azure-pipelines: Add steps to sign extensions with MSBuild

azure-pipelines/1esmain.yml

@@ -15,11 +15,11 @@ resources:
   repositories:
     - repository: 1esPipelines
       type: git
-      name: 1ESPipelineTemplates/1ESPipelineTemplates
+      name: 1ESPipelineTemplates/MicroBuildTemplate
       ref: refs/tags/release
 
 extends:
-  template: v1/1ES.Official.PipelineTemplate.yml@1esPipelines
+  template: azure-pipelines/MicroBuild.1ES.Official.yml@1esPipelines
   parameters:
     sdl:
       credscan:

azure-pipelines/1esstages.yml

@@ -17,6 +17,11 @@ stages:
       - ${{ each job in parameters.jobs }}:
           - job: ${{ job.name }}
             templateContext:
+              mb: # Enable the MicroBuild Signing toolset
+                signing:
+                  enabled: true
+                  signType: real # options are 'real' & 'test'
+                  zipSources: false
               outputs:
                 - output: pipelineArtifact
                   targetPath: $(build.artifactstagingdirectory)/build/${{ job.name }}
@@ -27,6 +32,8 @@ stages:
                   additionalSetupSteps: ${{ parameters.additionalSetupSteps }}
               - template: ./templates/build.yml
               - template: ./templates/1espackage.yml
+              - template: ./templates/sign.yml
+              - template: ./templates/stage-artifacts.yml
               - template: ./templates/test.yml
                 parameters:
                   useAzureFederatedCredentials: ${{ parameters.useAzureFederatedCredentials }}

azure-pipelines/README.md

@@ -44,9 +44,56 @@ resources:
       ref: main
       endpoint: GitHub-AzureTools # The service connection to use when accessing this repository
 
+parameters:
+  - name: enableLongRunningTests
+    displayName: Enable Long Running Tests
+    type: boolean
+    default: true
+
+variables:
+  # Required by MicroBuild template
+  - name: TeamName
+    value: "Azure Tools for VS Code"
+
 # Use those templates
 extends:
   template: azure-pipelines/1esmain.yml@azExtTemplates
+  parameters:
+    useAzureFederatedCredentials: ${{ parameters.enableLongRunningTests }}
+```
+
+6. To enable extension signing, add a `SignExtension.signproj` file in the `.azure-pipelines` folder with the following contents:
+
+```xml
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="Current" Sdk="Microsoft.Build.NoTargets/3.7.56">
+  <PropertyGroup>
+    <TargetFramework>net8.0</TargetFramework>
+  </PropertyGroup>
+  <ItemGroup>
+    <!-- FilesToSign needs to be inside $(OutDir) hence we copy it into
+    $(OutDir) before (from CWD) and move it back outside after the signing -->
+    <FilesToSign Include="$(OutDir)\extension.signature.p7s">
+      <!-- Add the certificate friendly name below -->
+      <Authenticode>VSCodePublisher</Authenticode>
+    </FilesToSign>
+  </ItemGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Microsoft.VisualStudioEng.MicroBuild.Core" Version="1.0.0">
+      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+      <PrivateAssets>all</PrivateAssets>
+    </PackageReference>
+  </ItemGroup>
+
+  <Target Name="CopySignatureFile" BeforeTargets="SignFiles">
+    <Copy SourceFiles="$(ProjectDir)\..\extension.manifest" DestinationFiles="$(OutDir)\extension.signature.p7s" />
+  </Target>
+
+  <Target Name="CopyBackSignatureFile" AfterTargets="SignFiles">
+    <Copy SourceFiles="$(OutDir)\extension.signature.p7s" DestinationFiles="$(ProjectDir)\..\extension.signature.p7s" />
+  </Target>
+</Project>
 ```
 
 ### (DEPRECATED) Primary pipelines

azure-pipelines/templates/1espackage.yml

@@ -6,13 +6,3 @@ steps:
       customCommand: run package
       workingDir: $(working_directory)
     condition: succeeded()
-
-  - task: CopyFiles@2
-    displayName: "\U0001F449 Copy packages and vsix to staging directory"
-    inputs:
-      Contents: |
-        **/*.vsix
-        **/*.tar.gz
-        **/*.tgz
-      TargetFolder: "$(build.artifactstagingdirectory)/build/$(artifact_name)"
-    condition: and(succeeded(), ne(variables['System.PullRequest.IsFork'], 'True'))

azure-pipelines/templates/sign.yml

@@ -0,0 +1,32 @@
+steps:
+  # Check if the SignExtension.signproj file exists and set a variable using PowerShell
+  # All other steps in this template will only run if the file exists
+  - powershell: |
+      $fileExists = Test-Path -Path "$(Build.SourcesDirectory)/.azure-pipelines/SignExtension.signproj"
+      Write-Output "##vso[task.setvariable variable=signprojExists]$fileExists"
+
+      if ($fileExists) {
+          Write-Output "SignExtension.signproj file found. Signing extension."
+      } else {
+          Write-Output "SignExtension.signproj file not found. Skipping signing."
+      }
+    displayName: "\U0001F449 Check for SignExtension.signproj File"
+
+  # put the extension name and version from the package.json into variables to use later. Variables can be used in later steps as $(package.name) and $(package.version)
+  - pwsh: | 
+      Write-Output "##vso[task.setvariable variable=name;isOutput=true]$((Get-Content -Raw -Path package.json | ConvertFrom-Json).name)"
+      Write-Output "##vso[task.setvariable variable=version;isOutput=true]$((Get-Content -Raw -Path package.json | ConvertFrom-Json).version)"
+    condition: eq(variables['signprojExists'], True)
+    name: package
+    displayName: "\U0001F449 Get extension info from package.json"
+
+  - script: npx @vscode/vsce@latest generate-manifest -i $(package.name)-$(package.version).vsix -o $(Build.SourcesDirectory)/extension.manifest
+    condition: eq(variables['signprojExists'], True)
+    displayName: "\U0001F449 Generate extension manifest"
+
+  - task: DotNetCoreCLI@2
+    condition: eq(variables['signprojExists'], True)
+    displayName: "\U0001F449 Sign with MSBuild"
+    inputs:
+      command: 'build'
+      projects: $(Build.SourcesDirectory)/.azure-pipelines/SignExtension.signproj

azure-pipelines/templates/stage-artifacts.yml

@@ -0,0 +1,17 @@
+steps:
+  - task: CopyFiles@2
+    displayName: "\U0001F449 Copy packages and vsix to staging directory"
+    inputs:
+      # Uploading the package.json so we can publish later without cloning the source
+      # Files related to signing:
+      #   extension.manifest is the signature file
+      #   extension.signature.p7s is the extension manifest generated by vsce
+      Contents: |
+        **/*.vsix
+        package.json
+        extension.manifest
+        extension.signature.p7s
+        **/*.tar.gz
+        **/*.tgz
+      TargetFolder: "$(build.artifactstagingdirectory)/build/$(artifact_name)"
+    condition: and(succeeded(), ne(variables['System.PullRequest.IsFork'], 'True'))