Migrate to New Code Sign Mechanism (#615)

* Update devskim-cli-release.yml * Update devskim-visualstudio-release.yml * Update devskim-vscode-release.yml * Update Changelog.md
microsoft · May 9, 2024 · ba39d7a · ba39d7a
1 parent 6091cf6
commit ba39d7a
Show file tree

Hide file tree

Showing 4 changed files with 82 additions and 23 deletions.
diff --git a/Changelog.md b/Changelog.md
@@ -4,6 +4,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.0.35] - 2024-5-8
+### Pipeline
+Pipeline only changes
+
 ## [1.0.34] - 2024-3-18
 ### Pipeline
 Pipeline only changes

diff --git a/Pipelines/cli/devskim-cli-release.yml b/Pipelines/cli/devskim-cli-release.yml
@@ -133,10 +133,15 @@ stages:
         packageType: 'sdk'
         version: '6.x'
     # First party code signing
-    - task: EsrpCodeSigning@3
+    - task: EsrpCodeSigning@5
       displayName: First Party Code Sign - Linux
       inputs:
-        ConnectedServiceName: 'Devskim_CodeSign'
+        ConnectedServiceName: 'CodeSignConnection'
+        AppRegistrationClientId: '20c4d859-e6d2-4527-a52d-ca6756291e99'
+        AppRegistrationTenantId: '72f988bf-86f1-41af-91ab-2d7cd011db47'
+        AuthAKVName: 'prss-scanx'
+        AuthCertName: 'buildtask-1fdauth1'
+        AuthSignCertName: 'buildtask-1fdsign'
         FolderPath: '$(Build.BinariesDirectory)/linux/DevSkim_CLI_linux_$(ReleaseVersion)'
         Pattern: 'ApplicationInspector.*.dll, devskim.dll, devskim.exe, Microsoft.DevSkim.dll, OAT.dll, RecursiveExtractor.dll'
         signConfigType: 'inlineSignParams'
@@ -166,10 +171,15 @@ stages:
         SessionTimeout: '60'
         MaxConcurrency: '50'
         MaxRetryAttempts: '5'
-    - task: EsrpCodeSigning@3
+    - task: EsrpCodeSigning@5
       displayName: First Party Code Sign - MacOS
       inputs:
-        ConnectedServiceName: 'Devskim_CodeSign'
+        ConnectedServiceName: 'CodeSignConnection'
+        AppRegistrationClientId: '20c4d859-e6d2-4527-a52d-ca6756291e99'
+        AppRegistrationTenantId: '72f988bf-86f1-41af-91ab-2d7cd011db47'
+        AuthAKVName: 'prss-scanx'
+        AuthCertName: 'buildtask-1fdauth1'
+        AuthSignCertName: 'buildtask-1fdsign'
         FolderPath: '$(Build.BinariesDirectory)/macos/DevSkim_CLI_macos_$(ReleaseVersion)'
         Pattern: 'ApplicationInspector.*.dll, devskim.dll, devskim.exe, Microsoft.DevSkim.dll, OAT.dll, RecursiveExtractor.dll'
         signConfigType: 'inlineSignParams'
@@ -199,10 +209,15 @@ stages:
         SessionTimeout: '60'
         MaxConcurrency: '50'
         MaxRetryAttempts: '5'
-    - task: EsrpCodeSigning@3
+    - task: EsrpCodeSigning@5
       displayName: First Party Code Sign - Windows
       inputs:
-        ConnectedServiceName: 'Devskim_CodeSign'
+        ConnectedServiceName: 'CodeSignConnection'
+        AppRegistrationClientId: '20c4d859-e6d2-4527-a52d-ca6756291e99'
+        AppRegistrationTenantId: '72f988bf-86f1-41af-91ab-2d7cd011db47'
+        AuthAKVName: 'prss-scanx'
+        AuthCertName: 'buildtask-1fdauth1'
+        AuthSignCertName: 'buildtask-1fdsign'
         FolderPath: '$(Build.BinariesDirectory)/win/DevSkim_CLI_win_$(ReleaseVersion)'
         Pattern: 'ApplicationInspector.*.dll, devskim.dll, devskim.exe, Microsoft.DevSkim.dll, OAT.dll, RecursiveExtractor.dll'
         signConfigType: 'inlineSignParams'
@@ -232,10 +247,15 @@ stages:
         SessionTimeout: '60'
         MaxConcurrency: '50'
         MaxRetryAttempts: '5'
-    - task: EsrpCodeSigning@3
+    - task: EsrpCodeSigning@5
       displayName: First Party Code Sign - .NET Core App
       inputs:
-        ConnectedServiceName: 'Devskim_CodeSign'
+        ConnectedServiceName: 'CodeSignConnection'
