Sign Powershell scripts for VS (#451)

* Sign Powershell scripts * Rename PublishLocation to PublishTo, as requested by Nicole. * Avoid running NuGet pack if we aren't going to publish * Explain 'signing type'. * Ensure the signed ps1s are in all standalone bundle forms. * Move scripts so that they don't need to be moved again, and publish as part of github releases. * typo * Also fix paths in arch-independent-signing.signproj. * Remove 'scripts' directory name before signing. * Create staging directory. * Reference parameters the right way. * Attempt to reference parameters the right way again. * Always make the nupkg even when test signing. Co-authored-by: Billy Robert O'Neal III <[email protected]>
microsoft · Mar 30, 2022 · 692785a · 692785a
1 parent a899dcf
commit 692785a
Show file tree

Hide file tree

Showing 6 changed files with 346 additions and 58 deletions.
diff --git a/azure-pipelines/arch-independent-signing.signproj b/azure-pipelines/arch-independent-signing.signproj
@@ -24,6 +24,15 @@
     <FilesToSign Include="$(IntermediateOutputPath)\vcpkg-init.ps1">
       <Authenticode>Microsoft400</Authenticode>
     </FilesToSign>
+    <FilesToSign Include="$(IntermediateOutputPath)\applocal.ps1">
+      <Authenticode>Microsoft400</Authenticode>
+    </FilesToSign>
+    <FilesToSign Include="$(IntermediateOutputPath)\addPoshVcpkgToPowershellProfile.ps1">
+      <Authenticode>Microsoft400</Authenticode>
+    </FilesToSign>
+    <FilesToSign Include="$(IntermediateOutputPath)\posh-vcpkg.psm1">
+      <Authenticode>Microsoft400</Authenticode>
+    </FilesToSign>
   </ItemGroup>
 
   <ImportGroup Label="ExtensionTargets">

diff --git a/azure-pipelines/signing.yml b/azure-pipelines/signing.yml
@@ -6,7 +6,7 @@ trigger: none
 
 parameters:
 - name: SignTypeOverride
-  displayName: Signing Type Override
+  displayName: Signing Type (default is real for the main branch and test otherwise)
   type: string
   default: default
   values:
@@ -17,7 +17,13 @@ parameters:
   displayName: vcpkg Base Version (default is today's date in ISO 8601)
   type: string
   default: default
-
+- name: PublishTo
+  displayName: 'Publish To'
+  type: string
+  default: 'GitHub and NuGet'
+  values:
+  - 'GitHub and NuGet'
+  - 'NuGet Only'
 variables:
   - name: TeamName
     value: vcpkg
@@ -93,6 +99,9 @@ jobs:
     - script: mkdir "$(Build.BinariesDirectory)\ce" && rush deploy -t "$(Build.BinariesDirectory)\ce"
       displayName: Collect vcpkg-ce Dependencies
       workingDirectory: ce
+    - script: |
+        xcopy /F "$(Build.SourcesDirectory)/scripts" "$(Build.BinariesDirectory)"
+      displayName: Collect PowerShell scripts
     - task: ComponentGovernanceComponentDetection@0
       displayName: Detect Components
       inputs:
@@ -123,7 +132,7 @@ jobs:
       inputs:
         solution: 'azure-pipelines\arch-independent-signing.signproj'
         msbuildArguments: '/p:OutDir=$(Build.BinariesDirectory)\ /p:IntermediateOutputPath=$(Build.BinariesDirectory)\'
-      # Note that signing must happen before packing step because the packs contain files that are themselves signed.
+      # Note that signing must happen before packing steps because the packs contain files that are themselves signed.
