclient/*/*/net6.0/esrpcli.dll sign-darwin $(esrp-sign-legacy) $(esrp-aad-username) $(esrp-aad-password) $(Build.ArtifactStagingDirectory)/pkg "*.zip"
displayName: Codesign
- - script: node build/azure-pipelines/common/sign $(Agent.ToolsDirectory)/esrpclient/*/*/net6.0/esrpcli.dll notarize-darwin $(ESRP-PKI) $(esrp-aad-username) $(esrp-aad-password) $(Build.ArtifactStagingDirectory)/pkg "*.zip"
+ - script: node build/azure-pipelines/common/sign $(Agent.ToolsDirectory)/esrpclient/*/*/net6.0/esrpcli.dll notarize-darwin $(esrp-sign-legacy) $(esrp-aad-username) $(esrp-aad-password) $(Build.ArtifactStagingDirectory)/pkg "*.zip"
displayName: Notarize
- ${{ each target in parameters.VSCODE_CLI_ARTIFACTS }}:
diff --git a/build/azure-pipelines/cli/cli-win32-sign.yml b/build/azure-pipelines/cli/cli-win32-sign.yml
index b5af28fd080..81f1a001489 100644
--- a/build/azure-pipelines/cli/cli-win32-sign.yml
+++ b/build/azure-pipelines/cli/cli-win32-sign.yml
@@ -5,11 +5,11 @@ parameters:
steps:
- task: AzureKeyVault@2
- displayName: "Azure Key Vault: Get Secrets"
+ displayName: "Azure Key Vault: Get ESRP Secrets"
inputs:
- azureSubscription: vscode
- KeyVaultName: vscode-build-secrets
- SecretsFilter: "ESRP-PKI,esrp-aad-username,esrp-aad-password"
+ azureSubscription: vscode-esrp
+ KeyVaultName: vscode-esrp
+ SecretsFilter: "esrp-sign-legacy,esrp-aad-username,esrp-aad-password"
- task: UseDotNet@2
inputs:
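Review bot: The rewritten `- script:` lines for Codesign and Notarize still hand `$(esrp-sign-legacy)`, `$(esrp-aad-username)` and `$(esrp-aad-password)` to node as positional arguments, so the request-signing certificate and the AAD password land in the argv of the node process, where any other process on the macOS agent can read them via `ps` and where a crash report that dumps `process.argv` would capture them; the pipeline's log masking does not reach that far. Passing them through the step's environment instead — `env: { ESRPPKI: $(esrp-sign-legacy), ESRPAADUsername: $(esrp-aad-username), ESRPAADPassword: $(esrp-aad-password) }` on each step — keeps them off the command line and out of bash word-splitting, and reuses the variable names the win32 setup steps in this patch already set. The `sign` helper under build/azure-pipelines/common is outside this diff and presumably reads these values positionally, so it would need a matching change to read them from `process.env`. The same pattern appears in the win32 and darwin product signing hunks below.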
@@ -42,7 +42,7 @@ steps:
echo "##vso[task.setvariable variable=EsrpCliDllPath]$EsrpCliDllPath"
displayName: Find ESRP CLI
- - powershell: node build\azure-pipelines\common\sign $env:EsrpCliDllPath sign-windows $(ESRP-PKI) $(esrp-aad-username) $(esrp-aad-password) $(Build.ArtifactStagingDirectory)/sign "*.exe"
+ - powershell: node build\azure-pipelines\common\sign $env:EsrpCliDllPath sign-windows $(esrp-sign-legacy) $(esrp-aad-username) $(esrp-aad-password) $(Build.ArtifactStagingDirectory)/sign "*.exe"
displayName: Codesign
- ${{ each target in parameters.VSCODE_CLI_ARTIFACTS }}:
diff --git a/build/azure-pipelines/darwin/product-build-darwin-sign.yml b/build/azure-pipelines/darwin/product-build-darwin-sign.yml
index cc0cc06d740..ccfbf58aa0b 100644
--- a/build/azure-pipelines/darwin/product-build-darwin-sign.yml
+++ b/build/azure-pipelines/darwin/product-build-darwin-sign.yml
@@ -14,20 +14,20 @@ steps:
displayName: Download ESRPClient
- task: AzureKeyVault@2
- displayName: "Azure Key Vault: Get Secrets"
+ displayName: "Azure Key Vault: Get ESRP Secrets"
inputs:
- azureSubscription: vscode
- KeyVaultName: vscode-build-secrets
- SecretsFilter: "ESRP-PKI,esrp-aad-username,esrp-aad-password"
+ azureSubscription: vscode-esrp
+ KeyVaultName: vscode-esrp
+ SecretsFilter: "esrp-sign-legacy,esrp-aad-username,esrp-aad-password"
- download: current
artifact: unsigned_vscode_client_darwin_$(VSCODE_ARCH)_archive
displayName: Download $(VSCODE_ARCH) artifact
- - script: node build/azure-pipelines/common/sign $(Agent.ToolsDirectory)/esrpclient/*/*/net6.0/esrpcli.dll sign-darwin $(ESRP-PKI) $(esrp-aad-username) $(esrp-aad-password) $(Pipeline.Workspace)/unsigned_vscode_client_darwin_$(VSCODE_ARCH)_archive VSCode-darwin-$(VSCODE_ARCH).zip
+ - script: node build/azure-pipelines/common/sign $(Agent.ToolsDirectory)/esrpclient/*/*/net6.0/esrpcli.dll sign-darwin $(esrp-sign-legacy) $(esrp-aad-username) $(esrp-aad-password) $(Pipeline.Workspace)/unsigned_vscode_client_darwin_$(VSCODE_ARCH)_archive VSCode-darwin-$(VSCODE_ARCH).zip
displayName: Codesign
- - script: node build/azure-pipelines/common/sign $(Agent.ToolsDirectory)/esrpclient/*/*/net6.0/esrpcli.dll notarize-darwin $(ESRP-PKI) $(esrp-aad-username) $(esrp-aad-password) $(Pipeline.Workspace)/unsigned_vscode_client_darwin_$(VSCODE_ARCH)_archive VSCode-darwin-$(VSCODE_ARCH).zip
+ - script: node build/azure-pipelines/common/sign $(Agent.ToolsDirectory)/esrpclient/*/*/net6.0/esrpcli.dll notarize-darwin $(esrp-sign-legacy) $(esrp-aad-username) $(esrp-aad-password) $(Pipeline.Workspace)/unsigned_vscode_client_darwin_$(VSCODE_ARCH)_archive VSCode-darwin-$(VSCODE_ARCH).zip
displayName: Notarize
- script: unzip $(Pipeline.Workspace)/unsigned_vscode_client_darwin_$(VSCODE_ARCH)_archive/VSCode-darwin-$(VSCODE_ARCH).zip -d $(Agent.BuildDirectory)/VSCode-darwin-$(VSCODE_ARCH)
diff --git a/build/azure-pipelines/linux/product-build-linux.yml b/build/azure-pipelines/linux/product-build-linux.yml
index 1ff4f300597..8d93d7d8adf 100644
--- a/build/azure-pipelines/linux/product-build-linux.yml
+++ b/build/azure-pipelines/linux/product-build-linux.yml
@@ -32,7 +32,14 @@ steps:
inputs:
azureSubscription: vscode
KeyVaultName: vscode-build-secrets
- SecretsFilter: "github-distro-mixin-password,ESRP-PKI,esrp-aad-username,esrp-aad-password"
+ SecretsFilter: "github-distro-mixin-password"
+
+ - task: AzureKeyVault@2
+ displayName: "Azure Key Vault: Get ESRP Secrets"
+ inputs:
+ azureSubscription: vscode-esrp
+ KeyVaultName: vscode-esrp
+ SecretsFilter: "esrp-sign-legacy,esrp-aad-username,esrp-aad-password"
- task: DownloadPipelineArtifact@2
inputs:
@@ -353,10 +360,10 @@ steps:
continueOnError: true
displayName: Download ESRPClient
- - script: node build/azure-pipelines/common/sign $(Agent.ToolsDirectory)/esrpclient/*/*/net6.0/esrpcli.dll sign-pgp $(ESRP-PKI) $(esrp-aad-username) $(esrp-aad-password) .build/linux/deb '*.deb'
+ - script: node build/azure-pipelines/common/sign $(Agent.ToolsDirectory)/esrpclient/*/*/net6.0/esrpcli.dll sign-pgp $(esrp-sign-legacy) $(esrp-aad-username) $(esrp-aad-password) .build/linux/deb '*.deb'
displayName: Codesign deb
- - script: node build/azure-pipelines/common/sign $(Agent.ToolsDirectory)/esrpclient/*/*/net6.0/esrpcli.dll sign-pgp $(ESRP-PKI) $(esrp-aad-username) $(esrp-aad-password) .build/linux/rpm '*.rpm'
+ - script: node build/azure-pipelines/common/sign $(Agent.ToolsDirectory)/esrpclient/*/*/net6.0/esrpcli.dll sign-pgp $(esrp-sign-legacy) $(esrp-aad-username) $(esrp-aad-password) .build/linux/rpm '*.rpm'
displayName: Codesign rpm
- script: echo "##vso[task.setvariable variable=ARTIFACT_PREFIX]attempt$(System.JobAttempt)_"
diff --git a/build/azure-pipelines/product-publish.yml b/build/azure-pipelines/product-publish.yml
index d33d3d04cf8..a175cf9571c 100644
--- a/build/azure-pipelines/product-publish.yml
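Review bot: The new `AzureKeyVault@2` task for the ESRP secrets is added near the top of the job (around line 32), while the only consumers visible in this file are the two `sign-pgp` steps at line ~360 in the second hunk, so the request-signing certificate and the AAD password are resident as pipeline variables for the whole build, including every compile and dependency-install step that runs in between. Fetching them right before the signing steps, next to `Download ESRPClient`, shrinks that window; the added task block can move as-is provided it picks up whatever `condition` guards the signing steps, which is outside the hunk. Whether any intermediate step maps these variables into its environment cannot be seen from this diff, so today's exposure may be limited to the agent's own variable store. product-build-win32.yml in this patch places its task the same way and would benefit from the same move.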
+++ b/build/azure-pipelines/product-publish.yml
@@ -13,14 +13,14 @@ steps:
inputs:
azureSubscription: vscode
KeyVaultName: vscode-build-secrets
- SecretsFilter: "github-distro-mixin-password,esrp-aad-username,esrp-aad-password"
+ SecretsFilter: "github-distro-mixin-password"
- task: AzureKeyVault@2
- displayName: "Azure Key Vault: Get Secrets"
+ displayName: "Azure Key Vault: Get ESRP Secrets"
inputs:
- azureSubscription: vscode
- KeyVaultName: vscode-build-packages
- SecretsFilter: "vscode-esrp,c24324f7-e65f-4c45-8702-ed2d4c35df99"
+ azureSubscription: vscode-esrp
+ KeyVaultName: vscode-esrp
+ SecretsFilter: "esrp-auth,esrp-sign,esrp-aad-username,esrp-aad-password"
# allow-any-unicode-next-line
- pwsh: Write-Host "##vso[build.addbuildtag]🚀"
@@ -67,10 +67,10 @@ steps:
- pwsh: |
$ErrorActionPreference = "Stop"
$CertCollection = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
- $AuthCertBytes = [System.Convert]::FromBase64String("$(vscode-esrp)")
+ $AuthCertBytes = [System.Convert]::FromBase64String("$(esrp-auth)")
$CertCollection.Import($AuthCertBytes, $null, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable -bxor [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet)
$RequestSigningCertIndex = $CertCollection.Count
- $RequestSigningCertBytes = [System.Convert]::FromBase64String("$(c24324f7-e65f-4c45-8702-ed2d4c35df99)")
+ $RequestSigningCertBytes = [System.Convert]::FromBase64String("$(esrp-sign)")
$CertCollection.Import($RequestSigningCertBytes, $null, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable -bxor [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet)
$CertStore = New-Object System.Security.Cryptography.X509Certificates.X509Store("My","LocalMachine")
$CertStore.Open("ReadWrite")
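Review bot: The new `SecretsFilter` fetches `esrp-aad-username` and `esrp-aad-password` alongside `esrp-auth` and `esrp-sign`, but the certificate-import block in the second hunk consumes only `$(esrp-auth)` and `$(esrp-sign)`; if nothing later in product-publish.yml uses the AAD pair (the rest of the file is outside this diff), trim the filter to `SecretsFilter: "esrp-auth,esrp-sign"` so the publish job holds only the secrets it needs. Separately, the unchanged `Import` calls in the second hunk combine the storage flags with `-bxor`; Exportable and PersistKeySet occupy different bits so the value equals `-bor` today, but `-bor` is the operator that expresses the intent and should replace it on both lines before another flag is added. Importing the auth and request-signing private keys as `Exportable` into `LocalMachine\My` also deserves a one-line comment saying why the ESRP client needs an exportable key, or removal of the flag if it does not.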
diff --git a/build/azure-pipelines/win32/product-build-win32.yml b/build/azure-pipelines/win32/product-build-win32.yml
index a7d64ede336..a8be25fe7e8 100644
--- a/build/azure-pipelines/win32/product-build-win32.yml
+++ b/build/azure-pipelines/win32/product-build-win32.yml
@@ -37,7 +37,14 @@ steps:
inputs:
azureSubscription: vscode
KeyVaultName: vscode-build-secrets
- SecretsFilter: "github-distro-mixin-password,ESRP-PKI,esrp-aad-username,esrp-aad-password"
+ SecretsFilter: "github-distro-mixin-password"
+
+ - task: AzureKeyVault@2
+ displayName: "Azure Key Vault: Get ESRP Secrets"
+ inputs:
+ azureSubscription: vscode-esrp
+ KeyVaultName: vscode-esrp
+ SecretsFilter: "esrp-sign-legacy,esrp-aad-username,esrp-aad-password"
- task: DownloadPipelineArtifact@2
inputs:
@@ -220,11 +227,11 @@ steps:
echo "##vso[task.setvariable variable=EsrpCliDllPath]$EsrpCliDllPath"
displayName: Find ESRP CLI
- - powershell: node build\azure-pipelines\common\sign $env:EsrpCliDllPath sign-windows $(ESRP-PKI) $(esrp-aad-username) $(esrp-aad-password) $(CodeSigningFolderPath) '*.dll,*.exe,*.node'
+ - powershell: node build\azure-pipelines\common\sign $env:EsrpCliDllPath sign-windows $(esrp-sign-legacy) $(esrp-aad-username) $(esrp-aad-password) $(CodeSigningFolderPath) '*.dll,*.exe,*.node'
displayName: Codesign executables and shared libraries
- ${{ if eq(parameters.VSCODE_QUALITY, 'insider') }}:
- - powershell: node build\azure-pipelines\common\sign $env:EsrpCliDllPath sign-windows-appx $(ESRP-PKI) $(esrp-aad-username) $(esrp-aad-password) $(CodeSigningFolderPath) '*.appx'
+ - powershell: node build\azure-pipelines\common\sign $env:EsrpCliDllPath sign-windows-appx $(esrp-sign-legacy) $(esrp-aad-username) $(esrp-aad-password) $(CodeSigningFolderPath) '*.appx'
displayName: Codesign context menu appx package
- ${{ if ne(parameters.VSCODE_QUALITY, 'oss') }}:
@@ -268,7 +275,7 @@ steps:
- powershell: |
. build/azure-pipelines/win32/exec.ps1
$ErrorActionPreference = "Stop"
- $env:ESRPPKI = "$(ESRP-PKI)"
+ $env:ESRPPKI = "$(esrp-sign-legacy)"
$env:ESRPAADUsername = "$(esrp-aad-username)"
$env:ESRPAADPassword = "$(esrp-aad-password)"
exec { npm run -- gulp "vscode-win32-$(VSCODE_ARCH)-system-setup" --sign }
@@ -280,7 +287,7 @@ steps:
- powershell: |
. build/azure-pipelines/win32/exec.ps1
$ErrorActionPreference = "Stop"
- $env:ESRPPKI = "$(ESRP-PKI)"
+ $env:ESRPPKI = "$(esrp-sign-legacy)"
$env:ESRPAADUsername = "$(esrp-aad-username)"
$env:ESRPAADPassword = "$(esrp-aad-password)"
exec { npm run -- gulp "vscode-win32-$(VSCODE_ARCH)-user-setup" --sign }
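Review bot: The rewritten `$env:ESRPPKI = "$(esrp-sign-legacy)"` splices the secret into a double-quoted PowerShell string before the script runs, so the value is parsed by PowerShell rather than passed through: a `"`, `$` or backtick in it would alter the script, and the same holds for the `$(esrp-aad-password)` assignment two lines below. Setting the three values through the step's `env:` mapping — `env: { ESRPPKI: $(esrp-sign-legacy), ESRPAADUsername: $(esrp-aad-username), ESRPAADPassword: $(esrp-aad-password) }` — hands them to the process unparsed, removes the three assignment lines from the inline script, and leaves the gulp task reading the same `$env:` names, assuming it reads them from the environment as the current code implies. A base64 certificate contains none of those characters, so in practice the password assignment is the line at risk. Both hunks on this line carry the identical assignment block and should change together.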