From 0d4c9c9a622fd5422c3ab55c7e9fb67252c4c03e Mon Sep 17 00:00:00 2001
From: Alan Ren <alanren@microsoft.com>
Date: Fri, 10 Mar 2023 21:58:12 -0800
Subject: [PATCH] sign executable for osx-arm64 runtime (#1934)

* sign executables for mac

* fix indention

* use codesign

* fix directory

* add mkdir

* update release step

* fix error

* add migration and kusto executables

* revert the version change
---
 azure-pipelines/build-and-release.yml | 10 +++++++
 azure-pipelines/build.yml             |  2 +-
 azure-pipelines/osx-arm64-signing.yml | 42 +++++++++++++++++++++++++++
 azure-pipelines/release.yml           | 10 +++++++
 4 files changed, 63 insertions(+), 1 deletion(-)
 create mode 100644 azure-pipelines/osx-arm64-signing.yml

diff --git a/azure-pipelines/build-and-release.yml b/azure-pipelines/build-and-release.yml
index d7c8fe87..0fbd06d6 100644
--- a/azure-pipelines/build-and-release.yml
+++ b/azure-pipelines/build-and-release.yml
@@ -25,6 +25,16 @@ stages:
     - template: build.yml
     timeoutInMinutes: 90
 
+  # In order to run on arm64 macOS the executables must be at least self-signed, but dotnet publish step only does it when publishing on macOS.
+  # More information: https://github.com/dotnet/runtime/issues/49091
+  - job: CodeSign_osx_arm64_executables
+    pool:
+      vmImage: 'macos-latest'
+    dependsOn:
+      - Build
+    steps:
+    - template: osx-arm64-signing.yml
+
 - stage: Release
   variables:
   - name: skipComponentGovernanceDetection
diff --git a/azure-pipelines/build.yml b/azure-pipelines/build.yml
index 29a3bf55..b397ccca 100644
--- a/azure-pipelines/build.yml
+++ b/azure-pipelines/build.yml
@@ -9,7 +9,7 @@ parameters:
       archiveType: 'tar'
     - name: 'osx-arm64'
       displayName: 'osx arm'
-      archiveName: 'osx-arm64'
+      archiveName: 'osx-arm64-unsigned'
       archiveFileFormat: 'tar.gz'
       archiveType: 'tar'
     - name: 'rhel.7.2-x64'
diff --git a/azure-pipelines/osx-arm64-signing.yml b/azure-pipelines/osx-arm64-signing.yml
new file mode 100644
index 00000000..483f60c0
--- /dev/null
+++ b/azure-pipelines/osx-arm64-signing.yml
@@ -0,0 +1,42 @@
+steps:
+  - task: DownloadBuildArtifacts@0
+    displayName: 'Download Build Artifacts'
+    inputs:
+      downloadType: specific
+      itemPattern: |
+       drop/Microsoft.SqlTools.ServiceLayer-osx-arm64-unsigned-net7.0.tar.gz
+       drop/Microsoft.SqlTools.Migration-osx-arm64-unsigned-net7.0.tar.gz
+      downloadPath: '$(Agent.TempDirectory)'
+
+  - script: |
+      cd $(Agent.TempDirectory)/drop
+      mkdir sts
+      tar -xzvf Microsoft.SqlTools.ServiceLayer-osx-arm64-unsigned-net7.0.tar.gz -C sts
+      mkdir migration
+      tar -xzvf Microsoft.SqlTools.Migration-osx-arm64-unsigned-net7.0.tar.gz -C migration
+    displayName: 'Extract files'
+
+  - script: |
+      cd $(Agent.TempDirectory)/drop/sts
+      codesign -s - MicrosoftSqlToolsCredentials
+      codesign -s - MicrosoftSqlToolsServiceLayer
+      codesign -s - SqlToolsResourceProviderService
+      codesign -s - MicrosoftKustoServiceLayer
+      cd $(Agent.TempDirectory)/drop/migration
+      codesign -s - MicrosoftSqlToolsMigration
+    displayName: 'Sign executables'
+
+  - script: |
+      cd $(Agent.TempDirectory)/drop/sts
+      tar -czvf Microsoft.SqlTools.ServiceLayer-osx-arm64-net7.0.tar.gz *
+      cd $(Agent.TempDirectory)/drop/migration
+      tar -czvf Microsoft.SqlTools.Migration-osx-arm64-net7.0.tar.gz *
+    displayName: 'Archive files'
+
+  - script: |
+      cp $(Agent.TempDirectory)/drop/sts/Microsoft.SqlTools.ServiceLayer-osx-arm64-net7.0.tar.gz $(Build.ArtifactStagingDirectory)
+      cp $(Agent.TempDirectory)/drop/migration/Microsoft.SqlTools.Migration-osx-arm64-net7.0.tar.gz $(Build.ArtifactStagingDirectory)
+    displayName: 'Copy files to drop folder'
+
+  - task: PublishBuildArtifacts@1
+    displayName: 'Publish Artifact'
\ No newline at end of file
diff --git a/azure-pipelines/release.yml b/azure-pipelines/release.yml
index 219564b2..9c873e13 100644
--- a/azure-pipelines/release.yml
+++ b/azure-pipelines/release.yml
@@ -5,9 +5,11 @@ steps:
     azureSubscription: 'ClientToolsInfra_670062 (88d5392f-a34f-4769-b405-f597fc533613)'
     KeyVaultName: 'ado-secrets'
     SecretsFilter: 'github-distro-mixin-password,ado-crossplatbuildscripts-password'
+
 - powershell: |
     git clone https://$(ado-crossplatbuildscripts-password)@dev.azure.com/mssqltools/_git/CrossPlatBuildScripts
   displayName: Clone CrossPlatBuildScripts
+
 - task: DownloadBuildArtifacts@0
   displayName: 'Download build drop artifacts'
   inputs:
@@ -16,11 +18,19 @@ steps:
     artifactName: 'drop'
     itemPattern: '**/*'
     downloadPath: '$(Agent.TempDirectory)'
+
 - task: CopyFiles@2
   displayName: 'Copy build drop artifacts to: $(Build.SourcesDirectory)/artifacts/package/artifacts/package'
   inputs:
     SourceFolder: '$(Agent.TempDirectory)/drop'
     TargetFolder: '$(Build.SourcesDirectory)/artifacts/package'
+
+- script: |
+    cd $(Build.SourcesDirectory)/artifacts/package
+    rm Microsoft.SqlTools.ServiceLayer-osx-arm64-unsigned-net7.0.tar.gz
+    rm Microsoft.SqlTools.Migration-osx-arm64-unsigned-net7.0.tar.gz
+  displayName: 'Delete the unsigned arm64-osx packages'
+
 - task: PowerShell@2
   displayName: 'Run Automated Release Script'
   inputs: