cpython/.azure-pipelines/windows-release/stage-sign.yml

131 lines
3.7 KiB
YAML

parameters:
Include: '*.exe, *.dll, *.pyd, *.cat, *.ps1'
Exclude: 'vcruntime*, libffi*, libcrypto*, libssl*'
jobs:
- job: Sign_Python
displayName: Sign Python binaries
condition: and(succeeded(), variables['SigningCertificate'])
pool:
name: 'Windows Release'
workspace:
clean: all
strategy:
matrix:
win32:
Name: win32
amd64:
Name: amd64
arm64:
Name: arm64
steps:
- template: ./checkout.yml
- template: ./find-sdk.yml
- powershell: |
$d = (.\PCbuild\build.bat -V) | %{ if($_ -match '\s+(\w+):\s*(.+)\s*$') { @{$Matches[1] = $Matches[2];} }};
Write-Host "##vso[task.setvariable variable=SigningDescription]Python $($d.PythonVersion)"
displayName: 'Update signing description'
condition: and(succeeded(), not(variables['SigningDescription']))
- powershell: |
Write-Host "##vso[build.addbuildtag]signed"
displayName: 'Add build tags'
- task: DownloadPipelineArtifact@1
displayName: 'Download artifact: unsigned_bin_$(Name)'
inputs:
artifactName: unsigned_bin_$(Name)
targetPath: $(Build.BinariesDirectory)\bin
- powershell: |
copy "$(Build.SourcesDirectory)\Lib\venv\scripts\common\Activate.ps1" .
displayName: 'Copy files from source'
workingDirectory: $(Build.BinariesDirectory)\bin
- powershell: |
$files = (gi ${{ parameters.Include }} -Exclude ${{ parameters.Exclude }})
signtool sign /a /n "$(SigningCertificate)" /fd sha256 /d "$(SigningDescription)" $files
displayName: 'Sign binaries'
workingDirectory: $(Build.BinariesDirectory)\bin
- powershell: |
$files = (gi ${{ parameters.Include }} -Exclude ${{ parameters.Exclude }})
$failed = $true
foreach ($retry in 1..10) {
signtool timestamp /tr http://timestamp.digicert.com/ /td sha256 $files
if ($?) {
$failed = $false
break
}
sleep 5
}
if ($failed) {
Write-Host "##vso[task.logissue type=error]Failed to timestamp files"
}
displayName: 'Timestamp binaries'
workingDirectory: $(Build.BinariesDirectory)\bin
continueOnError: true
- task: PublishPipelineArtifact@0
displayName: 'Publish artifact: bin_$(Name)'
inputs:
targetPath: '$(Build.BinariesDirectory)\bin'
artifactName: bin_$(Name)
- job: Dump_CertInfo
displayName: Capture certificate info
condition: and(succeeded(), variables['SigningCertificate'])
pool:
name: 'Windows Release'
steps:
- checkout: none
- powershell: |
$m = 'CN=$(SigningCertificate)'
$c = ((gci Cert:\CurrentUser\My), (gci Cert:\LocalMachine\My)) | %{ $_ } | `
?{ $_.Subject -match $m } | `
select -First 1
if (-not $c) {
Write-Host "Failed to find certificate for $(SigningCertificate)"
exit
}
$d = mkdir "$(Build.BinariesDirectory)\tmp" -Force
$cf = "$d\cert.cer"
[IO.File]::WriteAllBytes($cf, $c.Export("Cer"))
$csha = (certutil -dump $cf | sls "Cert Hash\(sha256\): (.+)").Matches.Groups[1].Value
$info = @{ Subject=$c.Subject; SHA256=$csha; }
$d = mkdir "$(Build.BinariesDirectory)\cert" -Force
$info | ConvertTo-JSON -Compress | Out-File -Encoding utf8 "$d\certinfo.json"
displayName: "Extract certificate info"
- task: PublishPipelineArtifact@0
displayName: 'Publish artifact: cert'
inputs:
targetPath: '$(Build.BinariesDirectory)\cert'
artifactName: cert
- job: Mark_Unsigned
displayName: Tag unsigned build
condition: and(succeeded(), not(variables['SigningCertificate']))
pool:
vmImage: windows-2019
steps:
- checkout: none
- powershell: |
Write-Host "##vso[build.addbuildtag]unsigned"
displayName: 'Add build tag'