mirror of
https://github.com/ckaczor/azuredatastudio.git
synced 2026-02-18 11:01:36 -05:00
Amir/target/notarization (#9082)
* runtime hardening * Notarization * Fix the parameters * Update sql-product-build-darwin.yml * Format * Change task name * Remove the array * Support new format * Use new format for notarizing too * Change timeouts to accommodate how long apple takes * Change timeout in minutes to 2 hours * Update sql-product-build-darwin.yml * Increase timeouts * Change the pipeline * Fix formatting * Fix formatting * Fix formatting * Fix formatting * Change path * Fix path for cleanup * Don't do hardening * Enable hardening again * Self sign * add display name * Change key identity * Deep codesign * Fix path * add extras * add hardening back * use ditto instead of zip per apple docs * Changing signing syntax * Don't deep sign * Use --deep and add new entitlement * Temporarily disable notarization * entitlements fix * Don't do runtime hardening for self sign * Will this fix codesign I wonder * codesigning * sign everything first * Change signing to delete bad files * remove xattr * Change the find command * Delete mssql and big-data-cluster * Stablize the signing * Bring in notarization changes
This commit is contained in:
@@ -5,11 +5,6 @@ REPO="$(pwd)"
|
||||
# ensure drop directories exist
|
||||
mkdir -p $REPO/.build/darwin/{archive,server}
|
||||
|
||||
# remove pkg from archive
|
||||
if [[ "$SIGNED" == "true" ]]; then
|
||||
zip -d $REPO/.build/darwin/archive/azuredatastudio-darwin.zip "*.pkg"
|
||||
fi
|
||||
|
||||
# package Remote Extension Host
|
||||
pushd .. && mv azuredatastudio-reh-darwin azuredatastudio-server-darwin && zip -Xry $REPO/.build/darwin/server/azuredatastudio-server-darwin.zip azuredatastudio-server-darwin && popd
|
||||
|
||||
|
||||
@@ -10,5 +10,13 @@
|
||||
<true/>
|
||||
<key>com.apple.security.cs.disable-library-validation</key>
|
||||
<true/>
|
||||
<key>com.apple.security.network.client</key>
|
||||
<true/>
|
||||
<key>com.apple.security.network.server</key>
|
||||
<true/>
|
||||
<key>com.apple.security.app-sandbox</key>
|
||||
<false/>
|
||||
<key>com.apple.security.automation.apple-events</key>
|
||||
<true/>
|
||||
</dict>
|
||||
</plist>
|
||||
|
||||
@@ -1,4 +1,9 @@
|
||||
steps:
|
||||
- task: InstallAppleCertificate@2
|
||||
displayName: 'Install developer certificate'
|
||||
inputs:
|
||||
certSecureFile: 'osx_signing_key.p12'
|
||||
|
||||
- script: |
|
||||
mkdir -p .build
|
||||
echo -n $BUILD_SOURCEVERSION > .build/commit
|
||||
@@ -107,12 +112,48 @@ steps:
|
||||
displayName: Run unit tests
|
||||
condition: and(succeeded(), eq(variables['RUN_TESTS'], 'true'))
|
||||
|
||||
- script: |
|
||||
set -e
|
||||
pushd ../azuredatastudio-darwin
|
||||
ls
|
||||
|
||||
echo "Cleaning the application"
|
||||
xattr -cr *.app
|
||||
cd *.app
|
||||
find . -name '._*' -print0 | xargs -0 rm -rf --
|
||||
cd ..
|
||||
|
||||
echo "Signing the application with deep"
|
||||
codesign --deep --force --timestamp --options runtime --entitlements $(Build.SourcesDirectory)/build/azure-pipelines/darwin/entitlements.xml -s LPV3BJJYXS *.app
|
||||
|
||||
cd *.app
|
||||
ls
|
||||
echo "Signing specific components"
|
||||
find . -type f -print0 | xargs -0 file | grep ': *Mach-O' | sed 's/: *Mach-O.*//' | while read -r file; do codesign --options runtime --timestamp --entitlements $(Build.SourcesDirectory)/build/azure-pipelines/darwin/entitlements.xml -s LPV3BJJYXS --force "$file" || break; done
|
||||
|
||||
echo "Signing Electron again..."
|
||||
codesign --force --timestamp --options runtime --entitlements $(Build.SourcesDirectory)/build/azure-pipelines/darwin/entitlements.xml -s LPV3BJJYXS Contents/Frameworks/Electron\ Framework.framework
|
||||
cd ..
