From e39f4e921aa6d64304e7d8d84e9225e819499449 Mon Sep 17 00:00:00 2001 From: Steve Dower Date: Tue, 3 Nov 2020 17:43:59 +0000 Subject: [PATCH 1/3] Enable signing of nuget.org packages and update to supported timestamp server --- .azure-pipelines/windows-release/stage-pack-msix.yml | 11 ++++++++--- .azure-pipelines/windows-release/stage-pack-nuget.yml | 10 +++++++++- .azure-pipelines/windows-release/stage-sign.yml | 2 +- 3 files changed, 18 insertions(+), 5 deletions(-) diff --git a/.azure-pipelines/windows-release/stage-pack-msix.yml b/.azure-pipelines/windows-release/stage-pack-msix.yml index 26a5712e845ca9..8a7876099e7c14 100644 --- a/.azure-pipelines/windows-release/stage-pack-msix.yml +++ b/.azure-pipelines/windows-release/stage-pack-msix.yml @@ -120,10 +120,15 @@ jobs: artifactName: unsigned_msix downloadPath: $(Build.BinariesDirectory) + - powershell: | + signtool sign /a /n "$(SigningCertificate)" /fd sha256 /d "$(SigningDescription)" (gi *.msix) + displayName: 'Sign MSIX' + workingDirectory: $(Build.BinariesDirectory)\unsigned_msix + - powershell: | $failed = $true foreach ($retry in 1..3) { - signtool sign /a /n "$(SigningCertificate)" /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d "$(SigningDescription)" (gi *.msix) + signtool timestamp /tr http://timestamp.digicert.com/ /td sha256 (gi *.msix) if ($?) { $failed = $false break @@ -131,9 +136,9 @@ jobs: sleep 1 } if ($failed) { - throw "Failed to sign MSIX" + throw "Failed to timestamp MSIX" } - displayName: 'Sign MSIX' + displayName: 'Timestamp MSIX' workingDirectory: $(Build.BinariesDirectory)\unsigned_msix - task: PublishBuildArtifacts@1 diff --git a/.azure-pipelines/windows-release/stage-pack-nuget.yml b/.azure-pipelines/windows-release/stage-pack-nuget.yml index b100364820d95b..8dfea382c35622 100644 --- a/.azure-pipelines/windows-release/stage-pack-nuget.yml +++ b/.azure-pipelines/windows-release/stage-pack-nuget.yml 
@@ -4,7 +4,7 @@ jobs: condition: and(succeeded(), eq(variables['DoNuget'], 'true')) pool: - vmImage: windows-2019 + name: 'Windows Release' workspace: clean: all @@ -36,6 +36,14 @@ jobs: nuget pack "$(Build.BinariesDirectory)\layout\python.nuspec" -OutputDirectory $(Build.ArtifactStagingDirectory) -NoPackageAnalysis -NonInteractive displayName: 'Create nuget package' + - powershell: | + gci *.nupkg | %{ + nuget sign "$_" -CertificateSubjectName "$(SigningCertificate)" -Timestamper http://timestamp.digicert.com/ -Overwrite + } + displayName: 'Sign nuget package' + workingDirectory: $(Build.ArtifactStagingDirectory) + condition: and(succeeded(), variables['SigningCertificate']) + - task: PublishBuildArtifacts@1 displayName: 'Publish Artifact: nuget' inputs: diff --git a/.azure-pipelines/windows-release/stage-sign.yml b/.azure-pipelines/windows-release/stage-sign.yml index 584772af8b428e..c21e1c9f2b0f9b 100644 --- a/.azure-pipelines/windows-release/stage-sign.yml +++ b/.azure-pipelines/windows-release/stage-sign.yml @@ -57,7 +57,7 @@ jobs: $files = (gi ${{ parameters.Include }} -Exclude ${{ parameters.Exclude }}) $failed = $true foreach ($retry in 1..10) { - signtool timestamp /t http://timestamp.verisign.com/scripts/timestamp.dll $files + signtool timestamp /tr http://timestamp.digicert.com/ /td sha256 $files if ($?) { $failed = $false break From 83b4820e2d2f6b356379f5dd5522ee04612655f6 Mon Sep 17 00:00:00 2001 From: Steve Dower Date: Tue, 3 Nov 2020 20:15:46 +0000 Subject: [PATCH 2/3] Sign and timestamp MSIX together --- .azure-pipelines/windows-release/stage-pack-msix.yml | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/.azure-pipelines/windows-release/stage-pack-msix.yml b/.azure-pipelines/windows-release/stage-pack-msix.yml index 8a7876099e7c14..f967cfdbe326f8 100644 --- a/.azure-pipelines/windows-release/stage-pack-msix.yml +++ b/.azure-pipelines/windows-release/stage-pack-msix.yml 
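Review bot: A failing `nuget sign` inside the `%{ }` loop of the new 'Sign nuget package' step is never checked, so when more than one .nupkg is present an earlier failure is masked by a later success and the unsigned package is still handed to the following PublishBuildArtifacts task; as far as is visible here the step's result depends only on the last command's exit code. Add a per-package check right after the sign call, `if (-not $?) { throw "Failed to sign $_" }`. The signtool steps elsewhere in this series retry the timestamp server (1..3 in stage-pack-msix.yml, 1..10 in stage-sign.yml) while this step makes a single attempt, so a transient TSA error fails the job outright; a similar retry, or at least a comment noting the difference, would keep the stages consistent. The `condition` on `variables['SigningCertificate']` means packages are published unsigned when the variable is unset, which is presumably intended for non-release builds and is worth stating in a comment on the step.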
@@ -120,15 +120,11 @@ jobs: artifactName: unsigned_msix downloadPath: $(Build.BinariesDirectory) - - powershell: | - signtool sign /a /n "$(SigningCertificate)" /fd sha256 /d "$(SigningDescription)" (gi *.msix) - displayName: 'Sign MSIX' - workingDirectory: $(Build.BinariesDirectory)\unsigned_msix - + # MSIX must be signed and timestamped simultaneously - powershell: | $failed = $true foreach ($retry in 1..3) { - signtool timestamp /tr http://timestamp.digicert.com/ /td sha256 (gi *.msix) + signtool sign /a /n "$(SigningCertificate)" /fd sha256 /tr http://timestamp.digicert.com/ /td sha256 /d "$(SigningDescription)" (gi *.msix) if ($?) { $failed = $false break @@ -136,9 +132,9 @@ jobs: sleep 1 } if ($failed) { - throw "Failed to timestamp MSIX" + throw "Failed to sign MSIX" } - displayName: 'Timestamp MSIX' + displayName: 'Sign MSIX' workingDirectory: $(Build.BinariesDirectory)\unsigned_msix - task: PublishBuildArtifacts@1 From 55e6c088f323af5e118e423e189b298ce65ed681 Mon Sep 17 00:00:00 2001 From: Steve Dower Date: Tue, 3 Nov 2020 20:42:04 +0000 Subject: [PATCH 3/3] Fix MSI signing step --- PCbuild/pyproject.props | 4 ++-- Tools/msi/sdktools.psm1 | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/PCbuild/pyproject.props b/PCbuild/pyproject.props index c659d14ff8dc93..d7762ca1bc685f 100644 --- a/PCbuild/pyproject.props +++ b/PCbuild/pyproject.props 
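Review bot: The retry loop in the 'Sign MSIX' step now re-runs `signtool sign` on the same package on every iteration, and it is not visible here whether an attempt that wrote a signature but then failed at the timestamp server leaves a package that a later attempt can re-sign, or one that makes every subsequent attempt fail; worth confirming against signtool's behaviour for packages, otherwise the loop retries a failure it cannot recover from. The new comment states the constraint but not the reason; if the two steps were merged because a separate `signtool timestamp` pass cannot be applied to a package, saying so helps the next maintainer: `# MSIX must be signed and timestamped in one signtool call (/tr): a separate 'signtool timestamp' pass is not supported for packages, so the whole operation is retried`. The loop retries 3 times here against 10 in stage-sign.yml; aligning the counts, or a note on why they differ, would help. The step's body continues into the second hunk of this file.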
@@ -176,8 +176,8 @@ public override bool Execute() { $(registry:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Kits\Installed Roots@KitsRoot81)\bin\x86 $(registry:HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Kits\Installed Roots@KitsRoot)\bin\x86 $(registry:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SDKs\Windows\v7.1A@InstallationFolder)\Bin\ - <_SignCommand Condition="Exists($(SdkBinPath)) and '$(SigningCertificate)' != '' and $(SupportSigning)">"$(SdkBinPath)\signtool.exe" sign /a /n "$(SigningCertificate)" /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d "Python $(PythonVersion)" - <_SignCommand Condition="Exists($(SdkBinPath)) and '$(SigningCertificateSha1)' != '' and $(SupportSigning)">"$(SdkBinPath)\signtool.exe" sign /a /sha1 "$(SigningCertificateSha1)" /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d "Python $(PythonVersion)" + <_SignCommand Condition="Exists($(SdkBinPath)) and '$(SigningCertificate)' != '' and $(SupportSigning)">"$(SdkBinPath)\signtool.exe" sign /a /n "$(SigningCertificate)" /fd sha256 /tr http://timestamp.digicert.com/ /td sha256 /d "Python $(PythonVersion)" + <_SignCommand Condition="Exists($(SdkBinPath)) and '$(SigningCertificateSha1)' != '' and $(SupportSigning)">"$(SdkBinPath)\signtool.exe" sign /a /sha1 "$(SigningCertificateSha1)" /fd sha256 /tr http://timestamp.digicert.com/ /td sha256 /d "Python $(PythonVersion)" <_MakeCatCommand Condition="Exists($(SdkBinPath))">"$(SdkBinPath)\makecat.exe" diff --git a/Tools/msi/sdktools.psm1 b/Tools/msi/sdktools.psm1 index 8081b104d85a7f..c5973f9abc6abf 100644 --- a/Tools/msi/sdktools.psm1 +++ b/Tools/msi/sdktools.psm1 
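Review bot: `_SignCommand` still issues a single signtool call with no retry, so a transient failure of the timestamp server breaks the build, whereas the pipeline steps in this series wrap the same call in a retry loop; the place where the command is executed is outside this hunk, so either a retry at that call site or a comment here stating that the caller is expected to retry would close the gap. The two definitions are evaluated in order and MSBuild keeps the last one, so when both `SigningCertificate` and `SigningCertificateSha1` are set the `/sha1` form wins; a one-line comment above the pair, `<!-- If both SigningCertificate and SigningCertificateSha1 are set, the /sha1 form wins (last definition) -->`, would make that explicit. The hunk as shown here has lost its element tags, so the property names on the SdkBinPath lines cannot be checked from this view.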
@@ -37,11 +37,11 @@ function Sign-File { foreach ($a in $files) { if ($certsha1) { - SignTool sign /sha1 $certsha1 /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d $description $a + SignTool sign /sha1 $certsha1 /fd sha256 /tr http://timestamp.digicert.com/ /td sha256 /d $description $a } elseif ($certname) { - SignTool sign /a /n $certname /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d $description $a + SignTool sign /a /n $certname /fd sha256 /tr http://timestamp.digicert.com/ /td sha256 /d $description $a } elseif ($certfile) { - SignTool sign /f $certfile /fd sha256 /t http://timestamp.verisign.com/scripts/timestamp.dll /d $description $a + SignTool sign /f $certfile /fd sha256 /tr http://timestamp.digicert.com/ /td sha256 /d $description $a } } }
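Review bot: None of the three `SignTool sign` branches in `Sign-File` checks the result, so a failed signature (for example a timestamp server error) leaves an unsigned file and the loop moves on to the next one; unless the caller verifies the files afterwards, which is not visible here, the build can ship unsigned artifacts. Since the branches differ only in how the certificate is selected, the invocation can be issued once with a single check after it, which also keeps the timestamp options in one place. `SignTool` appears to be a wrapper defined elsewhere in the module; if it resolves directly to signtool.exe, `$LASTEXITCODE -ne 0` is the more reliable test than `$?`. The existing behaviour of silently skipping files when no certificate parameter is given is kept below but made explicit; a warning in that case would be worth considering. The function's header is outside the hunk.
```powershell
foreach ($a in $files) {
    if ($certsha1) {
        $certArgs = @('/sha1', $certsha1)
    } elseif ($certname) {
        $certArgs = @('/a', '/n', $certname)
    } elseif ($certfile) {
        $certArgs = @('/f', $certfile)
    } else {
        # No certificate parameter given: file is left unsigned (previous behaviour)
        continue
    }
    SignTool sign @certArgs /fd sha256 /tr http://timestamp.digicert.com/ /td sha256 /d $description $a
    if (-not $?) { throw "Failed to sign $a" }
}
```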