Runtime hardening and notarization for OSX (#8663)

build/.nativeignore

@@ -108,6 +108,8 @@ jquery-ui/demos/**
 slickgrid/node_modules/**
 slickgrid/examples/**
 
+kerberos/build/**
+
 # END SQL Modules
 
 nsfw/binding.gyp

build/azure-pipelines/darwin/createDrop.sh

@@ -5,11 +5,6 @@ REPO="$(pwd)"
 # ensure drop directories exist
 mkdir -p $REPO/.build/darwin/{archive,server}
 
-# remove pkg from archive
-if [[ "$SIGNED" == "true" ]]; then
-	zip -d $REPO/.build/darwin/archive/azuredatastudio-darwin.zip "*.pkg"
-fi
-
 # package Remote Extension Host
 pushd .. && mv azuredatastudio-reh-darwin azuredatastudio-server-darwin && zip -Xry $REPO/.build/darwin/server/azuredatastudio-server-darwin.zip azuredatastudio-server-darwin && popd
 

build/azure-pipelines/darwin/entitlements.xml

@@ -10,5 +10,13 @@
 	<true/>
 	<key>com.apple.security.cs.disable-library-validation</key>
 	<true/>
+	<key>com.apple.security.network.client</key>
+	<true/>
+	<key>com.apple.security.network.server</key>
+	<true/>
+	<key>com.apple.security.app-sandbox</key>
+	<false/>
+	<key>com.apple.security.automation.apple-events</key>
+	<true/>
 </dict>
 </plist>

build/azure-pipelines/darwin/sql-product-build-darwin.yml

@@ -1,4 +1,9 @@
 steps:
+  - task: InstallAppleCertificate@2
+    displayName: 'Install developer certificate'
+    inputs:
+      certSecureFile: 'osx_signing_key.p12'
+
   - script: |
       mkdir -p .build
       echo -n $BUILD_SOURCEVERSION > .build/commit
@@ -107,12 +112,49 @@ steps:
     displayName: Run unit tests
     condition: and(succeeded(), eq(variables['RUN_TESTS'], 'true'))
 
+  - script: |
+      set -e
+      pushd ../azuredatastudio-darwin
+      ls
+
+      echo "Cleaning the application"
+      xattr -cr *.app
+      cd *.app
+      find . -name '._*' -print0 | xargs -0 rm -rf --
+      cd ..
+
+      echo "Signing the application with deep"
+      codesign --deep --force --timestamp --options runtime --entitlements $(Build.SourcesDirectory)/build/azure-pipelines/darwin/entitlements.xml -s LPV3BJJYXS *.app
+
+      cd *.app
+      ls
+      echo "Signing specific components"
+      find . -type f -print0 | xargs -0 file | grep ':  *Mach-O' | sed 's/:  *Mach-O.*//' | while read -r file; do codesign --options runtime --timestamp --entitlements $(Build.SourcesDirectory)/build/azure-pipelines/darwin/entitlements.xml -s LPV3BJJYXS --force "$file" || break; done
+
+      echo "Signing Electron again..."
+      codesign --force --timestamp --options runtime --entitlements $(Build.SourcesDirectory)/build/azure-pipelines/darwin/entitlements.xml -s LPV3BJJYXS Contents/Frameworks/Electron\ Framework.framework
+      cd ..
+
+      echo "Signing the entire application one more time"
+      codesign --force --timestamp --options runtime --entitlements $(Build.SourcesDirectory)/build/azure-pipelines/darwin/entitlements.xml -s LPV3BJJYXS *.app
+      popd
+    displayName: 'Manual codesign'
+    condition: and(succeeded(), eq(variables['signed'], true))
+
   - script: |
       set -e
       mkdir -p .build/darwin/archive
-      pushd ../azuredatastudio-darwin && zip -r -X -y $(Build.SourcesDirectory)/.build/darwin/archive/azuredatastudio-darwin.zip * && popd
+      pushd ../azuredatastudio-darwin
+      ditto -c -k --keepParent *.app $(Build.SourcesDirectory)/.build/darwin/archive/azuredatastudio-darwin.zip
+      popd
     displayName: 'Archive'
 
+  - task: PublishPipelineArtifact@0
+    displayName: 'Publish SelfSigned'
+    inputs:
+      artifactName: darwin-selfsigned
+      targetPath: $(Build.SourcesDirectory)/.build/darwin/archive/azuredatastudio-darwin.zip
+
   - task: SFP.build-tasks.custom-build-task-1.EsrpCodeSigning@1
     displayName: 'ESRP CodeSigning'
     inputs:
@@ -124,13 +166,56 @@ steps:
         [
           {
             "keyCode": "CP-401337-Apple",
-            "operationSetCode": "MacAppDeveloperSign",
+            "operationCode": "MacAppDeveloperSign",
-            "parameters": [],
+            "parameters": {
+              "Hardening": "Enable"
+            },
             "toolName": "sign",
             "toolVersion": "1.0"
           }
         ]
-      SessionTimeout: 125
+      SessionTimeout: 90
+    condition: and(succeeded(), eq(variables['signed'], true))
+
+  - script: |
+      zip -d $(Build.SourcesDirectory)/.build/darwin/archive/azuredatastudio-darwin.zip "*.pkg"
+    displayName: Clean Archive
+    condition: and(succeeded(), eq(variables['signed'], true))
+
+  - task: PublishPipelineArtifact@0
+    displayName: 'Publish Signed'
+    inputs:
+      artifactName: darwin-signed
+      targetPath: $(Build.SourcesDirectory)/.build/darwin/archive/azuredatastudio-darwin.zip
+    condition: and(succeeded(), eq(variables['signed'], true))
+
+  - task: EsrpCodeSigning@1
+    displayName: 'ESRP Notarization'
+    inputs:
+      ConnectedServiceName: 'Code Signing'
+      FolderPath: '$(Build.SourcesDirectory)/.build/darwin/archive'
+      Pattern: 'azuredatastudio-darwin.zip'
+      signConfigType: inlineSignParams
+      inlineOperation: |
+        [
+          {
+            "KeyCode": "CP-401337-Apple",
+            "OperationCode": "MacAppNotarize",
+            "Parameters": {
+              "BundleId": "com.microsoft.azuredatastudio-$(VSCODE_QUALITY)"
+            },
+            "ToolName": "sign",
+            "ToolVersion": "1.0"
+          }
+        ]
+      SessionTimeout: 120
+    condition: and(succeeded(), eq(variables['signed'], true))
+
+  - task: PublishPipelineArtifact@0
+    displayName: 'Publish Notarized'
+    inputs:
+      artifactName: darwin-notarized
+      targetPath: $(Build.SourcesDirectory)/.build/darwin/archive/azuredatastudio-darwin.zip
     condition: and(succeeded(), eq(variables['signed'], true))
 
   - script: |