+        AppRegistrationClientId: '20c4d859-e6d2-4527-a52d-ca6756291e99'
+        AppRegistrationTenantId: '72f988bf-86f1-41af-91ab-2d7cd011db47'
+        AuthAKVName: 'prss-scanx'
+        AuthCertName: 'buildtask-1fdauth1'
+        AuthSignCertName: 'buildtask-1fdsign'
         FolderPath: '$(Build.BinariesDirectory)/netcoreapp/DevSkim_CLI_netcoreapp_$(ReleaseVersion)'
         Pattern: 'ApplicationInspector.*.dll, devskim.dll, devskim.exe, Microsoft.DevSkim.dll, OAT.dll, RecursiveExtractor.dll'
         signConfigType: 'inlineSignParams'
@@ -266,10 +286,15 @@ stages:
         MaxConcurrency: '50'
         MaxRetryAttempts: '5'
     # Third party code signing
-    - task: EsrpCodeSigning@3
+    - task: EsrpCodeSigning@5
       displayName: Third Party Code Sign - Linux
       inputs:
-        ConnectedServiceName: 'Devskim_CodeSign'
+        ConnectedServiceName: 'CodeSignConnection'
+        AppRegistrationClientId: '20c4d859-e6d2-4527-a52d-ca6756291e99'
+        AppRegistrationTenantId: '72f988bf-86f1-41af-91ab-2d7cd011db47'
+        AuthAKVName: 'prss-scanx'
+        AuthCertName: 'buildtask-1fdauth1'
+        AuthSignCertName: 'buildtask-1fdsign'
         FolderPath: '$(Build.BinariesDirectory)/linux/DevSkim_CLI_linux_$(ReleaseVersion)'
         Pattern: 'CommandLine.dll, DiscUtils.*.dll, gfs.*.dll, git2-*.dll, Glob.dll, ICSharpCode.*.dll, JsonCons.*.dll, KellermanSoftware.*.dll, LibGit2Sharp.dll, lzo.*.dll, Newtonsoft.*.dll, NLog.dll, Serilog.*.dll, SharpCompress.dll, YamlDotNet.dll'
         signConfigType: 'inlineSignParams'
@@ -299,10 +324,15 @@ stages:
         SessionTimeout: '60'
         MaxConcurrency: '50'
         MaxRetryAttempts: '5'
-    - task: EsrpCodeSigning@3
+    - task: EsrpCodeSigning@5
       displayName: Third Party Code Sign - MacOS
       inputs:
-        ConnectedServiceName: 'Devskim_CodeSign'
+        ConnectedServiceName: 'CodeSignConnection'
+        AppRegistrationClientId: '20c4d859-e6d2-4527-a52d-ca6756291e99'
+        AppRegistrationTenantId: '72f988bf-86f1-41af-91ab-2d7cd011db47'
+        AuthAKVName: 'prss-scanx'
+        AuthCertName: 'buildtask-1fdauth1'
+        AuthSignCertName: 'buildtask-1fdsign'
         FolderPath: '$(Build.BinariesDirectory)/macos/DevSkim_CLI_macos_$(ReleaseVersion)'
         Pattern: 'CommandLine.dll, DiscUtils.*.dll, gfs.*.dll, git2-*.dll, Glob.dll, ICSharpCode.*.dll, JsonCons.*.dll, KellermanSoftware.*.dll, LibGit2Sharp.dll, lzo.*.dll, Newtonsoft.*.dll, NLog.dll, Serilog.*.dll, SharpCompress.dll, YamlDotNet.dll'
         signConfigType: 'inlineSignParams'
@@ -332,10 +362,15 @@ stages:
         SessionTimeout: '60'
         MaxConcurrency: '50'
         MaxRetryAttempts: '5'
-    - task: EsrpCodeSigning@3
+    - task: EsrpCodeSigning@5
       displayName: Third Party Code Sign - Windows
       inputs:
-        ConnectedServiceName: 'Devskim_CodeSign'
+        ConnectedServiceName: 'CodeSignConnection'
+        AppRegistrationClientId: '20c4d859-e6d2-4527-a52d-ca6756291e99'
+        AppRegistrationTenantId: '72f988bf-86f1-41af-91ab-2d7cd011db47'
+        AuthAKVName: 'prss-scanx'
+        AuthCertName: 'buildtask-1fdauth1'
+        AuthSignCertName: 'buildtask-1fdsign'
         FolderPath: '$(Build.BinariesDirectory)/win/DevSkim_CLI_win_$(ReleaseVersion)'
         Pattern: 'CommandLine.dll, DiscUtils.*.dll, gfs.*.dll, git2-*.dll, Glob.dll, ICSharpCode.*.dll, JsonCons.*.dll, KellermanSoftware.*.dll, LibGit2Sharp.dll, lzo.*.dll, Newtonsoft.*.dll, NLog.dll, Serilog.*.dll, SharpCompress.dll, YamlDotNet.dll'
         signConfigType: 'inlineSignParams'
@@ -365,10 +400,15 @@ stages:
         SessionTimeout: '60'
         MaxConcurrency: '50'
         MaxRetryAttempts: '5'
