diff --git a/build/.nativeignore b/build/.nativeignore
index 24f7e1ed45..c6e5ed5b21 100644
--- a/build/.nativeignore
+++ b/build/.nativeignore
@@ -108,6 +108,8 @@ jquery-ui/demos/**
slickgrid/node_modules/**
slickgrid/examples/**
+kerberos/build/**
+
# END SQL Modules
nsfw/binding.gyp
diff --git a/build/azure-pipelines/darwin/createDrop.sh b/build/azure-pipelines/darwin/createDrop.sh
index d0d26f8177..3e7fb6c452 100755
--- a/build/azure-pipelines/darwin/createDrop.sh
+++ b/build/azure-pipelines/darwin/createDrop.sh
@@ -5,11 +5,6 @@ REPO="$(pwd)"
# ensure drop directories exist
mkdir -p $REPO/.build/darwin/{archive,server}
-# remove pkg from archive
-if [[ "$SIGNED" == "true" ]]; then
- zip -d $REPO/.build/darwin/archive/azuredatastudio-darwin.zip "*.pkg"
-fi
-
# package Remote Extension Host
pushd .. && mv azuredatastudio-reh-darwin azuredatastudio-server-darwin && zip -Xry $REPO/.build/darwin/server/azuredatastudio-server-darwin.zip azuredatastudio-server-darwin && popd
diff --git a/build/azure-pipelines/darwin/entitlements.xml b/build/azure-pipelines/darwin/entitlements.xml
index 16890d6443..dbc4e102c4 100644
--- a/build/azure-pipelines/darwin/entitlements.xml
+++ b/build/azure-pipelines/darwin/entitlements.xml
@@ -10,5 +10,13 @@
com.apple.security.cs.disable-library-validation
+ com.apple.security.network.client
+
+ com.apple.security.network.server
+
+ com.apple.security.app-sandbox
+
+ com.apple.security.automation.apple-events
+
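Review bot: Adding `com.apple.security.app-sandbox` to the one entitlements file that the darwin signing step later applies to every nested Mach-O changes the process model, not just the hardened-runtime exceptions: assuming the stripped value lines are `<true/>`, the main app and every helper it spawns would each run in its own sandbox container, whereas Apple's guidance is that child processes of a sandboxed app carry only `com.apple.security.app-sandbox` plus `com.apple.security.inherit`, and a sandboxed app presumably loses access to user files outside its container unless `com.apple.security.files.*` entitlements are added too. App Sandbox is not required for Developer ID signing or notarization, so confirm it is intended rather than bundled in with the network and Apple Events keys; if it is intended, sign the helper executables with a separate minimal file (sandbox + inherit) instead of this one. `com.apple.security.automation.apple-events` also needs an `NSAppleEventsUsageDescription` string in the app's Info.plist (not visible here), or the system denies the request without prompting. Note that `com.apple.security.cs.disable-library-validation` stays in place, so every binary signed with this file may still load libraries signed by other teams.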
diff --git a/build/azure-pipelines/darwin/sql-product-build-darwin.yml b/build/azure-pipelines/darwin/sql-product-build-darwin.yml
index c51f35415a..ac13c53344 100644
--- a/build/azure-pipelines/darwin/sql-product-build-darwin.yml
+++ b/build/azure-pipelines/darwin/sql-product-build-darwin.yml
@@ -1,4 +1,9 @@
steps:
+ - task: InstallAppleCertificate@2
+ displayName: 'Install developer certificate'
+ inputs:
+ certSecureFile: 'osx_signing_key.p12'
+
- script: |
mkdir -p .build
echo -n $BUILD_SOURCEVERSION > .build/commit
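Review bot: The `InstallAppleCertificate@2` task runs on every execution of this job, while every consumer of the certificate later in the file (the manual codesign step and the ESRP steps) is gated on `eq(variables['signed'], true)`; add the same `condition: and(succeeded(), eq(variables['signed'], true))` to the task so the Developer ID private key is only imported into an agent keychain for builds that will actually sign. If `osx_signing_key.p12` is password-protected the task also needs `certPwd: $(osx_signing_key_password)` (or equivalent secret variable), which is not set here. The task exports `APPLE_CERTIFICATE_SIGNING_IDENTITY`; the later codesign calls hard-code `LPV3BJJYXS`, so using the exported variable would keep the identity and the installed certificate from drifting apart.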
@@ -107,12 +112,49 @@ steps:
displayName: Run unit tests
condition: and(succeeded(), eq(variables['RUN_TESTS'], 'true'))
+ - script: |
+ set -e
+ pushd ../azuredatastudio-darwin
+ ls
+
+ echo "Cleaning the application"
+ xattr -cr *.app
+ cd *.app
+ find . -name '._*' -print0 | xargs -0 rm -rf --
+ cd ..
+
+ echo "Signing the application with deep"
+ codesign --deep --force --timestamp --options runtime --entitlements $(Build.SourcesDirectory)/build/azure-pipelines/darwin/entitlements.xml -s LPV3BJJYXS *.app
+
+ cd *.app
+ ls
+ echo "Signing specific components"
+ find . -type f -print0 | xargs -0 file | grep ': *Mach-O' | sed 's/: *Mach-O.*//' | while read -r file; do codesign --options runtime --timestamp --entitlements $(Build.SourcesDirectory)/build/azure-pipelines/darwin/entitlements.xml -s LPV3BJJYXS --force "$file" || break; done
+
+ echo "Signing Electron again..."
+ codesign --force --timestamp --options runtime --entitlements $(Build.SourcesDirectory)/build/azure-pipelines/darwin/entitlements.xml -s LPV3BJJYXS Contents/Frameworks/Electron\ Framework.framework
+ cd ..
+
+ echo "Signing the entire application one more time"
+ codesign --force --timestamp --options runtime --entitlements $(Build.SourcesDirectory)/build/azure-pipelines/darwin/entitlements.xml -s LPV3BJJYXS *.app
+ popd
+ displayName: 'Manual codesign'
+ condition: and(succeeded(), eq(variables['signed'], true))
+
- script: |
set -e
mkdir -p .build/darwin/archive
- pushd ../azuredatastudio-darwin && zip -r -X -y $(Build.SourcesDirectory)/.build/darwin/archive/azuredatastudio-darwin.zip * && popd
+ pushd ../azuredatastudio-darwin
+ ditto -c -k --keepParent *.app $(Build.SourcesDirectory)/.build/darwin/archive/azuredatastudio-darwin.zip
+ popd
displayName: 'Archive'
+ - task: PublishPipelineArtifact@0
+ displayName: 'Publish SelfSigned'
+ inputs:
+ artifactName: darwin-selfsigned
+ targetPath: $(Build.SourcesDirectory)/.build/darwin/archive/azuredatastudio-darwin.zip
+
- task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
displayName: 'ESRP CodeSigning'
inputs:
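Review bot: The `|| break` at the end of the per-component signing loop silently swallows codesign failures: `break` only leaves the `while` loop, which then exits 0, so the pipeline succeeds and `set -e` never fires, leaving a partially signed bundle that the unconditional 'Publish SelfSigned' step still publishes. Change it to `|| exit 1` (the loop runs in the pipeline's subshell, so the non-zero status becomes the pipeline's and aborts the step) and add `set -o pipefail` after `set -e` so a failing `find`/`file` is not masked either. Separately, Apple documents `--deep` as unsuitable for distribution signing because it stamps the app's entitlements onto every nested binary; since the loop and the explicit Electron Framework signing already re-sign the components, dropping `--deep` from the first codesign call is worth considering.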
@@ -124,13 +166,56 @@ steps:
[
{
"keyCode": "CP-401337-Apple",
- "operationSetCode": "MacAppDeveloperSign",
- "parameters": [],
+ "operationCode": "MacAppDeveloperSign",
+ "parameters": {
+ "Hardening": "Enable"
+ },
"toolName": "sign",
"toolVersion": "1.0"
}
]
- SessionTimeout: 125
+ SessionTimeout: 90
+ condition: and(succeeded(), eq(variables['signed'], true))
+
+ - script: |
+ zip -d $(Build.SourcesDirectory)/.build/darwin/archive/azuredatastudio-darwin.zip "*.pkg"
+ displayName: Clean Archive
+ condition: and(succeeded(), eq(variables['signed'], true))
+
+ - task: PublishPipelineArtifact@0
+ displayName: 'Publish Signed'
+ inputs:
+ artifactName: darwin-signed
+ targetPath: $(Build.SourcesDirectory)/.build/darwin/archive/azuredatastudio-darwin.zip
+ condition: and(succeeded(), eq(variables['signed'], true))
+
+ - task: EsrpCodeSigning@1
+ displayName: 'ESRP Notarization'
+ inputs:
+ ConnectedServiceName: 'Code Signing'
+ FolderPath: '$(Build.SourcesDirectory)/.build/darwin/archive'
+ Pattern: 'azuredatastudio-darwin.zip'
+ signConfigType: inlineSignParams
+ inlineOperation: |
+ [
+ {
+ "KeyCode": "CP-401337-Apple",
+ "OperationCode": "MacAppNotarize",
+ "Parameters": {
+ "BundleId": "com.microsoft.azuredatastudio-$(VSCODE_QUALITY)"
+ },
+ "ToolName": "sign",
+ "ToolVersion": "1.0"
+ }
+ ]
+ SessionTimeout: 120
+ condition: and(succeeded(), eq(variables['signed'], true))
+
+ - task: PublishPipelineArtifact@0
+ displayName: 'Publish Notarized'
+ inputs:
+ artifactName: darwin-notarized
+ targetPath: $(Build.SourcesDirectory)/.build/darwin/archive/azuredatastudio-darwin.zip
condition: and(succeeded(), eq(variables['signed'], true))
- script: |