     - script: |
         copy "$(Build.BinariesDirectory)\vcpkg-init.ps1" "$(Build.BinariesDirectory)\vcpkg-init.cmd"
       displayName: 'Duplicate Install Scripts'
@@ -132,7 +141,7 @@ jobs:
       inputs:
         pwsh: true
         filePath: vcpkg-init/mint-standalone-bundle.ps1
-        arguments: '-DestinationTarball "$(Build.BinariesDirectory)\vcpkg-standalone-bundle.tar.gz" -TempDir standalone-temp "$(Build.BinariesDirectory)\vcpkg-init.cmd" "$(Build.BinariesDirectory)\vcpkg-init.ps1" "$(Build.BinariesDirectory)\vcpkg-init"'
+        arguments: '-DestinationTarball "$(Build.BinariesDirectory)\vcpkg-standalone-bundle.tar.gz" -TempDir standalone-temp -SignedFilesRoot "$(Build.BinariesDirectory)"'
     - script: npm pack
       displayName: Create vcpkg-ce Pack
       workingDirectory: $(Build.BinariesDirectory)/ce
@@ -143,6 +152,9 @@ jobs:
         move "$(Build.BinariesDirectory)\vcpkg-init" "$(Build.ArtifactStagingDirectory)\staging\vcpkg-init"
         move "$(Build.BinariesDirectory)\vcpkg-init.ps1" "$(Build.ArtifactStagingDirectory)\staging\vcpkg-init.ps1"
         move "$(Build.BinariesDirectory)\vcpkg-init.cmd" "$(Build.ArtifactStagingDirectory)\staging\vcpkg-init.cmd"
+        move "$(Build.BinariesDirectory)\applocal.ps1" "$(Build.ArtifactStagingDirectory)\staging\applocal.ps1"
+        move "$(Build.BinariesDirectory)\addPoshVcpkgToPowershellProfile.ps1" "$(Build.ArtifactStagingDirectory)\staging\addPoshVcpkgToPowershellProfile.ps1"
+        move "$(Build.BinariesDirectory)\posh-vcpkg.psm1" "$(Build.ArtifactStagingDirectory)\staging\posh-vcpkg.psm1"
       displayName: 'Arrange Architecture-independent Files for Staging'
     - task: Powershell@2
       displayName: Generate Arch-independent SHA512s
@@ -325,7 +337,7 @@ jobs:
       inputs:
         pwsh: true
         filePath: vcpkg-init/mint-standalone-bundle.ps1
-        arguments: '-DestinationDir "$(Build.ArtifactStagingDirectory)/vs-insertion/staging" -readonly -TempDir standalone-temp'
+        arguments: '-DestinationDir "$(Build.ArtifactStagingDirectory)/vs-insertion/staging" -readonly -TempDir standalone-temp -SignedFilesRoot "$(Build.ArtifactStagingDirectory)\staging"'
     - task: CmdLine@2
       displayName: 'Arrange Drop'
       inputs:
@@ -336,6 +348,9 @@ jobs:
           move "$(Build.ArtifactStagingDirectory)\staging\vcpkg-init" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-init"
           move "$(Build.ArtifactStagingDirectory)\staging\vcpkg-init.cmd" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-init.cmd"
           move "$(Build.ArtifactStagingDirectory)\staging\vcpkg-init.ps1" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-init.ps1"
+          move "$(Build.ArtifactStagingDirectory)\staging\applocal.ps1" "$(Build.ArtifactStagingDirectory)\drop\applocal.ps1"
+          move "$(Build.ArtifactStagingDirectory)\staging\addPoshVcpkgToPowershellProfile.ps1" "$(Build.ArtifactStagingDirectory)\drop\addPoshVcpkgToPowershellProfile.ps1"
+          move "$(Build.ArtifactStagingDirectory)\staging\posh-vcpkg.psm1" "$(Build.ArtifactStagingDirectory)\drop\posh-vcpkg.psm1"
           move "$(Build.ArtifactStagingDirectory)\staging\vcpkg-ce.tgz" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-ce.tgz"
           move "$(Build.ArtifactStagingDirectory)\staging\vcpkg-glibc" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-glibc"
           move "$(Build.ArtifactStagingDirectory)\staging\vcpkg-muslc" "$(Build.ArtifactStagingDirectory)\drop\vcpkg-muslc"
@@ -372,6 +387,12 @@ jobs:
       inputs:
         command: custom
         arguments: 'pack $(Build.ArtifactStagingDirectory)/vs-insertion/staging/vcpkg.nuspec -NoDefaultExcludes -OutputDirectory "$(Build.ArtifactStagingDirectory)/vs-insertion/drop" -Properties version=$(VCPKG_BASE_VERSION)'
+    - task: PublishBuildArtifacts@1
+      displayName: 'Publish nupkg as Artifact'
+      inputs:
+        PathtoPublish: '$(Build.ArtifactStagingDirectory)/vs-insertion/drop'
+        ArtifactName: 'vs-insertion'
+        publishLocation: 'Container'
