From 3e34a25a7a5c9ea2c46f2daeeb60f072faa5aaa1 Mon Sep 17 00:00:00 2001 From: Steve Dower Date: Mon, 12 Aug 2019 14:09:36 -0700 Subject: [PATCH] bpo-37354: Sign Activate.ps1 for release (GH-15235) --- .azure-pipelines/windows-release/msi-steps.yml | 4 ++++ .azure-pipelines/windows-release/stage-build.yml | 2 +- .../windows-release/stage-layout-full.yml | 4 ++++ .../windows-release/stage-layout-msix.yml | 4 ++++ .../windows-release/stage-layout-nuget.yml | 4 ++++ .azure-pipelines/windows-release/stage-sign.yml | 15 ++++++++++++--- 6 files changed, 29 insertions(+), 4 deletions(-) diff --git a/.azure-pipelines/windows-release/msi-steps.yml b/.azure-pipelines/windows-release/msi-steps.yml index c55fa534eae..f7bff162f8e 100644 --- a/.azure-pipelines/windows-release/msi-steps.yml +++ b/.azure-pipelines/windows-release/msi-steps.yml @@ -51,6 +51,10 @@ steps: artifactName: tcltk_lib_amd64 targetPath: $(Build.BinariesDirectory)\tcltk_lib_amd64 + - powershell: | + copy $(Build.BinariesDirectory)\amd64\Activate.ps1 Lib\venv\scripts\common\Activate.ps1 -Force + displayName: 'Copy signed files into sources' + - script: | call Tools\msi\get_externals.bat call PCbuild\find_python.bat diff --git a/.azure-pipelines/windows-release/stage-build.yml b/.azure-pipelines/windows-release/stage-build.yml index ce7b3817693..c98576ef970 100644 --- a/.azure-pipelines/windows-release/stage-build.yml +++ b/.azure-pipelines/windows-release/stage-build.yml @@ -122,7 +122,7 @@ jobs: displayName: Publish Tcl/Tk Library pool: - vmName: win2016-vs2017 + vmName: windows-latest workspace: clean: all diff --git a/.azure-pipelines/windows-release/stage-layout-full.yml b/.azure-pipelines/windows-release/stage-layout-full.yml index 8b412dffcc8..12c34723901 100644 --- a/.azure-pipelines/windows-release/stage-layout-full.yml +++ b/.azure-pipelines/windows-release/stage-layout-full.yml 
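Review bot: The added 'Copy signed files into sources' step in msi-steps.yml overwrites `Lib\venv\scripts\common\Activate.ps1` with whatever the artifact download produced, and nothing in the hunk checks that the file carries a valid signature before it is packaged. A guard ahead of the copy, such as `if ((Get-AuthenticodeSignature $src).Status -ne 'Valid') { throw "Activate.ps1 is not signed" }` with `$src` set to the artifact path, would turn a skipped or failed signing stage into a build failure instead of shipping an unsigned script. It would need to be conditional if unsigned test builds are meant to pass through this step. The same unverified copy is added in stage-layout-full.yml, stage-layout-msix.yml and stage-layout-nuget.yml. The destination is a relative path and the step sets no `workingDirectory`, so it presumably relies on the default being the source checkout; the steps list continues outside the hunk.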
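Review bot: `windows-latest` in stage-build.yml is a floating label, so the image and toolchain that produce the release binaries can change between runs without any commit to this repository. For a build whose output is signed and published, a fixed image with a comment recording why it was chosen keeps toolchain changes reviewable, for example `vmImage: windows-2019  # pinned; bump deliberately`. The key in this hunk is `vmName`, while the documented key for selecting a hosted image is `vmImage`. It is worth confirming that the pool honours this value at all, since the rest of the `pool:` block is outside the hunk.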
@@ -47,6 +47,10 @@ jobs: artifactName: tcltk_lib_$(Name) targetPath: $(Build.BinariesDirectory)\tcltk_lib + - powershell: | + copy $(Build.BinariesDirectory)\bin\Activate.ps1 Lib\venv\scripts\common\Activate.ps1 -Force + displayName: 'Copy signed files into sources' + - template: ./layout-command.yml - powershell: | diff --git a/.azure-pipelines/windows-release/stage-layout-msix.yml b/.azure-pipelines/windows-release/stage-layout-msix.yml index 7d66e8f9821..ba86392f3ec 100644 --- a/.azure-pipelines/windows-release/stage-layout-msix.yml +++ b/.azure-pipelines/windows-release/stage-layout-msix.yml @@ -40,6 +40,10 @@ jobs: artifactName: tcltk_lib_$(Name) targetPath: $(Build.BinariesDirectory)\tcltk_lib + - powershell: | + copy $(Build.BinariesDirectory)\bin\Activate.ps1 Lib\venv\scripts\common\Activate.ps1 -Force + displayName: 'Copy signed files into sources' + - template: ./layout-command.yml - powershell: | diff --git a/.azure-pipelines/windows-release/stage-layout-nuget.yml b/.azure-pipelines/windows-release/stage-layout-nuget.yml index 01512975e9d..7954c4547f5 100644 --- a/.azure-pipelines/windows-release/stage-layout-nuget.yml +++ b/.azure-pipelines/windows-release/stage-layout-nuget.yml @@ -29,6 +29,10 @@ jobs: artifactName: bin_$(Name) targetPath: $(Build.BinariesDirectory)\bin + - powershell: | + copy $(Build.BinariesDirectory)\bin\Activate.ps1 Lib\venv\scripts\common\Activate.ps1 -Force + displayName: 'Copy signed files into sources' + - template: ./layout-command.yml - powershell: | diff --git a/.azure-pipelines/windows-release/stage-sign.yml b/.azure-pipelines/windows-release/stage-sign.yml index d6984a0a137..2307c6c9c8f 100644 --- a/.azure-pipelines/windows-release/stage-sign.yml +++ b/.azure-pipelines/windows-release/stage-sign.yml @@ -1,3 +1,7 @@ +parameters: + Include: '*.exe, *.dll, *.pyd, *.cat, *.ps1' + Exclude: 'vcruntime*, libffi*, libcrypto*, libssl*' + jobs: - job: Sign_Python displayName: Sign Python binaries 
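Review bot: The new `Include` and `Exclude` parameters at the top of stage-sign.yml have no comment saying how they are consumed, and later in the same file they are substituted unquoted into PowerShell script text via `${{ parameters.Include }}`. That makes each value code rather than data: anything a calling template passes is expanded into a script run by the job that invokes `signtool` with the signing certificate. I would add a comment above `parameters:` along the lines of `# Comma-separated PowerShell wildcard lists, expanded verbatim into the signing scripts; pass literals only, never user- or PR-controlled values.` Adding `*.ps1` to the default also means every PowerShell script present in the bin directory gets signed, not only Activate.ps1, which deserves a mention in the same comment.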
@@ -17,7 +21,7 @@ jobs: Name: amd64 steps: - - checkout: none + - template: ./checkout.yml - template: ./find-sdk.yml - powershell: | @@ -31,13 +35,18 @@ jobs: targetPath: $(Build.BinariesDirectory)\bin - powershell: | - $files = (gi *.exe, *.dll, *.pyd, *.cat -Exclude vcruntime*, libffi*, libcrypto*, libssl*) + copy "$(Build.SourcesDirectory)\Lib\venv\scripts\common\Activate.ps1" . + displayName: 'Copy files from source' + workingDirectory: $(Build.BinariesDirectory)\bin + + - powershell: | + $files = (gi ${{ parameters.Include }} -Exclude ${{ parameters.Exclude }}) signtool sign /a /n "$(SigningCertificate)" /fd sha256 /d "$(SigningDescription)" $files displayName: 'Sign binaries' workingDirectory: $(Build.BinariesDirectory)\bin - powershell: | - $files = (gi *.exe, *.dll, *.pyd, *.cat -Exclude vcruntime*, libffi*, libcrypto*, libssl*) + $files = (gi ${{ parameters.Include }} -Exclude ${{ parameters.Exclude }}) $failed = $true foreach ($retry in 1..10) { signtool timestamp /t http://timestamp.verisign.com/scripts/timestamp.dll $files
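Review bot: Replacing `checkout: none` with `./checkout.yml` means the signing job now signs a file taken from its own source checkout rather than from a build artifact, so the signed Activate.ps1 is whatever revision that template resolves. checkout.yml is not shown here; if it can resolve to a different commit than the build stage used, the signed script and the signed binaries would come from different sources. A short comment on the line, e.g. `# sources needed only for Lib\venv\scripts\common\Activate.ps1; must match the commit built in stage-build`, would record the intent. The change also places the whole tree in the workspace of the job that holds the signing certificate when a single file is needed, which may be worth narrowing if the template supports it.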