diff --git a/.azure/OneBranch.Publish.yml b/.azure/OneBranch.Publish.yml index f66a1d7971..7b27d8bd9b 100644 --- a/.azure/OneBranch.Publish.yml +++ b/.azure/OneBranch.Publish.yml @@ -15,6 +15,12 @@ variables: DisableDockerDetector: true parameters: +- name: opensslrpmcblrepos + type: object + default: + - cbl-mariner-1.0-prod-Microsoft-x86_64-rpms-yum + - cbl-mariner-2.0-prod-Microsoft-x86_64-yum + - cbl-mariner-2.0-prod-Microsoft-aarch64-yum - name: opensslrpmrepos type: object default: @@ -29,9 +35,6 @@ parameters: - microsoft-rhel7.3-prod-yum - microsoft-rhel8.0-prod-yum - microsoft-rhel8.1-prod-yum - - cbl-mariner-1.0-prod-Microsoft-x86_64-rpms-yum - - cbl-mariner-2.0-prod-Microsoft-x86_64-yum - - cbl-mariner-2.0-prod-Microsoft-aarch64-yum - name: openssldebrepos type: object default: @@ -90,7 +93,7 @@ stages: inputs: secureFile: 'auth.pem' - ${{ each repo in parameters.openssldebrepos }}: - - script: bash scripts/upload-linux-packages.sh -i $(PMCv4ClientId) -c $(pmcv4cert.secureFilePath) -f $(Build.SourcesDirectory)/artifacts/signed/openssl -r ${{ repo }} -n "*.deb" + - script: bash scripts/upload-linux-packages.sh -i $(PMCv4ClientId) -c $(pmcv4cert.secureFilePath) -f $(Build.SourcesDirectory)/artifacts/signed/openssl/gen -r ${{ repo }} -n "*.deb" condition: eq(${{ parameters.debug }}, false) displayName: ${{ repo }} continueOnError: true 
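Review bot: The new `opensslrpmcblrepos` parameter carries no comment explaining why these three repos are split out of `opensslrpmrepos`, and the reason is a signing boundary. Going by the rest of this commit, they are fed from the `cbl` directory, which is signed with a separate profile. Without that stated, a later edit could add a Mariner repo back to the general list and publish general-purpose-signed RPMs there. I would add above the entry: `# CBL-Mariner repos: fed only from artifacts/signed/openssl/cbl (signed with the CBL profile); do not list these in opensslrpmrepos`.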
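Review bot: The upload in the `openssldebrepos` loop now reads from `…/artifacts/signed/openssl/gen` but keeps `continueOnError: true`, so nothing stops the job if the downloaded artifact has no `gen` subdirectory. A run picked by `runId` that predates the gen/cbl split would presumably upload nothing or fail per repo, and the job would still finish without a hard failure. The same applies to the `openssl/gen` RPM hunk, the new `openssl/cbl` job and both `openssl3/gen` hunks. A guard step ahead of each loop, without `continueOnError`, would catch this before any repo is touched, for example `- script: test -n "$(find $(Build.SourcesDirectory)/artifacts/signed/openssl/gen -name '*.deb' -print -quit)"`. The job's step list begins outside the hunk.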
@@ -120,7 +123,37 @@ stages: inputs: secureFile: 'auth.pem' - ${{ each repo in parameters.opensslrpmrepos }}: - - script: bash scripts/upload-linux-packages.sh -i $(PMCv4ClientId) -c $(pmcv4cert.secureFilePath) -f $(Build.SourcesDirectory)/artifacts/signed/openssl -r ${{ repo }} -n "*.rpm" + - script: bash scripts/upload-linux-packages.sh -i $(PMCv4ClientId) -c $(pmcv4cert.secureFilePath) -f $(Build.SourcesDirectory)/artifacts/signed/openssl/gen -r ${{ repo }} -n "*.rpm" + condition: eq(${{ parameters.debug }}, false) + displayName: ${{ repo }} + continueOnError: true + - job: UploadPackage_openssl_rpms_cbl + displayName: Upload openSSL based RPM packages to CBL repos + timeoutInMinutes: 120 + workspace: + clean: all + pool: + vmImage: 'ubuntu-latest' + variables: + - group: MsQuicAADApp + steps: + - task: DownloadPipelineArtifact@2 + inputs: + source: specific + project: $(resources.pipeline.onebranch.projectID) + pipeline: $(resources.pipeline.onebranch.pipelineID) + preferTriggeringPipeline: true + runVersion: specific + runId: $(resources.pipeline.onebranch.runID) + artifact: drop_package_linux_distribution_openssl + path: $(Build.SourcesDirectory)/artifacts/signed/openssl + - task: DownloadSecureFile@1 + name: pmcv4cert + displayName: 'Download cert for PMC v4' + inputs: + secureFile: 'auth.pem' + - ${{ each repo in parameters.opensslrpmcblrepos }}: + - script: bash scripts/upload-linux-packages.sh -i $(PMCv4ClientId) -c $(pmcv4cert.secureFilePath) -f $(Build.SourcesDirectory)/artifacts/signed/openssl/cbl -r ${{ repo }} -n "*.rpm" condition: eq(${{ parameters.debug }}, false) displayName: ${{ repo }} continueOnError: true 
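Review bot: In the new `UploadPackage_openssl_rpms_cbl` job, `-r ${{ repo }}` is expanded unquoted into the bash line at template-compile time. Whatever text sits in `opensslrpmcblrepos` therefore becomes shell source in a step that has `$(pmcv4cert.secureFilePath)` and `$(PMCv4ClientId)` in scope. If this file is the pipeline root, the list can be overridden when a run is queued, so it should be treated as input rather than a constant. Passing the value through the environment keeps it as data: add `env:` with `REPO: ${{ repo }}` to the step and use `-r "$REPO"` in the script. The existing upload loops visible in the other hunks follow the same pattern and would benefit from the same change.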
@@ -150,7 +183,7 @@ stages: inputs: secureFile: 'auth.pem' - ${{ each repo in parameters.openssl3debrepos }}: - - script: bash scripts/upload-linux-packages.sh -i $(PMCv4ClientId) -c $(pmcv4cert.secureFilePath) -f $(Build.SourcesDirectory)/artifacts/signed/openssl3 -r ${{ repo }} -n "*.deb" + - script: bash scripts/upload-linux-packages.sh -i $(PMCv4ClientId) -c $(pmcv4cert.secureFilePath) -f $(Build.SourcesDirectory)/artifacts/signed/openssl3/gen -r ${{ repo }} -n "*.deb" condition: eq(${{ parameters.debug }}, false) displayName: ${{ repo }} continueOnError: true @@ -180,7 +213,7 @@ stages: inputs: secureFile: 'auth.pem' - ${{ each repo in parameters.openssl3rpmrepos }}: - - script: bash scripts/upload-linux-packages.sh -i $(PMCv4ClientId) -c $(pmcv4cert.secureFilePath) -f $(Build.SourcesDirectory)/artifacts/signed/openssl3 -r ${{ repo }} -n "*.rpm" + - script: bash scripts/upload-linux-packages.sh -i $(PMCv4ClientId) -c $(pmcv4cert.secureFilePath) -f $(Build.SourcesDirectory)/artifacts/signed/openssl3/gen -r ${{ repo }} -n "*.rpm" condition: eq(${{ parameters.debug }}, false) displayName: ${{ repo }} continueOnError: true diff --git a/.azure/obtemplates/build-linux-packages.yml b/.azure/obtemplates/build-linux-packages.yml index 3625aedfb7..c5fba7c5c5 100644 --- a/.azure/obtemplates/build-linux-packages.yml +++ b/.azure/obtemplates/build-linux-packages.yml 
@@ -43,11 +43,23 @@ jobs: inputs: pwsh: false filePath: scripts/package-distribution.ps1 + - script: | # prepare 2 sets of packages for signing with different keys (gen = general purpose, cbl = cbl-mariner) + mkdir $(Build.SourcesDirectory)/artifacts/dist/gen + find $(Build.SourcesDirectory)/artifacts/dist -type f -exec mv -t $(Build.SourcesDirectory)/artifacts/dist/gen/ {} + + cp -r $(Build.SourcesDirectory)/artifacts/dist/gen/ $(Build.SourcesDirectory)/artifacts/dist/cbl/ - ${{ if not(eq(parameters.sign, false)) }}: - task: onebranch.pipeline.signing@1 - displayName: Sign + displayName: Sign General Purpose Packages inputs: command: 'sign' signing_profile: 'CP-450779-pgpdetached' files_to_sign: '**/*.rpm;**/*.deb' - search_root: '$(ob_outputDirectory)' + search_root: $(Build.SourcesDirectory)/artifacts/dist/gen + - ${{ if not(eq(parameters.sign, false)) }}: + - task: onebranch.pipeline.signing@1 + displayName: Sign CBL Packages + inputs: + command: 'sign' + signing_profile: 'CP-459159-pgpdetached' + files_to_sign: '**/*.rpm;**/*.deb' + search_root: $(Build.SourcesDirectory)/artifacts/dist/cbl
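Review bot: The added split step runs `mkdir`, `find … -exec mv` and `cp -r` with no `set -e`, so as far as I can tell only the final `cp` decides the step's result. A failed `mkdir` or a partial move would still let both signing steps run over an incomplete `gen`/`cbl` set. The `find` also starts at `artifacts/dist`, which by then contains `gen` itself, and the flat `mv -t` would silently overwrite packages that share a file name in different subdirectories. Separately, the CBL signing step keeps `files_to_sign: '**/*.rpm;**/*.deb'`, although the CBL upload job in this commit publishes only `*.rpm` from `cbl`. Narrowing it to `files_to_sign: '**/*.rpm'` keeps `CP-459159-pgpdetached` off files it never needs to vouch for. The job's step list begins outside the hunk.

```yaml
- script: | # prepare 2 sets of packages for signing with different keys (gen = general purpose, cbl = cbl-mariner)
    set -euo pipefail
    dist="$(Build.SourcesDirectory)/artifacts/dist"
    mkdir -p "$dist/gen"
    # do not descend into gen, which already lies under dist
    find "$dist" -path "$dist/gen" -prune -o -type f -exec mv -t "$dist/gen/" {} +
    cp -r "$dist/gen/" "$dist/cbl/"
# … unchanged: the two onebranch.pipeline.signing@1 steps …
```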