move the macOS ESRP signing steps to a separate job (#11129)

* move ESRP signing to a separate job

* rename job

* depends on

* signing

* rename task

build/azure-pipelines/darwin/sql-product-build-darwin-signing.yml

@@ -0,0 +1,82 @@
+steps:
+  - task: InstallAppleCertificate@2
+    displayName: 'Install developer certificate'
+    inputs:
+      certSecureFile: 'osx_signing_key.p12'
+    condition: eq(variables['signed'], true)
+
+  - task: DownloadBuildArtifacts@0
+    displayName: 'Download Build Artifacts'
+    inputs:
+      downloadType: specific
+      itemPattern: 'drop/darwin/archive/azuredatastudio-darwin-unsigned.zip'
+      downloadPath: '$(Build.SourcesDirectory)/.build/'
+
+  - script: |
+      pushd $(Build.SourcesDirectory)/.build/drop/darwin/archive
+      mv azuredatastudio-darwin-unsigned.zip azuredatastudio-darwin.zip
+    displayName: 'Rename the file'
+
+  - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
+    displayName: 'ESRP CodeSigning'
+    inputs:
+      ConnectedServiceName: 'Code Signing'
+      FolderPath: '$(Build.SourcesDirectory)/.build/drop/darwin/archive'
+      Pattern: 'azuredatastudio-darwin.zip'
+      signConfigType: inlineSignParams
+      inlineOperation: |
+        [
+          {
+            "keyCode": "CP-401337-Apple",
+            "operationCode": "MacAppDeveloperSign",
+            "parameters": {
+              "Hardening": "Enable"
+            },
+            "toolName": "sign",
+            "toolVersion": "1.0"
+          }
+        ]
+      SessionTimeout: 90
+    condition: and(succeeded(), eq(variables['signed'], true))
+
+  - script: |
+      zip -d $(Build.SourcesDirectory)/.build/drop/darwin/archive/azuredatastudio-darwin.zip "*.pkg"
+    displayName: Clean Archive
+    condition: and(succeeded(), eq(variables['signed'], true))
+
+  - task: EsrpCodeSigning@1
+    displayName: 'ESRP Notarization'
+    inputs:
+      ConnectedServiceName: 'Code Signing'
+      FolderPath: '$(Build.SourcesDirectory)/.build/drop/darwin/archive'
+      Pattern: 'azuredatastudio-darwin.zip'
+      signConfigType: inlineSignParams
+      inlineOperation: |
+        [
+          {
+            "KeyCode": "CP-401337-Apple",
+            "OperationCode": "MacAppNotarize",
+            "Parameters": {
+              "BundleId": "com.microsoft.azuredatastudio-$(VSCODE_QUALITY)"
+            },
+            "ToolName": "sign",
+            "ToolVersion": "1.0"
+          }
+        ]
+      SessionTimeout: 120
+    condition: and(succeeded(), eq(variables['signed'], true))
+
+  - task: CopyFiles@2
+    displayName: 'Copy Files to: $(Build.ArtifactStagingDirectory)/darwin/archive'
+    inputs:
+      SourceFolder: '$(Build.SourcesDirectory)/.build/drop/darwin/archive'
+      TargetFolder: '$(Build.ArtifactStagingDirectory)/darwin/archive'
+
+  - task: PublishBuildArtifacts@1
+    displayName: 'Publish Artifact: drop'
+    condition: always()
+
+  - task: ms.vss-governance-buildtask.governance-build-task-component-detection.ComponentGovernanceComponentDetection@0
+    displayName: 'Component Detection'
+    inputs:
+      failOnAlert: true

build/azure-pipelines/darwin/sql-product-build-darwin.yml

@@ -171,55 +171,16 @@ steps:
       pushd ../azuredatastudio-darwin
       ditto -c -k --keepParent *.app $(Build.SourcesDirectory)/.build/darwin/archive/azuredatastudio-darwin.zip
       popd
-    displayName: 'Archive'
+    displayName: 'Archive (no signing)'
-
+    condition: and(succeeded(), eq(variables['signed'], false))
-  - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
-    displayName: 'ESRP CodeSigning'
-    inputs:
-      ConnectedServiceName: 'Code Signing'
-      FolderPath: '$(Build.SourcesDirectory)/.build/darwin/archive'
-      Pattern: 'azuredatastudio-darwin.zip'
-      signConfigType: inlineSignParams
-      inlineOperation: |
-        [
-          {
-            "keyCode": "CP-401337-Apple",
-            "operationCode": "MacAppDeveloperSign",
-            "parameters": {
-              "Hardening": "Enable"
-            },
-            "toolName": "sign",
-            "toolVersion": "1.0"
-          }
-        ]
-      SessionTimeout: 90
-    condition: and(succeeded(), eq(variables['signed'], true))
 
   - script: |
-      zip -d $(Build.SourcesDirectory)/.build/darwin/archive/azuredatastudio-darwin.zip "*.pkg"
+      set -e
-    displayName: Clean Archive
+      mkdir -p .build/darwin/archive
-    condition: and(succeeded(), eq(variables['signed'], true))
+      pushd ../azuredatastudio-darwin
-
+      ditto -c -k --keepParent *.app $(Build.SourcesDirectory)/.build/darwin/archive/azuredatastudio-darwin-unsigned.zip
-  - task: EsrpCodeSigning@1
+      popd
-    displayName: 'ESRP Notarization'
+    displayName: 'Archive'
-    inputs:
-      ConnectedServiceName: 'Code Signing'
-      FolderPath: '$(Build.SourcesDirectory)/.build/darwin/archive'
-      Pattern: 'azuredatastudio-darwin.zip'
-      signConfigType: inlineSignParams
-      inlineOperation: |
-        [
-          {
-            "KeyCode": "CP-401337-Apple",
-            "OperationCode": "MacAppNotarize",
-            "Parameters": {
-              "BundleId": "com.microsoft.azuredatastudio-$(VSCODE_QUALITY)"
-            },
-            "ToolName": "sign",
-            "ToolVersion": "1.0"
-          }
-        ]
-      SessionTimeout: 120
     condition: and(succeeded(), eq(variables['signed'], true))
 
   - script: |

build/azure-pipelines/sql-product-build.yml

@@ -26,6 +26,16 @@ jobs:
   - template: darwin/sql-product-build-darwin.yml
   timeoutInMinutes: 180
 
+- job: macOS_Signing
+  condition: and(succeeded(), eq(variables['VSCODE_BUILD_MACOS'], 'true'), eq(variables['signed'], true))
+  pool:
+    vmImage: macOS-latest
+  dependsOn:
+  - macOS
+  steps:
+  - template: darwin/sql-product-build-darwin-signing.yml
+  timeoutInMinutes: 60
+
 - job: Linux
   condition: and(succeeded(), eq(variables['VSCODE_BUILD_LINUX'], 'true'))
   pool:
@@ -90,6 +100,7 @@ jobs:
   - Windows
   - Windows_Test
   - LinuxWeb
+  - macOS_Signing
   steps:
   - template: sql-release.yml