|
| 1 | +name: PSReadLine-ModuleBuild-$(Build.BuildId) |
| 2 | +trigger: |
| 3 | + branches: |
| 4 | + include: |
| 5 | + - master |
| 6 | + - release* |
| 7 | + |
| 8 | +variables: |
| 9 | + DOTNET_CLI_TELEMETRY_OPTOUT: 1 |
| 10 | + POWERSHELL_TELEMETRY_OPTOUT: 1 |
| 11 | + DOTNET_SKIP_FIRST_TIME_EXPERIENCE: 1 |
| 12 | + |
| 13 | +# Set AzDevOps Agent to clean the machine after the end of the build |
| 14 | +resources: |
| 15 | +- repo: self |
| 16 | + clean: true |
| 17 | + |
| 18 | +jobs: |
| 19 | +- job: build_windows |
| 20 | + pool: Package ES Lab A |
| 21 | + |
| 22 | + steps: |
| 23 | + |
| 24 | + - checkout: self |
| 25 | + clean: true |
| 26 | + persistCredentials: true |
| 27 | + |
| 28 | + - task: PkgESSetupBuild@10 |
| 29 | + displayName: 'Initialize build' |
| 30 | + inputs: |
| 31 | + # Do not create a release share. |
| 32 | + # Enabling this will cause failures! |
| 33 | + useDfs: false |
| 34 | + productName: PSReadLine |
| 35 | + # Add branch name to build name (only for non-master) |
| 36 | + branchVersion: true |
| 37 | + disableWorkspace: true |
| 38 | + disableBuildTools: true |
| 39 | + disableNugetPack: true |
| 40 | + |
| 41 | + - pwsh: | |
| 42 | + $(Build.SourcesDirectory)\build.ps1 -Bootstrap |
| 43 | + $(Build.SourcesDirectory)\build.ps1 -Configuration Release -Framework net461 |
| 44 | + # Set target folder paths |
| 45 | + $vstsCommandString = "vso[task.setvariable variable=PSReadLine]$(Build.SourcesDirectory)\bin\Release\PSReadLine" |
| 46 | + Write-Host "sending " + $vstsCommandString |
| 47 | + Write-Host "##$vstsCommandString" |
| 48 | + $vstsCommandString = "vso[task.setvariable variable=Signed]$(Build.SourcesDirectory)\bin\Release\Signed" |
| 49 | + Write-Host "sending " + $vstsCommandString |
| 50 | + Write-Host "##$vstsCommandString" |
| 51 | + displayName: Bootstrap & Build |
| 52 | +
|
| 53 | + # Sign the module files |
| 54 | + - task: PkgESCodeSign@10 |
| 55 | + displayName: 'CodeSign - module artifacts' |
| 56 | + env: |
| 57 | + SYSTEM_ACCESSTOKEN: $(System.AccessToken) |
| 58 | + inputs: |
| 59 | + signConfigXml: '$(Build.SourcesDirectory)\.vsts-ci\sign-module-files.xml' |
| 60 | + inPathRoot: '$(PSReadLine)' |
| 61 | + outPathRoot: '$(Signed)' |
| 62 | + binVersion: Production |
| 63 | + binVersionOverride: '' |
| 64 | + |
| 65 | + # Replace the *.psm1, *.ps1, *.psd1, *.dll files with the signed ones |
| 66 | + - pwsh: | |
| 67 | + # Show the signed files |
| 68 | + Get-ChildItem -Path $(Signed) |
| 69 | + Copy-Item -Path $(Signed)\* -Destination $(PSReadLine) -Force |
| 70 | + displayName: 'Replace unsigned files with signed ones' |
| 71 | +
|
| 72 | + # Create catalog file from the signed modules files |
| 73 | + - pwsh: | |
| 74 | + New-FileCatalog -CatalogFilePath $(PSReadLine)\PSReadLine.cat -Path $(PSReadLine) -CatalogVersion 2.0 | ` |
| 75 | + ForEach-Object -MemberName FullName |
| 76 | + displayName: 'Create catalog file' |
| 77 | +
|
| 78 | + # Sign the catalog file |
| 79 | + - task: PkgESCodeSign@10 |
| 80 | + displayName: 'CodeSign - catalog file' |
| 81 | + env: |
| 82 | + SYSTEM_ACCESSTOKEN: $(System.AccessToken) |
| 83 | + inputs: |
| 84 | + signConfigXml: '$(Build.SourcesDirectory)\.vsts-ci\sign-catalog.xml' |
| 85 | + inPathRoot: '$(PSReadLine)' |
| 86 | + outPathRoot: '$(Signed)' |
| 87 | + binVersion: Production |
| 88 | + binVersionOverride: '' |
| 89 | + |
| 90 | + # Copy the signed catalog file over |
| 91 | + - pwsh: | |
| 92 | + # Show the signed files |
| 93 | + Get-ChildItem -Path $(Signed) |
| 94 | + Copy-Item -Path $(Signed)\PSReadLine.cat -Destination $(PSReadLine) -Force |
| 95 | + displayName: 'Replace catalog file with the signed one' |
| 96 | +
|
| 97 | + # Verify the signatures |
| 98 | + - pwsh: | |
| 99 | + $HasInvalidFiles = $false |
| 100 | + $WrongCert = @{} |
| 101 | + Get-ChildItem -Path $(PSReadLine) -Recurse -Include "*.dll","*.ps*1*","*.cat" | ` |
| 102 | + Get-AuthenticodeSignature | ForEach-Object { |
| 103 | + $_ | Select-Object Path, Status |
| 104 | + if ($_.Status -ne 'Valid') { $HasInvalidFiles = $true } |
| 105 | + if ($_.SignerCertificate.Subject -notmatch 'CN=Microsoft Corporation.*') { |
| 106 | + $WrongCert.Add($_.Path, $_.SignerCertificate.Subject) |
| 107 | + } |
| 108 | + } |
| 109 | +
|
| 110 | + if ($HasInvalidFiles) { throw "Authenticode verification failed. There is one or more invalid files." } |
| 111 | + if ($WrongCert.Count -gt 0) { |
| 112 | + $WrongCert |
| 113 | + throw "Certificate should have the subject starts with 'Microsoft Corporation'" |
| 114 | + } |
| 115 | + displayName: 'Verify the signed files' |
| 116 | +
|
| 117 | + - pwsh: | |
| 118 | + $CatInfo = Test-FileCatalog -Path $(PSReadLine) -CatalogFilePath $(PSReadLine)\PSReadLine.cat -Detailed |
| 119 | + $CatInfo | Format-List |
| 120 | + if ($CatInfo.Status -ne "Valid") { throw "Catalog file is invalid." } |
| 121 | + displayName: 'Verify the catalog file' |
| 122 | +
|
| 123 | + - pwsh: | |
| 124 | + Get-ChildItem -Path $(PSReadLine) |
| 125 | + Write-Host "##vso[artifact.upload containerfolder=PSReadLine;artifactname=PSReadLine]$(PSReadLine)" |
| 126 | + displayName: 'Upload module artifacts' |
0 commit comments