|
||||
|
||||
echo "Signing the entire application one more time"
|
||||
codesign --force --timestamp --options runtime --entitlements $(Build.SourcesDirectory)/build/azure-pipelines/darwin/entitlements.xml -s LPV3BJJYXS *.app
|
||||
popd
|
||||
displayName: 'Manual codesign'
|
||||
|
||||
- script: |
|
||||
set -e
|
||||
mkdir -p .build/darwin/archive
|
||||
pushd ../azuredatastudio-darwin && zip -r -X -y $(Build.SourcesDirectory)/.build/darwin/archive/azuredatastudio-darwin.zip * && popd
|
||||
pushd ../azuredatastudio-darwin
|
||||
ditto -c -k --keepParent *.app $(Build.SourcesDirectory)/.build/darwin/archive/azuredatastudio-darwin.zip
|
||||
popd
|
||||
displayName: 'Archive'
|
||||
|
||||
- task: PublishPipelineArtifact@0
|
||||
displayName: 'Publish SelfSigned'
|
||||
inputs:
|
||||
artifactName: darwin-selfsigned
|
||||
targetPath: $(Build.SourcesDirectory)/.build/darwin/archive/azuredatastudio-darwin.zip
|
||||
|
||||
- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
|
||||
displayName: 'ESRP CodeSigning'
|
||||
inputs:
|
||||
@@ -124,14 +165,57 @@ steps:
|
||||
[
|
||||
{
|
||||
"keyCode": "CP-401337-Apple",
|
||||
"operationSetCode": "MacAppDeveloperSign",
|
||||
"parameters": [],
|
||||
"operationCode": "MacAppDeveloperSign",
|
||||
"parameters": {
|
||||
"Hardening": "Enable"
|
||||
},
|
||||
"toolName": "sign",
|
||||
"toolVersion": "1.0"
|
||||
}
|
||||
]
|
||||
SessionTimeout: 125
|
||||
condition: and(succeeded(), eq(variables['signed'], true))
|
||||
SessionTimeout: 90
|
||||
condition: and(succeeded(), eq(variables['signtba'], true))
|
||||
|
||||
- script: |
|
||||
zip -d $(Build.SourcesDirectory)/.build/darwin/archive/azuredatastudio-darwin.zip "*.pkg"
|
||||
displayName: Clean Archive
|
||||
condition: and(succeeded(), eq(variables['signtba'], true))
|
||||
|
||||
- task: PublishPipelineArtifact@0
|
||||
displayName: 'Publish Signed'
|
||||
inputs:
|
||||
artifactName: darwin-signed
|
||||
targetPath: $(Build.SourcesDirectory)/.build/darwin/archive/azuredatastudio-darwin.zip
|
||||
condition: and(succeeded(), eq(variables['signtba'], true))
|
||||
|
||||
- task: EsrpCodeSigning@1
|
||||
displayName: 'ESRP Notarization'
|
||||
inputs:
|
||||
ConnectedServiceName: 'Code Signing'
|
||||
FolderPath: '$(Build.SourcesDirectory)/.build/darwin/archive'
|
||||
Pattern: 'azuredatastudio-darwin.zip'
|
||||
signConfigType: inlineSignParams
|
||||
inlineOperation: |
|
||||
[
|
||||
{
|
||||
"KeyCode": "CP-401337-Apple",
|
||||
"OperationCode": "MacAppNotarize",
|
||||
"Parameters": {
|
||||
"BundleId": "com.microsoft.azuredatastudio-$(VSCODE_QUALITY)"
|
||||
},
|
||||
"ToolName": "sign",
|
||||
"ToolVersion": "1.0"
|
||||
}
|
||||
]
|
||||
SessionTimeout: 120
|
||||
condition: and(succeeded(), eq(variables['signtba'], true))
|
||||
|
||||
- task: PublishPipelineArtifact@0
|
||||
displayName: 'Publish Notarized'
|
||||
inputs:
|
||||
artifactName: darwin-notarized
|
||||
targetPath: $(Build.SourcesDirectory)/.build/darwin/archive/azuredatastudio-darwin.zip
|
||||
condition: and(succeeded(), eq(variables['signtba'], true))
|
||||
|
||||
- script: |
|
||||
set -e
|
||||
|
||||
Reference in New Issue
Block a user