Merge pull request #99 from unoplatform/dev/jela/update-signing

ci: Move to sign client

Author: jeromelaban

.vsts-ci.yml

@@ -28,7 +28,9 @@ jobs:
     vmImage: 'windows-2022'
 
   variables:
-    NUGET_PACKAGES: $(Agent.WorkFolder)\.nuget
+    - name: NUGET_PACKAGES
+      value: $(Agent.WorkFolder)\.nuget
+    - group: uno-codesign-vault
 
   steps:
   - checkout: self
@@ -76,12 +78,15 @@ jobs:
     inputs:
       filePath: build/Sign-Package.ps1
     env:
-      SignClientUser: $(SignClientUser)
-      SignClientSecret: $(SignClientSecret)
+      VaultSignTenantId: $(VaultSignTenantId)
+      VaultSignClientId: $(VaultSignClientId)
+      VaultSignClientSecret: $(VaultSignClientSecret)
+      VaultSignCertificate: $(VaultSignCertificate)
+      VaultSignUrl: $(VaultSignUrl)
       SignPackageName: "Uno.PackageDiff"
       SignPackageDescription: "Uno.PackageDiff"
       ArtifactDirectory: $(build.artifactstagingdirectory)
-    condition: and(succeeded(), not(eq(variables['build.reason'], 'PullRequest')), not(eq(variables['SignClientSecret'], '')), not(eq(variables['SignClientUser'], '')))
+    condition: and(succeeded(), not(eq(variables['build.reason'], 'PullRequest')), not(eq(variables['VaultSignClientSecret'], '')), not(eq(variables['VaultSignClientId'], '')))
 
   - task: PublishBuildArtifacts@1
     condition: always()

build/SignClient.json

@@ -1,22 +1,35 @@
 $currentDirectory = split-path $MyInvocation.MyCommand.Definition
 
 # See if we have the ClientSecret available
-if ([string]::IsNullOrEmpty($env:SignClientSecret)) {
+if ([string]::IsNullOrEmpty($env:VaultSignClientSecret)) {
     Write-Host "Client Secret not found, not signing packages"
     return;
 }
 
-dotnet tool install --tool-path . SignClient
+dotnet tool install --tool-path . sign --version 0.9.1-beta.25278.1
 
-# Setup Variables we need to pass into the sign client tool
-$appSettings = "$currentDirectory\SignClient.json"
+$filesToSign = Get-ChildItem -Recurse $Env:ArtifactDirectory\* -Include *.nupkg | Select-Object -ExpandProperty FullName
 
-$filesToSign = Get-ChildItem -Recurse $Env:ArtifactDirectory\* -Include *.nupkg,*.vsix | Select-Object -ExpandProperty FullName
-
-foreach ($fileToSign in $filesToSign) {
+foreach ($fileToSign in $filesToSign)
+{
     Write-Host "Submitting $fileToSign for signing"
-    .\SignClient 'sign' -c $appSettings -i $fileToSign -r $env:SignClientUser -s $env:SignClientSecret -n "$env:SignPackageName" -d "$env:SignPackageDescription" -u "$env:build_repository_uri"
-    Write-Host "Finished signing $fileToSign"
-}
 
-Write-Host "Sign-package complete"
+    .\sign code azure-key-vault `
+        $fileToSign `
+        --publisher-name "$env:SignPackageName" `
+        --description "$env:SignPackageDescription" `
+        --description-url "$env:build_repository_uri" `
+        --azure-key-vault-tenant-id "$env:VaultSignTenantId" `
+        --azure-key-vault-client-id "$env:VaultSignClientId" `
+        --azure-key-vault-client-secret "$env:VaultSignClientSecret" `
+        --azure-key-vault-certificate "$env:VaultSignCertificate" `
+        --azure-key-vault-url "$env:VaultSignUrl" `
+        --verbosity information
+
+    if ($LASTEXITCODE -ne 0) {
+		Write-Error "Failed to sign $fileToSign"
+		exit $LASTEXITCODE
+	}
+
+    Write-Host "Finished signing $fileToSign"
+}