Merge pull request #1408 from PowerShell/andschwa/esrp

Rewrite release signing pipeline
PowerShell · Feb 3, 2021 · 29e44b6 · 29e44b6
2 parents 2936b4b + dd83921
commit 29e44b6
Show file tree

Hide file tree

Showing 6 changed files with 88 additions and 207 deletions.
diff --git a/.vsts-ci/azure-pipelines-release.yml b/.vsts-ci/azure-pipelines-release.yml
@@ -32,6 +32,13 @@ trigger:
       - /LICENSE
       - /CODE_OF_CONDUCT.md
 
+resources:
+  repositories:
+  - repository: ComplianceRepo
+    type: github
+    endpoint: ComplianceGHRepo
+    name: PowerShell/compliance
+
 jobs:
 
 - job: 'ReleaseBuild'
@@ -45,7 +52,9 @@ jobs:
   displayName: Signing Build
   dependsOn: 'ReleaseBuild'
   pool:
-    name: 'Package ES CodeHub Lab E'
+    name: 'Package ES Standard Build'
     demands: DotNetFramework
+  variables:
+  - group: ESRP
   steps:
   - template: templates/release-general.yml
diff --git a/.vsts-ci/templates/release-general.yml b/.vsts-ci/templates/release-general.yml
@@ -1,149 +1,71 @@
 steps:
-- powershell: |
-    Write-Host "Installing pwsh..."
-    if (Get-Command pwsh -ErrorAction Ignore)
-    {
-        Write-Host "pwsh already installed, skipping"
-        return
-    }
-    $powerShellPath = Join-Path -Path $env:AGENT_TEMPDIRECTORY -ChildPath 'powershell'
-    Invoke-WebRequest -Uri https://raw.githubusercontent.com/PowerShell/PowerShell/master/tools/install-powershell.ps1 -outfile ./install-powershell.ps1
-    ./install-powershell.ps1 -Destination $powerShellPath
-    $vstsCommandString = "vso[task.setvariable variable=PATH]$powerShellPath;$env:PATH"
-    Write-Host "sending " + $vstsCommandString
-    Write-Host "##$vstsCommandString"
-  displayName: Install PowerShell Core
-
-- pwsh: |
-    Get-ChildItem -Path env:
-  displayName: Capture environment
-  condition: succeededOrFailed()
-
-- task: PkgESSetupBuild@10
-  displayName: 'Package ES - Setup Build'
-  inputs:
-    productName: PowerShellEditorServices
-    useDfs: false
 
 - task: DownloadBuildArtifacts@0
   displayName: 'Download Build Artifacts'
   inputs:
     downloadType: specific
 
