From d1fed9e7cf9d2b7251fa59490de2fb2cc66fd1e9 Mon Sep 17 00:00:00 2001
From: Joao Moreno
Date: Mon, 2 Jul 2018 11:43:03 +0200
Subject: [PATCH] wip: attempt to sign uninstaller

---
 build/gulpfile.hygiene.js | 1 +
 build/gulpfile.vscode.win32.js | 6 +-
 build/tfs/product-build.yml | 266 ++++++++-------------
 build/tfs/win32/ESRPClient/NuGet.config | 6 +
 build/tfs/win32/ESRPClient/packages.config | 4 +
 build/tfs/win32/import-esrp-auth-cert.ps1 | 14 ++
 build/tfs/win32/sign.ps1 | 75 ++++++
 build/win32/code.iss | 1 +
 8 files changed, 208 insertions(+), 165 deletions(-)
 create mode 100644 build/tfs/win32/ESRPClient/NuGet.config
 create mode 100644 build/tfs/win32/ESRPClient/packages.config
 create mode 100644 build/tfs/win32/import-esrp-auth-cert.ps1
 create mode 100644 build/tfs/win32/sign.ps1

diff --git a/build/gulpfile.hygiene.js b/build/gulpfile.hygiene.js
index a145fe79820..6a4cd05d17f 100644
--- a/build/gulpfile.hygiene.js
+++ b/build/gulpfile.hygiene.js
@@ -82,6 +82,7 @@ const indentationFilter = [
 	'!build/{lib,tslintRules}/**/*.js',
 	'!build/**/*.sh',
 	'!build/tfs/**/*.js',
+	'!build/tfs/**/*.config',
 	'!**/Dockerfile',
 	'!extensions/markdown-language-features/media/*.js'
 ];
diff --git a/build/gulpfile.vscode.win32.js b/build/gulpfile.vscode.win32.js
index 5a03f23ba7d..ca55437c3df 100644
--- a/build/gulpfile.vscode.win32.js
+++ b/build/gulpfile.vscode.win32.js
@@ -42,7 +42,11 @@ function packageInnoSetup(iss, options, cb) {
 	keys.forEach(key => assert(typeof definitions[key] === 'string', `Missing value for '${key}' in Inno Setup package step`));
 	const defs = keys.map(key => `/d${key}=${definitions[key]}`);
-	const args = [iss].concat(defs);
+	const args = [
+		iss,
+		'/Sesrp="powershell.exe build\tfs\win32\sign.ps1 $f"',
+		...defs
+	];
 	cp.spawn(innoSetupPath, args, { stdio: ['ignore', 'inherit', 'inherit'] })
 		.on('error', cb)
diff --git a/build/tfs/product-build.yml b/build/tfs/product-build.yml
index dec69a68a11..83f312759b1 100644
--- a/build/tfs/product-build.yml
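Review bot: The sign-tool command on the added `'/Sesrp=...'` line is a plain single-quoted JS string, so `\t` in `build\tfs` is a tab escape and `\w`/`\s` collapse to `w`/`s`; the path handed to Inno Setup is not `build\tfs\win32\sign.ps1` and the `SignTool=esrp` entry in code.iss will invoke a script that does not exist. Double the backslashes, and because `powershell.exe` without `-File` treats its arguments as a command, name the script explicitly: `'/Sesrp="powershell.exe -ExecutionPolicy Bypass -File build\\tfs\\win32\\sign.ps1 $q$f$q"'` (`$f` is the placeholder Inno Setup substitutes with the file to sign, `$q` a literal double quote so paths with spaces survive). The script path is relative, so this also relies on the compiler being spawned with the repo root as its working directory; that is presumably what this gulp task does, but it is not visible here. packageInnoSetup continues outside the hunk.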
+++ b/build/tfs/product-build.yml 
@@ -39,177 +39,115 @@ phases: npm run gulp -- "vscode-win32-$(VSCODE_ARCH)-copy-inno-updater" name: build + # - powershell: | + # $ErrorActionPreference = "Stop" + # npm run gulp -- "electron-$(VSCODE_ARCH)" + # .\scripts\test.bat --build --tfs "Unit Tests" + # # yarn smoketest -- --build "$(agent.builddirectory)\VSCode-win32-$(VSCODE_ARCH)" + # name: test + + # - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 + # inputs: + # ConnectedServiceName: 'ESRP CodeSign' + # FolderPath: '$(agent.builddirectory)/VSCode-win32-$(VSCODE_ARCH)' + # Pattern: '*.dll,*.exe,*.node' + # signConfigType: inlineSignParams + # inlineOperation: | + # [ + # { + # "keyCode": "CP-229803", + # "operationSetCode": "SigntoolSign", + # "parameters": [ + # { + # "parameterName": "OpusName", + # "parameterValue": "VS Code" + # }, + # { + # "parameterName": "OpusInfo", + # "parameterValue": "https://code.visualstudio.com/" + # }, + # { + # "parameterName": "PageHash", + # "parameterValue": "/NPH" + # }, + # { + # "parameterName": "TimeStamp", + # "parameterValue": "/t \"http://ts4096.gtm.microsoft.com/TSS/AuthenticodeTS\"" + # } + # ], + # "toolName": "sign", + # "toolVersion": "1.0" + # }, + # { + # "keyCode": "CP-230012", + # "operationSetCode": "SigntoolSign", + # "parameters": [ + # { + # "parameterName": "OpusName", + # "parameterValue": "VS Code" + # }, + # { + # "parameterName": "OpusInfo", + # "parameterValue": "https://code.visualstudio.com/" + # }, + # { + # "parameterName": "Append", + # "parameterValue": "/as" + # }, + # { + # "parameterName": "FileDigest", + # "parameterValue": "/fd \"SHA256\"" + # }, + # { + # "parameterName": "PageHash", + # "parameterValue": "/NPH" + # }, + # { + # "parameterName": "TimeStamp", + # "parameterValue": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" + # } + # ], + # "toolName": "sign", + # "toolVersion": "1.0" + # }, + # { + # "keyCode": "CP-230012", + # "operationSetCode": "SigntoolVerify", + # "parameters": 
[ + # { + # "parameterName": "VerifyAll", + # "parameterValue": "/all" + # } + # ], + # "toolName": "sign", + # "toolVersion": "1.0" + # } + # ] + # SessionTimeout: 120 + + - task: NuGetCommand@2 + displayName: Install ESRPClient.exe + inputs: + restoreSolution: 'build\tfs\win32\ESRPClient\packages.config' + feedsToUse: config + nugetConfigPath: 'build\tfs\win32\ESRPClient\NuGet.config' + externalFeedCredentials: + restoreDirectory: packages + + - task: ESRPImportCertTask@1 + displayName: Import ESRP Request Signing Certificate + inputs: + ESRP: 'ESRP CodeSign' + - powershell: | $ErrorActionPreference = "Stop" - npm run gulp -- "electron-$(VSCODE_ARCH)" - .\scripts\test.bat --build --tfs "Unit Tests" - # yarn smoketest -- --build "$(agent.builddirectory)\VSCode-win32-$(VSCODE_ARCH)" - name: test - - - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 - inputs: - ConnectedServiceName: 'ESRP CodeSign' - FolderPath: '$(agent.builddirectory)/VSCode-win32-$(VSCODE_ARCH)' - Pattern: '*.dll,*.exe,*.node' - signConfigType: inlineSignParams - inlineOperation: | - [ - { - "keyCode": "CP-229803", - "operationSetCode": "SigntoolSign", - "parameters": [ - { - "parameterName": "OpusName", - "parameterValue": "VS Code" - }, - { - "parameterName": "OpusInfo", - "parameterValue": "https://code.visualstudio.com/" - }, - { - "parameterName": "PageHash", - "parameterValue": "/NPH" - }, - { - "parameterName": "TimeStamp", - "parameterValue": "/t \"http://ts4096.gtm.microsoft.com/TSS/AuthenticodeTS\"" - } - ], - "toolName": "sign", - "toolVersion": "1.0" - }, - { - "keyCode": "CP-230012", - "operationSetCode": "SigntoolSign", - "parameters": [ - { - "parameterName": "OpusName", - "parameterValue": "VS Code" - }, - { - "parameterName": "OpusInfo", - "parameterValue": "https://code.visualstudio.com/" - }, - { - "parameterName": "Append", - "parameterValue": "/as" - }, - { - "parameterName": "FileDigest", - "parameterValue": "/fd \"SHA256\"" - }, - { - "parameterName": 
"PageHash", - "parameterValue": "/NPH" - }, - { - "parameterName": "TimeStamp", - "parameterValue": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" - } - ], - "toolName": "sign", - "toolVersion": "1.0" - }, - { - "keyCode": "CP-230012", - "operationSetCode": "SigntoolVerify", - "parameters": [ - { - "parameterName": "VerifyAll", - "parameterValue": "/all" - } - ], - "toolName": "sign", - "toolVersion": "1.0" - } - ] - SessionTimeout: 120 + .\build\tfs\win32\import-esrp-auth-cert.ps1 -AuthCertificateBase64 $(ESRP_AUTH_CERTIFICATE) -AuthCertificateKey $(ESRP_AUTH_CERTIFICATE_KEY) + displayName: Import ESRP Auth Certificate - powershell: | $ErrorActionPreference = "Stop" npm run gulp -- "vscode-win32-$(VSCODE_ARCH)-archive" "vscode-win32-$(VSCODE_ARCH)-system-setup" "vscode-win32-$(VSCODE_ARCH)-user-setup" - - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1 - inputs: - ConnectedServiceName: 'ESRP CodeSign' - FolderPath: '$(agent.builddirectory)' - Pattern: VSCodeSetup.exe - signConfigType: inlineSignParams - inlineOperation: | - [ - { - "keyCode": "CP-229803", - "operationSetCode": "SigntoolSign", - "parameters": [ - { - "parameterName": "OpusName", - "parameterValue": "VS Code" - }, - { - "parameterName": "OpusInfo", - "parameterValue": "https://code.visualstudio.com/" - }, - { - "parameterName": "PageHash", - "parameterValue": "/NPH" - }, - { - "parameterName": "TimeStamp", - "parameterValue": "/t \"http://ts4096.gtm.microsoft.com/TSS/AuthenticodeTS\"" - } - ], - "toolName": "sign", - "toolVersion": "1.0" - }, - { - "keyCode": "CP-230012", - "operationSetCode": "SigntoolSign", - "parameters": [ - { - "parameterName": "OpusName", - "parameterValue": "VS Code" - }, - { - "parameterName": "OpusInfo", - "parameterValue": "https://code.visualstudio.com/" - }, - { - "parameterName": "Append", - "parameterValue": "/as" - }, - { - "parameterName": "FileDigest", - "parameterValue": "/fd \"SHA256\"" - }, - { - "parameterName": 
"PageHash", - "parameterValue": "/NPH" - }, - { - "parameterName": "TimeStamp", - "parameterValue": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256" - } - ], - "toolName": "sign", - "toolVersion": "1.0" - }, - { - "keyCode": "CP-230012", - "operationSetCode": "SigntoolVerify", - "parameters": [ - { - "parameterName": "VerifyAll", - "parameterValue": "/all" - } - ], - "toolName": "sign", - "toolVersion": "1.0" - } - ] - SessionTimeout: 120 - - - powershell: | - $ErrorActionPreference = "Stop" $Repo = "$(pwd)" $Root = "$Repo\.." $SystemExe = "$Repo\.build\win32-$(VSCODE_ARCH)\system-setup\VSCodeSetup.exe" diff --git a/build/tfs/win32/ESRPClient/NuGet.config b/build/tfs/win32/ESRPClient/NuGet.config new file mode 100644 index 00000000000..6d6da347fd2 --- /dev/null +++ b/build/tfs/win32/ESRPClient/NuGet.config @@ -0,0 +1,6 @@ + + + + + + \ No newline at end of file diff --git a/build/tfs/win32/ESRPClient/packages.config b/build/tfs/win32/ESRPClient/packages.config new file mode 100644 index 00000000000..d7a6f144f47 --- /dev/null +++ b/build/tfs/win32/ESRPClient/packages.config @@ -0,0 +1,4 @@ + + + + diff --git a/build/tfs/win32/import-esrp-auth-cert.ps1 b/build/tfs/win32/import-esrp-auth-cert.ps1 new file mode 100644 index 00000000000..c345c780231 --- /dev/null +++ b/build/tfs/win32/import-esrp-auth-cert.ps1 
@@ -0,0 +1,14 @@
+Param(
+	[string]$AuthCertificateBase64,
+	[string]$AuthCertificateKey
+)
+
+# Import auth certificate
+$AuthCertificateFileName = [System.IO.Path]::GetTempFileName()
+$AuthCertificateBytes = [Convert]::FromBase64String($AuthCertificateBase64)
+[IO.File]::WriteAllBytes($AuthCertificateFileName, $AuthCertificateBytes)
+$AuthCertificate = Import-PfxCertificate -FilePath $AuthCertificateFileName -CertStoreLocation Cert:\LocalMachine\My -Password (ConvertTo-SecureString $AuthCertificateKey -AsPlainText -Force)
+rm $AuthCertificateFileName
+$ESRPAuthCertificateSubjectName = $AuthCertificate.Subject
+
+Write-Output ("##vso[task.setvariable variable=ESRPAuthCertificateSubjectName;]$ESRPAuthCertificateSubjectName")
\ No newline at end of file
diff --git a/build/tfs/win32/sign.ps1 b/build/tfs/win32/sign.ps1
new file mode 100644
index 00000000000..e28482ba915
--- /dev/null
+++ b/build/tfs/win32/sign.ps1
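Review bot: The decoded PFX written to `$AuthCertificateFileName` holds the auth private key, and the `rm` that removes it runs only on the success path; the calling pipeline step sets `$ErrorActionPreference = "Stop"`, so a failing `Import-PfxCertificate` (wrong password, store permission) leaves the key file behind in the agent's temp directory. Wrap the write and import in `try`/`finally` so the file is deleted on every path. The script also has no error handling of its own — it depends on the caller's preference variable — so a comment such as `# Caller is expected to run with $ErrorActionPreference = "Stop"` above the Param block would document that contract.
```powershell
$AuthCertificateFileName = [System.IO.Path]::GetTempFileName()
try {
	$AuthCertificateBytes = [Convert]::FromBase64String($AuthCertificateBase64)
	[IO.File]::WriteAllBytes($AuthCertificateFileName, $AuthCertificateBytes)
	$AuthCertificate = Import-PfxCertificate -FilePath $AuthCertificateFileName -CertStoreLocation Cert:\LocalMachine\My -Password (ConvertTo-SecureString $AuthCertificateKey -AsPlainText -Force)
} finally {
	# Always remove the decoded key material, even when the import throws
	Remove-Item -Path $AuthCertificateFileName -Force -ErrorAction SilentlyContinue
}
# … unchanged: export of ESRPAuthCertificateSubjectName via ##vso …
```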
@@ -0,0 +1,75 @@
+$Auth = Create-TmpJson @{
+	Version = "1.0.0"
+	AuthenticationType = "AAD_CERT"
+	ClientId = $env:ESRPClientId
+	AuthCert = @{
+		SubjectName = $env:ESRPAuthCertificateSubjectName
+		StoreLocation = "LocalMachine"
+		StoreName = "My"
+	}
+	RequestSigningCert = @{
+		SubjectName = $env:ESRPCertificateSubjectName
+		StoreLocation = "LocalMachine"
+		StoreName = "My"
+	}
+}
+
+$Policy = Create-TmpJson @{
+	Version = "1.0.0"
+}
+
+$Input = Create-TmpJson @{
+	Version = "1.0.0"
+	SignBatches = @(
+		@{
+			SourceLocationType = "UNC"
+			SignRequestFiles = @(
+				@{
+					SourceLocation = $args[0]
+				}
+			)
+			SigningInfo = @{
+				Operations = @(
+					@{
+						KeyCode = "CP-229803"
+						OperationCode = "SigntoolSign"
+						Parameters = @{
+							OpusName = "VS Code"
+							OpusInfo = "https://code.visualstudio.com/"
+							PageHash = "/NPH"
+							TimeStamp = "/t `"http://ts4096.gtm.microsoft.com/TSS/AuthenticodeTS`""
+						}
+						ToolName = "sign"
+						ToolVersion = "1.0"
+					},
+					@{
+						KeyCode = "CP-230012"
+						OperationCode = "SigntoolSign"
+						Parameters = @{
+							OpusName = "VS Code"
+							OpusInfo = "https://code.visualstudio.com/"
+							Append = "/as"
+							FileDigest = "/fd `"SHA256`""
+							PageHash = "/NPH"
+							TimeStamp = "/tr `"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer`" /td sha256"
+						}
+						ToolName = "sign"
+						ToolVersion = "1.0"
+					},
+					@{
+						KeyCode = "CP-230012"
+						OperationCode = "SigntoolVerify"
+						Parameters = @{
+							VerifyAll = "/all"
+						}
+						ToolName = "sign"
+						ToolVersion = "1.0"
+					}
+				)
+			}
+		}
+	)
+}
+
+$Output = [System.IO.Path]::GetTempFileName()
+build\tfs\win32\ESRPClient\packages\EsrpClient.1.0.27\tools\ESRPClient.exe Sign -a $Auth -p $Policy -i $Input -o $Output
\ No newline at end of file
diff --git a/build/win32/code.iss b/build/win32/code.iss
index 846455906af..80fcbf70820 100644
--- a/build/win32/code.iss
+++ b/build/win32/code.iss
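Review bot: `Create-TmpJson`, called on the first line of the file, is neither a built-in cmdlet nor defined anywhere in this script, so the script fails before `ESRPClient.exe` is ever reached; if it is meant to live here it needs a definition, and that definition must pass `ConvertTo-Json` a `-Depth` above its default of 2 or the nested `SignBatches` structure is silently truncated. The `ESRPClient.exe` exit code is never checked and `$Output` is never read, so a failed or rejected signing request still returns success to Inno Setup's SignTool, which only sees powershell.exe's exit status — the uninstaller would be packaged unsigned without the build noticing. `$Input` also shadows PowerShell's automatic `$input` variable; a name such as `$InputJson` avoids that. The four temp JSON files are never removed.
```powershell
function Create-TmpJson($Obj) {
	$FileName = [System.IO.Path]::GetTempFileName()
	ConvertTo-Json -Depth 100 $Obj | Out-File -Encoding UTF8 $FileName
	return $FileName
}

# … unchanged: $Auth, $Policy and $Input construction …

$Output = [System.IO.Path]::GetTempFileName()
build\tfs\win32\ESRPClient\packages\EsrpClient.1.0.27\tools\ESRPClient.exe Sign -a $Auth -p $Policy -i $Input -o $Output
if ($LASTEXITCODE -ne 0) {
	# Propagate the failure so Inno Setup's SignTool aborts the build instead of packaging an unsigned file
	Write-Error "ESRPClient.exe failed with exit code $LASTEXITCODE"
	exit $LASTEXITCODE
}
```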
@@ -32,6 +32,7 @@ VersionInfoVersion={#RawVersion}
 ShowLanguageDialog=auto
 ArchitecturesAllowed={#ArchitecturesAllowed}
 ArchitecturesInstallIn64BitMode={#ArchitecturesInstallIn64BitMode}
+SignTool=esrp
 #if "user" == InstallTarget
 DefaultDirName={userpf}\{#DirName}