-    - task: EsrpCodeSigning@3
+    - task: EsrpCodeSigning@5
       displayName: Third Party Code Sign - .NET Core App
       inputs:
-        ConnectedServiceName: 'Devskim_CodeSign'
+        ConnectedServiceName: 'CodeSignConnection'
+        AppRegistrationClientId: '20c4d859-e6d2-4527-a52d-ca6756291e99'
+        AppRegistrationTenantId: '72f988bf-86f1-41af-91ab-2d7cd011db47'
+        AuthAKVName: 'prss-scanx'
+        AuthCertName: 'buildtask-1fdauth1'
+        AuthSignCertName: 'buildtask-1fdsign'
         FolderPath: '$(Build.BinariesDirectory)/netcoreapp/DevSkim_CLI_netcoreapp_$(ReleaseVersion)'
         Pattern: 'CommandLine.dll, DiscUtils.*.dll, gfs.*.dll, git2-*.dll, Glob.dll, ICSharpCode.*.dll, JsonCons.*.dll, KellermanSoftware.*.dll, LibGit2Sharp.dll, lzo.*.dll, Newtonsoft.*.dll, NLog.dll, Serilog.*.dll, SharpCompress.dll, YamlDotNet.dll'
         signConfigType: 'inlineSignParams'
@@ -398,10 +438,15 @@ stages:
         SessionTimeout: '60'
         MaxConcurrency: '50'
         MaxRetryAttempts: '5'
-    - task: EsrpCodeSigning@3
+    - task: EsrpCodeSigning@5
       displayName: Code Sign Nuget Packages
       inputs:
-        ConnectedServiceName: 'Devskim_CodeSign'
+        ConnectedServiceName: 'CodeSignConnection'
+        AppRegistrationClientId: '20c4d859-e6d2-4527-a52d-ca6756291e99'
+        AppRegistrationTenantId: '72f988bf-86f1-41af-91ab-2d7cd011db47'
+        AuthAKVName: 'prss-scanx'
+        AuthCertName: 'buildtask-1fdauth1'
+        AuthSignCertName: 'buildtask-1fdsign'
         FolderPath: '$(Build.BinariesDirectory)'
         Pattern: '*.nupkg, *.snupkg'
         signConfigType: 'inlineSignParams'
@@ -550,4 +595,4 @@ stages:
           $(Build.StagingDirectory)/*.zip
           $(Build.StagingDirectory)/HASHES.txt
         changeLogCompareToRelease: 'lastNonDraftRelease'
-        changeLogType: 'commitBased'
+        changeLogType: 'commitBased'
diff --git a/Pipelines/vs/devskim-visualstudio-release.yml b/Pipelines/vs/devskim-visualstudio-release.yml
@@ -98,10 +98,15 @@ stages:
         TreatSignatureUpdateFailureAs: 'Warning'
         SignatureFreshness: 'UpToDate'
         TreatStaleSignatureAs: 'Warning'
-    - task: EsrpCodeSigning@3
+    - task: EsrpCodeSigning@5
       displayName: Code Sign VS Extension
       inputs:
-        ConnectedServiceName: 'Devskim_CodeSign'
+        ConnectedServiceName: 'CodeSignConnection'
+        AppRegistrationClientId: '20c4d859-e6d2-4527-a52d-ca6756291e99'
+        AppRegistrationTenantId: '72f988bf-86f1-41af-91ab-2d7cd011db47'
+        AuthAKVName: 'prss-scanx'
+        AuthCertName: 'buildtask-1fdauth1'
+        AuthSignCertName: 'buildtask-1fdsign'
         FolderPath: '$(Build.BinariesDirectory)\Unsigned_Extension'
         Pattern: '*.vsix'
         signConfigType: 'inlineSignParams'

diff --git a/Pipelines/vscode/devskim-vscode-release.yml b/Pipelines/vscode/devskim-vscode-release.yml
@@ -155,10 +155,15 @@ stages:
         TreatSignatureUpdateFailureAs: 'Warning'
         SignatureFreshness: 'UpToDate'
         TreatStaleSignatureAs: 'Warning'
-    - task: EsrpCodeSigning@3
+    - task: EsrpCodeSigning@5
       displayName: Code Sign VSCode Plugin
       inputs:
-        ConnectedServiceName: 'Devskim_CodeSign'
+        ConnectedServiceName: 'CodeSignConnection'
+        AppRegistrationClientId: '20c4d859-e6d2-4527-a52d-ca6756291e99'
+        AppRegistrationTenantId: '72f988bf-86f1-41af-91ab-2d7cd011db47'
+        AuthAKVName: 'prss-scanx'
+        AuthCertName: 'buildtask-1fdauth1'
+        AuthSignCertName: 'buildtask-1fdsign'
         FolderPath: '$(Build.BinariesDirectory)\Unsigned_Plugin'
         Pattern: '*.vsix'
         signConfigType: 'inlineSignParams'