-- task: PowerShell@1
-  displayName: 'Extract build zip'
-  inputs:
-    scriptType: inlineScript
-    inlineScript: |
-      $dest = New-Item -ItemType Directory $env:BUILD_ARTIFACTSTAGINGDIRECTORY/release/out/PowerShellEditorServices
-      $psesZip = Get-ChildItem $env:BUILD_ARTIFACTSTAGINGDIRECTORY/PowerShellEditorServices-CI/PowerShellEditorServices*.zip -ErrorAction Stop
-      $psesZip | Expand-Archive -DestinationPath $dest -Force -Verbose
-      $psesZip | Remove-Item -Recurse -Force
-
-- task: PkgESCodeSign@10
-  displayName: 'CodeSign tools/releaseBuild/signing.xml'
-  env:
-    SYSTEM_ACCESSTOKEN: $(System.AccessToken)
-  inputs:
-    signConfigXml: tools/releaseBuild/signing.xml
-    inPathRoot: '$(Build.ArtifactStagingDirectory)'
-    outPathRoot: '$(Build.ArtifactStagingDirectory)\Signed'
-
-- task: PowerShell@1
-  displayName: 'Copy signed items into output'
-  inputs:
-    scriptType: inlineScript
-    inlineScript: |
-     $signed="$(Build.ArtifactStagingDirectory)\Signed\PowerShellEditorServices\*"
-     $notSigned="$(Build.ArtifactStagingDirectory)\release\out\PowerShellEditorServices"
-     Copy-Item $signed $notSigned -Recurse -Force
-
-- task: PowerShell@1
-  displayName: 'Create catalog files'
-  inputs:
-    scriptType: inlineScript
-    inlineScript: |
-     $dir = "$(Build.ArtifactStagingDirectory)\release\out\PowerShellEditorServices\PowerShellEditorServices"
-     New-FileCatalog -CatalogFilePath "$(Build.ArtifactStagingDirectory)\PowerShellEditorServices.cat" -Path $dir
-
-     $dir = "$(Build.ArtifactStagingDirectory)\release\out\PowerShellEditorServices\PowerShellEditorServices.VSCode"
-     New-FileCatalog -CatalogFilePath "$(Build.ArtifactStagingDirectory)\PowerShellEditorServices.VSCode.cat" -Path $dir
-
-- task: PkgESCodeSign@10
-  displayName: 'CodeSign tools/releaseBuild/FileCatalogSigning.xml'
-  env:
-    SYSTEM_ACCESSTOKEN: $(System.AccessToken)
-  inputs:
-    signConfigXml: tools/releaseBuild/FileCatalogSigning.xml
-    inPathRoot: '$(Build.ArtifactStagingDirectory)'
-    outPathRoot: '$(Build.ArtifactStagingDirectory)'
-
-- task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
-  displayName: 'Component Detection'
-
-- task: AntiMalware@3
-  inputs:
-    InputType: 'Basic'
-    ScanType: 'CustomScan'
-    FileDirPath: '$(Build.ArtifactStagingDirectory)'
-    EnableServices: false
-    SupportLogOnError: false
-    TreatSignatureUpdateFailureAs: 'Warning'
-    SignatureFreshness: 'UpToDate'
-    TreatStaleSignatureAs: 'Error'
-
-- task: PoliCheck@1
-  condition: succeededOrFailed()
-  inputs:
-    targetType: F
-    optionsFC: 0
-    optionsXS: 0
-    optionsPE: '1|2|3|4'
-    optionsHMENABLE: 0
-    optionsFTPATH: '$(Build.SourcesDirectory)\tools\terms\FileTypeSet.xml'
-    # toolVersion: 5.8.2.1
-
-- task: CredScan@2
-  condition: succeededOrFailed()
-
-# - task: BinSkim@3
-#   condition: succeededOrFailed()
-#   inputs:
-#     InputType: 'Basic'
-#     Function: 'analyze'
-#     AnalyzeRecurse: true
-#     AnalyzeTarget: '$(Build.ArtifactStagingDirectory)\release;$(Build.ArtifactStagingDirectory)\OutGridView*.dll'
-
-# Publish results as artifacts
-- task: PublishSecurityAnalysisLogs@3
-  condition: succeededOrFailed()
-  inputs:
-    ArtifactName: 'CodeAnalysisLogs'
-    ArtifactType: 'Container'
-
-# Publish to TSA server
-- task: TSAUpload@1
-  condition: succeededOrFailed()
-  continueOnError: true
-  inputs:
-    tsaVersion: 'TsaV2'
-    codebase: 'Existing'
-    tsaEnvironment: 'PROD'
-    codeBaseName: 'PowerShell_PowerShellEditorServices_20190917'
-    uploadAPIScan: false
-    uploadBinSkim: false
-    uploadCredScan: true
-    uploadFortifySCA: false
-    uploadFxCop: false
-    uploadModernCop: false
-    uploadPoliCheck: true
-    uploadPREfast: false
-    uploadRoslyn: false
-    uploadTSLint: false
-    uploadAsync: true
-
-- task: PowerShell@1
-  displayName: 'Upload artifacts'
+- task: ExtractFiles@1
+  displayName: 'Extract Build Zip'
   inputs:
-    scriptType: inlineScript
-    inlineScript: 'Write-Host "##vso[artifact.upload containerfolder=PowerShellEditorServices;artifactname=PowerShellEditorServices]$(Build.ArtifactStagingDirectory)\release\out\PowerShellEditorServices"'
+    archiveFilePatterns: '$(Build.ArtifactStagingDirectory)/PowerShellEditorServices-CI/PowerShellEditorServices*.zip'
+    destinationFolder: '$(Build.ArtifactStagingDirectory)/PowerShellEditorServices'
+
+- checkout: ComplianceRepo
+  displayName: 'Checkout the ComplianceRepo'
+
+- template: EsrpSign.yml@ComplianceRepo
+  parameters:
+    buildOutputPath: '$(Build.ArtifactStagingDirectory)/PowerShellEditorServices'
+    signOutputPath: '$(Build.ArtifactStagingDirectory)/FirstPartySigned'
+    certificateId: 'CP-230012' # Authenticode certificate
+    useMinimatch: true # This enables the use of globbing
+    pattern: |
+      # PowerShellEditorServices Script
+      PowerShellEditorServices/*.{ps1,psd1,psm1,ps1xml}
+      PowerShellEditorServices/Commands/**/*.{ps1,psd1,psm1,ps1xml}
+      # PowerShellEditorServices Binaries
+      PowerShellEditorServices/**/Microsoft.PowerShell.EditorServices*.dll
+      # PowerShellEditorServices.VSCode Script
+      PowerShellEditorServices.VSCode/PowerShellEditorServices.VSCode.psd1
+      # PowerShellEditorServices.VSCode Binary
+      PowerShellEditorServices.VSCode/bin/Microsoft.PowerShell.EditorServices.VSCode.dll
+
+- template: EsrpSign.yml@ComplianceRepo
+  parameters:
+    buildOutputPath: '$(Build.ArtifactStagingDirectory)/FirstPartySigned'
+    signOutputPath: '$(Build.ArtifactStagingDirectory)/ThirdPartySigned'
+    certificateId: 'CP-231522' # Third-party certificate
+    useMinimatch: true # This enables the use of globbing
+    pattern: |
+      **/MediatR.dll
+      **/Nerdbank.Streams.dll
+      **/Newtonsoft.Json.dll
+      **/OmniSharp*.dll
+      **/Serilog*.dll
+      **/UnixConsoleEcho.dll
+
+- publish: $(Build.ArtifactStagingDirectory)/ThirdPartySigned
+  artifact: PowerShellEditorServices
+  displayName: 'Publish signed (and unsigned) artifacts'
+
+- checkout: self
+
+- template: assembly-module-compliance.yml@ComplianceRepo
+  parameters:
+    # binskim
+    AnalyzeTarget: '$(Build.ArtifactStagingDirectory)/*.dll'
+    AnalyzeSymPath: 'SRV*'
+    # component-governance
+    sourceScanPath: '$(Build.SourcesDirectory)/PowerShellEditorServices'
+    # credscan
+    suppressionsFile: ''
+    # TermCheck AKA PoliCheck
+    targetArgument: '$(Build.SourcesDirectory)/PowerShellEditorServices'
+    optionsUEPATH: '$(Build.SourcesDirectory)/PowerShellEditorServices/tools/terms/UserExclusions.xml'
+    optionsRulesDBPath: ''
+    optionsFTPath: '$(Build.SourcesDirectory)/PowerShellEditorServices/tools/terms/FileTypeSet.xml'
+    # tsa-upload
+    codeBaseName: 'PowerShell_PowerShellEditorServices_20210201'
+    # selections
+    APIScan: false
diff --git a/src/PowerShellEditorServices/Services/PowerShellContext/PowerShellContextService.cs b/src/PowerShellEditorServices/Services/PowerShellContext/PowerShellContextService.cs
@@ -635,7 +635,7 @@ public Task<RunspaceHandle> GetRunspaceHandleAsync(CancellationToken cancellatio
 
