Updated pipeline for new sign mechanism.

Author: SteveIves

CodeGen.sln

@@ -142,6 +142,7 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution
 		Documentation\Release Procedure.txt = Documentation\Release Procedure.txt
 		SendMsiToDownloads.bat = SendMsiToDownloads.bat
 		SignFile.bat = SignFile.bat
+		signfile.ps1 = signfile.ps1
 	EndProjectSection
 EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "SampleRepository", "SampleRepository", "{240CAFC0-11EF-4040-82ED-17B3B7870810}"

SignFile.bat

@@ -1,37 +1,25 @@
-rem @echo off
-setlocal
-pushd %~dp0
-
-if "%1"=="" goto usage
-
-set FILE_TO_SIGN=%1
-
-if not exist "%FILE_TO_SIGN%" (
-  echo ERROR: File %FILE_TO_SIGN% was not found!
-  goto done
-)
-
-set TIMESTAMP_URL=http://timestamp.entrust.net/TSS/RFC3161sha2TS
-
-echo.
-for %%F in ("%FILE_TO_SIGN%") do echo Signing %%~nxF
-
-rem Should be able to use %WindowsSdkDir% but it looks like Visual Studio clears it for some reason!
-
-rem This is the command used with the certificate on the physical USB device.
-"C:\Program Files (x86)\Windows Kits\10\bin\x86\signtool.exe" sign /fd SHA256 /a /tr "%TIMESTAMP_URL%" "%FILE_TO_SIGN%"
-
-if "%ERRORLEVEL%"=="0" (
-  echo SUCCESS!
-)
-
-goto done
-
-:usage
-echo.
-echo Usage: SignFile <fileSpec>
-echo.
-
-:done
-popd
-endlocal
+@echo off
+setlocal
+
+set SignTarget=%~1
+set CertFile=%~2
+set Secret=%~3
+set Description=%~4
+set AzureAppId=%~5
+set AzureDirId=%~6
+
+if NOT DEFINED SignTarget goto usage
+if NOT DEFINED CertFile goto usage
+if NOT DEFINED Secret goto usage
+
+powershell -NoLogo -NoProfile -Command "Import-Module %SYNERGY%\bat\signfile.ps1; Azure-Signfile -CertFile \"%CertFile%\" -SignSecret \"%Secret%\" -Description \"%Description%\" -TargetFile \"%SignTarget%\" -AzureAppId \"%AzureAppId%\" -AzureDirId \"%AzureDirId%\""
+endlocal
+goto exit
+
+:usage
+echo *** usage: signfile filename certificate_name password description
+echo *** example: signfile dbr.exe SomeCert MySecret "Synergy/DE Runtime"
+endlocal
+
+:exit
+

azure-pipelines.yml

@@ -63,16 +63,11 @@ jobs:
       platform: '$(buildPlatform)'
       configuration: '$(buildConfiguration)'
 
-  - task: DownloadSecureFile@1
-    displayName: 'Doanload AuthentiCode certificate'
-    name: cert
-    inputs:
-      secureFile: dbd7ae8f-724a-49a3-a66a-662e9d6fe82b
 
   - task: CmdLine@2
     displayName: 'Sign MSI file'
     inputs:
-      script: '"C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x86\signtool.exe" sign /v /td sha256 /tr http://timestamp.digicert.com /fd sha256 /f $(cert.secureFilePath) /p "$(SigPass)" /d "CodeGen" /du "www.synergex.com" bin\release\CodeGen_$(currentVersion).msi'
+      script: 'signfile.bat bin\release\CodeGen_$(currentVersion).msi "$(SigDrive)" "$(SigPass)" "CodeGen" "$(AzureAppId)" "$(AzureDirId)"'
 
   - task: PublishBuildArtifacts@1
     displayName: 'Save MSI file as artifact'

signfile.ps1

@@ -0,0 +1,98 @@
+<#
+.SYNOPSIS
+Signs a file using AzureSignTool.
+
+.DESCRIPTION
+This function wraps AzureSignTool to sign files using Azure Key Vault. It supports different verbosity levels and allows for application authentication.
+More information for AzureSignTool can be found here: https://github.com/vcsjones/AzureSignTool
+Examples for using AzureSignTool directly for pipelines can be found here: https://github.com/vcsjones/AzureSignTool/blob/main/WALKTHROUGH.md
+
+.PARAMETER Description
+The description to be embedded in the signed file.
+
+.PARAMETER TargetFile
+The path of one or more files to be signed.
+
+.PARAMETER CertFile
+The name of the certificate in Azure Key Vault to use for signing.
+
+.PARAMETER SignSecret
+The secret associated with the Azure Key Vault.
+
+.PARAMETER Verbosity
+Controls the verbosity level of the output. Valid values are 0, 1, or 2.
+
+.PARAMETER ApplicationId
+The GUID of the Azure application to be authenticated. Default value is the ID of rg-devops-prod
+
+.PARAMETER DirectoryId
+The GUID of the Azure directory for the application. Default value is the directory of rg-devops-prod
+
+.EXAMPLE
+Azure-SignFile -Description "My Application" -TargetFile "path\to\file.exe" -CertFile "myCert" -SignSecret "secret" -Verbosity 1
+#>
+
+function Azure-SignFile
+{
+    param (
+        [Parameter(Mandatory)]
+        [string] $CertFile,
+        [Parameter(Mandatory)]
+        [string] $SignSecret,
+        [Parameter(Mandatory)]
+        [string] $Description,
+        [Parameter(Mandatory)]
+        [string[]] $TargetFile,
+        [Parameter()]
+        [int] $Verbosity,
+        [Parameter()]
+        [string] $ApplicationId,
+        [Parameter()]
+        [string] $DirectoryId
+    )
+
+    $signtool = "$env:userprofile\.dotnet\tools\AzureSignTool.exe"
+    if (!(Test-Path "$signtool" -PathType leaf))
+    {
+        $toolInstall = Start-Process -FilePath "dotnet.exe" -ArgumentList "tool install --global azuresigntool" -Wait -NoNewWindow -PassThru
+        if ($toolInstall.ExitCode -ne 0)
+        {
+            Write-Host "Failed to install azuresigntool"
+            return;
+        }
+    }
+
+    $sVerbosity = "-q"
+    if ($Verbosity -eq 1)
+    {
+        $sVerbosity = ""
+    }
+    elseif ($Verbosity -eq 2)
+    {
+        $sVerbosity = "-v"  
+    }
+
+    if ($Verbosity -eq 2)
+    {
+        Write-Host "Signing $TargetFile"
+    }
+    $arguments = "sign
+        $sVerbosity
+        -tr `"http://timestamp.digicert.com`"
+        -td sha256
+        -fd sha256
+        -d `"$Description`"
+        -du `"https://www.synergex.com`"
+        -kvu `"https://kv-synergex-premium-prod.vault.azure.net`"
+        -kvs `"$SignSecret`"
+        -kvi `"$ApplicationId`"
+        -kvt `"$DirectoryId`"
+        -kvc `"$CertFile`"
+        $TargetFile" -replace "`n","" -replace "`r","";
+
+    $signResult = Start-Process -FilePath "$signtool" -Wait -NoNewWindow -PassThru -ArgumentList $arguments
+    if ($signResult.ExitCode -ne 0)
+    {
+        Write-Error "Failed to sign files";
+    }
+}