     # Do compliance checks.
     - task: BinSkim@3
       inputs:
@@ -433,40 +454,41 @@ jobs:
         packagesToPush: '$(Build.ArtifactStagingDirectory)/vs-insertion/drop/VS.Redist.Vcpkg.x86.1.0.0-$(VCPKG_BASE_VERSION).nupkg'
         publishVstsFeed: '97a41293-2972-4f48-8c0e-05493ae82010'
     # Publish everything to a GitHub Release
-    - task: DownloadSecureFile@1
-      displayName: Download Deploy Key
-      name: githubDeployKey
-      condition: and(eq(variables.SignType, 'real'), succeeded())
-      inputs:
-        secureFile: id_vcpkg_tool
-    # GitHub has a large, regularly changing set of IP address, so ignore the
-    # hostname and allow anything with the right key.
-    # https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/about-githubs-ip-addresses
-    # This public key should have the well-known fingerprint documented below.
-    # SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8
-    # https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints
-    - script: mkdir %USERPROFILE%\.ssh && echo * ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==>>%USERPROFILE%\.ssh\known_hosts
-      displayName: Store GitHub Public Key
-      condition: and(eq(variables.SignType, 'real'), succeeded())
-    - script: git -c [email protected] -c user.name="Embedded Bot" push [email protected]:microsoft/vcpkg-tool HEAD:refs/tags/%VCPKG_BASE_VERSION%
-      condition: and(eq(variables.SignType, 'real'), succeeded())
-      env:
-        GIT_SSH_COMMAND: ssh -i "$(githubDeployKey.secureFilePath)"
-      displayName: Push Release Tag
-    - task: GitHubRelease@0
-      displayName: Publish GitHub Release
-      condition: and(eq(variables.SignType, 'real'), succeeded())
-      inputs:
-        gitHubConnection: embeddedbot
-        repositoryName: microsoft/vcpkg-tool
-        isPreRelease: true
-        isDraft: true
-        title: $(VCPKG_BASE_VERSION) Release
-        tagSource: manual
-        tag: $(VCPKG_BASE_VERSION)
-        assets: "$(Build.ArtifactStagingDirectory)\\drop\\*"
-        addChangeLog: true
-        compareWith: 'lastFullRelease'
+    - ${{ if eq(parameters.PublishTo, 'GitHub and NuGet') }}:
+      - task: DownloadSecureFile@1
+        displayName: Download Deploy Key
+        name: githubDeployKey
+        condition: and(eq(variables.SignType, 'real'), succeeded())
+        inputs:
+          secureFile: id_vcpkg_tool
+      # GitHub has a large, regularly changing set of IP address, so ignore the
+      # hostname and allow anything with the right key.
+      # https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/about-githubs-ip-addresses
+      # This public key should have the well-known fingerprint documented below.
