Adopt vsix sign in the release pipeline (#1039)

testforstephen · web-flow · commit 727a70844ac7 · 2024-07-29T12:47:20.000+08:00
diff --git a/.azure-pipelines/nightly.yml b/.azure-pipelines/nightly.yml
@@ -78,7 +78,7 @@ extends:
               - bash: |
                   npx json@latest -I -f package.json -e "this.version=this.version.substring(0, this.version.lastIndexOf('.'))+\".$(date -u +'%Y%m%d%H')\""
                 displayName: Update patch version in package.json
-              - script: 'npx @vscode/vsce@latest package --pre-release'
+              - script: 'npx @vscode/vsce@latest package --pre-release -o extension.vsix'
                 displayName: 'package vsix'
               ### Copy files for APIScan
               - task: CopyFiles@2
@@ -99,8 +99,41 @@ extends:
                 condition: and(succeeded(), ne(variables['DisableAPIScan'], 'true'))
                 env:
                   AzureServicesAuthConnectionString: runAs=App;AppId=$(ApiScanClientId);TenantId=$(ApiScanTenant);AppKey=$(ApiScanSecret)
+              - script: npx @vscode/vsce@latest generate-manifest -i extension.vsix -o extension.manifest
+                displayName: 'Generate extension manifest'
+              - script: cp extension.manifest extension.signature.p7s
+                displayName: 'Prepare manifest for signing'
+              - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@5
+                inputs:
+                  ConnectedServiceName: $(EsrpConnectionServiceName)
+                  AppRegistrationClientId: $(AppRegistrationClientId)
+                  AppRegistrationTenantId: $(AppRegistrationTenantId)
+                  AuthAKVName: $(AuthAKVName)
+                  AuthCertName: $(AuthCertName)
+                  AuthSignCertName: $(AuthSignCertName)
+                  FolderPath: '.'
+                  Pattern: 'extension.signature.p7s'
+                  signConfigType: inlineSignParams
+                  inlineOperation: |
+                    [
+                      {
+                        "keyCode": "CP-401405",
+                        "operationSetCode": "VSCodePublisherSign",
+                        "parameters" : [],
+                        "toolName": "sign",
+                        "toolVersion": "1.0"
+                      }
+                    ]
+                  SessionTimeout: 90
+                  MaxConcurrency: 25
+                  MaxRetryAttempts: 5
+                  PendingAnalysisWaitTimeoutMinutes: 5
+                displayName: 'Sign extension'
               - task: CopyFiles@2
                 displayName: 'Copy Files to: $(Build.ArtifactStagingDirectory)'
                 inputs:
-                  Contents: '*.vsix'
+                  Contents: |
+                    extension.vsix
+                    extension.manifest
+                    extension.signature.p7s
                   TargetFolder: '$(Build.ArtifactStagingDirectory)'
diff --git a/.azure-pipelines/rc.yml b/.azure-pipelines/rc.yml
@@ -75,7 +75,7 @@ extends:
               - bash: |
                   npx json@latest -I -f package.json -e "this.aiKey=\"$(AI_KEY)\""
                 displayName: Replace AI Key
-              - script: 'npx @vscode/vsce@latest package'
+              - script: 'npx @vscode/vsce@latest package -o extension.vsix'
                 displayName: 'package vsix'
               ### Copy files for APIScan
               - task: CopyFiles@2
@@ -96,8 +96,41 @@ extends:
                 condition: and(succeeded(), ne(variables['DisableAPIScan'], 'true'))
                 env:
                   AzureServicesAuthConnectionString: runAs=App;AppId=$(ApiScanClientId);TenantId=$(ApiScanTenant);AppKey=$(ApiScanSecret)
+              - script: npx @vscode/vsce@latest generate-manifest -i extension.vsix -o extension.manifest
+                displayName: 'Generate extension manifest'
+              - script: cp extension.manifest extension.signature.p7s
+                displayName: 'Prepare manifest for signing'
+              - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@5
+                inputs:
+                  ConnectedServiceName: $(EsrpConnectionServiceName)
+                  AppRegistrationClientId: $(AppRegistrationClientId)
+                  AppRegistrationTenantId: $(AppRegistrationTenantId)
+                  AuthAKVName: $(AuthAKVName)
+                  AuthCertName: $(AuthCertName)
+                  AuthSignCertName: $(AuthSignCertName)
+                  FolderPath: '.'
+                  Pattern: 'extension.signature.p7s'
+                  signConfigType: inlineSignParams
+                  inlineOperation: |
+                    [
+                      {
+                        "keyCode": "CP-401405",
+                        "operationSetCode": "VSCodePublisherSign",
+                        "parameters" : [],
+                        "toolName": "sign",
+                        "toolVersion": "1.0"
+                      }
+                    ]
+                  SessionTimeout: 90
+                  MaxConcurrency: 25
+                  MaxRetryAttempts: 5
+                  PendingAnalysisWaitTimeoutMinutes: 5
+                displayName: 'Sign extension'
               - task: CopyFiles@2
                 displayName: 'Copy Files to: $(Build.ArtifactStagingDirectory)'
                 inputs:
-                  Contents: '*.vsix'
+                  Contents: |
+                    extension.vsix
+                    extension.manifest
+                    extension.signature.p7s
                   TargetFolder: '$(Build.ArtifactStagingDirectory)'
