From 6b71c7d352ed5afe58f2315ff21f673e9496ed5e Mon Sep 17 00:00:00 2001
From: Lessley Dennington
Date: Mon, 27 Jun 2022 14:41:32 -0700
Subject: [PATCH] fixup! release: add signing step for .deb package
---
 .github/scripts/sign-debian-packages.py | 118 ---------------------
 .github/workflows/build-git-installers.yml | 34 +++---
 2 files changed, 19 insertions(+), 133 deletions(-)
 delete mode 100644 .github/scripts/sign-debian-packages.py
diff --git a/.github/scripts/sign-debian-packages.py b/.github/scripts/sign-debian-packages.py
deleted file mode 100644
index d0025fb14b9a7a..00000000000000
--- a/.github/scripts/sign-debian-packages.py
+++ /dev/null
@@ -1,118 +0,0 @@
-import json
-import os
-import glob
-import pprint
-import subprocess
-import sys
-
-esrp_tool = os.path.join("esrp", "tools", "EsrpClient.exe")
-
-AAD_ID = os.environ['AZURE_AAD_ID'].strip()
-AAD_ID_TEMP = os.environ['AZURE_AAD_ID_TEMP'].strip()
-WORKSPACE = os.environ['GITHUB_WORKSPACE'].strip()
-ARTIFACTS_DIR = os.environ['ARTIFACTS_DIR'].strip()
-
-def main():
- source_root_location = os.path.join(WORKSPACE, ARTIFACTS_DIR, "unsigned")
- destination_location = os.path.join(WORKSPACE, ARTIFACTS_DIR)
-
- files = glob.glob(os.path.join(source_root_location, "*.deb"))
-
- print("Found files:")
- pprint.pp(files)
-
- if len(files) < 1 or not files[0].endswith(".deb"):
- print("Error: cannot find .deb to sign")
- exit(1)
-
- file_to_sign = os.path.basename(files[0])
-
- auth_json = {
- "Version": "1.0.0",
- "AuthenticationType": "AAD_CERT",
- "TenantId": "72f988bf-86f1-41af-91ab-2d7cd011db47",
- "ClientId": AAD_ID,
- "AuthCert": {
- "SubjectName": f"CN={AAD_ID_TEMP}.microsoft.com",
- "StoreLocation": "LocalMachine",
- "StoreName": "My",
- },
- "RequestSigningCert": {
- "SubjectName": f"CN={AAD_ID}",
- "StoreLocation": "LocalMachine",
- "StoreName": "My",
- }
- }
-
- input_json = {
- "Version": "1.0.0",
- "SignBatches": [
- {
- "SourceLocationType": "UNC",
- "SourceRootDirectory": source_root_location,
- "DestinationLocationType": "UNC",
- "DestinationRootDirectory": destination_location,
- "SignRequestFiles": [
- {
- "CustomerCorrelationId": "01A7F55F-6CDD-4123-B255-77E6F212CDAD",
- "SourceLocation": file_to_sign,
- "DestinationLocation": os.path.join("signed", file_to_sign),
- }
- ],
- "SigningInfo": {
- "Operations": [
- {
- "KeyCode": "CP-450779-Pgp",
- "OperationCode": "LinuxSign",
- "Parameters": {},
- "ToolName": "sign",
- "ToolVersion": "1.0",
- }
- ]
- }
- }
- ]
- }
-
- policy_json = {
- "Version": "1.0.0",
- "Intent": "production release",
- "ContentType": "Debian package",
- }
-
- configs = [
- ("auth.json", auth_json),
- ("input.json", 
input_json),
- ("policy.json", policy_json),
- ]
-
- for filename, data in configs:
- with open(filename, 'w') as fp:
- json.dump(data, fp)
-
- # Run ESRP Client
- esrp_out = "esrp_out.json"
- result = subprocess.run(
- [esrp_tool, "sign",
- "-a", "auth.json",
- "-i", "input.json",
- "-p", "policy.json",
- "-o", esrp_out,
- "-l", "Verbose"],
- cwd=WORKSPACE)
-
- if result.returncode != 0:
- print("Failed to run ESRPClient.exe")
- sys.exit(1)
-
- if os.path.isfile(esrp_out):
- print("ESRP output json:")
- with open(esrp_out, 'r') as fp:
- pprint.pp(json.load(fp))
-
- signed_file = os.path.join(destination_location, "signed", file_to_sign)
- if os.path.isfile(signed_file):
- print(f"Success!\nSigned {signed_file}")
-
-if __name__ == "__main__":
- main()
\ No newline at end of file
diff --git a/.github/workflows/build-git-installers.yml b/.github/workflows/build-git-installers.yml
index afc431e61f4997..3405cf02d06462 100644
--- a/.github/workflows/build-git-installers.yml
+++ b/.github/workflows/build-git-installers.yml
@@ -641,38 +641,42 @@ jobs:
 steps:
 - name: Clone repository
 uses: actions/checkout@v2
+ with:
+ path: 'git'
 - name: Download unsigned packages
 uses: actions/download-artifact@v2
 with:
 name: deb-package-unsigned
- path: ${{ env.ARTIFACTS_DIR }}/unsigned
+ path: unsigned
 - uses: azure/login@v1
 with:
 creds: ${{ secrets.AZURE_CREDENTIALS }}
- - name: Download ESRP client
- run: |
- az storage blob download --subscription "${{ secrets.AZURE_SUBSCRIPTION }}" --account-name msftgitesrp -c microsoft-esrp-client -n microsoft.esrpclient.1.2.76.nupkg -f esrp.zip
- Expand-Archive -Path esrp.zip -DestinationPath .\esrp
- - name: Install ESRP certificates
+ - name: Set up ESRP client
+ shell: pwsh
+ env:
+ AZURE_STORAGE_KEY: ${{ secrets.AZURE_STORAGE_KEY }}
+ AZURE_VAULT: ${{ secrets.AZURE_VAULT }}
+ AUTH_CERT: ${{ secrets.AZURE_VAULT_AUTH_CERT_NAME }}
+ REQUEST_SIGNING_CERT: ${{ secrets.AZURE_VAULT_REQUEST_SIGNING_CERT_NAME }}
 run: |
- az keyvault secret download --subscription "${{ secrets.AZURE_SUBSCRIPTION }}" --vault-name "msft-git-esrp" --name "microsoft-git-esrp-auth-cert" -f auth_cert.pfx
- Import-PfxCertificate auth_cert.pfx -CertStoreLocation Cert:\LocalMachine\My
- az keyvault secret download --subscription "${{ secrets.AZURE_SUBSCRIPTION }}" --vault-name "msft-git-esrp" --name "microsoft-git-request-signing-cert" -f request_signing_cert.pfx
- Import-PfxCertificate request_signing_cert.pfx -CertStoreLocation Cert:\LocalMachine\My
- - uses: actions/setup-python@v2
- - name: Run ESRP client
+ git\.github\scripts\set-up-esrp.ps1
+ - name: Sign package
+ shell: pwsh
 env:
 AZURE_AAD_ID: ${{ secrets.AZURE_AAD_ID }}
 # We temporarily need two AAD IDs, as we're using an SSL certificate associated
 # with an older App Registration until we have the required hardware to approve
 # the new certificate in SSL Admin.
- AZURE_AAD_ID_TEMP: ${{ secrets.AAD_ID_TEMP }}
- run: python .github/scripts/sign-debian-packages.py
+ AZURE_AAD_ID_SSL: ${{ secrets.AZURE_AAD_ID_SSL }}
+ LINUX_KEY_CODE: ${{ secrets.LINUX_KEY_CODE }}
+ LINUX_OP_CODE: ${{ secrets.LINUX_OPERATION_CODE }}
+ run: |
+ python git\.github\scripts\run-esrp-signing.py unsigned $env:LINUX_KEY_CODE $env:LINUX_OP_CODE
 - name: Upload signed artifact
 uses: actions/upload-artifact@v2
 with:
 name: deb-package-signed
- path: ${{ env.ARTIFACTS_DIR }}/signed
+ path: signed
 # End build & sign Ubuntu package
 create-github-release:
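Review bot: Nothing between the new `Sign package` step and `Upload signed artifact` verifies that a signed .deb actually landed in `signed`; whether run-esrp-signing.py exits non-zero when ESRP produces no output file is not visible in this hunk, and upload-artifact@v2 only warns by default when its path matches nothing, so the release job could continue past a silently failed signing. Adding `if-no-files-found: error` under the upload step's `with:`, or a one-line check after the python call such as `if (-not (Get-ChildItem signed -Filter *.deb)) { throw "no signed .deb produced" }`, turns that into a hard failure. The commit also removes `actions/setup-python@v2` while the step still invokes `python`, so signing now depends on whichever interpreter the runner image happens to ship; keeping a pinned setup-python step makes the signing environment reproducible. `LINUX_KEY_CODE` and `LINUX_OP_CODE` are already exported into the step's environment but are passed again as positional arguments, where they are visible in the runner's process list to anything else running on the machine; having run-esrp-signing.py read them from the environment avoids that exposure.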