                 if (shouldCancelReadLine && PromptNest.IsReadLineBusy())
                 {
-                    // If a ReadLine pipeline is running in the debugger then we'll hang here
+                    // If a ReadLine pipeline is running in the debugger then we'll stop responding here
                     // if we don't cancel it. Typically we can rely on OnExecutionStatusChanged but
                     // the pipeline request won't even start without clearing the current task.
                     this.ConsoleReader?.StopCommandLoop();
@@ -1895,7 +1895,7 @@ private void PowerShellContext_RunspaceChangedAsync(object sender, RunspaceChang
 
 
         // TODO: Refactor this, RunspaceDetails, PowerShellVersion, and PowerShellVersionDetails
-        // It's crazy that this is 4 different types.
+        // It's odd that this is 4 different types.
         // P.S. MinifiedRunspaceDetails use to be called RunspaceDetails... as in, there were 2 DIFFERENT
         // RunspaceDetails types in this codebase but I've changed it to be minified since the type is
         // slightly simpler than the other RunspaceDetails.

diff --git a/test/PowerShellEditorServices.Test/Debugging/DebugServiceTests.cs b/test/PowerShellEditorServices.Test/Debugging/DebugServiceTests.cs
@@ -1,4 +1,4 @@
-// TODO: Fix these tests which cause the test runner to hang...
+// TODO: Fix these tests which cause the test runner to stop responding...
 
 // //
 // // Copyright (c) Microsoft. All rights reserved.

diff --git a/tools/releaseBuild/signing.xml b/tools/releaseBuild/signing.xml
diff --git a/tools/terms/UserExclusions.xml b/tools/terms/UserExclusions.xml
@@ -0,0 +1,12 @@
+<PoliCheckExclusions>
+  <!-- All strings must be UPPER CASE -->
+  <!--Each of these exclusions is a folder name -if \[name]\exists in the file path, it will be skipped -->
+  <!--<Exclusion Type="FolderPathFull">ABC|XYZ</Exclusion>-->
+  <Exclusion Type="FolderPathFull">.GIT</Exclusion>
+  <!--Each of these exclusions is a folder name -if any folder or file starts with "\[name]", it will be skipped -->
+  <!--<Exclusion Type="FolderPathStart">ABC|XYZ</Exclusion>-->
+  <!--Each of these file types will be completely skipped for the entire scan -->
+  <!--<Exclusion Type="FileType">.ABC|.XYZ</Exclusion>-->
+  <!--The specified file names will be skipped during the scan regardless which folder they are in -->
+  <!--<Exclusion Type="FileName">ABC.TXT|XYZ.CS</Exclusion>-->
+</PoliCheckExclusions>