diff --git a/azure-pipelines.yml b/azure-pipelines.yml index d04a2c94..29f5a9bd 100644 --- a/azure-pipelines.yml +++ b/azure-pipelines.yml @@ -28,6 +28,8 @@ resources: jobs: - job: Windows pool: Hosted Windows 2019 with VS2019 + variables: + - group: dotnetfoundation code signing steps: - checkout: self clean: true @@ -118,6 +120,22 @@ jobs: TargetFolder: $(Build.ArtifactStagingDirectory)/deployables flattenFolders: true displayName: Collecting deployable artifacts + + - pwsh: > + dotnet tool install --tool-path obj SignClient + + obj/SignClient sign + --baseDirectory '$(Build.ArtifactStagingDirectory)/deployables' + --input '**/*' + --config '$(System.DefaultWorkingDirectory)/azure-pipelines/SignClient.json' + --filelist '$(System.DefaultWorkingDirectory)/azure-pipelines/signfiles.txt' + --user '$(codesign_username)' + --secret '$(codesign_secret)' + --name 'Nerdbank.GitVersioning' + --descriptionUrl 'https://github.com/dotnet/Nerdbank.GitVersioning' + displayName: Code sign + condition: and(succeeded(), ne(variables['Build.Reason'], 'PullRequest')) + - task: PublishBuildArtifacts@1 inputs: PathtoPublish: $(Build.ArtifactStagingDirectory)/deployables diff --git a/azure-pipelines/SignClient.json b/azure-pipelines/SignClient.json new file mode 100644 index 00000000..e940588c --- /dev/null +++ b/azure-pipelines/SignClient.json @@ -0,0 +1,13 @@ +{ + "SignClient": { + "AzureAd": { + "AADInstance": "https://login.microsoftonline.com/", + "ClientId": "c248d68a-ba6f-4aa9-8a68-71fe872063f8", + "TenantId": "16076fdc-fcc1-4a15-b1ca-32c9a255900e" + }, + "Service": { + "Url": "https://codesign.dotnetfoundation.org/", + "ResourceId": "https://SignService/3c30251f-36f3-490b-a955-520addb85001" + } + } + } diff --git a/azure-pipelines/signfiles.txt b/azure-pipelines/signfiles.txt new file mode 100644 index 00000000..687c3f0e --- /dev/null +++ b/azure-pipelines/signfiles.txt @@ -0,0 +1,4 @@ +**/Cake.GitVersioning.dll +**/Nerdbank*.dll +**/nbgv.dll +**/*.ps1