diff --git a/build/gulpfile.hygiene.js b/build/gulpfile.hygiene.js
index a145fe79820..6a4cd05d17f 100644
--- a/build/gulpfile.hygiene.js
+++ b/build/gulpfile.hygiene.js
@@ -82,6 +82,7 @@ const indentationFilter = [
'!build/{lib,tslintRules}/**/*.js',
'!build/**/*.sh',
'!build/tfs/**/*.js',
+ '!build/tfs/**/*.config',
'!**/Dockerfile',
'!extensions/markdown-language-features/media/*.js'
];
diff --git a/build/gulpfile.vscode.win32.js b/build/gulpfile.vscode.win32.js
index 5a03f23ba7d..ca55437c3df 100644
--- a/build/gulpfile.vscode.win32.js
+++ b/build/gulpfile.vscode.win32.js
@@ -42,7 +42,11 @@ function packageInnoSetup(iss, options, cb) {
keys.forEach(key => assert(typeof definitions[key] === 'string', `Missing value for '${key}' in Inno Setup package step`));
const defs = keys.map(key => `/d${key}=${definitions[key]}`);
- const args = [iss].concat(defs);
+ const args = [
+ iss,
+ '/Sesrp="powershell.exe build\tfs\win32\sign.ps1 $f"',
+ ...defs
+ ];
cp.spawn(innoSetupPath, args, { stdio: ['ignore', 'inherit', 'inherit'] })
.on('error', cb)
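Review bot: The new `/Sesrp=` literal in the `args` array uses single backslashes inside a single-quoted JavaScript string, so `\t` becomes a tab character and `\w`/`\s` collapse to `w`/`s`; the path Inno Setup is handed is `build<TAB>fswin32sign.ps1`, not `build\tfs\win32\sign.ps1`. Escape them: `'/Sesrp="powershell.exe build\\tfs\\win32\\sign.ps1 $f"'`. The path is also relative to the current working directory, so this presumably relies on the gulp task always being launched from the repository root; a comment stating that assumption next to the literal would help the next maintainer. packageInnoSetup begins and continues outside this hunk.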
diff --git a/build/tfs/product-build.yml b/build/tfs/product-build.yml
index dec69a68a11..83f312759b1 100644
--- a/build/tfs/product-build.yml
+++ b/build/tfs/product-build.yml
@@ -39,177 +39,115 @@ phases:
npm run gulp -- "vscode-win32-$(VSCODE_ARCH)-copy-inno-updater"
name: build
+ # - powershell: |
+ # $ErrorActionPreference = "Stop"
+ # npm run gulp -- "electron-$(VSCODE_ARCH)"
+ # .\scripts\test.bat --build --tfs "Unit Tests"
+ # # yarn smoketest -- --build "$(agent.builddirectory)\VSCode-win32-$(VSCODE_ARCH)"
+ # name: test
+
+ # - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
+ # inputs:
+ # ConnectedServiceName: 'ESRP CodeSign'
+ # FolderPath: '$(agent.builddirectory)/VSCode-win32-$(VSCODE_ARCH)'
+ # Pattern: '*.dll,*.exe,*.node'
+ # signConfigType: inlineSignParams
+ # inlineOperation: |
+ # [
+ # {
+ # "keyCode": "CP-229803",
+ # "operationSetCode": "SigntoolSign",
+ # "parameters": [
+ # {
+ # "parameterName": "OpusName",
+ # "parameterValue": "VS Code"
+ # },
+ # {
+ # "parameterName": "OpusInfo",
+ # "parameterValue": "https://code.visualstudio.com/"
+ # },
+ # {
+ # "parameterName": "PageHash",
+ # "parameterValue": "/NPH"
+ # },
+ # {
+ # "parameterName": "TimeStamp",
+ # "parameterValue": "/t \"http://ts4096.gtm.microsoft.com/TSS/AuthenticodeTS\""
+ # }
+ # ],
+ # "toolName": "sign",
+ # "toolVersion": "1.0"
+ # },
+ # {
+ # "keyCode": "CP-230012",
+ # "operationSetCode": "SigntoolSign",
+ # "parameters": [
+ # {
+ # "parameterName": "OpusName",
+ # "parameterValue": "VS Code"
+ # },
+ # {
+ # "parameterName": "OpusInfo",
+ # "parameterValue": "https://code.visualstudio.com/"
+ # },
+ # {
+ # "parameterName": "Append",
+ # "parameterValue": "/as"
+ # },
+ # {
+ # "parameterName": "FileDigest",
+ # "parameterValue": "/fd \"SHA256\""
+ # },
+ # {
+ # "parameterName": "PageHash",
+ # "parameterValue": "/NPH"
+ # },
+ # {
+ # "parameterName": "TimeStamp",
+ # "parameterValue": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256"
+ # }
+ # ],
+ # "toolName": "sign",
+ # "toolVersion": "1.0"
+ # },
+ # {
+ # "keyCode": "CP-230012",
+ # "operationSetCode": "SigntoolVerify",
+ # "parameters": [
+ # {
+ # "parameterName": "VerifyAll",
+ # "parameterValue": "/all"
+ # }
+ # ],
+ # "toolName": "sign",
+ # "toolVersion": "1.0"
+ # }
+ # ]
+ # SessionTimeout: 120
+
+ - task: NuGetCommand@2
+ displayName: Install ESRPClient.exe
+ inputs:
+ restoreSolution: 'build\tfs\win32\ESRPClient\packages.config'
+ feedsToUse: config
+ nugetConfigPath: 'build\tfs\win32\ESRPClient\NuGet.config'
+ externalFeedCredentials:
+ restoreDirectory: packages
+
+ - task: ESRPImportCertTask@1
+ displayName: Import ESRP Request Signing Certificate
+ inputs:
+ ESRP: 'ESRP CodeSign'
+
- powershell: |
$ErrorActionPreference = "Stop"
- npm run gulp -- "electron-$(VSCODE_ARCH)"
- .\scripts\test.bat --build --tfs "Unit Tests"
- # yarn smoketest -- --build "$(agent.builddirectory)\VSCode-win32-$(VSCODE_ARCH)"
- name: test
-
- - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
- inputs:
- ConnectedServiceName: 'ESRP CodeSign'
- FolderPath: '$(agent.builddirectory)/VSCode-win32-$(VSCODE_ARCH)'
- Pattern: '*.dll,*.exe,*.node'
- signConfigType: inlineSignParams
- inlineOperation: |
- [
- {
- "keyCode": "CP-229803",
- "operationSetCode": "SigntoolSign",
- "parameters": [
- {
- "parameterName": "OpusName",
- "parameterValue": "VS Code"
- },
- {
- "parameterName": "OpusInfo",
- "parameterValue": "https://code.visualstudio.com/"
- },
- {
- "parameterName": "PageHash",
- "parameterValue": "/NPH"
- },
- {
- "parameterName": "TimeStamp",
- "parameterValue": "/t \"http://ts4096.gtm.microsoft.com/TSS/AuthenticodeTS\""
- }
- ],
- "toolName": "sign",
- "toolVersion": "1.0"
- },
- {
- "keyCode": "CP-230012",
- "operationSetCode": "SigntoolSign",
- "parameters": [
- {
- "parameterName": "OpusName",
- "parameterValue": "VS Code"
- },
- {
- "parameterName": "OpusInfo",
- "parameterValue": "https://code.visualstudio.com/"
- },
- {
- "parameterName": "Append",
- "parameterValue": "/as"
- },
- {
- "parameterName": "FileDigest",
- "parameterValue": "/fd \"SHA256\""
- },
- {
- "parameterName": "PageHash",
- "parameterValue": "/NPH"
- },
- {
- "parameterName": "TimeStamp",
- "parameterValue": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256"
- }
- ],
- "toolName": "sign",
- "toolVersion": "1.0"
- },
- {
- "keyCode": "CP-230012",
- "operationSetCode": "SigntoolVerify",
- "parameters": [
- {
- "parameterName": "VerifyAll",
- "parameterValue": "/all"
- }
- ],
- "toolName": "sign",
- "toolVersion": "1.0"
- }
- ]
- SessionTimeout: 120
+ .\build\tfs\win32\import-esrp-auth-cert.ps1 -AuthCertificateBase64 $(ESRP_AUTH_CERTIFICATE) -AuthCertificateKey $(ESRP_AUTH_CERTIFICATE_KEY)
+ displayName: Import ESRP Auth Certificate
- powershell: |
$ErrorActionPreference = "Stop"
npm run gulp -- "vscode-win32-$(VSCODE_ARCH)-archive" "vscode-win32-$(VSCODE_ARCH)-system-setup" "vscode-win32-$(VSCODE_ARCH)-user-setup"
- - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
- inputs:
- ConnectedServiceName: 'ESRP CodeSign'
- FolderPath: '$(agent.builddirectory)'
- Pattern: VSCodeSetup.exe
- signConfigType: inlineSignParams
- inlineOperation: |
- [
- {
- "keyCode": "CP-229803",
- "operationSetCode": "SigntoolSign",
- "parameters": [
- {
- "parameterName": "OpusName",
- "parameterValue": "VS Code"
- },
- {
- "parameterName": "OpusInfo",
- "parameterValue": "https://code.visualstudio.com/"
- },
- {
- "parameterName": "PageHash",
- "parameterValue": "/NPH"
- },
- {
- "parameterName": "TimeStamp",
- "parameterValue": "/t \"http://ts4096.gtm.microsoft.com/TSS/AuthenticodeTS\""
- }
- ],
- "toolName": "sign",
- "toolVersion": "1.0"
- },
- {
- "keyCode": "CP-230012",
- "operationSetCode": "SigntoolSign",
- "parameters": [
- {
- "parameterName": "OpusName",
- "parameterValue": "VS Code"
- },
- {
- "parameterName": "OpusInfo",
- "parameterValue": "https://code.visualstudio.com/"
- },
- {
- "parameterName": "Append",
- "parameterValue": "/as"
- },
- {
- "parameterName": "FileDigest",
- "parameterValue": "/fd \"SHA256\""
- },
- {
- "parameterName": "PageHash",
- "parameterValue": "/NPH"
- },
- {
- "parameterName": "TimeStamp",
- "parameterValue": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256"
- }
- ],
- "toolName": "sign",
- "toolVersion": "1.0"
- },
- {
- "keyCode": "CP-230012",
- "operationSetCode": "SigntoolVerify",
- "parameters": [
- {
- "parameterName": "VerifyAll",
- "parameterValue": "/all"
- }
- ],
- "toolName": "sign",
- "toolVersion": "1.0"
- }
- ]
- SessionTimeout: 120
-
- - powershell: |
- $ErrorActionPreference = "Stop"
$Repo = "$(pwd)"
$Root = "$Repo\.."
$SystemExe = "$Repo\.build\win32-$(VSCODE_ARCH)\system-setup\VSCodeSetup.exe"
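Review bot: The "Import ESRP Auth Certificate" step expands `$(ESRP_AUTH_CERTIFICATE)` and `$(ESRP_AUTH_CERTIFICATE_KEY)` directly into the inline script text, so the PFX and its password become part of the generated script rather than being read from the environment; the conventional way to hand secrets to a script step is an `env:` mapping and `$env:` references inside the script, which keeps them out of the script body and out of any log or transcript that echoes it. The previous signing and test steps are kept as a commented-out block (the `# - powershell:` and `# - task: ...EsrpCodeSigning@1` lines) instead of being deleted; if the unit-test step is meant to return, a TODO naming the blocker would be clearer than eighty commented lines. `externalFeedCredentials:` in the NuGetCommand@2 inputs is left empty, which is presumably intentional for a public feed but worth a comment.
```yaml
  - powershell: |
      $ErrorActionPreference = "Stop"
      .\build\tfs\win32\import-esrp-auth-cert.ps1 -AuthCertificateBase64 $env:ESRP_AUTH_CERTIFICATE -AuthCertificateKey $env:ESRP_AUTH_CERTIFICATE_KEY
    displayName: Import ESRP Auth Certificate
    env:
      ESRP_AUTH_CERTIFICATE: $(ESRP_AUTH_CERTIFICATE)
      ESRP_AUTH_CERTIFICATE_KEY: $(ESRP_AUTH_CERTIFICATE_KEY)
  # … unchanged: archive / setup gulp step …
```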
diff --git a/build/tfs/win32/ESRPClient/NuGet.config b/build/tfs/win32/ESRPClient/NuGet.config
new file mode 100644
index 00000000000..6d6da347fd2
--- /dev/null
+++ b/build/tfs/win32/ESRPClient/NuGet.config
@@ -0,0 +1,6 @@
+
+
+
+
+
+
\ No newline at end of file
diff --git a/build/tfs/win32/ESRPClient/packages.config b/build/tfs/win32/ESRPClient/packages.config
new file mode 100644
index 00000000000..d7a6f144f47
--- /dev/null
+++ b/build/tfs/win32/ESRPClient/packages.config
@@ -0,0 +1,4 @@
+
+
+
+
diff --git a/build/tfs/win32/import-esrp-auth-cert.ps1 b/build/tfs/win32/import-esrp-auth-cert.ps1
new file mode 100644
index 00000000000..c345c780231
--- /dev/null
+++ b/build/tfs/win32/import-esrp-auth-cert.ps1
@@ -0,0 +1,14 @@
+Param(
+ [string]$AuthCertificateBase64,
+ [string]$AuthCertificateKey
+)
+
+# Import auth certificate
+$AuthCertificateFileName = [System.IO.Path]::GetTempFileName()
+$AuthCertificateBytes = [Convert]::FromBase64String($AuthCertificateBase64)
+[IO.File]::WriteAllBytes($AuthCertificateFileName, $AuthCertificateBytes)
+$AuthCertificate = Import-PfxCertificate -FilePath $AuthCertificateFileName -CertStoreLocation Cert:\LocalMachine\My -Password (ConvertTo-SecureString $AuthCertificateKey -AsPlainText -Force)
+rm $AuthCertificateFileName
+$ESRPAuthCertificateSubjectName = $AuthCertificate.Subject
+
+Write-Output ("##vso[task.setvariable variable=ESRPAuthCertificateSubjectName;]$ESRPAuthCertificateSubjectName")
\ No newline at end of file
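Review bot: The decoded PFX, private key included, is written in the clear to a `GetTempFileName()` path and the `rm` that removes it only runs on the success path; if `Import-PfxCertificate` throws (the calling pipeline step sets `$ErrorActionPreference = "Stop"`), the file stays behind in the agent's temp directory. Wrap the write/import in `try`/`finally` so the cleanup always runs, and use `Remove-Item` rather than the `rm` alias in a script. Both parameters are plain `[string]` with no `Mandatory` attribute, so an unset pipeline variable reaches `FromBase64String("")` and fails with a confusing error inside the import instead of at the parameter binder; `[Parameter(Mandatory)]` on each would surface that earlier. The certificate is imported into `Cert:\LocalMachine\My` and nothing here removes it afterwards, which presumably matters only on reused self-hosted agents.
```powershell
$AuthCertificateFileName = [System.IO.Path]::GetTempFileName()
try {
    $AuthCertificateBytes = [Convert]::FromBase64String($AuthCertificateBase64)
    [IO.File]::WriteAllBytes($AuthCertificateFileName, $AuthCertificateBytes)
    $AuthCertificate = Import-PfxCertificate -FilePath $AuthCertificateFileName -CertStoreLocation Cert:\LocalMachine\My -Password (ConvertTo-SecureString $AuthCertificateKey -AsPlainText -Force)
} finally {
    Remove-Item -Force $AuthCertificateFileName
}
# … unchanged: subject name export via ##vso[task.setvariable] …
```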
diff --git a/build/tfs/win32/sign.ps1 b/build/tfs/win32/sign.ps1
new file mode 100644
index 00000000000..e28482ba915
--- /dev/null
+++ b/build/tfs/win32/sign.ps1
@@ -0,0 +1,75 @@
+$Auth = Create-TmpJson @{
+ Version = "1.0.0"
+ AuthenticationType = "AAD_CERT"
+ ClientId = $env:ESRPClientId
+ AuthCert = @{
+ SubjectName = $env:ESRPAuthCertificateSubjectName
+ StoreLocation = "LocalMachine"
+ StoreName = "My"
+ }
+ RequestSigningCert = @{
+ SubjectName = $env:ESRPCertificateSubjectName
+ StoreLocation = "LocalMachine"
+ StoreName = "My"
+ }
+}
+
+$Policy = Create-TmpJson @{
+ Version = "1.0.0"
+}
+
+$Input = Create-TmpJson @{
+ Version = "1.0.0"
+ SignBatches = @(
+ @{
+ SourceLocationType = "UNC"
+ SignRequestFiles = @(
+ @{
+ SourceLocation = $args[0]
+ }
+ )
+ SigningInfo = @{
+ Operations = @(
+ @{
+ KeyCode = "CP-229803"
+ OperationCode = "SigntoolSign"
+ Parameters = @{
+ OpusName = "VS Code"
+ OpusInfo = "https://code.visualstudio.com/"
+ PageHash = "/NPH"
+ TimeStamp = "/t `"http://ts4096.gtm.microsoft.com/TSS/AuthenticodeTS`""
+ }
+ ToolName = "sign"
+ ToolVersion = "1.0"
+ },
+ @{
+ KeyCode = "CP-230012"
+ OperationCode = "SigntoolSign"
+ Parameters = @{
+ OpusName = "VS Code"
+ OpusInfo = "https://code.visualstudio.com/"
+ Append = "/as"
+ FileDigest = "/fd `"SHA256`""
+ PageHash = "/NPH"
+ TimeStamp = "/tr `"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer`" /td sha256"
+ }
+ ToolName = "sign"
+ ToolVersion = "1.0"
+ },
+ @{
+ KeyCode = "CP-230012"
+ OperationCode = "SigntoolVerify"
+ Parameters = @{
+ VerifyAll = "/all"
+ }
+ ToolName = "sign"
+ ToolVersion = "1.0"
+ }
+ )
+ }
+ }
+ )
+}
+
+$Output = [System.IO.Path]::GetTempFileName()
+build\tfs\win32\ESRPClient\packages\EsrpClient.1.0.27\tools\ESRPClient.exe Sign -a $Auth -p $Policy -i $Input -o $Output
\ No newline at end of file
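Review bot: `Create-TmpJson` is called three times (`$Auth`, `$Policy`, `$Input`) but is not defined anywhere in this 75-line file, and nothing dot-sources a helper, so as committed the script fails on its first line unless the function comes from the calling session; it presumably serializes the hashtable to a temp JSON file and returns the path, which is a five-line function that belongs at the top of the script. The ESRPClient.exe invocation at the end is the last statement, so a failed signing run still lets powershell.exe exit 0 and Inno Setup treats the unsigned file as signed; add `$ErrorActionPreference = "Stop"` at the top and `exit $LASTEXITCODE` after the call. `$Input` is a PowerShell automatic variable (the pipeline input enumerator) and should not be assigned — `$InputFile` avoids the shadowing. The `$Output` file is never read or removed, and the three JSON temp files are never cleaned up either.
```powershell
$ErrorActionPreference = "Stop"

function Create-TmpJson($Obj) {
    $FileName = [System.IO.Path]::GetTempFileName()
    ConvertTo-Json -Depth 100 $Obj | Out-File -Encoding UTF8 $FileName
    return $FileName
}

# … unchanged: $Auth, $Policy and $Input sign-batch hashtables …

$Output = [System.IO.Path]::GetTempFileName()
build\tfs\win32\ESRPClient\packages\EsrpClient.1.0.27\tools\ESRPClient.exe Sign -a $Auth -p $Policy -i $Input -o $Output
exit $LASTEXITCODE
```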
diff --git a/build/win32/code.iss b/build/win32/code.iss
index 846455906af..80fcbf70820 100644
--- a/build/win32/code.iss
+++ b/build/win32/code.iss
@@ -32,6 +32,7 @@ VersionInfoVersion={#RawVersion}
ShowLanguageDialog=auto
ArchitecturesAllowed={#ArchitecturesAllowed}
ArchitecturesInstallIn64BitMode={#ArchitecturesInstallIn64BitMode}
+SignTool=esrp
#if "user" == InstallTarget
DefaultDirName={userpf}\{#DirName}
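Review bot: `SignTool=esrp` is set unconditionally in the `[Setup]` section, so every compile of code.iss now requires the `esrp` sign tool to be defined on the ISCC command line (the `/Sesrp=` argument this commit adds to the gulp task); a local or unsigned build of the installer will fail at compile time. If unsigned builds are still expected, guarding the line with a preprocessor condition, or a comment such as `; requires /Sesrp=... on the ISCC command line (see build/gulpfile.vscode.win32.js)`, would make the dependency explicit.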