+      # SHA256:nThbg6kXUpJWGl7E1IGOCspRomTxdCARLviKw6E5SY8
+      # https://docs.github.com/en/github/authenticating-to-github/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints
+      - script: mkdir %USERPROFILE%\.ssh && echo * ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==>>%USERPROFILE%\.ssh\known_hosts
+        displayName: Store GitHub Public Key
+        condition: and(eq(variables.SignType, 'real'), succeeded())
+      - script: git -c [email protected] -c user.name="Embedded Bot" push [email protected]:microsoft/vcpkg-tool HEAD:refs/tags/%VCPKG_BASE_VERSION%
+        condition: and(eq(variables.SignType, 'real'), succeeded())
+        env:
+          GIT_SSH_COMMAND: ssh -i "$(githubDeployKey.secureFilePath)"
+        displayName: Push Release Tag
+      - task: GitHubRelease@0
+        displayName: Publish GitHub Release
+        condition: and(eq(variables.SignType, 'real'), succeeded())
+        inputs:
+          gitHubConnection: embeddedbot
+          repositoryName: microsoft/vcpkg-tool
+          isPreRelease: true
+          isDraft: true
+          title: $(VCPKG_BASE_VERSION) Release
+          tagSource: manual
+          tag: $(VCPKG_BASE_VERSION)
+          assets: "$(Build.ArtifactStagingDirectory)\\drop\\*"
+          addChangeLog: true
+          compareWith: 'lastFullRelease'
     - task: MicroBuildCleanup@1
       condition: succeededOrFailed()
       displayName: MicroBuild Cleanup
diff --git a/scripts/addPoshVcpkgToPowershellProfile.ps1 b/scripts/addPoshVcpkgToPowershellProfile.ps1
@@ -0,0 +1,56 @@
+[CmdletBinding()]
+param()
+
+function findExistingImportModuleDirectives([Parameter(Mandatory=$true)][string]$path)
+{
+    if (!(Test-Path $path))
+    {
+        return
+    }
+
+    $fileContents = Get-Content $path
+    $fileContents -match 'Import-Module.+?(?=posh-vcpkg)'
+    return
+}
+
+$scriptsDir = split-path -parent $script:MyInvocation.MyCommand.Definition
+
+$profileEntry = "Import-Module '$scriptsDir\posh-vcpkg'"
+$profilePath = $PROFILE # Implicit PowerShell variable
+$profileDir = Split-Path $profilePath -Parent
+if (!(Test-Path $profileDir))
+{
+    New-Item -ItemType Directory -Path $profileDir | Out-Null
+}
+
+Write-Host "`nAdding the following line to ${profilePath}:"
+Write-Host "    $profileEntry"
+
+# @() Needed to force Array in PowerShell 2.0
+[Array]$existingImports = @(findExistingImportModuleDirectives $profilePath)
+if ($existingImports.Count -gt 0)
+{
+    $existingImportsOut = $existingImports -join "`n    "
+    Write-Host "`nposh-vcpkg is already imported to your PowerShell profile. The following entries were found:"
+    Write-Host "    $existingImportsOut"
+    Write-Host "`nPlease make sure you have started a new PowerShell window for the changes to take effect."
+    return
+}
+
+# Modifying the profile will invalidate any signatures.
+# Posh-git does the following check, so we should too.
+# https://github.com/dahlbyk/posh-git/blob/master/src/Utils.ps1
+# If the profile script exists and is signed, then we should not modify it
+if (Test-Path $profilePath)
+{
+    $sig = Get-AuthenticodeSignature $profilePath
+    if ($null -ne $sig.SignerCertificate)
+    {
+        Write-Warning "Skipping add of posh-vcpkg import to profile; '$profilePath' appears to be signed."
+        Write-Warning "Please manually add the line '$profileEntry' to your profile and resign it."
+        return
+    }
+}
+
+Add-Content $profilePath -Value "`n$profileEntry" -Encoding UTF8
+Write-Host "`nSuccessfully added posh-vcpkg to your PowerShell profile. Please start a new PowerShell window for the changes to take effect."